azurerm_mssql_outbound_firewall_rule - New resource

[aristosvo]

Fixes #14691

Acceptance Tests

To Do:

• Docs azurerm_mssql_outbound_firewall_rule
• Docs azurerm_mssql_server

[katbyte]

Thanks @aristosvo - looks like this is missing docs.. also shouldn't there be more properties for a firewall rule 🤔

[aristosvo]

@katbyte These are the options from the Portal:

I'll add docs tonight!

[katbyte]

Hmm, it seems like this is a per server setting - ie 1:1 for the resource, and just flips a boolean setting for that server?

maybe this would be best as a restrict_outbound_networking property on the server rather than a separate resource?

[aristosvo]

It's two kind of settings:

• a switch on server level to restrict outbound traffic
• a list of FQDNs which are allowed to receive traffic (the actual firewall rules)

My thinking was to mimic inbound firewall rules setup, which has:

• a switch on server level to restrict inbound traffic
• a separate resource for the rules, the firewall rules resource

Like this:

# option 1
resource "azurerm_mssql_server" "test" {
  name                         = "acctestsqlserver%[1]d"
  resource_group_name          = azurerm_resource_group.test.name
  location                     = azurerm_resource_group.test.location
  version                      = "12.0"
  administrator_login          = "msincredible"
  administrator_login_password = "P@55W0rD!!%[3]s"

  outbound_network_restriction_enabled = true # new boolean to restrict outbound network
}

# Allows traffic to 'sql%[2]d.database.windows.net'
 resource "azurerm_mssql_outbound_firewall_rule" "test" {
   name      = "sql%[2]d.database.windows.net"
   server_id = azurerm_mssql_server.test.id
 }

I'll happily change it if necessary, I just mimicked the structure for inbound firewall rules. Your suggestion would result in this structure:

resource "azurerm_mssql_server" "test" {
  name                         = "acctestsqlserver%[1]d"
  resource_group_name          = azurerm_resource_group.test.name
  location                     = azurerm_resource_group.test.location
  version                      = "12.0"
  administrator_login          = "msincredible"
  administrator_login_password = "P@55W0rD!!%[3]s"

  # option 2a
  outbound_network_restriction {
   enabled      = true # new boolean to restrict outbound network, can be made implicit
   fqdns_allowed = [ "sql%[2]d.database.windows.net", "test.example.com" ]
  }
  # or option 2b
  # outbound_network_restriction_fqdn_exceptions = [ "sql%[2]d.database.windows.net", "test.example.com" ]
}

Do you prefer the latter implementation (2a/2b)?

[katbyte]

I prefer 2b but given inbound already behaves this way so be it for consistency! thanks @aristosvo - LBTM 🚀

[github-actions]

This functionality has been released in v2.97.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.