Description:
I am trying to create my database in Azure with TDE using database-level customer-managed keys, using Terraform. I need help in achieving that.
I see --encryption-protector $keyid can be used when creating a database with the Azure CLI. Is there something similar to use in Terraform?
I am trying to achieve:
New supported scenario: Logical server configured with customer-managed key
Key1 is configured as the customer-managed key at the logical server level. A different customer-managed key (Key2) can be configured at the database level.
Server – Key1 set as CMK
Database1 – Key2 used as CMK
Database2 – Key1 used as CMK
Database3 – Key1 used as CMK
We have azurerm_mssql_server_transparent_data_encryption for TDE at the server level. I am looking for something similar at the database level.
New or Affected Resource(s)/Data Source(s):
azurerm_mssql_database
Potential Terraform Configuration:
    resource "azurerm_mssql_database_transparent_data_encryption" "msql_db_tde" {
      server_id        = azurerm_mssql_server.sql_server.id
      database_name    = azurerm_mssql_database.databases.name
      key_vault_key_id = data.azurerm_key_vault_key.mssql_db_key.id
    }
I was asked to create an issue here, as there was no Azure REST API supporting this feature (https://github.com/hashicorp/terraform-provider-azurerm/issues/24316). Please confirm whether one exists and point me to it, or help me with this issue.
Reference:
https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-database-level-overview?view=azuresql
https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-database-level-basic-actions?view=azuresql&tabs=azure-portal%2Cazure-portal2#view-the-database-level-customer-managed-key-settings-on-an-azure-sql-database
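Added example, not from the issue or the provider project: the server-level half of the scenario above, with Key1 set as the server CMK so that Database2 and Database3 inherit it, including the managed identity and key vault permissions the server needs before azurerm_mssql_server_transparent_data_encryption can succeed. The resource group azurerm_resource_group.rg, the key vault azurerm_key_vault.kv (which must have purge protection and soft delete enabled for CMK TDE), the key name and the password variable are assumed.

```hcl
# Assumed: azurerm_resource_group.rg and azurerm_key_vault.kv already exist.
resource "azurerm_user_assigned_identity" "sql" {
  name                = "sql-tde-identity"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# Least privilege: the server identity only needs to fetch, wrap and unwrap
# the TDE protector, never to create, delete or export keys.
resource "azurerm_key_vault_access_policy" "sql_tde" {
  key_vault_id    = azurerm_key_vault.kv.id
  tenant_id       = azurerm_user_assigned_identity.sql.tenant_id
  object_id       = azurerm_user_assigned_identity.sql.principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_mssql_server" "sql_server" {
  name                         = "example-sqlserver"
  resource_group_name          = azurerm_resource_group.rg.name
  location                     = azurerm_resource_group.rg.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.sql.id]
  }
  primary_user_assigned_identity_id = azurerm_user_assigned_identity.sql.id
}

# Key1: the customer-managed key used as the server-level protector.
data "azurerm_key_vault_key" "key1" {
  name         = "tde-key1" # assumed key name
  key_vault_id = azurerm_key_vault.kv.id
}

resource "azurerm_mssql_server_transparent_data_encryption" "server_tde" {
  server_id        = azurerm_mssql_server.sql_server.id
  key_vault_key_id = data.azurerm_key_vault_key.key1.id
  # The protector swap fails if the vault policy is not in place yet.
  depends_on = [azurerm_key_vault_access_policy.sql_tde]
}

# Database2 and Database3 inherit Key1 from the server; Database1 would need
# the database-level protector (Key2) that this issue requests.
resource "azurerm_mssql_database" "database2" {
  name      = "Database2"
  server_id = azurerm_mssql_server.sql_server.id
}
```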