Added new resource azurerm_mssql_managed_instance_transparent_data_encryption, azurerm_mssql_managed_instance changes.

[dkuzmenok]

Description

There is no existing way to define Transparent Data Encryption for SQL Managed Instance.
UserAssigned identities are not allowed in azurerm_mssql_managed_instance resources.

Issues:

• Fixes Support for SQL Managed Instance - User Assigned Managed Identity #15277
• Fixes Support for MSSQL Managed Instance - Transparent data encryption #14567

Changes

• Added separate resource azurerm_mssql_managed_instance_transparent_data_encryption that controls usage of KeyVault Key over SQL Managed Instance.
• Added a customer_managed_key field to azurerm_mssql_managed_instance data source to include KeyVault Key information.
• Added support of UserAssigned identity into azurerm_mssql_managed_instance resource and data source.

Tests

 # go test -v -timeout 300000s -run ^TestAccMsSqlManagedInstanceTransparentDataEncryption_ github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/
=== RUN   TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultSystemAssignedIdentity
=== PAUSE TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultSystemAssignedIdentity
=== RUN   TestAccMsSqlManagedInstanceTransparentDataEncryption_systemManaged
=== PAUSE TestAccMsSqlManagedInstanceTransparentDataEncryption_systemManaged
=== RUN   TestAccMsSqlManagedInstanceTransparentDataEncryption_update
=== PAUSE TestAccMsSqlManagedInstanceTransparentDataEncryption_update
=== CONT  TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultSystemAssignedIdentity
=== CONT  TestAccMsSqlManagedInstanceTransparentDataEncryption_systemManaged
=== CONT  TestAccMsSqlManagedInstanceTransparentDataEncryption_update
--- PASS: TestAccMsSqlManagedInstanceTransparentDataEncryption_systemManaged (15390.06s)
--- PASS: TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultSystemAssignedIdentity (15521.54s)
--- PASS: TestAccMsSqlManagedInstanceTransparentDataEncryption_update (15627.88s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql 15627.906s
#

# go test -v -timeout 300000s -run ^TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultUserAssignedIdentity$ github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/
=== RUN   TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultUserAssignedIdentity
=== PAUSE TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultUserAssignedIdentity
=== CONT  TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultUserAssignedIdentity
--- PASS: TestAccMsSqlManagedInstanceTransparentDataEncryption_keyVaultUserAssignedIdentity (16018.16s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql 16018.181s
#

[dkuzmenok]

That is almost a copy-paste from azurerm_mssql_server_transparent_data_encryption.
It seems API side is also copy pasted from MSSQL Server TDE, so should work with same logic serverside.

[katbyte]

we are getting a bunch of test failures for this resource:

Error: waiting for creation of Managed Instance: (Name "acctestsqlserver221102190109220892" / Resource Group "acctestRG1-sql-221102190109220892"): Code="Failed" Message="The async operation failed." AdditionalInfo=[{"id":"/subscriptions/*******/resourceGroups/acctestRG1-sql-221102190109220892/providers/Microsoft.Sql/managedInstances/acctestsqlserver221102190109220892","identity":{"type":"UserAssigned","userAssignedIdentities":{}},"location":"westeurope","name":"acctestsqlserver221102190109220892","properties":{"administratorLogin":"missadministrator","collation":"SQL_Latin1_General_CP1_CI_AS","licenseType":"BasePrice","maintenanceConfigurationId":"/subscriptions/*******/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_Default","minimalTlsVersion":"1.2","privateEndpointConnections":[],"provisioningState":"Failed","proxyOverride":"Default","publicDataEndpointEnabled":false,"state":"CreationFailed","storageAccountType":"GRS","storageSizeInGB":32,"subnetId":"/subscriptions/*******/resourceGroups/acctestRG1-sql-221102190109220892/providers/Microsoft.Network/virtualNetworks/acctest-vnet1-221102190109220892/subnets/subnet1-221102190109220892","timezoneId":"UTC","vCores":4,"zoneRedundant":false},"sku":{"capacity":4,"family":"Gen5","name":"GP_Gen5","tier":"GeneralPurpose"},"tags":{"database":"test","environment":"staging"},"type":"Microsoft.Sql/managedInstances"}]

however i'm not sure if its these changes or something on the service side :/

[dkuzmenok]

we are getting a bunch of test failures for this resource:

