azurermMssqlServerExtendedAuditingPolicy
Manages a MS SQL Server Extended Auditing Policy.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-resources",
}
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
this,
"example_2",
{
account_replication_type: "LRS",
account_tier: "Standard",
location: azurermResourceGroupExample.location,
name: "examplesa",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermMssqlServerExample = new azurerm.mssqlServer.MssqlServer(
this,
"example_3",
{
administrator_login: "missadministrator",
administrator_login_password: "AdminPassword123!",
location: azurermResourceGroupExample.location,
name: "example-sqlserver",
resource_group_name: azurermResourceGroupExample.name,
version: "12.0",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlServerExample.overrideLogicalId("example");
const azurermMssqlServerExtendedAuditingPolicyExample =
new azurerm.mssqlServerExtendedAuditingPolicy.MssqlServerExtendedAuditingPolicy(
this,
"example_4",
{
retention_in_days: 6,
server_id: azurermMssqlServerExample.id,
storage_account_access_key: azurermStorageAccountExample.primaryAccessKey,
storage_account_access_key_is_secondary: false,
storage_endpoint: azurermStorageAccountExample.primaryBlobEndpoint,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlServerExtendedAuditingPolicyExample.overrideLogicalId("example");
Example Usage with storage account behind VNet and firewall
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example",
}
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
this,
"example_2",
{
address_space: ["10.0.0.0/16"],
location: azurermResourceGroupExample.location,
name: "virtnetname-1",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const dataAzurermClientConfigExample =
new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
this,
"example_3",
{}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermClientConfigExample.overrideLogicalId("example");
const dataAzurermSubscriptionPrimary =
new azurerm.dataAzurermSubscription.DataAzurermSubscription(
this,
"primary",
{}
);
const azurermMssqlServerExample = new azurerm.mssqlServer.MssqlServer(
this,
"example_5",
{
administrator_login: "missadministrator",
administrator_login_password: "AdminPassword123!",
identity: [
{
type: "SystemAssigned",
},
],
location: azurermResourceGroupExample.location,
minimum_tls_version: "1.2",
name: "example-sqlserver",
resource_group_name: azurermResourceGroupExample.name,
version: "12.0",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlServerExample.overrideLogicalId("example");
const azurermRoleAssignmentExample = new azurerm.roleAssignment.RoleAssignment(
this,
"example_6",
{
principal_id: `\${${azurermMssqlServerExample.identity}.0.principal_id}`,
role_definition_name: "Storage Blob Data Contributor",
scope: dataAzurermSubscriptionPrimary.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRoleAssignmentExample.overrideLogicalId("example");
const azurermSqlFirewallRuleExample =
new azurerm.sqlFirewallRule.SqlFirewallRule(this, "example_7", {
end_ip_address: "0.0.0.0",
name: "FirewallRule1",
resource_group_name: azurermResourceGroupExample.name,
server_name: azurermMssqlServerExample.name,
start_ip_address: "0.0.0.0",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSqlFirewallRuleExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_8", {
address_prefixes: ["10.0.2.0/24"],
enforce_private_link_endpoint_network_policies: true,
name: "subnetname-1",
resource_group_name: azurermResourceGroupExample.name,
service_endpoints: ["Microsoft.Sql", "Microsoft.Storage"],
virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
new azurerm.sqlVirtualNetworkRule.SqlVirtualNetworkRule(this, "sqlvnetrule", {
name: "sql-vnet-rule",
resource_group_name: azurermResourceGroupExample.name,
server_name: azurermMssqlServerExample.name,
subnet_id: azurermSubnetExample.id,
});
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
this,
"example_10",
{
account_kind: "StorageV2",
account_replication_type: "LRS",
account_tier: "Standard",
allow_nested_items_to_be_public: false,
identity: [
{
type: "SystemAssigned",
},
],
location: azurermResourceGroupExample.location,
name: "examplesa",
network_rules: [
{
bypass: ["AzureServices"],
default_action: "Deny",
ip_rules: ["127.0.0.1"],
virtual_network_subnet_ids: [azurermSubnetExample.id],
},
],
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermMssqlServerExtendedAuditingPolicyExample =
new azurerm.mssqlServerExtendedAuditingPolicy.MssqlServerExtendedAuditingPolicy(
this,
"example_11",
{
depends_on: [
`\${${azurermRoleAssignmentExample.fqn}}`,
`\${${azurermStorageAccountExample.fqn}}`,
],
log_monitoring_enabled: false,
retention_in_days: 6,
server_id: azurermMssqlServerExample.id,
storage_account_subscription_id:
"${azurerm_subscription.primary.subscription_id}",
storage_endpoint: azurermStorageAccountExample.primaryBlobEndpoint,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlServerExtendedAuditingPolicyExample.overrideLogicalId("example");
Example Usage with Log Analytics Workspace and EventHub
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_mssql_server" "example" {
name = "example-sqlserver"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
version = "12.0"
administrator_login = "missadministrator"
administrator_login_password = "AdminPassword123!"
