hashicorp · katbyte · Oct 26, 2022 · Nov 14, 2021 · Sep 25, 2022 · Sep 25, 2022
@@ -50,6 +50,11 @@ func resourceMsSqlTransparentDataEncryption() *pluginsdk.Resource {
 				Optional:     true,
 				ValidateFunc: keyVaultValidate.NestedItemId,
 			},
+			"auto_rotation_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -87,8 +92,9 @@ func resourceMsSqlTransparentDataEncryptionCreateUpdate(d *pluginsdk.ResourceDat
 
 		// Set the SQL Server Key properties
 		serverKeyProperties := sql.ServerKeyProperties{
-			ServerKeyType: serverKeyType,
-			URI:           &keyVaultKeyId,
+			ServerKeyType:       serverKeyType,
+			URI:                 &keyVaultKeyId,
+			AutoRotationEnabled: utils.Bool(d.Get("auto_rotation_enabled").(bool)),
 		}
 		serverKey.ServerKeyProperties = &serverKeyProperties
 
@@ -121,8 +127,9 @@ func resourceMsSqlTransparentDataEncryptionCreateUpdate(d *pluginsdk.ResourceDat
 
 	// Service managed doesn't require a key name
 	encryptionProtectorProperties := sql.EncryptionProtectorProperties{
-		ServerKeyType: serverKeyType,
-		ServerKeyName: &serverKeyName,
+		ServerKeyType:       serverKeyType,
+		ServerKeyName:       &serverKeyName,
+		AutoRotationEnabled: utils.Bool(d.Get("auto_rotation_enabled").(bool)),
 	}
 
 	// Only create a server key if the properties have been set
@@ -185,16 +192,25 @@ func resourceMsSqlTransparentDataEncryptionRead(d *pluginsdk.ResourceData, meta
 	log.Printf("[INFO] Encryption protector key type is %s", resp.EncryptionProtectorProperties.ServerKeyType)
 
 	keyVaultKeyId := ""
-
+	autoRotationEnabled := false
 	// Only set the key type if it's an AKV key. For service managed, we can omit the setting the key_vault_key_id
 	if resp.EncryptionProtectorProperties != nil && resp.EncryptionProtectorProperties.ServerKeyType == sql.ServerKeyTypeAzureKeyVault {
 		log.Printf("[INFO] Setting Key Vault URI to %s", *resp.EncryptionProtectorProperties.URI)
 
 		keyVaultKeyId = *resp.EncryptionProtectorProperties.URI
+
+		// autoRotation is only for AKV keys
+		if resp.EncryptionProtectorProperties.AutoRotationEnabled != nil {
+			autoRotationEnabled = *resp.EncryptionProtectorProperties.AutoRotationEnabled
+		}
 	}
 
 	if err := d.Set("key_vault_key_id", keyVaultKeyId); err != nil {
-		return fmt.Errorf("setting key_vault_key_id`: %+v", err)
+		return fmt.Errorf("setting `key_vault_key_id`: %+v", err)
+	}
+
+	if err := d.Set("auto_rotation_enabled", autoRotationEnabled); err != nil {
+		return fmt.Errorf("setting `auto_rotation_enabled`: %+v", err)
 	}
 
 	return nil

@@ -30,6 +30,28 @@ func TestAccMsSqlServerTransparentDataEncryption_keyVault(t *testing.T) {
 	})
 }
 
+func TestAccMsSqlServerTransparentDataEncryption_autoRotate(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_mssql_server_transparent_data_encryption", "test")
+	r := MsSqlServerTransparentDataEncryptionResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.autoRotate(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.keyVault(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccMsSqlServerTransparentDataEncryption_systemManaged(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_mssql_server_transparent_data_encryption", "test")
 	r := MsSqlServerTransparentDataEncryptionResource{}
@@ -88,7 +110,7 @@ func (MsSqlServerTransparentDataEncryptionResource) Exists(ctx context.Context,
 	return utils.Bool(resp.ID != nil), nil
 }
 
-func (r MsSqlServerTransparentDataEncryptionResource) keyVault(data acceptance.TestData) string {
+func (r MsSqlServerTransparentDataEncryptionResource) baseKeyVault(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
 
@@ -141,12 +163,30 @@ resource "azurerm_key_vault_key" "generated" {
     azurerm_key_vault.test,
   ]
 }
+`, r.server(data), data.RandomStringOfLength(5))
+}
+
+func (r MsSqlServerTransparentDataEncryptionResource) keyVault(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
 
 resource "azurerm_mssql_server_transparent_data_encryption" "test" {
   server_id        = azurerm_mssql_server.test.id
   key_vault_key_id = azurerm_key_vault_key.generated.id
 }
-`, r.server(data), data.RandomStringOfLength(5))
+`, r.baseKeyVault(data))
+}
+
+func (r MsSqlServerTransparentDataEncryptionResource) autoRotate(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_mssql_server_transparent_data_encryption" "test" {
+  server_id             = azurerm_mssql_server.test.id
+  key_vault_key_id      = azurerm_key_vault_key.generated.id
+  auto_rotation_enabled = true
+}
+`, r.baseKeyVault(data))
 }
 
 func (r MsSqlServerTransparentDataEncryptionResource) systemManaged(data acceptance.TestData) string {

@@ -156,6 +156,8 @@ The following arguments are supported:
 
 ~> **NOTE:** If `server_id` denotes a secondary server deployed for disaster recovery purposes, then the `key_vault_key_id` should be the same key used for the primary server's transparent data encryption. Both primary and secondary servers should be encrypted with same key material.
 
+* `auto_rotation_enabled` - (Optional) When enabled, the server will continuously check the key vault for any new versions of the key being used as the TDE protector. If a new version of the key is detected, the TDE protector on the server will be automatically rotated to the latest key version within 60 minutes.
+
 ## Attributes Reference
 
 In addition to the Arguments listed above - the following Attributes are exported: