Using terraform how do I create an azure sql database from a backup

Following the blog Deploying Azure SQL Database Bacpac and Terraform by John Q. Martin

You can include the bacpac as the source for the database created in Azure.

First, setup the firewall on the Azure SQL Server to prevent any failure during deployment due to blob storage access issue. To ensure this we have to enable “Allow Azure services and resources to access this server”, this allows the two Azure services to communicate.

Setting the Azure SQL Server Firewall

Set both Start_ip and End_ip to 0.0.0.0. This is interpreted by Azure as a firewall rule to allow Azure services.

resource "azurerm_sql_firewall_rule" "allowAzureServices" {
  name                = "Allow_Azure_Services"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}

Defining the Database Resource

We need to use the azurerm_sql_database resource, because the deployment of a bacpac is only supported through this resource type.

The resource definition here is comprised of two main sections, the first being the details around where the database needs to go and the second part being a sub-block which defines the bacpac source details. Here we need to put in the URI for the bacpac file and the storage key, in this case we are using the SAS token for the key to allow access to the bacpac.

We also need to provide the username and password for the server we are creating to allow the import to work because it needs to have authorisation to the Azure SQL Server to work.

provider "azurerm" {
    features {}
}

resource "azurerm_resource_group" "example" {
    name     = "example-resources"
    location = "West Europe"
}

resource "azurerm_storage_account" "example" {
    name                     = "examplesa"
    resource_group_name      = azurerm_resource_group.example.name
    location                 = azurerm_resource_group.example.location
    account_tier             = "Standard"
    account_replication_type = "LRS"
}

resource "azurerm_sql_server" "example" {
  name                         = "myexamplesqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"

  tags = {
    environment = "production"
  }
}

resource "azurerm_sql_firewall_rule" "allowAzureServices" {
  name                = "Allow_Azure_Services"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}


resource "azurerm_sql_database" "appdb01" {
  depends_on                       = [azurerm_sql_firewall_rule.allowAzureServices]
  name                             = "AzSqlDbName"
  resource_group_name              = azurerm_sql_server.example.resource_group_name
  location                         = azurerm_sql_server.example.location
  server_name                      = azurerm_sql_server.example.name
  collation      = "SQL_Latin1_General_CP1_CI_AS"
  requested_service_objective_name = "BC_Gen5_2"
  max_size_gb    = 4
  read_scale     = true
  zone_redundant = true
  

  create_mode = "Default"
  import {
    storage_uri                  = "https://examplesa.blob.core.windows.net/source/Source.bacpac"
    storage_key                  = "gSKjBfoK4toNAWXUdhe6U7YHqBgCBPsvoDKTlh2xlqUQeDcuCVKcU+uwhq61AkQaPIbNnqZbPmYwIRkXp3OzLQ=="
    storage_key_type             = "StorageAccessKey"
    administrator_login          = "4dm1n157r470r"
    administrator_login_password = "4-v3ry-53cr37-p455w0rd"
    authentication_type          = "SQL"
    operation_mode               = "Import"
  }



  extended_auditing_policy {
        storage_endpoint                        = azurerm_storage_account.example.primary_blob_endpoint
        storage_account_access_key              = azurerm_storage_account.example.primary_access_key
        storage_account_access_key_is_secondary = true
        retention_in_days                       = 6
    }


    tags = {
        foo = "bar"
    }
}

Note:

The extended_auditing_policy block has been moved to azurerm_mssql_server_extended_auditing_policy and azurerm_mssql_database_extended_auditing_policy. This block will be removed in version 3.0 of the provider.

requested_service_objective_name - (Optional) The service objective name for the database. Valid values depend on edition and location and may include S0, S1, S2, S3, P1, P2, P4, P6, P11 and ElasticPool. You can list the available names with the cli: shell az sql db list-editions -l westus -o table. For further information please see Azure CLI - az sql db.

And import supports the following:

• storage_uri - (Required) Specifies the blob URI of the .bacpac file.
• storage_key - (Required) Specifies the access key for the storage account.
• storage_key_type - (Required) Specifies the type of access key for the storage account. Valid values are StorageAccessKey or SharedAccessKey.
• administrator_login - (Required) Specifies the name of the SQL administrator.
• administrator_login_password - (Required) Specifies the password of the SQL administrator.
• authentication_type - (Required) Specifies the type of authentication used to access the server. Valid values are SQL or ADPassword.
• operation_mode - (Optional) Specifies the type of import operation being performed. The only allowable value is Import.

Alternately, If you want to continue using the azurerm_mssql_database then we would need to deploy and empty database and then deploy the bacpac via SqlPackage. (Which I haven't tried yet)