1
votes

Within the Terraform Azure server I have whitelisted the IPs but cannot access the server with anything but the admin login. Is there an additional configuration/role needed to permit Active Directory access that I am missing?

script:

# Create Server using keyvault secrets for user/pw
resource "azurerm_sql_server" "sqlserver" {
  name                         = "sql-${var.suffix}"
  resource_group_name          = var.resource_group_name
  location                     = var.location
  version                      = "12.0"
  administrator_login          = data.azurerm_key_vault_secret.sqlserverusr.value
  administrator_login_password = data.azurerm_key_vault_secret.sqlserverpw.value
}

# Create SQL Server firewall rule for Azure resources access
resource "azurerm_sql_firewall_rule" "azureservicefirewall" {
  name                = "allow-azure-service"
  resource_group_name = var.resource_group_name
  server_name         = azurerm_sql_server.sqlserver.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}

1 Answers

2
votes

When you set start_ip_address = "0.0.0.0" and end_ip_address = "0.0.0.0" in the SQL server firewall, it actually sets "Allow Azure services and resources to access this server" to Yes. That means your server accepts communication from any subnet inside the Azure boundary, i.e. originating from one of the IP addresses recognized as being within the ranges defined for Azure datacenters.

If you want to access your SQL server from the Internet, you need to add the public IP address of your client. Then change it like this:

  start_ip_address    = "73.118.x.x"
  end_ip_address      = "73.118.x.x"

If you want to set a user or group as the AD administrator for an Azure SQL server, you can use azurerm_sql_active_directory_administrator:

# Identity (tenant and object ID) of the principal running Terraform
data "azurerm_client_config" "current" {}

resource "azurerm_sql_active_directory_administrator" "example" {
  server_name         = azurerm_sql_server.sqlserver.name
  # Same resource group as the server defined in the question
  resource_group_name = var.resource_group_name
  login               = "sqladmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  # The principal running Terraform becomes the AD admin;
  # substitute the object_id of another user or group if needed
  object_id           = data.azurerm_client_config.current.object_id
}

Whatever the authentication method you are using, you still need to ensure the network connectivity is successful.
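Putting the two points of the answer together, here is an added example (not code from the question or the answer) that replaces the broad "allow Azure services" rule with one narrow rule per named client address and makes an Azure AD group, rather than the identity running Terraform, the AD administrator. It assumes the azurerm_sql_server.sqlserver resource and var.resource_group_name from the question, and the variable names, the RFC 5737 placeholder addresses and the group object ID placeholder are assumptions to replace with your own values. Note that current azurerm provider releases deprecate the azurerm_sql_* resources in favour of the azurerm_mssql_* equivalents; the attribute layout shown here follows the page's azurerm_sql_* resources.

```hcl
# Added example, not part of the original question or answer.
# Assumes azurerm_sql_server.sqlserver and var.resource_group_name exist
# as in the question, and that azurerm_client_config is not declared elsewhere
# under the name "this".

# Named public client addresses allowed to reach the server from the Internet.
# Placeholder values (RFC 5737 documentation range); replace with real egress IPs.
variable "client_ips" {
  type = map(string)
  default = {
    office = "203.0.113.10" # placeholder
    vpn    = "203.0.113.20" # placeholder
  }
}

# Object ID of the Azure AD group that should administer the server.
# Placeholder: look it up in the portal or with `az ad group show`.
variable "sql_admin_group_object_id" {
  type = string
}

# Tenant of the principal running Terraform.
data "azurerm_client_config" "this" {}

# One single-address rule per client instead of an open range.
# Because start and end are equal, each rule admits exactly one IP.
resource "azurerm_sql_firewall_rule" "client" {
  for_each            = var.client_ips
  name                = "allow-${each.key}"
  resource_group_name = var.resource_group_name
  server_name         = azurerm_sql_server.sqlserver.name
  start_ip_address    = each.value
  end_ip_address      = each.value
}

# Azure AD administrator set to a group, so admin membership is managed in
# Azure AD rather than by re-running Terraform for each person.
resource "azurerm_sql_active_directory_administrator" "aad_admin" {
  server_name         = azurerm_sql_server.sqlserver.name
  resource_group_name = var.resource_group_name
  login               = "sql-admins" # display label only; not used for authentication
  tenant_id           = data.azurerm_client_config.this.tenant_id
  object_id           = var.sql_admin_group_object_id
}
```

With this in place, a client still has to satisfy both conditions the answer describes: its public address must match one of the firewall rules (a quick check is a TCP connection to sql-<suffix>.database.windows.net on port 1433), and it must authenticate with an Azure AD method (for example the Active Directory options in SSMS, or sqlcmd with the -G switch) as a member of the admin group. A connection that is refused at the TCP level is a firewall problem; one that connects and then fails logon is an authentication or membership problem.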