
Currently I'm trying to create a universal sql_database module in Terraform. I want to have control over the arguments I want to include in this resource. For example, one time I need only the required arguments, but the next time, in another project, I need them plus the threat_detection_policy block with all nested arguments.

modules/sql_database.tf

```hcl
resource "azurerm_sql_database" "sql-db" {
  name                             = var.sql-db-name
  resource_group_name              = data.azurerm_resource_group.rg-name.name
  location                         = var.location
  server_name                      = var.server-name
  edition                          = var.sql-db-edition
  collation                        = var.collation
  create_mode                      = var.create-mode
  requested_service_objective_name = var.sql-requested-service-objective-name
  read_scale                       = var.read-scale
  zone_redundant                   = var.zone-redundant

  extended_auditing_policy {
    storage_endpoint                        = var.eap-storage-endpoint
    storage_account_access_key              = var.eap-storage-account-access-key
    storage_account_access_key_is_secondary = var.eap-storage-account-access-key-is-secondary
    retention_in_days                       = var.eap-retention-days
  }

  # Nested blocks take no "=" before the opening brace.
  import {
    storage_uri                  = var.storage-uri
    storage_key                  = var.storage-key
    storage_key_type             = var.storage-key-type
    administrator_login          = var.administrator-login
    administrator_login_password = var.administrator-login-password
    authentication_type          = var.authentication-type
    operation_mode               = var.operation-mode
  }

  threat_detection_policy {
    state                      = var.state
    disabled_alerts            = var.disabled-alerts
    email_account_admins       = var.email-account-admins
    email_addresses            = var.email-addresses
    retention_days             = var.retention-days
    storage_account_access_key = var.storage-account-access-key
    storage_endpoint           = var.storage-endpoint
    use_server_default         = var.use-server-default
  }
}
```

modules/variables.tf (few sql_database vars)

```hcl
variable "sql-db-edition" {
  type = string
}
# ...

variable "state" { #for example this should be optional
  type = string
}
# ...
```

main.tf

```hcl
module "sql_database" {
  source = "./modules/sql_database"

  sql-db-name = "sqldbs-example"
  location    = "westus"
  server-name = "sqlsrv-example"

  storage-uri                  = "" #some values
  storage-key                  = ""
  storage-key_type             = ""
  administrator-login          = ""
  administrator-login-password = ""
  authentication-type          = ""
  operation-mode               = ""

  sql-db-edition                       = "Standard"
  collation                            = "SQL_LATIN1_GENERAL_CP1_CI_AS"
  create-mode                          = "Default"
  sql-requested_service_objective_name = "S0"
  requested_service_objective_id       = ""
  read-scale                           = "false"
  zone_redundant                       = ""
  source_database_id                   = ""
  restore_point_in_time                = ""
  max_size_bytes                       = ""
  source_database_deletion_date        = ""
  elastic_pool_name                    = ""

  #variables below should be all optional
  state                      = ""
  disabled_alerts            = ""
  email_account_admins       = ""
  email_addresses            = ""
  retention_days             = 6
  storage_account_access_key = ""
  storage_endpoint           = ""
  use_server_default         = ""

  storage_endpoint                        = ""
  storage_account_access_key              = ""
  storage_account_access_key_is_secondary = "false"
  retention_in_days                       = 6
}
```

Thank you in advance for help!

Bater55
  • It sounds to me that the `threat_detection_policy` block is optional; can you not set a default? – Helder Sepulveda May 06 '20 at 15:14
  • Of course it is optional. Do you mean `default=null` or `default=my_default_value`? – Bater55 May 07 '20 at 06:36
  • Can you provide your variables file or create a minimal project on GitHub... the terraform behavior in your comment `module wants me to input all values, required and optional` is really strange ... my guess is what you call optional is not really coded as optional – Helder Sepulveda May 07 '20 at 12:33

1 Answer


For your requirements, I think a possible way is to set the default values inside the module and make the default values act as you do not set them. For example, in the threat_detection_policy block, the property use_server_default, when you do not set it, the default value is Disabled. And when you want to set them, just input the values in the module block.

Charles Xu
  • Will they be omitted during deployment then? I don't get your sentence `make the default values act as you do not set them`. What is already happening is module wants me to input all values of arguments, required and optional. – Bater55 May 07 '20 at 06:39
  • @Bater55 The default value means you do not input value when you deploy it. It's the way that Terraform always uses. – Charles Xu May 07 '20 at 06:48
  • But they are deployed anyway with default values but I don't want them to be deployed. – Bater55 May 07 '20 at 09:18
  • @Bater55 How do you know it does not set it if you do not set it after your deployment? When Terraform provides the property, it also has the default value act as you do not set it. When you set it, it acts as you want. Do you think Terraform will provide multiple modules for you between set it and do not set it? I'm afraid not. – Charles Xu May 07 '20 at 09:49
  • Thank you very much for your response. Actually I managed to do it. What I did is I used similar solution to this one using `dynamic` blocks. https://stackoverflow.com/questions/42461753/is-it-possible-to-turn-the-access-logs-block-on-and-off-via-the-environment-name – Bater55 May 11 '20 at 14:04
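
The `dynamic` block approach mentioned in the last comment, sketched as an added example that is not code from the original thread. The variable name `threat-detection-policy`, the two module calls and the e-mail address are assumptions; the other variables are taken to be declared as in the question (with defaults where project A omits them), and `try()` needs a Terraform release that provides it.

```hcl
# modules/sql_database/variables.tf
variable "threat-detection-policy" {
  type    = any  # object with any subset of the block's arguments
  default = null # null: the block is not rendered at all
}

# modules/sql_database/main.tf
resource "azurerm_sql_database" "sql-db" {
  name                = var.sql-db-name
  resource_group_name = data.azurerm_resource_group.rg-name.name
  location            = var.location
  server_name         = var.server-name

  # Zero-element list renders no block; one-element list renders exactly one.
  dynamic "threat_detection_policy" {
    for_each = var.threat-detection-policy == null ? [] : [var.threat-detection-policy]
    content {
      # try(..., null) leaves an argument unset when the caller omitted it.
      state                      = try(threat_detection_policy.value.state, null)
      disabled_alerts            = try(threat_detection_policy.value.disabled_alerts, null)
      email_account_admins       = try(threat_detection_policy.value.email_account_admins, null)
      email_addresses            = try(threat_detection_policy.value.email_addresses, null)
      retention_days             = try(threat_detection_policy.value.retention_days, null)
      storage_account_access_key = try(threat_detection_policy.value.storage_account_access_key, null)
      storage_endpoint           = try(threat_detection_policy.value.storage_endpoint, null)
      use_server_default         = try(threat_detection_policy.value.use_server_default, null)
    }
  }
}

# Root main.tf, project A: no threat_detection_policy block is created.
module "sql_database_a" {
  source      = "./modules/sql_database"
  sql-db-name = "sqldbs-example-a"
  location    = "westus"
  server-name = "sqlsrv-example"
}
# Root main.tf, project B: the block is created with the supplied arguments.
module "sql_database_b" {
  source      = "./modules/sql_database"
  sql-db-name = "sqldbs-example-b"
  location    = "westus"
  server-name = "sqlsrv-example"
  threat-detection-policy = {
    state           = "Enabled"
    email_addresses = ["secops@example.com"] # constructed address
    retention_days  = 6
  }
}
```

The same pattern applies to the `import` and `extended_auditing_policy` blocks. A caller that leaves the variable at `null` gets no `threat_detection_policy` block from this resource, so review which projects rely on that default.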