Error: waiting for creation of Managed Instance: (Name "acctestsqlserver221102190109220892" / Resource Group "acctestRG1-sql-221102190109220892"): Code="Failed" Message="The async operation failed." AdditionalInfo=[{"id":"/subscriptions/*******/resourceGroups/acctestRG1-sql-221102190109220892/providers/Microsoft.Sql/managedInstances/acctestsqlserver221102190109220892","identity":{"type":"UserAssigned","userAssignedIdentities":{}},"location":"westeurope","name":"acctestsqlserver221102190109220892","properties":{"administratorLogin":"missadministrator","collation":"SQL_Latin1_General_CP1_CI_AS","licenseType":"BasePrice","maintenanceConfigurationId":"/subscriptions/*******/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_Default","minimalTlsVersion":"1.2","privateEndpointConnections":[],"provisioningState":"Failed","proxyOverride":"Default","publicDataEndpointEnabled":false,"state":"CreationFailed","storageAccountType":"GRS","storageSizeInGB":32,"subnetId":"/subscriptions/*******/resourceGroups/acctestRG1-sql-221102190109220892/providers/Microsoft.Network/virtualNetworks/acctest-vnet1-221102190109220892/subnets/subnet1-221102190109220892","timezoneId":"UTC","vCores":4,"zoneRedundant":false},"sku":{"capacity":4,"family":"Gen5","name":"GP_Gen5","tier":"GeneralPurpose"},"tags":{"database":"test","environment":"staging"},"type":"Microsoft.Sql/managedInstances"}]

however i'm not sure if its these changes or something on the service side :/

Should not be related to my changes. I was not touching server resource. But usually creation of the SQL MI takes 5 hours each (plus up to 2 hours for removing it).
Maybe your test suite is timing out?

I will fix conflicts and also include latest changes for autoRotation.

[manicminer]

Thanks for this @dkuzmenok! The test failures seem unrelated to these changes. I made some documentation tweaks but this otherwise LGTM 🧢

[dkuzmenok]

@manicminer Thanks for your review! I want to include a smaller change to include autorotate functionality. That would avoid introducing more changes in the future. It is basically implemented already for azurerm_mssql_server here - #18523

[manicminer]

@dkuzmenok Sounds good, if you want to go ahead and add that in then I'll re-run the acceptance tests. Thanks!

[dkuzmenok]

@manicminer Coming late, sorry. I've pushed my auto_rotation_enabled change.
Can't run the full test for it, because my subscription has dangling resources, but the test was vefiried by API without problems, no fingers crossed.

[manicminer]

This looks great, thanks @dkuzmenok! Just waiting on the tests to finish before merging.

[manicminer]

@dkuzmenok Looks like we have a test failure if you can take a look?

------- Stdout: -------
=== RUN   TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate
=== PAUSE TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate
=== CONT  TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate
testcase.go:110: Step 1/2 error: Check failed: Check 2/2 error: azurerm_mssql_managed_instance_transparent_data_encryption.test: Attribute 'key_vault_key_id' expected "", got "https://acctestsqlserver06746.vault.azure.net/keys/keyVault/331f19d5415e46839a960ea1594e009f
--- FAIL: TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate (19673.48s)
FAIL

[dkuzmenok]

@manicminer I have pushed a change with a fix for the test.

Was able to test in on new subscription:

$ go test -v -timeout 30000s -run ^TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate$ github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql/
=== RUN   TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate
=== PAUSE TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate
=== CONT  TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate
--- PASS: TestAccMsSqlManagedInstanceTransparentDataEncryption_autoRotate (17414.64s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/mssql 17414.650s

[manicminer]

@dkuzmenok Thanks for the changes, this LGTM, we are just having some trouble with test timeouts (instances taking >12hrs to create/destroy) but hopefully this will pass today and we can merge this 😬

[dkuzmenok]

@manicminer On my subscription I've had SQL MI hanged, so had to create a support request to remove them (was not able to remove for about a month)...

[dkuzmenok]

@manicminer Are there any news with the testing progress? Are we good?

[manicminer]

@dkuzmenok We continue to have problems testing this resource. However, between the test runs, there has been enough coverage by passing tests (both before and after the addition of auto rotation) that I'm satisfied to merge this.

[github-actions]

This functionality has been released in v3.33.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.