Bicep Module Documentation

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identity | identity | |
| adminUsername | string | Administrator username for the server. This value cannot be changed once created. If the SQL server was initially created using azureADOnlyAuthentication, then Azure will generate a random username starting with CloudSA which cannot be changed. (default: arxus) |
| administrators | administrators | The Entra ID administrator of the server. |
| federatedClientId | string | The Client id used for cross tenant CMK scenario |
| keyId | string | A CMK URI of the key to use for encryption. |
| minimalTlsVersion | '1.0' '1.1' '1.2' | Minimal TLS version. Allowed values: 1.0, 1.1, 1.2 (default: 1.2) |
| primaryUserAssignedIdentityId | string | The resource id of a user assigned identity to be used by default. |
| publicNetworkAccess | 'Disabled' 'Enabled' | Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be Enabled or Disabled (default: disabled) |
| restrictOutboundNetworkAccess | string | Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be Enabled or Disabled |
| version | string | The version of the server. |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
| sqlElasticPools | sqlElasticPool[] | SQL Elastic Pools |
| sqlDatabases | sqlDatabase[] | SQL Databases |
| keyVaultId | string | Key Vault Resource ID where the password is stored. Cannot be combined with azureADOnlyAuthentication. |
| keyVaultSecretName | string | Name of the Key Vault secret in the Key Vault. Cannot be combined with azureADOnlyAuthentication. |
| firewallRules | sqlFirewallRule[] | Firewall rules for public access |
| virtualNetworkRules | sqlVirtualNetworkRule[] | Virtual network rules |
| auditingSettings | auditingSettings | SQL Auditing settings |
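
Added example, not the module's own code: a locked-down parameter set that combines the server-level settings from the table above (Entra ID-only administration, TLS 1.2 minimum, public endpoint off, private link, auditing to Azure Monitor). The module path, location, group object id and subnet/DNS zone ids are placeholders; the parameter names are the ones documented here. Because azureADOnlyAuthentication is set, keyVaultId and keyVaultSecretName are deliberately left out, as the table says the two cannot be combined.

```bicep
// Added example (not the module's own code). The module path and every id below are
// placeholders; parameter names follow the module documentation tables.
param subnetId string               // placeholder: subnet that hosts the private endpoint
param privateDnsZoneId string       // placeholder: private DNS zone linked to the endpoint
param sqlAdminsGroupObjectId string // placeholder: object id of the Entra ID admin group

module sqlServer './modules/sql-server/main.bicep' = { // placeholder path
  name: 'sql-server-hardened'
  params: {
    general: {
      location: 'westeurope'
      resourceGroupName: 'rg-placeholder'
      naming: {
        function: 'db'
        environment: 'prd'
        location: 'weu'
        customer: 'contoso' // placeholder customer name
      }
      sharedNaming: {
        function: 'shared'
      }
      tags: {
        owner: 'data-platform'
      }
    }
    identity: {
      type: 'SystemAssigned'
    }
    // Entra ID-only authentication: no SQL password exists, so keyVaultId and
    // keyVaultSecretName are intentionally not set (they cannot be combined with it).
    administrators: {
      azureADOnlyAuthentication: true
      login: 'sql-admins'
      principalType: 'Group'
      sid: sqlAdminsGroupObjectId
      tenantId: tenant().tenantId
    }
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
    restrictOutboundNetworkAccess: 'Enabled'
    // With the public endpoint disabled, clients reach the server only via private link;
    // no firewallRules are needed and none are given.
    privateLink: {
      subnets: [
        {
          id: subnetId
        }
      ]
      dnsZoneIds: [
        privateDnsZoneId
      ]
    }
    // state 'Enabled' requires storageEndpoint or isAzureMonitorTargetEnabled;
    // Azure Monitor is chosen here so no storage account has to be exposed.
    auditingSettings: {
      state: 'Enabled'
      isAzureMonitorTargetEnabled: true
      retentionDays: 90
    }
    sqlDatabases: [
      {
        naming: {
          function: 'app'
        }
        sku: {
          name: 'S0'
          tier: 'Standard'
        }
        requestedBackupStorageRedundancy: 'Zone'
      }
    ]
  }
}
```

The default auditActionsAndGroups (batch completion plus successful and failed authentication groups) is kept, so failed logins against the server land in the audit stream without extra configuration.
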

| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |

| Property | Value | Description |
|---|---|---|
| azureADOnlyAuthentication | bool | Entra ID-only authentication enabled. (default: false) |
| login (required) | string | Login name of the server administrator. |
| principalType (required) | 'Application' 'Group' 'User' | Principal type of the server administrator. |
| sid | string | SID (object ID) of the server administrator. |
| tenantId | string | Tenant ID of the administrator. |

| Property | Value | Description |
|---|---|---|
| auditActionsAndGroups | string[] | Specifies the Actions-Groups and Actions to audit. (default: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP) |
| isAzureMonitorTargetEnabled | bool | Specifies whether audit events are sent to Azure Monitor. (default: false) |
| isManagedIdentityInUse | bool | Specifies whether Managed Identity is used to access blob storage |
| retentionDays | int | Specifies the number of days to keep in the audit logs in the storage account. |
| state | 'Disabled' 'Enabled' | Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required. (default: Enabled) |
| storageAccountSubscriptionId | string | Specifies the blob storage subscription Id. |
| storageEndpoint | string | Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required. |

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| sku (required) | sku | SKU properties |
| highAvailabilityReplicaCount | int | The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools. |
| licenseType | 'BasePrice' 'LicenseIncluded' | The license type to apply for this elastic pool. (az sql elastic-pool list-editions -l {location} -o table) |
| maintenanceConfigurationId | string | Maintenance configuration id assigned to the elastic pool. This configuration defines the period when the maintenance updates will occur. |
| maxSizeBytes | int | The storage limit for the database elastic pool in bytes. |
| minCapacity | int | Minimal capacity that serverless pool will not shrink below, if not paused |
| perDatabaseSettings | perDatabaseSettings | The per database settings for the elastic pool. |
| zoneRedundant | bool | Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones. |
| sqlElasticPoolDatabases (required) | sqlDatabase[] | SQL Databases in Elastic Pool |

| Property | Value | Description |
|---|---|---|
| name | string | The name of the SKU, typically, a letter + Number code, e.g. P3. (az sql db list-editions -l {location} -o table) (default: Basic) |
| family | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. |
| capacity | int | Capacity of the particular SKU. |
| size | string | Size of the particular SKU |
| tier | string | The tier or edition of the particular SKU, e.g. Basic, Premium. |

| Property | Value | Description |
|---|---|---|
| maxCapacity | int | The maximum capacity any one database can consume. |
| minCapacity | int | The minimum capacity all databases are guaranteed. |

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| sku | sku | SKU properties |
| autoPauseDelay | int | Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled |
| catalogCollation | 'DATABASE_DEFAULT' 'SQL_Latin1_General_CP1_CI_AS' | Collation of the metadata catalog. |
| collation | string | Collation of the database. |
| createMode | 'Copy' 'Default' 'OnlineSecondary' 'PointInTimeRestore' 'Recovery' 'Restore' 'RestoreExternalBackup' 'RestoreExternalBackupSecondary' 'RestoreLongTermRetentionBackup' 'Secondary' | Specifies the mode of database creation. |
| elasticPoolId | string | The resource identifier of the elastic pool containing this database. |
| federatedClientId | string | The Client id used for cross tenant per database CMK scenario |
| highAvailabilityReplicaCount | int | The number of secondary replicas associated with the database that are used to provide high availability. Not applicable to a Hyperscale database within an elastic pool. |
| isLedgerOn | bool | Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. |
| licenseType | 'BasePrice' 'LicenseIncluded' | The license type to apply for this database. LicenseIncluded if you need a license, or BasePrice if you have a license and are eligible for the Azure Hybrid Benefit. |
| longTermRetentionBackupResourceId | string | The resource identifier of the long term retention backup associated with create operation of this database. |
| maintenanceConfigurationId | string | Maintenance configuration id assigned to the database. This configuration defines the period when the maintenance updates will occur. |
| maxSizeBytes | int | The max size of the database expressed in bytes. |
| minCapacity | int | Minimal capacity that the database will always have allocated, if not paused. To specify a decimal value, use the json() function. |
| preferredEnclaveType | 'Default' 'VBS' | Type of enclave requested on the database, i.e. Default or VBS enclaves. |
| readScale | 'Disabled' 'Enabled' | The state of read-only routing. If enabled, connections that have application intent set to readonly in their connection string may be routed to a readonly secondary replica in the same region. Not applicable to a Hyperscale database within an elastic pool. |
| recoverableDatabaseId | string | The resource identifier of the recoverable database associated with create operation of this database. |
| recoveryServicesRecoveryPointId | string | The resource identifier of the recovery point associated with create operation of this database. |
| requestedBackupStorageRedundancy | 'Geo' 'GeoZone' 'Local' 'Zone' | The storage account type to be used to store backups for this database. |
| restorableDroppedDatabaseId | string | The resource identifier of the restorable dropped database associated with create operation of this database. |
| restorePointInTime | string | Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. |
| sampleName | 'AdventureWorksLT' 'WideWorldImportersFull' 'WideWorldImportersStd' | The name of the sample schema to apply when creating this database. |
| secondaryType | 'Geo' 'Named' 'Standby' | The secondary type of the database if it is a secondary. Valid values are Geo, Named and Standby. |
| sourceDatabaseId | string | The resource identifier of the source database associated with create operation of this database. |
| sourceResourceId | string | The resource identifier of the source associated with the create operation of this database. |
| zoneRedundant | bool | Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones. |
| partnerServersId | string | Resource identifier of the partner server |
| failoverPolicy | 'Automatic' 'Manual' | Failover policy of the read-write endpoint for the failover group. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required. |
| failoverWithDataLossGracePeriodMinutes | int | Grace period before failover with data loss is attempted for the read-write endpoint: min 60 |

| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| startIpAddress (required) | string | The start IP address of the firewall rule. Must be IPv4 format. Use value 0.0.0.0 for all Azure-internal IP addresses. |
| endIpAddress (required) | string | The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value 0.0.0.0 for all Azure-internal IP addresses. |

| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| ignoreMissingVnetServiceEndpoint | bool | Create firewall rule before the virtual network has vnet service endpoint enabled. (default: true) |
| virtualNetworkSubnetId (required) | string | The ARM resource id of the virtual network subnet. |
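
Added example, not the module's own code, for the firewall rule and virtual network rule tables above: how to express network access for a server whose public endpoint must stay enabled. The 0.0.0.0 rule documented above ("all Azure-internal IP addresses") matches traffic from any Azure resource, including other customers' subscriptions, so it is gated behind an explicit parameter that defaults to off, while known clients get single-address rules and Azure-hosted clients come in through a virtual network rule. The module path, subnet id and the 203.0.113.10 address are placeholders.

```bicep
// Added example (not the module's own code). Module path, ids and addresses are placeholders.
param appSubnetId string // placeholder: subnet that carries the Microsoft.Sql service endpoint

@description('Re-admits every Azure-hosted client from any tenant. Keep false unless a documented dependency needs it.')
param allowAzureServices bool = false

// 0.0.0.0 - 0.0.0.0 is the "all Azure-internal IP addresses" rule from the table:
// it is not limited to resources in your own subscriptions.
var azureServicesRule = [
  {
    name: 'allow-azure-services'
    startIpAddress: '0.0.0.0'
    endIpAddress: '0.0.0.0'
  }
]

// Scoped rules: one address (start == end) per known client egress point.
// 203.0.113.10 is a TEST-NET-3 documentation address used as a placeholder.
var scopedFirewallRules = [
  {
    name: 'office-egress'
    startIpAddress: '203.0.113.10'
    endIpAddress: '203.0.113.10'
  }
]

// Azure-hosted clients are admitted by subnet rather than by IP range.
var vnetRules = [
  {
    name: 'app-subnet'
    virtualNetworkSubnetId: appSubnetId
    // Default is true (the rule is created even if the subnet has no service endpoint yet);
    // false makes the deployment fail early on a subnet that is not actually wired up.
    ignoreMissingVnetServiceEndpoint: false
  }
]

module sqlServer './modules/sql-server/main.bicep' = { // placeholder path
  name: 'sql-server-public-endpoint'
  params: {
    general: {
      location: 'westeurope'
      resourceGroupName: 'rg-placeholder'
      naming: {
        function: 'db'
      }
      sharedNaming: {
        function: 'shared'
      }
    }
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Enabled'
    firewallRules: allowAzureServices ? concat(scopedFirewallRules, azureServicesRule) : scopedFirewallRules
    virtualNetworkRules: vnetRules
  }
}
```

Reviewing a deployment then comes down to two checks: the firewallRules array should contain only single addresses or tight ranges you can attribute to a client, and the 0.0.0.0 rule should appear only when allowAzureServices was set on purpose.
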

| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' | The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |

| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |

| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |

| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' | The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource; if empty, none will be appended, otherwise it will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |

| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |

| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |