Related to sql server provider

We want to use the Terraform Registry (Azure SQL Server) provider in one of our customer projects. But it is maintained by an external/community party, not by HashiCorp directly, so I am not sure whether we should use such a provider in a customer project. The reason is that maybe it is not secure, or we are not sure about future changes/support. So, can you please guide us on whether we should use it or not?

And why we are using it:
We want to assign an Azure AD group/user in an Azure SQL Server database as a SQL user with a SQL database role.

Hi @sunil.sharma,

You’re correct that providers that are not in the “Official” or “Partner” tiers have no meaningful relationship with HashiCorp. You will need to decide for yourself if you are comfortable with the risks that implies.

One way to mitigate that risk is to analyze the provider yourself to check whether it meets your needs from both a functionality standpoint and a security standpoint. If you decide based on the analysis that you wish to use the provider, you can save the specific version you analyzed – along with its package checksums – in your dependency lock file. Terraform will then always install exactly that selected version unless you explicitly override that by running terraform init -upgrade.

You can mitigate the risk further by hosting your own copy of the provider in either a filesystem-based or network-based provider mirror, configured using the Provider Installation settings in your CLI Configuration file. That means that other versions of the provider will not be available for installation at all, unless you explicitly place them in your mirror directory.

If you use either of these strategies to ensure that you’re only using a pre-reviewed version of the provider, you would need to repeat the review/approval process each time you upgrade to a newer version of the provider.

I cannot tell you what is an acceptable level of risk for your situation, and so nothing I’ve described in this comment is intended as advice about whether it’s okay to use this provider, even if you do make use of the mechanisms I described to manage the risk. I have no familiarity with this provider and so I cannot make any statement about its quality or the risk of using it.
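Added example, not part of the original reply: a CLI configuration that restricts one provider namespace to a local filesystem mirror, so only package versions placed there after review can be installed. The namespace `example-namespace`, the provider name `example-provider` and the path `/opt/terraform/providers` are placeholders, since the thread does not name the provider's source address.

```hcl
# CLI configuration file: ~/.terraformrc (terraform.rc under %APPDATA% on Windows).
#
# Placeholders (assumptions, not taken from the thread):
#   registry.terraform.io/example-namespace/example-provider  - the community provider
#   /opt/terraform/providers                                  - reviewed-packages directory
#
# Populating the mirror after a version has been reviewed, run from a
# configuration that requires the provider at that exact version:
#   terraform providers mirror /opt/terraform/providers
#
# Recording checksums from the mirror into .terraform.lock.hcl:
#   terraform providers lock -fs-mirror=/opt/terraform/providers \
#     -platform=linux_amd64 \
#     registry.terraform.io/example-namespace/example-provider

provider_installation {
  # Providers in the reviewed namespace may come only from the local mirror.
  # A version that has not been copied into this directory cannot be
  # installed, even with "terraform init -upgrade".
  filesystem_mirror {
    path    = "/opt/terraform/providers"
    include = ["registry.terraform.io/example-namespace/*"]
  }

  # Every other provider is still installed directly from its origin
  # registry. The exclude entry stops Terraform from falling back to the
  # public registry for the reviewed namespace.
  direct {
    exclude = ["registry.terraform.io/example-namespace/*"]
  }
}
```

Commit `.terraform.lock.hcl` to version control alongside the configuration so that a change of provider version or checksum shows up as a diff that has to be approved.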

Thanks for your reply. Now it is clear to us.
Can you help us, is there any official/partner provider that provides similar functionality?

@apparentlymart Thanks for your reply. Now it is clear to us.
Can you help us, is there any official/partner provider that provides similar functionality?

@apparentlymart anything you want to share on my last comment?