diff --git a/modules/mssql-database/CHANGELOG.md b/modules/mssql-database/CHANGELOG.md
new file mode 100644
index 0000000..825c32f
--- /dev/null
+++ b/modules/mssql-database/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/modules/mssql-database/README.md b/modules/mssql-database/README.md
new file mode 100644
index 0000000..2ec1fe5
--- /dev/null
+++ b/modules/mssql-database/README.md
@@ -0,0 +1,38 @@
+# MS SQL Database
+
+This module creates a [MS SQL Database](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database) and associated [Diagnostic Setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting).
+
+## Usage
+
+```hcl
+module "mssql_database" {
+ source = "https://github.com/gofrontier-com/azurerm-terraform-modules/releases/download/mssql-database/[VERSION]/module.tar.gz//src"
+
+ environment = "dev"
+ identifier = "mortgages"
+ location = "uksouth"
+ zone = "mtg"
+
+ threat_detection_policy = {
+ retention_days = 10
+ email_account_admins = true
+ security_alert_email_addresses = ["email@example.com"]
+ storage_account_access_key = "abc123"
+ storage_endpoint = "endpoint"
+ }
+
+ log_analytics_workspace_id = data.azurerm_log_analytics_workspace.main.id
+
+ tags = {
+ WorkloadType = "MortgagesLZ/data-platform"
+ }
+}
+```
+
+## Known issues
+
+_None._
+
+## Contributing
+
+See .
diff --git a/modules/mssql-database/VERSION b/modules/mssql-database/VERSION
new file mode 100644
index 0000000..d3827e7
--- /dev/null
+++ b/modules/mssql-database/VERSION
@@ -0,0 +1 @@
+1.0
diff --git a/modules/mssql-database/src/locals.tf b/modules/mssql-database/src/locals.tf
new file mode 100644
index 0000000..6a78776
--- /dev/null
+++ b/modules/mssql-database/src/locals.tf
@@ -0,0 +1,14 @@
+locals {
+ identifier = replace(lower(var.identifier), "/[^a-z1-9]/", "")
+
+ short_locations = {
+ "uksouth" = "uks"
+ "ukwest" = "ukw"
+ }
+
+ tags = {
+ Environment = var.environment
+ Location = var.location
+ Zone = var.zone
+ }
+}
diff --git a/modules/mssql-database/src/main.tf b/modules/mssql-database/src/main.tf
new file mode 100644
index 0000000..91d27a9
--- /dev/null
+++ b/modules/mssql-database/src/main.tf
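Review bot: The character class in `replace(lower(var.identifier), "/[^a-z1-9]/", "")` in locals.tf omits `0`, so every zero is stripped from the identifier; `db10` and `db1`, for example, both normalise to `db1`. Because `local.identifier` feeds the database name built in main.tf, two distinct identifiers can silently map to the same resource name. Unless zero is excluded on purpose, use `"/[^a-z0-9]/"`.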
@@ -0,0 +1,59 @@
+resource "azurerm_mssql_database" "main" {
+ name = "sdb-${var.zone}-${var.environment}-${lookup(local.short_locations, var.location)}-${local.identifier}"
+ server_id = var.sql_server_id
+ max_size_gb = var.max_size_gb
+ sku_name = var.sql_database_sku
+ collation = var.sql_database_collation
+
+ min_capacity = var.serverless_min_capacity
+ auto_pause_delay_in_minutes = var.serverless_auto_pause_delay
+
+ dynamic "threat_detection_policy" {
+ for_each = var.threat_detection_policy != null ? [{}] : []
+ content {
+ state = "Enabled"
+ retention_days = var.threat_detection_policy.retention_days
+ email_account_admins = var.threat_detection_policy.email_account_admins
+ email_addresses = var.threat_detection_policy.security_alert_email_addresses
+ storage_account_access_key = var.threat_detection_policy.storage_account_access_key
+ storage_endpoint = var.threat_detection_policy.storage_endpoint
+ }
+ }
+
+ tags = merge(var.tags, local.tags)
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "main" {
+ name = "log-analytics"
+ target_resource_id = azurerm_mssql_database.main.id
+ log_analytics_workspace_id = var.log_analytics_workspace_id
+ log_analytics_destination_type = "AzureDiagnostics"
+
+ dynamic "enabled_log" {
+ for_each = var.log_categories
+
+ content {
+ category = enabled_log.value
+ }
+ }
+
+ dynamic "enabled_log" {
+ for_each = var.log_category_groups
+
+ content {
+ category_group = enabled_log.value
+ }
+ }
+
+ dynamic "metric" {
+ for_each = var.metric_categories
+
+ content {
+ category = metric.value
+ }
+ }
+}
diff --git a/modules/mssql-database/src/outputs.tf b/modules/mssql-database/src/outputs.tf
new file mode 100644
index 0000000..f31e865
--- /dev/null
+++ b/modules/mssql-database/src/outputs.tf
@@ -0,0 +1,3 @@
+output "id" {
+ value = azurerm_mssql_database.main.id
+}
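Review bot: `azurerm_monitor_diagnostic_setting.main` in main.tf builds every `enabled_log` and `metric` block from `var.log_categories`, `var.log_category_groups` and `var.metric_categories`, and all three default to `[]` in variables.tf, so a caller who sets none of them (as test/main.tf does) gets a diagnostic setting with nothing enabled. That is likely to fail at apply, and at best it sends no audit or security logs to the workspace, which leaves a detection gap by default. Give one of the lists a non-empty default, for example `default = ["allLogs"]` on `log_category_groups` if the target resource supports that group, or reject the all-empty case explicitly. Separately, `lookup(local.short_locations, var.location)` has no fallback and errors for any location other than `uksouth` or `ukwest`; a `validation` block on `var.location` would give callers a clearer message.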
diff --git a/modules/mssql-database/src/variables.tf b/modules/mssql-database/src/variables.tf
new file mode 100644
index 0000000..6bcab44
--- /dev/null
+++ b/modules/mssql-database/src/variables.tf
@@ -0,0 +1,91 @@
+variable "environment" {
+ type = string
+}
+
+variable "identifier" {
+ type = string
+}
+
+variable "location" {
+ type = string
+}
+
+variable "log_analytics_workspace_id" {
+ type = string
+}
+
+variable "log_categories" {
+ type = list(string)
+ default = []
+}
+
+variable "log_category_groups" {
+ type = list(string)
+ default = []
+}
+
+variable "max_size_gb" {
+ type = number
+ default = 32
+}
+
+variable "metric_categories" {
+ type = list(string)
+ default = []
+}
+
+variable "retention_days" {
+ type = string
+ default = "30"
+}
+
+variable "security_alert_email_addresses" {
+ type = list(string)
+ default = []
+}
+
+variable "serverless_min_capacity" {
+ type = string
+ default = null
+ description = "Minimum capacity for serverless SKUs. Minimum value is 0.5 (vCore)."
+}
+
+variable "serverless_auto_pause_delay" {
+ type = string
+ default = null
+ description = "The auto-pause delay for serverless SKUs. Minimum value is 60 (minutes)."
+}
+
+variable "sql_database_collation" {
+ type = string
+ default = "SQL_LATIN1_GENERAL_CP1_CI_AS"
+}
+
+variable "sql_database_sku" {
+ type = string
+ default = "GP_Gen5_2"
+}
+
+variable "sql_server_id" {
+ type = string
+}
+
+variable "tags" {
+ type = map(string)
+ default = {}
+}
+
+variable "threat_detection_policy" {
+ type = object({
+ retention_days = number
+ email_account_admins = bool
+ security_alert_email_addresses = list(string)
+ storage_account_access_key = string
+ storage_endpoint = string
+ })
+ default = null
+}
+
+variable "zone" {
+ type = string
+}
diff --git a/modules/mssql-database/test/main.tf b/modules/mssql-database/test/main.tf
new file mode 100644
index 0000000..f3b03cd
--- /dev/null
+++ b/modules/mssql-database/test/main.tf
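Review bot: `variable "threat_detection_policy"` in variables.tf carries `storage_account_access_key` but is not declared sensitive, so the key can surface in plan output, CI logs and anything derived from the variable; add `sensitive = true` to that variable. Marking the object sensitive may require the null check in main.tf to become `nonsensitive(var.threat_detection_policy != null)`, which is worth confirming against the Terraform versions you support. The key is still written to state, so the state backend needs to be encrypted and access-controlled, and the README example that inlines `storage_account_access_key = "abc123"` would be better showing the value sourced from a secret store or data source. The top-level `retention_days` and `security_alert_email_addresses` variables are not referenced anywhere in main.tf in this diff and duplicate fields of the object, so they look like leftovers. `serverless_min_capacity` and `serverless_auto_pause_delay` are typed `string` although their descriptions give numeric minimums; `number` would catch bad input earlier.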
@@ -0,0 +1,19 @@
+provider "azurerm" {
+ features {}
+}
+
+module "mssql-server" {
+ source = "../src"
+
+ environment = "baz"
+ identifier = "qux"
+ location = "uksouth"
+ zone = "waldo"
+
+ log_analytics_workspace_id = "quux"
+ sql_server_id = "123"
+
+ tags = {
+ Foo = "Bar"
+ }
+}
diff --git a/modules/mssql-database/test/terraform.tf b/modules/mssql-database/test/terraform.tf
new file mode 100644
index 0000000..762ef2e
--- /dev/null
+++ b/modules/mssql-database/test/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.85"
+ }
+ }
+}
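Review bot: The fixture in test/main.tf passes `sql_server_id = "123"` and `log_analytics_workspace_id = "quux"`, which are not Azure resource IDs, so the provider's ID validation will probably reject the configuration before any module logic is exercised. Use well-formed placeholder IDs instead, for example a constructed value such as `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Sql/servers/example`. The module label `mssql-server` also looks copied from another module; `mssql_database` would match what is under test.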