azurermMssqlManagedInstanceSecurityAlertPolicy
Manages a Security Alert Policy for an MS SQL Managed Instance.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "database-rg",
}
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
this,
"example_1",
{
address_space: ["10.0.0.0/16"],
location: azurermResourceGroupExample.location,
name: "vnet-mi",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermNetworkSecurityGroupExample =
new azurerm.networkSecurityGroup.NetworkSecurityGroup(this, "example_2", {
location: azurermResourceGroupExample.location,
name: "mi-security-group",
resource_group_name: azurermResourceGroupExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermNetworkSecurityGroupExample.overrideLogicalId("example");
new azurerm.networkSecurityRule.NetworkSecurityRule(
this,
"allow_health_probe_inbound",
{
access: "Allow",
destination_address_prefix: "*",
destination_port_range: "*",
direction: "Inbound",
name: "allow_health_probe_inbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 300,
protocol: "*",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "AzureLoadBalancer",
source_port_range: "*",
}
);
new azurerm.networkSecurityRule.NetworkSecurityRule(
this,
"allow_management_inbound",
{
access: "Allow",
destination_address_prefix: "*",
destination_port_ranges: ["9000", "9003", "1438", "1440", "1452"],
direction: "Inbound",
name: "allow_management_inbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 106,
protocol: "Tcp",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "*",
source_port_range: "*",
}
);
new azurerm.networkSecurityRule.NetworkSecurityRule(
this,
"allow_management_outbound",
{
access: "Allow",
destination_address_prefix: "*",
destination_port_ranges: ["80", "443", "12000"],
direction: "Outbound",
name: "allow_management_outbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 102,
protocol: "Tcp",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "*",
source_port_range: "*",
}
);
new azurerm.networkSecurityRule.NetworkSecurityRule(
this,
"allow_misubnet_inbound",
{
access: "Allow",
destination_address_prefix: "*",
destination_port_range: "*",
direction: "Inbound",
name: "allow_misubnet_inbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 200,
protocol: "*",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "10.0.0.0/24",
source_port_range: "*",
}
);
new azurerm.networkSecurityRule.NetworkSecurityRule(
this,
"allow_misubnet_outbound",
{
access: "Allow",
destination_address_prefix: "*",
destination_port_range: "*",
direction: "Outbound",
name: "allow_misubnet_outbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 200,
protocol: "*",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "10.0.0.0/24",
source_port_range: "*",
}
);
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "allow_tds_inbound", {
access: "Allow",
destination_address_prefix: "*",
destination_port_range: "1433",
direction: "Inbound",
name: "allow_tds_inbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 1000,
protocol: "Tcp",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "VirtualNetwork",
source_port_range: "*",
});
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "deny_all_inbound", {
access: "Deny",
destination_address_prefix: "*",
destination_port_range: "*",
direction: "Inbound",
name: "deny_all_inbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 4096,
protocol: "*",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "*",
source_port_range: "*",
});
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "deny_all_outbound", {
access: "Deny",
destination_address_prefix: "*",
destination_port_range: "*",
direction: "Outbound",
name: "deny_all_outbound",
network_security_group_name: azurermNetworkSecurityGroupExample.name,
priority: 4096,
protocol: "*",
resource_group_name: azurermResourceGroupExample.name,
source_address_prefix: "*",
source_port_range: "*",
});
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_11", {
address_prefixes: ["10.0.0.0/24"],
delegation: [
{
name: "managedinstancedelegation",
service_delegation: [
{
actions: [
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
"Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
],
name: "Microsoft.Sql/managedInstances",
},
],
},
],
name: "subnet-mi",
resource_group_name: azurermResourceGroupExample.name,
virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermSubnetNetworkSecurityGroupAssociationExample =
