
azurermMssqlManagedInstanceSecurityAlertPolicy

Manages a Security Alert Policy for an MS SQL Managed Instance.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
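/*Resource group and network plumbing for the managed instance: a delegated
subnet, an NSG holding the rules the service needs plus an explicit deny-all,
and a route table. The security alert policy at the bottom is the resource this
page documents; everything above it is prerequisite.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "database-rg",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "vnet-mi",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermNetworkSecurityGroupExample =
  new azurerm.networkSecurityGroup.NetworkSecurityGroup(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "mi-security-group",
    resource_group_name: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermNetworkSecurityGroupExample.overrideLogicalId("example");
/*Health probes from the Azure load balancer service tag only.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_health_probe_inbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_range: "*",
    direction: "Inbound",
    name: "allow_health_probe_inbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 300,
    protocol: "*",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "AzureLoadBalancer",
    source_port_range: "*",
  }
);
/*Management-endpoint ports open from any source. This mirrors what the
managed instance service expects for its control plane; verify the port list
and whether a narrower source is permitted against current Azure guidance
before reusing it.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_management_inbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_ranges: ["9000", "9003", "1438", "1440", "1452"],
    direction: "Inbound",
    name: "allow_management_inbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 106,
    protocol: "Tcp",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "*",
    source_port_range: "*",
  }
);
/*Outbound from the instance to the management endpoints.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_management_outbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_ranges: ["80", "443", "12000"],
    direction: "Outbound",
    name: "allow_management_outbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 102,
    protocol: "Tcp",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "*",
    source_port_range: "*",
  }
);
/*Intra-subnet traffic in both directions (10.0.0.0/24 is the MI subnet below).*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_misubnet_inbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_range: "*",
    direction: "Inbound",
    name: "allow_misubnet_inbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 200,
    protocol: "*",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "10.0.0.0/24",
    source_port_range: "*",
  }
);
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_misubnet_outbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_range: "*",
    direction: "Outbound",
    name: "allow_misubnet_outbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 200,
    protocol: "*",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "10.0.0.0/24",
    source_port_range: "*",
  }
);
/*Client (TDS) access on 1433 is limited to the virtual network; tighten the
source further if only specific subnets should reach the instance.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "allow_tds_inbound", {
  access: "Allow",
  destination_address_prefix: "*",
  destination_port_range: "1433",
  direction: "Inbound",
  name: "allow_tds_inbound",
  network_security_group_name: azurermNetworkSecurityGroupExample.name,
  priority: 1000,
  protocol: "Tcp",
  resource_group_name: azurermResourceGroupExample.name,
  source_address_prefix: "VirtualNetwork",
  source_port_range: "*",
});
/*Explicit default-deny at the lowest priority in each direction, so anything
not matched by an allow rule above is dropped rather than falling through to
the platform defaults.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "deny_all_inbound", {
  access: "Deny",
  destination_address_prefix: "*",
  destination_port_range: "*",
  direction: "Inbound",
  name: "deny_all_inbound",
  network_security_group_name: azurermNetworkSecurityGroupExample.name,
  priority: 4096,
  protocol: "*",
  resource_group_name: azurermResourceGroupExample.name,
  source_address_prefix: "*",
  source_port_range: "*",
});
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "deny_all_outbound", {
  access: "Deny",
  destination_address_prefix: "*",
  destination_port_range: "*",
  direction: "Outbound",
  name: "deny_all_outbound",
  network_security_group_name: azurermNetworkSecurityGroupExample.name,
  priority: 4096,
  protocol: "*",
  resource_group_name: azurermResourceGroupExample.name,
  source_address_prefix: "*",
  source_port_range: "*",
});
/*Subnet delegated to Microsoft.Sql/managedInstances; the delegation is what
lets the service inject the instance into this subnet.*/
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_11", {
  address_prefixes: ["10.0.0.0/24"],
  delegation: [
    {
      name: "managedinstancedelegation",
      service_delegation: [
        {
          actions: [
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
            "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
          ],
          name: "Microsoft.Sql/managedInstances",
        },
      ],
    },
  ],
  name: "subnet-mi",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermSubnetNetworkSecurityGroupAssociationExample =
  new azurerm.subnetNetworkSecurityGroupAssociation.SubnetNetworkSecurityGroupAssociation(
    this,
    "example_12",
    {
      network_security_group_id: azurermNetworkSecurityGroupExample.id,
      subnet_id: azurermSubnetExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetNetworkSecurityGroupAssociationExample.overrideLogicalId(
  "example"
);
const azurermRouteTableExample = new azurerm.routeTable.RouteTable(
  this,
  "example_13",
  {
    depends_on: [`\${${azurermSubnetExample.fqn}}`],
    disable_bgp_route_propagation: false,
    location: azurermResourceGroupExample.location,
    name: "routetable-mi",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRouteTableExample.overrideLogicalId("example");
const azurermSubnetRouteTableAssociationExample =
  new azurerm.subnetRouteTableAssociation.SubnetRouteTableAssociation(
    this,
    "example_14",
    {
      route_table_id: azurermRouteTableExample.id,
      subnet_id: azurermSubnetExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetRouteTableAssociationExample.overrideLogicalId("example");
/*The managed instance. depends_on forces the NSG and route table associations
to exist before the instance is created in the subnet.*/
const azurermMssqlManagedInstanceExample =
  new azurerm.mssqlManagedInstance.MssqlManagedInstance(this, "example_15", {
    administrator_login: "mradministrator",
    /*Plaintext credential in source: an example value only. Supply the
    password from a variable or a secret store before applying this.*/
    administrator_login_password: "thisIsDog11",
    depends_on: [
      `\${${azurermSubnetNetworkSecurityGroupAssociationExample.fqn}}`,
      `\${${azurermSubnetRouteTableAssociationExample.fqn}}`,
    ],
    license_type: "BasePrice",
    location: azurermResourceGroupExample.location,
    name: "managedsqlinstance",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "GP_Gen5",
    storage_size_in_gb: 32,
    subnet_id: azurermSubnetExample.id,
    vcores: 4,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceExample.overrideLogicalId("example");
/*Storage account that receives the Threat Detection audit logs. The original
listing referenced azurerm_storage_account.example without declaring it, so
the policy's storage endpoint and key could not resolve; it is declared here
with the same logical id. The account name is a constructed placeholder and
must be globally unique and lowercase. Hardening (TLS minimum, network rules)
is omitted to keep the example minimal — apply your storage baseline.*/
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_17",
  {
    account_replication_type: "LRS",
    account_tier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "examplesecalertsa",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
/*The security alert policy. disabled_alerts suppresses detections; the two
suppressed here exist only to demonstrate the argument, and a production
policy would normally leave the list empty. The values use the provider's
underscore form exactly as passed here (the Argument Reference renders them
in camelCase). No email recipients are configured in this example, so see
emailAddresses and emailAccountAdminsEnabled in the Argument Reference if
alerts must reach an operator. The access key is read from the storage
account resource rather than written into configuration.*/
const azurermMssqlManagedInstanceSecurityAlertPolicyExample =
  new azurerm.mssqlManagedInstanceSecurityAlertPolicy.MssqlManagedInstanceSecurityAlertPolicy(
    this,
    "example_16",
    {
      disabled_alerts: ["Sql_Injection", "Data_Exfiltration"],
      enabled: true,
      managed_instance_name: azurermMssqlManagedInstanceExample.name,
      resource_group_name: azurermResourceGroupExample.name,
      retention_days: 20,
      storage_account_access_key: azurermStorageAccountExample.primaryAccessKey,
      storage_endpoint: azurermStorageAccountExample.primaryBlobEndpoint,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceSecurityAlertPolicyExample.overrideLogicalId(
  "example"
);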

Argument Reference

The following arguments are supported:

  • resourceGroupName - (Required) The name of the resource group that contains the MS SQL Managed Instance. Changing this forces a new resource to be created.

  • managedInstanceName - (Required) Specifies the name of the MS SQL Managed Instance. Changing this forces a new resource to be created.

  • disabledAlerts - (Optional) Specifies an array of alerts that are disabled. Possible values are sqlInjection, sqlInjectionVulnerability, accessAnomaly, dataExfiltration, unsafeAction and bruteForce.

  • enabled - (Optional) Specifies the state of the Security Alert Policy, whether it is enabled or disabled. Possible values are true, false.

  • emailAccountAdminsEnabled - (Optional) Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to false.

  • emailAddresses - (Optional) Specifies an array of email addresses to which the alert is sent.

  • retentionDays - (Optional) Specifies the number of days to retain the Threat Detection audit logs. Defaults to 0.

  • storageEndpoint - (Optional) Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.

  • storageAccountAccessKey - (Optional) Specifies the access key of the storage account that holds the Threat Detection audit logs. This is mandatory when you use storageEndpoint to specify a storage account blob endpoint. The value is a secret: reference it from the storage account resource or a secret store rather than writing it into configuration.

-> NOTE: Storage accounts configured with sharedAccessKeyEnabled = false cannot currently be used to configure azurermMssqlManagedInstanceSecurityAlertPolicy with storageEndpoint, since storageAccountAccessKey is a shared key and is mandatory whenever storageEndpoint is set.

Attributes Reference

The following attributes are exported:

  • id - The ID of the MS SQL Managed Instance Security Alert Policy.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the MS SQL Managed Instance Security Alert Policy.
  • update - (Defaults to 30 minutes) Used when updating the MS SQL Managed Instance Security Alert Policy.
  • read - (Defaults to 5 minutes) Used when retrieving the MS SQL Managed Instance Security Alert Policy.
  • delete - (Defaults to 30 minutes) Used when deleting the MS SQL Managed Instance Security Alert Policy.

Import

MS SQL Managed Instance Security Alert Policy can be imported using the resourceId, e.g.

terraform import azurerm_mssql_managed_instance_security_alert_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acceptanceTestResourceGroup1/providers/Microsoft.Sql/managedInstances/instance1/securityAlertPolicies/Default