I have created 2 resources on Azure using Terraform:
1- A flexible MySql Database
# Flexible MySQL server. Credentials and sizing come from variables so no
# secret is committed with the configuration; note that Terraform still
# records administrator_password in state, so protect the state backend.
resource "azurerm_mysql_flexible_server" "mysql" {
  name                = var.db-name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  # Administrative credentials; declare var.db-root-password with sensitive = true
  # so it is redacted from plan output.
  administrator_login    = var.db-root-username
  administrator_password = var.db-root-password

  sku_name = var.db-sku
  version  = "8.0.21"

  storage {
    size_gb = var.db-storage
  }
}
2- A Backend .Net Core Web-app Server
# App Service plan that hosts the backend API; OS type and SKU are variables.
resource "azurerm_service_plan" "apiplan" {
  name                = var.be-plan-name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  os_type  = var.be-plan-os-type
  sku_name = var.be-plan-sku
}
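# Backend .NET web app. Serves HTTPS only; the MySQL connection string is
# injected as an app-level connection string named "Default".
resource "azurerm_linux_web_app" "be" {
  name                = var.be-server-name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_service_plan.apiplan.location
  service_plan_id     = azurerm_service_plan.apiplan.id

  # Reject plain HTTP so credentials and tokens never travel unencrypted.
  https_only = true

  # This value embeds the DB administrator password. It is written to Terraform
  # state and to the app's configuration; prefer a dedicated least-privilege DB
  # user for the application and a Key Vault reference for the secret.
  # NOTE(review): Flexible Server requires TLS by default (require_secure_transport);
  # add SslMode=Required here if the .NET MySQL driver in use does not negotiate
  # TLS on its own — confirm against the driver's defaults.
  connection_string {
    name  = "Default"
    type  = "MySql"
    value = "Data Source=${azurerm_mysql_flexible_server.mysql.fqdn};Port=3306;Database=${var.db-schema-name};User Id=${var.db-root-username};Password=${var.db-root-password};Connect Timeout=300;"
  }

  site_config {
    application_stack {
      dotnet_version = "8.0"
    }
  }
}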
Now, what I need is to create a "azurerm_mysql_flexible_server_firewall_rule" in order to only allow access to the Database from the Backend Server.
How?
Create a Firewall rule for a flexible MySql Database using terraform.
Since you only need to allow access from your Backend .NET Core Web App Server, you can use the azurerm_mysql_flexible_server_firewall_rule
resource in your Terraform configuration.
I tried a demo configuration which works as per the requirement.
Configuration:
# Demo flexible MySQL server.
# NOTE(review): administrator_password is a literal in the configuration, so it
# is committed with the code and written to Terraform state. In real use pass it
# through a variable marked sensitive = true or read it from Key Vault, and
# rotate any credential that has already been committed.
resource "azurerm_mysql_flexible_server" "mysql" {
name = "vk-flexible-db"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
administrator_login = "myadmin"
administrator_password = "INtel@199049"
sku_name = "GP_Standard_D2ds_v4"
version = "8.0.21"
storage {
size_gb = 20
}
}
# Demo App Service plan: a single Linux B1 instance.
resource "azurerm_service_plan" "apiplan" {
  name                = "vk-e-plan"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  os_type  = "Linux"
  sku_name = "B1"
}
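# Demo backend web app wired to the demo MySQL server above.
resource "azurerm_linux_web_app" "be" {
  name                = "vk-e-server"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_service_plan.apiplan.location
  service_plan_id     = azurerm_service_plan.apiplan.id

  # Reject plain HTTP.
  https_only = true

  # User and password are read from the server resource so they cannot drift
  # from administrator_login / administrator_password (the demo previously used
  # a different literal password here, so the app could not authenticate).
  # The value still lands in Terraform state; a least-privilege DB user and a
  # Key Vault reference are preferable to the admin account in real use.
  # NOTE(review): no azurerm_mysql_flexible_database named "mydb" is declared in
  # this snippet — confirm the schema exists before relying on this string.
  connection_string {
    name  = "Default"
    type  = "MySql"
    value = "Data Source=${azurerm_mysql_flexible_server.mysql.fqdn};Port=3306;Database=mydb;User Id=${azurerm_mysql_flexible_server.mysql.administrator_login};Password=${azurerm_mysql_flexible_server.mysql.administrator_password};Connect Timeout=300;"
  }

  site_config {
    application_stack {
      dotnet_version = "8.0"
    }
  }
}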
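locals {
  # Outbound IPs of the web app as a list. compact() drops the single empty
  # element that split() returns for an empty string, so an app with no
  # outbound IPs yields an empty list and local.outbound_ips[0] errors loudly
  # instead of silently falling back to 0.0.0.0 — on Azure Database for MySQL
  # a 0.0.0.0-0.0.0.0 firewall rule means "allow all Azure services", not
  # "no access".
  # NOTE(review): possible_outbound_ip_addresses is the wider set the app may
  # use after scaling; consider it if connections are intermittently refused.
  outbound_ips = compact(split(",", azurerm_linux_web_app.be.outbound_ip_addresses))
}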
# Expose the raw comma-separated outbound IP string for inspection after apply.
output "outbound_ip_addresses" {
  description = "Comma-separated outbound IP addresses of the backend web app"
  value       = azurerm_linux_web_app.be.outbound_ip_addresses
}
# Public-access firewall rule admitting the backend web app to the MySQL server.
# NOTE(review): only the first outbound IP is allowed, but the web app may egress
# from any address in outbound_ip_addresses (and, after scaling, any in
# possible_outbound_ip_addresses), so connections from the other IPs are refused.
# One rule per IP (for_each over the list) closes that gap, but because the IPs
# are unknown until the app exists, for_each needs a two-stage apply (for example
# -target the web app first). VNet integration with a private-access server avoids
# public firewall rules altogether.
# NOTE(review): if local.outbound_ips ever holds "0.0.0.0", this rule becomes the
# Azure "allow all Azure services" rule rather than deny-all — confirm the local
# never falls back to that value.
resource "azurerm_mysql_flexible_server_firewall_rule" "allow_be_server" {
name = "allow-be-server"
resource_group_name = azurerm_resource_group.rg.name
server_name = azurerm_mysql_flexible_server.mysql.name
start_ip_address = local.outbound_ips[0]
end_ip_address = local.outbound_ips[0]
depends_on = [azurerm_linux_web_app.be]
}
Deployment:
Refer:
azurerm_mysql_flexible_server | Resources | hashicorp/azurerm | Terraform | Terraform Registry
https://developer.hashicorp.com/terraform/language/values/locals