[AVM Module Issue]: Sql Server Module should add the creation of Microsoft.KeyVault/vaults/secrets

[NanaXiong00]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Issue Type?

Feature Request

Module Name

avm/res/sql/server

(Optional) Module Version

No response

Description

Please add the creation of Microsoft.KeyVault/vaults/secrets.
In azd, we allow the user to pass a keyvault reference when creating a sql server. If they do provide one, then we set a keyvault secret that contains the sqlAdminPassword, appUserPassword, connectionString. Refer to this issue: #632

For example (azd):

• https://github.com/Azure/azure-dev/blob/main/templates/common/infra/bicep/core/database/sqlserver/sqlserver.bicep#L100-L126

CC: @jongio

(Optional) Correlation Id

No response

[avm-team-linter]

@NanaXiong00, thanks for submitting this issue for the avm/res/sql/server module!

Important

Please note, that this module is currently orphaned. The @Azure/avm-core-team-technical-bicep, will attempt to find an owner for it. In the meantime, the core team may assist with this issue. Thank you for your patience!

[AlexanderSehr]

This is connected to

• [AVM Question/Feedback]: How do we handle resources that emit secrets? #1934
• [AVM Question/Feedback]: Accessing Storage Account Access Key #1780

[jtracey93]

Hey @NanaXiong00 & @jongio, this module avm/res/sql/server is currently orphaned 😢

Do yourselves or anyone you know want to take ownership of this module and make the the required changes to the module as per: #1934 (comment) ?

#RR

[v-xuto]

@jtracey93 We will try to fix this issue.
@jongio for notification.

[v-xuto]

@jtracey93 PR is ready, please review.

• feat: Add the creation of Microsoft.KeyVault/vaults/secrets in Sql Server Module - avm/res/sql/server #2859

[AlexanderSehr]

as commented in the PR, this depends on #1934

[zedy-wj]

According to the comments here: #2859 (comment), it seems more appropriate to set KeyVault Secrets outside the module. Should this issue continue?

[AlexanderSehr]

According to the comments here: #2859 (comment), it seems more appropriate to set KeyVault Secrets outside the module. Should this issue continue?

Hey @zedy-wj,
please note: The comment only relates to the addition of a secret value to the interface.
The idea of the issue should be that the module can store all the service's credentials (e.g., access keys, connection strings, etc.) in a given Key Vault, if the user opts in. This is something that we already agreed on implementing, and I just need to maintainers to greenlight the suggested spec so that we can go ahead and implement the interface.

The commented line goes a step beyond that and not only does the above, but also would have the user be able to add custom secrets to that mix which I'd say should be done outside the module. In this case specifically, a password is added which could/should just as well be set outside the module's scope.
If we don't, I'm of the (subjective) opinion, that we're bloating the key vault secrets feature beyond the module's scope as one could essentially start setting any secrets via the module, even if they're completely unrelated.

I hope that makes sense. Happy to discuss :)