new azurerm.subnetNetworkSecurityGroupAssociation.SubnetNetworkSecurityGroupAssociation(
this,
"example_12",
{
network_security_group_id: azurermNetworkSecurityGroupExample.id,
subnet_id: azurermSubnetExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetNetworkSecurityGroupAssociationExample.overrideLogicalId(
"example"
);
const azurermRouteTableExample = new azurerm.routeTable.RouteTable(
this,
"example_13",
{
depends_on: [`\${${azurermSubnetExample.fqn}}`],
disable_bgp_route_propagation: false,
location: azurermResourceGroupExample.location,
name: "routetable-mi",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRouteTableExample.overrideLogicalId("example");
const azurermSubnetRouteTableAssociationExample =
new azurerm.subnetRouteTableAssociation.SubnetRouteTableAssociation(
this,
"example_14",
{
route_table_id: azurermRouteTableExample.id,
subnet_id: azurermSubnetExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetRouteTableAssociationExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceExample =
new azurerm.mssqlManagedInstance.MssqlManagedInstance(this, "example_15", {
administrator_login: "mradministrator",
administrator_login_password: "thisIsDog11",
depends_on: [
`\${${azurermSubnetNetworkSecurityGroupAssociationExample.fqn}}`,
`\${${azurermSubnetRouteTableAssociationExample.fqn}}`,
],
license_type: "BasePrice",
location: azurermResourceGroupExample.location,
name: "managedsqlinstance",
resource_group_name: azurermResourceGroupExample.name,
sku_name: "GP_Gen5",
storage_size_in_gb: 32,
subnet_id: azurermSubnetExample.id,
vcores: 4,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceSecurityAlertPolicyExample =
new azurerm.mssqlManagedInstanceSecurityAlertPolicy.MssqlManagedInstanceSecurityAlertPolicy(
this,
"example_16",
{
disabled_alerts: ["Sql_Injection", "Data_Exfiltration"],
enabled: true,
managed_instance_name: azurermMssqlManagedInstanceExample.name,
resource_group_name: azurermResourceGroupExample.name,
retention_days: 20,
storage_account_access_key:
"${azurerm_storage_account.example.primary_access_key}",
storage_endpoint:
"${azurerm_storage_account.example.primary_blob_endpoint}",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceSecurityAlertPolicyExample.overrideLogicalId(
"example"
);
Argument Reference
The following arguments are supported:
-
resourceGroupName
- (Required) The name of the resource group that contains the MS SQL Managed Instance. Changing this forces a new resource to be created. -
managedInstanceName
- (Required) Specifies the name of the MS SQL Managed Instance. Changing this forces a new resource to be created. -
disabledAlerts
- (Optional) Specifies an array of alerts that are disabled. Possible values aresqlInjection
,sqlInjectionVulnerability
,accessAnomaly
,dataExfiltration
,unsafeAction
andbruteForce
. -
enabled
- (Optional) Specifies the state of the Security Alert Policy, whether it is enabled or disabled. Possible values aretrue
,false
. -
emailAccountAdminsEnabled
- (Optional) Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults tofalse
. -
emailAddresses
- (Optional) Specifies an array of email addresses to which the alert is sent. -
retentionDays
- (Optional) Specifies the number of days to keep in the Threat Detection audit logs. Defaults to0
. -
storageEndpoint
- (Optional) Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs. -
storageAccountAccessKey
- (Optional) Specifies the identifier key of the Threat Detection audit storage account. This is mandatory when you usestorageEndpoint
to specify a storage account blob endpoint.
-> NOTE: Please note that storage accounts configured with sharedAccessKeyEnabled =False
cannot be used to configure azurermMssqlManagedInstanceSecurityAlertPolicy
with storageEndpoint
for now.
Attributes Reference
The following attributes are exported:
id
- The ID of the MS SQL Managed Instance Security Alert Policy.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the MS SQL Managed Instance Security Alert Policy.update
- (Defaults to 30 minutes) Used when updating the MS SQL Managed Instance Security Alert Policy.read
- (Defaults to 5 minutes) Used when retrieving the MS SQL Managed Instance Security Alert Policy.delete
- (Defaults to 30 minutes) Used when deleting the MS SQL Managed Instance Security Alert Policy.
Import
MS SQL Managed Instance Security Alert Policy can be imported using the resourceId
, e.g.