Bicep Module Documentation
← Back to Overview
Module sql-server
sqlServer
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identity | identity | |
| adminUsername | string | Administrator username for the server. Once created it cannot be changed. |
| administrators | administrators | The Azure Active Directory administrator of the server. This can only be used at server create time. If used for server update, it will be ignored or it will result in an error. For updates individual APIs will need to be used. |
| federatedClientId | string | The Client id used for cross tenant CMK scenario |
| keyId | string | A CMK URI of the key to use for encryption. |
| minimalTlsVersion | '1.0' '1.1' '1.2' |
Minimal TLS version. Allowed values: 1.0, 1.1, 1.2 (default: 1.2) |
| primaryUserAssignedIdentityId | string | The resource id of a user assigned identity to be used by default. |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be Enabled or Disabled (default: disabled) |
| restrictOutboundNetworkAccess | string | Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be Enabled or Disabled |
| version | string | The version of the server. |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
| sqlElasticPools | sqlElasticPool[] | SQL Elastic Pools |
| sqlDatabases | sqlDatabase[] | SQL Databases |
| keyVaultId (required) | string | Keyvault for storing the password |
| keyVaultSecretName (required) | string | Name of the key vault secret in the key vault |
| firewallRules | sqlFirewallRule[] | Firewall rules for public access |
| virtualNetworkRules | sqlVirtualNetworkRule[] | Virtual network rules |
| auditingSettings | auditingSettings | SQL Auditing settings |
identity
| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
administrators
| Property | Value | Description |
|---|---|---|
| azureADOnlyAuthentication | bool | Azure Active Directory only Authentication enabled. |
| login (required) | string | Login name of the server administrator. |
| principalType (required) | 'Application' 'Group' 'User' |
Principal Type of the sever administrator. |
| sid | string | SID (object ID) of the server administrator. |
| tenantId | string | Tenant ID of the administrator. |
auditingSettings
| Property | Value | Description |
|---|---|---|
| auditActionsAndGroups | string[] | Specifies the Actions-Groups and Actions to audit. (default: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP) |
| isAzureMonitorTargetEnabled | bool | Specifies whether audit events are sent to Azure Monitor. (default: false) |
| isManagedIdentityInUse | bool | Specifies whether Managed Identity is used to access blob storage |
| retentionDays | int | Specifies the number of days to keep in the audit logs in the storage account. |
| state | 'Disabled' 'Enabled' |
Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required. (default: Enabled) |
| storageAccountSubscriptionId | string | Specifies the blob storage subscription Id. |
| storageEndpoint | string | Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required. |
sqlElasticPool
| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| sku (required) | sku | SKU properties |
| highAvailabilityReplicaCount | int | The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools. |
| licenseType | 'BasePrice' 'LicenseIncluded' |
The license type to apply for this elastic pool. (az sql elastic-pool list-editions -l {location} -o table) |
| maintenanceConfigurationId | string | Maintenance configuration id assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur. |
| maxSizeBytes | int | The storage limit for the database elastic pool in bytes. |
| minCapacity | int | Minimal capacity that serverless pool will not shrink below, if not paused |
| perDatabaseSettings | perDatabaseSettings | The per database settings for the elastic pool. |
| zoneRedundant | bool | Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. |
| sqlElasticPoolDatabases (required) | sqlDatabase[] | SQL Databases in Elastic Pool |
sku
| Property | Value | Description |
|---|---|---|
| name | string | The name of the SKU, typically, a letter + Number code, e.g. P3. (az sql db list-editions -l {location} -o table) (default: Basic) |
| family | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. |
| capacity | int | Capacity of the particular SKU. |
| size | string | Size of the particular SKU |
| tier | string | The tier or edition of the particular SKU, e.g. Basic, Premium. |
perDatabaseSettings
| Property | Value | Description |
|---|---|---|
| maxCapacity | int | The maximum capacity any one database can consume. |
| minCapacity | int | The minimum capacity all databases are guaranteed. |
sqlDatabase
| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| sku | sku | SKU properties |
| autoPauseDelay | int | Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled |
| catalogCollation | 'DATABASE_DEFAULT' 'SQL_Latin1_General_CP1_CI_AS' |
Collation of the metadata catalog. |
| collation | string | Collation of the database. |
