Skip to content

azurermMssqlManagedInstanceVulnerabilityAssessment

Manages the Vulnerability Assessment for an MS Managed Instance.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermMssqlManagedInstanceSecurityAlertPolicyExample =
  new azurerm.mssqlManagedInstanceSecurityAlertPolicy.MssqlManagedInstanceSecurityAlertPolicy(
    this,
    "example",
    {
      enabled: true,
      managed_instance_name: "${azurerm_mssql_managed_instance.test.name}",
      resource_group_name: "${azurerm_resource_group.test.name}",
      retention_days: 30,
      storage_account_access_key:
        "${azurerm_storage_account.test.primary_access_key}",
      storage_endpoint: "${azurerm_storage_account.test.primary_blob_endpoint}",
    }
  );
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example_1",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermResourceGroupExample.overrideLogicalId("example");
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_2",
  {
    account_replication_type: "GRS",
    account_tier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "accteststorageaccount",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermStorageContainerExample =
  new azurerm.storageContainer.StorageContainer(this, "example_3", {
    container_access_type: "private",
    name: "accteststoragecontainer",
    storage_account_name: azurermStorageAccountExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageContainerExample.overrideLogicalId("example");
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_4",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "example",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_5", {
  address_prefixes: ["10.0.2.0/24"],
  name: "example",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceExample =
  new azurerm.mssqlManagedInstance.MssqlManagedInstance(this, "example_6", {
    administrator_login: "missadministrator",
    administrator_login_password: "NCC-1701-D",
    license_type: "BasePrice",
    location: azurermResourceGroupExample.location,
    name: "exampleinstance",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "GP_Gen5",
    storage_size_in_gb: 32,
    subnet_id: azurermSubnetExample.id,
    vcores: 4,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceVulnerabilityAssessmentExample =
  new azurerm.mssqlManagedInstanceVulnerabilityAssessment.MssqlManagedInstanceVulnerabilityAssessment(
    this,
    "example_7",
    {
      depends_on: [
        `\${${azurermMssqlManagedInstanceSecurityAlertPolicyExample.fqn}}`,
      ],
      managed_instance_id: azurermMssqlManagedInstanceExample.id,
      recurring_scans: [
        {
          email_subscription_admins: true,
          emails: ["email@example1.com", "email@example2.com"],
          enabled: true,
        },
      ],
      storage_account_access_key: azurermStorageAccountExample.primaryAccessKey,
      storage_container_path: `\${${azurermStorageAccountExample.primaryBlobEndpoint}}\${${azurermStorageContainerExample.name}}/`,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceVulnerabilityAssessmentExample.overrideLogicalId(
  "example"
);

Argument Reference

The following arguments are supported:

  • managedInstanceId - (Required) The id of the MS SQL Managed Instance. Changing this forces a new resource to be created.

  • storageContainerPath - (Required) A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/).

  • storageAccountAccessKey - (Optional) Specifies the identifier key of the storage account for vulnerability assessment scan results. If storageContainerSasKey isn't specified, storageAccountAccessKey is required.

-> NOTE The storageAccountAccessKey only applies if the storage account is not behind a virtual network or a firewall.

  • storageContainerSasKey - (Optional) A shared access signature (SAS Key) that has write access to the blob container specified in storageContainerPath parameter. If storageAccountAccessKey isn't specified, storageContainerSasKey is required.

-> NOTE The storageContainerSasKey only applies if the storage account is not behind a virtual network or a firewall.

  • recurringScans - (Optional) The recurring scans settings. The recurringScans block supports fields documented below.

The recurringScans block supports the following:

  • enabled - (Optional) Boolean flag which specifies if recurring scans is enabled or disabled. Defaults to false.
  • emailSubscriptionAdmins - (Optional) Boolean flag which specifies if the schedule scan notification will be sent to the subscription administrators. Defaults to true.
  • emails - (Optional) Specifies an array of e-mail addresses to which the scan notification is sent.

Attributes Reference

The following attributes are exported:

  • id - The ID of the Vulnerability Assessment.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Vulnerability Assessment.
  • update - (Defaults to 60 minutes) Used when updating the Vulnerability Assessment.
  • read - (Defaults to 5 minutes) Used when retrieving the Vulnerability Assessment.
  • delete - (Defaults to 60 minutes) Used when deleting the Vulnerability Assessment.

Import

The Vulnerability Assessment can be imported using the resourceId, e.g.

terraform import azurerm_mssql_managed_instance_vulnerability_assessment.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acceptanceTestResourceGroup1/providers/Microsoft.Sql/managedInstances/instance1/vulnerabilityAssessments/Default