Create an Azure SQL Server, with data encryption protector
This template creates an Azure SQL server and activates the data encryption protector with a "bring your own key" (BYOK): the transparent data encryption (TDE) protector is a customer-managed key held in Azure Key Vault. For that, you will need to provide the Key Vault and the key to use.
To use a Key Vault that is already in place, it must have the "soft-delete" property enabled. You can only do that from the command line (either PowerShell or the Azure CLI).
Alternatively, you can use the PowerShell file included in this directory to create a Key Vault and generate a key.
Then, the ARM template will achieve the following:
- Create the Azure SQL server
- Grant the SQL server's system-assigned identity (its principal ID) access to the given Key Vault (key permissions 'get', 'wrapKey' and 'unwrapKey')
- Add a new key at the SQL server level, pointing at the key (and key version) in the Vault
- Finally, activate the encryption protector using the server key created in the previous step
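The following is an added, self-contained ARM template illustrating the four steps above; it is not the template shipped in this directory. It assumes the Key Vault already exists in the same resource group with soft-delete enabled and that the key version is passed in as a parameter (the parameter names, `administratorLogin`/`administratorLoginPassword`, and the hard-coded `minimalTlsVersion` are the example's own choices). Azure Resource Manager accepts `//` comments in templates when deployed with PowerShell or the Azure CLI.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serverName": { "type": "string" },
    "administratorLogin": { "type": "string" },
    "administratorLoginPassword": { "type": "securestring" },
    "keyVaultName": { "type": "string" },
    "keyName": { "type": "string" },
    "keyVersion": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    // Server-level key names must follow the '<vault>_<key>_<version>' convention.
    "serverKeyName": "[concat(parameters('keyVaultName'), '_', parameters('keyName'), '_', parameters('keyVersion'))]",
    // TDE requires the fully versioned key identifier, not the version-less one.
    "keyUri": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/keys/', parameters('keyName'), '/', parameters('keyVersion'))]"
  },
  "resources": [
    {
      // Step 1: the SQL server, with a system-assigned identity that Key Vault will authorise.
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-11-01",
      "name": "[parameters('serverName')]",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "administratorLogin": "[parameters('administratorLogin')]",
        "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
        "minimalTlsVersion": "1.2"
      }
    },
    {
      // Step 2: least-privilege access policy for the server identity (no create/delete/list).
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2021-10-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "dependsOn": [ "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2021-11-01', 'Full').identity.principalId]",
            "permissions": { "keys": [ "get", "wrapKey", "unwrapKey" ] }
          }
        ]
      }
    },
    {
      // Step 3: register the Key Vault key on the server; the policy must exist first.
      "type": "Microsoft.Sql/servers/keys",
      "apiVersion": "2021-11-01",
      "name": "[concat(parameters('serverName'), '/', variables('serverKeyName'))]",
      "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]" ],
      "properties": {
        "serverKeyType": "AzureKeyVault",
        "uri": "[variables('keyUri')]"
      }
    },
    {
      // Step 4: make that key the TDE protector ('current' is the only allowed name).
      "type": "Microsoft.Sql/servers/encryptionProtector",
      "apiVersion": "2021-11-01",
      "name": "[concat(parameters('serverName'), '/current')]",
      "dependsOn": [ "[resourceId('Microsoft.Sql/servers/keys', parameters('serverName'), variables('serverKeyName'))]" ],
      "properties": {
        "serverKeyType": "AzureKeyVault",
        "serverKeyName": "[variables('serverKeyName')]"
      }
    }
  ]
}
```

Two points worth checking before deploying: the access policy grants only the three key permissions the server actually needs, so a compromised server identity cannot enumerate or delete vault keys; and because the protector references a specific key version, losing the key (or the vault, if it is purged) makes every database on the server inaccessible, which is why soft-delete is a prerequisite here and why Azure's current TDE BYOK guidance also calls for purge protection on the vault.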
Tags: Microsoft.Sql/servers, SystemAssigned, Microsoft.Resources/deployments, Microsoft.KeyVault/vaults/accessPolicies, Microsoft.Sql/servers/keys, Microsoft.Sql/servers/encryptionProtector, Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Authorization/roleAssignments, Microsoft.KeyVault/vaults, Microsoft.Resources/deploymentScripts, userAssigned