How to Import an Azure SQL Database Extended Auditing Policy into Terraform
terraback azure import --method bulk. Terraback writes the matching azurerm_mssql_database_extended_auditing_policy resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the database resource ID with the suffix /extendedAuditingSettings/default (.../databases/<db>/extendedAuditingSettings/default).Import Azure SQL Database Extended Auditing Policy with Terraback (recommended)
Terraback reverse-engineers your live infrastructure: it reads the Azure SQL Database resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Azure SQL Database Extended Auditing Policy to managed Terraform.
Scan your Azure account
terraback scan all azure --subscription-id YOUR_IDGenerate import blocks and import into state
terraback azure import --method bulkThe Terraform import block
Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.
import {
to = azurerm_mssql_database_extended_auditing_policy.main
id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Sql/servers/prod-sql/databases/prod-db/extendedAuditingSettings/default"
}Example azurerm_mssql_database_extended_auditing_policy configuration
Here is a realistic Azure SQL Database Extended Auditing Policy block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.
resource "azurerm_mssql_database_extended_auditing_policy" "main" {
database_id = azurerm_mssql_database.main.id
storage_endpoint = "https://prodaudit.blob.core.windows.net/"
storage_account_access_key = var.audit_storage_account_access_key
retention_in_days = 90
enabled = true
}Gotchas when importing a Azure SQL Database Extended Auditing Policy
- The import ID is the database ID plus a fixed /extendedAuditingSettings/default suffix; the policy is a singleton, so the trailing segment is always 'default'.
- This is a one-to-one settings resource keyed by database_id; there is no name attribute.
- storage_account_access_key is sensitive; Terraback emits it as a variable (var.mssql_database_extended_auditing_storage_account_access_key) rather than inlining the key.
- Server-level auditing (azurerm_mssql_server_extended_auditing_policy) and database-level auditing can both apply; importing one does not affect the other.
Doing it manually with terraform import
The native approach is to write the azurerm_mssql_database_extended_auditing_policy block by hand, then run terraform import azurerm_mssql_database_extended_auditing_policy.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.
Import other Azure resources
Import your whole Azure account in minutes
Terraback scans 80+ Azure resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.