Managing Azure SQL Server permissions with Active Directory groups
When working with Azure SQL Server and managing permissions with Active Directory (AD) groups, there are several Pulumi resources you can use. The key resources are `azure-native.sql.ServerAzureADAdministrator` to assign an AD admin to the SQL Server, the `azuread.Group` resource to create an AD group, and `azure-native.sql.ServerTrustGroup`, which controls access and permissions between Azure SQL servers if you are setting up trust relationships.

Here's a high-level view of what these resources do:

- `azuread.Group`: Creates a group within Azure Active Directory. You add the users who should have access to SQL Server to this group.
- `azure-native.sql.ServerAzureADAdministrator`: Associates an Azure AD group or user with an Azure SQL Server as its Active Directory administrator. Members of that Azure AD group become admins on the SQL Server.
- `azure-native.sql.ServerTrustGroup` (optional): If you need to set up access between multiple Azure SQL servers and control it using AD groups, this resource configures such a setup.
Below, you'll find a Pulumi program in TypeScript that outlines how to create an AD group and assign it administrative permissions to an Azure SQL Server.
```typescript
import * as azuread from "@pulumi/azuread";
import * as azure from "@pulumi/azure-native";

// Tenant ID of the identity Pulumi is running as, so it is not hard-coded
const current = azuread.getClientConfig();

// Create a new Azure AD group
const sqlAdminGroup = new azuread.Group("sqlAdminGroup", {
    displayName: "SQL Server Admins",
    members: [], // Object IDs of the users to include in this group
    securityEnabled: true,
});

// Assign the Azure AD group as administrator of the Azure SQL Server
const sqlServerAdmin = new azure.sql.ServerAzureADAdministrator("sqlServerAdAdmin", {
    administratorName: "ActiveDirectory",          // Fixed name the API expects for the AD admin
    administratorType: "ActiveDirectory",          // Admin is an Azure AD user/group
    login: sqlAdminGroup.displayName,              // Login name shown on the SQL Server
    sid: sqlAdminGroup.objectId,                   // Object ID of the AD group
    tenantId: current.then(c => c.tenantId),       // Your Azure tenant ID
    serverName: "your-sql-server-name",            // The name of the SQL Server
    resourceGroupName: "your-resource-group-name", // Resource group where the SQL Server resides
});

export const sqlAdminGroupObjectId = sqlAdminGroup.objectId;
export const sqlServerAdminLogin = sqlServerAdmin.login;
```
In this program, we first create the Azure AD group `sqlAdminGroup`, which will act as our SQL Server admin group. Add the object IDs of the Azure AD users to the `members` array to include them in the group.

Next, we set up an `azure.sql.ServerAzureADAdministrator` resource. This associates the AD group we created as the admin on the specified Azure SQL Server. The `serverName` and `resourceGroupName` fields should be replaced by your Azure SQL Server's name and the name of the resource group it resides in. The `tenantId` is the ID of the Azure tenant where all your resources are managed.

Please ensure that the SQL Server and the resource group already exist and are properly configured in your Azure environment before running this Pulumi program, and replace the placeholder in the `members` array of the AD group with the actual user object IDs. Remember to provide the appropriate values for `tenantId`, `serverName`, `resourceGroupName`, and `members`. When you run this program with Pulumi, it will provision the necessary resources within your Azure subscription.

The program exports the object ID of the `sqlAdminGroup` and the login name of the `sqlServerAdmin`. You can use these in further Pulumi programs or configurations as necessary.
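The AD admin group set up above is the server's administrator, so everyday access is better granted through separate, non-admin AD groups mapped to database users with specific roles. The following TypeScript helper is added here as an example; it is not part of the original page or the Pulumi project. It checks the inputs the program needs (`tenantId`, `serverName`, `resourceGroupName`, `members`) for leftover placeholders before a deployment, and generates idempotent T-SQL that maps an access group to a contained database user with least-privilege roles. The function and type names, the allowed-role list and the sample values are my own assumptions; the generated SQL would be run against each database by a member of the AD admin group, for example from a post-deployment script.

```typescript
// Added example (not from the original Pulumi page): validate the inputs the
// program above needs and generate the T-SQL that maps a non-admin Azure AD
// group to a contained database user with least-privilege roles.
// Assumed: Azure SQL's `CREATE USER ... FROM EXTERNAL PROVIDER` syntax and the
// fixed database roles listed below; all sample values are constructed.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Azure SQL logical server names: 1-63 lowercase letters, digits or hyphens,
// not starting or ending with a hyphen.
const SERVER_NAME_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Roles an everyday access group may receive. db_owner is deliberately absent:
// owner-level access should come only through the AD admin group.
const ALLOWED_ROLES = new Set<string>(["db_datareader", "db_datawriter", "db_ddladmin"]);

export function isGuid(value: string): boolean {
  return GUID_RE.test(value);
}

/** Bracket-quote a T-SQL identifier, doubling any closing bracket inside it. */
export function quoteIdentifier(name: string): string {
  if (name.length === 0 || name.length > 128) {
    throw new Error("identifier must be 1..128 characters");
  }
  return "[" + name.replace(/\]/g, "]]") + "]";
}

/** Escape a string for use inside a single-quoted T-SQL literal. */
function escapeLiteral(value: string): string {
  return value.replace(/'/g, "''");
}

export interface GroupAccess {
  displayName: string; // Azure AD group display name; becomes the database user name
  objectId: string;    // Azure AD object ID of the group, checked for shape only
  roles: string[];     // fixed database roles to grant to the group
}

/** Build idempotent T-SQL that creates the group's database user and grants its roles. */
export function buildGroupAccessSql(access: GroupAccess): string {
  if (!isGuid(access.objectId)) {
    throw new Error(`objectId is not an Azure AD object ID: ${access.objectId}`);
  }
  if (access.roles.length === 0) {
    throw new Error("at least one role is required");
  }
  for (const role of access.roles) {
    if (!ALLOWED_ROLES.has(role)) {
      throw new Error(`role not permitted for an access group: ${role}`);
    }
  }
  const user = quoteIdentifier(access.displayName);
  const statements = [
    `IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'${escapeLiteral(access.displayName)}')`,
    `    CREATE USER ${user} FROM EXTERNAL PROVIDER;`,
    ...access.roles.map((role) => `ALTER ROLE ${quoteIdentifier(role)} ADD MEMBER ${user};`),
  ];
  return statements.join("\n");
}

export interface DeploymentInputs {
  tenantId: string;
  serverName: string;
  resourceGroupName: string;
  memberObjectIds: string[]; // the `members` array of the admin group
}

/** Return the problems found in the program's inputs; an empty list means they look deployable. */
export function checkDeploymentInputs(inputs: DeploymentInputs): string[] {
  const problems: string[] = [];
  if (!isGuid(inputs.tenantId)) {
    problems.push("tenantId must be the tenant's GUID");
  }
  const named: Array<[string, string]> = [
    ["serverName", inputs.serverName],
    ["resourceGroupName", inputs.resourceGroupName],
  ];
  for (const [key, value] of named) {
    if (value.trim() === "" || value.startsWith("your-")) {
      problems.push(`${key} still holds a placeholder value`);
    }
  }
  if (!SERVER_NAME_RE.test(inputs.serverName)) {
    problems.push("serverName is not a valid Azure SQL server name");
  }
  if (inputs.memberObjectIds.length === 0) {
    problems.push("members is empty: no one will be able to administer the server");
  }
  for (const id of inputs.memberObjectIds) {
    if (!isGuid(id)) {
      problems.push(`member ${id} is not an object ID`);
    }
  }
  return problems;
}
```

`checkDeploymentInputs` is meant to run before `pulumi up` (for example in a pre-deploy script) so that the placeholder strings from the program above never reach Azure. `buildGroupAccessSql` quotes identifiers and literals itself because group display names are free text chosen in the directory, and an unquoted name would otherwise be spliced straight into the generated T-SQL.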