}
resource "azurerm_mssql_server_extended_auditing_policy" "example" {
server_id = azurerm_mssql_server.example.id
storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.example.primary_access_key
storage_account_access_key_is_secondary = false
retention_in_days = 6
}
resource "azurerm_log_analytics_workspace" "example" {
name = "example-workspace"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_eventhub_namespace" "example" {
name = "example-eventhub-namespace"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
sku = "Standard"
}
resource "azurerm_eventhub" "example" {
name = "example-eventhub"
namespace_name = azurerm_eventhub_namespace.example.name
resource_group_name = azurerm_resource_group.example.name
partition_count = 2
message_retention = 1
}
resource "azurerm_eventhub_namespace_authorization_rule" "example" {
name = "example-eventhub-auth-rule"
namespace_name = azurerm_eventhub_namespace.example.name
resource_group_name = azurerm_resource_group.example.name
listen = true
send = true
manage = true
}
resource "azurerm_mssql_server_extended_auditing_policy" "example" {
server_id = azurerm_mssql_server.example.id
log_monitoring_enabled = true
}
resource "azurerm_monitor_diagnostic_setting" "example" {
name = "example-diagnotic-setting"
target_resource_id = "${azurerm_mssql_server.example.id}/databases/master”
eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.example.id
eventhub_name = azurerm_eventhub.example.name
log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
log {
category = "SQLSecurityAuditEvents"
enabled = true
retention_policy {
enabled = false
}
}
metric {
category = "AllMetrics"
retention_policy {
enabled = false
}
}
}
Arguments Reference
The following arguments are supported:
-
serverId
- (Required) The ID of the SQL Server to set the extended auditing policy. Changing this forces a new resource to be created. -
enabled
- (Optional) Whether to enable the extended auditing policy. Possible values aretrue
andfalse
. Defaults totrue
.
->NOTE: If enabled
is true
, storageEndpoint
or logMonitoringEnabled
are required.
-
storageEndpoint
- (Optional) The blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all extended auditing logs. -
retentionInDays
- (Optional) The number of days to retain logs for in the storage account. Defaults to0
. -
storageAccountAccessKey
- (Optional) The access key to use for the auditing storage account. -
storageAccountAccessKeyIsSecondary
- (Optional) IsstorageAccountAccessKey
value the storage's secondary key? -
logMonitoringEnabled
- (Optional) Enable audit events to Azure Monitor? To enable server audit events to Azure Monitor, please enable its main database audit events to Azure Monitor. Defaults totrue
. -
storageAccountSubscriptionId
- (Optional) The ID of the Subscription containing the Storage Account.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the MS SQL Server Extended Auditing Policy.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the MS SQL Server Extended Auditing Policy.read
- (Defaults to 5 minutes) Used when retrieving the MS SQL Server Extended Auditing Policy.update
- (Defaults to 30 minutes) Used when updating the MS SQL Server Extended Auditing Policy.delete
- (Defaults to 30 minutes) Used when deleting the MS SQL Server Extended Auditing Policy.
Import
MS SQL Server Extended Auditing Policies can be imported using the resourceId
, e.g.