azurermMssqlServerSecurityAlertPolicy
Manages a Security Alert Policy for a MSSQL Server.
-> NOTE Security Alert Policy is currently only available for MS SQL databases.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-resources",
}
);
const azurermSqlServerExample = new azurerm.sqlServer.SqlServer(
this,
"example_1",
{
administrator_login: "4dm1n157r470r",
administrator_login_password: "4-v3ry-53cr37-p455w0rd",
location: azurermResourceGroupExample.location,
name: "mysqlserver",
resource_group_name: azurermResourceGroupExample.name,
version: "12.0",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSqlServerExample.overrideLogicalId("example");
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
this,
"example_2",
{
account_replication_type: "GRS",
account_tier: "Standard",
location: azurermResourceGroupExample.location,
name: "accteststorageaccount",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermMssqlServerSecurityAlertPolicyExample =
new azurerm.mssqlServerSecurityAlertPolicy.MssqlServerSecurityAlertPolicy(
this,
"example_3",
{
disabled_alerts: ["Sql_Injection", "Data_Exfiltration"],
resource_group_name: azurermResourceGroupExample.name,
retention_days: 20,
server_name: azurermSqlServerExample.name,
state: "Enabled",
storage_account_access_key: azurermStorageAccountExample.primaryAccessKey,
storage_endpoint: azurermStorageAccountExample.primaryBlobEndpoint,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlServerSecurityAlertPolicyExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
-
resourceGroupName
- (Required) The name of the resource group that contains the MS SQL Server. Changing this forces a new resource to be created. -
serverName
- (Required) Specifies the name of the MS SQL Server. Changing this forces a new resource to be created. -
state
- (Required) Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database server. Possible values aredisabled
,enabled
andnew
. -
disabledAlerts
- (Optional) Specifies an array of alerts that are disabled. Allowed values are:sqlInjection
,sqlInjectionVulnerability
,accessAnomaly
,dataExfiltration
,unsafeAction
. -
emailAccountAdmins
- (Optional) Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults tofalse
. -
emailAddresses
- (Optional) Specifies an array of email addresses to which the alert is sent. -
retentionDays
- (Optional) Specifies the number of days to keep in the Threat Detection audit logs. Defaults to0
. -
storageEndpoint
- (Optional) Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs. -
storageAccountAccessKey
- (Optional) Specifies the identifier key of the Threat Detection audit storage account. This is mandatory when you usestorageEndpoint
to specify a storage account blob endpoint.
-> NOTE: Please note that storage accounts configured with sharedAccessKeyEnabled =False
cannot be used to configure azurermMssqlServerSecurityAlertPolicy
with storageEndpoint
for now.
Attributes Reference
The following attributes are exported:
id
- The ID of the MS SQL Server Security Alert Policy.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the MSSQL Server Security Alert Policy.update
- (Defaults to 30 minutes) Used when updating the MSSQL Server Security Alert Policy.read
- (Defaults to 5 minutes) Used when retrieving the MSSQL Server Security Alert Policy.delete
- (Defaults to 30 minutes) Used when deleting the MSSQL Server Security Alert Policy.
Import
MS SQL Server Security Alert Policy can be imported using the resourceId
, e.g.