| createMode | 'Copy' 'Default' 'OnlineSecondary' 'PointInTimeRestore' 'Recovery' 'Restore' 'RestoreExternalBackup' 'RestoreExternalBackupSecondary' 'RestoreLongTermRetentionBackup' 'Secondary' |
Specifies the mode of database creation. |
| elasticPoolId | string | The resource identifier of the elastic pool containing this database. |
| federatedClientId | string | The Client id used for cross tenant per database CMK scenario |
| highAvailabilityReplicaCount | int | The number of secondary replicas associated with the database that are used to provide high availability. Not applicable to a Hyperscale database within an elastic pool. |
| isLedgerOn | bool | Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. |
| licenseType | 'BasePrice' 'LicenseIncluded' |
The license type to apply for this database. LicenseIncluded if you need a license, or BasePrice if you have a license and are eligible for the Azure Hybrid Benefit. |
| longTermRetentionBackupResourceId | string | The resource identifier of the long term retention backup associated with create operation of this database. |
| maintenanceConfigurationId | string | Maintenance configuration id assigned to the database. This configuration defines the period when the maintenance updates will occur. |
| maxSizeBytes | int | The max size of the database expressed in bytes. |
| minCapacity | int | Minimal capacity that database will always have allocated, if not paused To specify a decimal value, use the json() function. |
| preferredEnclaveType | 'Default' 'VBS' |
Type of enclave requested on the database i.e. Default or VBS enclaves. |
| readScale | 'Disabled' 'Enabled' |
The state of read-only routing. If enabled, connections that have application intent set to readonly in their connection string may be routed to a readonly secondary replica in the same region. Not applicable to a Hyperscale database within an elastic pool. |
| recoverableDatabaseId | string | The resource identifier of the recoverable database associated with create operation of this database. |
| recoveryServicesRecoveryPointId | string | The resource identifier of the recovery point associated with create operation of this database. |
| requestedBackupStorageRedundancy | 'Geo' 'GeoZone' 'Local' 'Zone' |
The storage account type to be used to store backups for this database. |
| restorableDroppedDatabaseId | string | The resource identifier of the restorable dropped database associated with create operation of this database. |
| restorePointInTime | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. |
| sampleName | 'AdventureWorksLT' 'WideWorldImportersFull' 'WideWorldImportersStd' |
The name of the sample schema to apply when creating this database. |
| secondaryType | 'Geo' 'Named' 'Standby' |
The secondary type of the database if it is a secondary. Valid values are Geo, Named and Standby. |
| sourceDatabaseId | string | The resource identifier of the source database associated with create operation of this database. |
| sourceResourceId | string | The resource identifier of the source associated with the create operation of this database. |
| zoneRedundant | bool | Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones. |
| partnerServersId | string | Resource identifier of the partner server |
| failoverPolicy | 'Automatic' 'Manual' |
Failover policy of the read-write endpoint for the failover group. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required. |
| failoverWithDataLossGracePeriodMinutes | int | Grace period before failover with data loss is attempted for the read-write endpoint: min 60 |
sqlFirewallRule
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| startIpAddress (required) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value 0.0.0.0 for all Azure-internal IP addresses. |
| endIpAddress (required) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value 0.0.0.0 for all Azure-internal IP addresses. |
sqlVirtualNetworkRule
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| ignoreMissingVnetServiceEndpoint | bool | Create firewall rule before the virtual network has vnet service endpoint enabled. (default: true) |
| virtualNetworkSubnetId (required) | string | The ARM resource id of the virtual network subnet. |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
10.1.0 (2025-11-03)
Features
- add audit logging
10.0.0 (2025-10-06)
⚠ BREAKING CHANGES
- update api versions & require keyVaultSecretName for admin password
Features
- update api versions & require keyVaultSecretName for admin password
9.1.4 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
9.1.3 (2025-06-11)
Bug Fixes
- resolve code inaccuracy for Entra administrators
9.1.2 (2025-05-14)
Bug Fixes
- mitigate error when FailoverGroup not specified
9.1.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
9.1.0 (2025-03-26)
Features
- add resourceName output
9.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
8.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.