Azure · AlexanderSehr · Mar 31, 2023 · Mar 20, 2023 · Mar 20, 2023 · Mar 20, 2023
@@ -116,6 +116,10 @@ module testDeployment '../../deploy.bicep' = {
         diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
         diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
         elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/<<namePrefix>>-${serviceShort}/elasticPools/<<namePrefix>>-${serviceShort}-ep-001'
+        encryptionProtectorObj: {
+          serverKeyType: 'AzureKeyVault'
+          serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
+        }
         backupShortTermRetentionPolicy: {
           retentionDays: 14
         }

@@ -94,6 +94,9 @@ var identity = identityType != 'None' ? {
 
 var enableReferencedModulesTelemetry = false
 
+@description('Optional. The encryption protection configuration.')
+param encryptionProtectorObj object = {}
+
 @description('Optional. The vulnerability assessment configuration.')
 param vulnerabilityAssessmentsObj object = {}
 
@@ -312,6 +315,20 @@ module server_keys 'keys/deploy.bicep' = [for (key, index) in keys: {
   }
 }]
 
+module server_encryptionProtector 'encryptionProtector/deploy.bicep' = if (!empty(encryptionProtectorObj)) {
+  name: '${uniqueString(deployment().name, location)}-Sql-EncryProtector'
+  params: {
+    sqlServerName: server.name
+    serverKeyName: encryptionProtectorObj.serverKeyName
+    serverKeyType: contains(encryptionProtectorObj, 'serverKeyType') ? encryptionProtectorObj.serverKeyType : 'ServiceManaged'
+    autoRotationEnabled: contains(encryptionProtectorObj, 'autoRotationEnabled') ? encryptionProtectorObj.autoRotationEnabled : true
+    enableDefaultTelemetry: enableReferencedModulesTelemetry
+  }
+  dependsOn: [
+    server_keys
+  ]
+}
+
 @description('The name of the deployed SQL server.')
 output name string = server.name
 

@@ -0,0 +1,53 @@
+@description('Conditional. The name of the sql server. Required if the template is used in a standalone deployment.')
+param sqlServerName string
+
+@description('Required. The name of the server key.')
+param serverKeyName string
+
+@description('Optional. Key auto rotation opt-in.')
+param autoRotationEnabled bool = false
+
+@description('Optional. The encryption protector type.')
+@allowed([
+  'AzureKeyVault'
+  'ServiceManaged'
+])
+param serverKeyType string = 'ServiceManaged'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource sqlServer 'Microsoft.Sql/servers@2022-08-01-preview' existing = {
+  name: sqlServerName
+}
+
+resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2022-08-01-preview' = {
+  name: 'current'
+  parent: sqlServer
+  properties: {
+    serverKeyType: serverKeyType
+    autoRotationEnabled: autoRotationEnabled
+    serverKeyName: serverKeyName
+  }
+}
+
+@description('The name of the deployed encryption protector.')
+output name string = encryptionProtector.name
+
+@description('The resource ID of the encryption protector.')
+output resourceId string = encryptionProtector.id
+
+@description('The resource group of the deployed encryption protector.')
+output resourceGroupName string = resourceGroup().name
@@ -0,0 +1,51 @@
+# Sql Servers EncryptionProtector `[Microsoft.Sql/servers/encryptionProtector]`
+
+This module deploys an Sql Servers Encryption Protector.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Sql/servers/encryptionProtector` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/encryptionProtector) |
+
+## Parameters
+
+**Required parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `serverKeyName` | string | The name of the server key. |
+
+**Conditional parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `sqlServerName` | string | The name of the sql server. |
+
+**Optional parameters**
+
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `autoRotationEnabled` | bool | `False` |  | Key auto rotation opt-in. |
+| `enableDefaultTelemetry` | bool | `True` |  | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type like "ServiceManaged", "AzureKeyVault". |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed encryption protector. |
+| `resourceGroupName` | string | The resource group of the deployed encryption protector. |
+| `resourceId` | string | The resource ID of the encryption protector. |
+
+## Cross-referenced modules
+
+_None_
@@ -0,0 +1,4 @@
+{
+    "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+    "version": "0.5"
+}
@@ -24,6 +24,7 @@ This module deploys a SQL server.
 | `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) |
 | `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) |
 | `Microsoft.Sql/servers/elasticPools` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/elasticPools) |
+| `Microsoft.Sql/servers/encryptionProtector` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/encryptionProtector) |
 | `Microsoft.Sql/servers/firewallRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/firewallRules) |
 | `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) |
 | `Microsoft.Sql/servers/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/securityAlertPolicies) |
@@ -54,6 +55,7 @@ This module deploys a SQL server.
 | `databases` | _[databases](databases/readme.md)_ array | `[]` |  | The databases to create in the server. |
 | `elasticPools` | _[elasticPools](elasticPools/readme.md)_ array | `[]` |  | The Elastic Pools to create in the server. |
 | `enableDefaultTelemetry` | bool | `True` |  | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `encryptionProtectorObj` | _[encryptionProtector](encryptionProtector/readme.md)_ object | `{object}` |  | The encryption protection configuration. |
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` |  | The firewall rules to create in the server. |
 | `keys` | _[keys](keys/readme.md)_ array | `[]` |  | The keys to configure. |
 | `location` | string | `[resourceGroup().location]` |  | Location for all resources. |
@@ -459,6 +461,10 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
         diagnosticStorageAccountId: '<diagnosticStorageAccountId>'
         diagnosticWorkspaceId: '<diagnosticWorkspaceId>'
         elasticPoolId: '<elasticPoolId>'
+        encryptionProtectorObj: {
+          serverKeyName: '<serverKeyName>'
+          serverKeyType: 'AzureKeyVault'
+        }
         licenseType: 'LicenseIncluded'
         maxSizeBytes: 34359738368
         name: '<<namePrefix>>-sqlscomdb-001'
@@ -592,6 +598,10 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
           "diagnosticStorageAccountId": "<diagnosticStorageAccountId>",
           "diagnosticWorkspaceId": "<diagnosticWorkspaceId>",
           "elasticPoolId": "<elasticPoolId>",
+          "encryptionProtectorObj": {
+            "serverKeyName": "<serverKeyName>",
+            "serverKeyType": "AzureKeyVault"
+          },
           "licenseType": "LicenseIncluded",
           "maxSizeBytes": 34359738368,
           "name": "<<namePrefix>>-sqlscomdb-001",