This message was deleted.

Since you're using a programming language, you can create the resources (server and database) using Pulumi and then write code separately to create the users and roles.

Yes I could, but my DB is in a Vnet and the "runner" who will execute that code (typescript) would not be on that Vnet hence it cannot reach the Database via a connection string

The way that the mysql provider works is by running the sql scripts against your DB, so you'd need to give the "runner" the dame access

Okay, thanks we will look in to that then. Another question, how would you set "Allow Azure resources to connect" to yes via Pulumi on SQl Server?

@salmon-mechanic-4571 We can create User or Roles for sql db using custom implementation by extending Resource and by implementing interface ResourceProvider and using ShellCommand 1. export interface DatabaseUserProviderArgs { /** * Database Instance IP Address or DNS Name. */ instance: pulumi.Input<string>; /** * Admin User ID used to login to the database instance. */ adminUserId: pulumi.Input<string>; /** * Admin User Password to login to the database instance */ adminPassword: pulumi.Input<string>; /** * New LOGIN that will be created */ loginId: pulumi.Input<string>; /** * Password for the new LOGIN that will be created */ loginPassword: pulumi.Input<string>; } 2, DatabaseResource extends Resource (Eg export class DatabaseResource extends pulumi.dynamic.Resource {         constructor(name: string, args: DatabaseProviderArgs, opts?: pulumi.CustomResourceOptions) {         super(new DatabaseProvider(), name, { ...args }, opts);     } } 3, DatabaseProvider implements ResourceProvider export class DatabaseProvider implements ResourceProvider ...... public async create(inputs: DatabaseProviderArgs): Promise<pulumi.dynamic.CreateResult> { //TODO Create the database in the instance here. Create a user in this database. let id: string = uuidv4(); ...... ...... //Initialize users inputs.userIds.forEach(userId => { let sqlCommandCreateUser: string = `sqlcmd -b -x -U${inputs.adminUserId} -P${inputs.adminPassword} -S ${inputs.instance} -d ${inputs.name} -Q "create user ${userId} for login ${userId};" -o logs/${id}-create-user-${userId}.log`; ShellUtils.executeShellCommand(id + "-createuser-" + userId, sqlCommandCreateUser); //Grant owner privs let sqlCommandGrantRole: string = `sqlcmd -b -x -U${inputs.adminUserId} -P${inputs.adminPassword} -S ${inputs.instance} -d ${inputs.name} -Q "EXEC sp_addrolemember N'db_owner', N'${userId}';" -o logs/${id}-grant-role-${userId}.log`; ShellUtils.executeShellCommand(id + "-grantrole-" + userId, sqlCommandGrantRole); }); ...... } 4. ShellUtils executeShellCommand method will have execSync to execute the command ... const response = execSync(command, { stdio : "inherit"}); ..... 5. // Finally create the resource const repoUserAbadmin = new DatabaseUserResource("abadmin-user", { instance: sqlServer.fullyQualifiedDomainName, adminUserId: 'sqlserver', adminPassword: sqlserverPasswordObj, loginId: "abadmin", loginPassword: sqlserverPasswordObj }, { dependsOn: [sqlServer, firewallRule] });