Azure / azure-cli

Azure Command-Line Interface
MIT License
4.01k stars 2.99k forks source link

Support Azure SQL Server Vulnerability Assessment Baselines #16895

Open cocowalla opened 3 years ago

cocowalla commented 3 years ago

Is your feature request related to a problem? Please describe. After creating an Azure SQL Server and Databases using the Azure CLI, with Vulnerability Assessment enabled, Azure's Security Centre flagged up that no vulnerability assessment baselines had been created (as it's meant to).

I set about trying to create these baselines with Azure CLI, since we use it for all other IaC tasks - but Azure CLI doesn't appear to support anything like Powershell's Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline - so I had to hack something together with Azure Powershell instead.

Describe the solution you'd like I'd like Azure CLI to have capabilities to work with SQL Server Vulnerability Assessment Baselines. In particular, I'd like to be able to do the same things as these Azure Powershell cmdlets:

Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline
Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline
Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline

Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline

Describe alternatives you've considered

Additional context None

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @azureSQLGitHub.

Issue Details
**Is your feature request related to a problem? Please describe.** After creating an Azure SQL Server and Databases using the Azure CLI, with Vulnerability Assessment enabled, Azure's Security Centre flagged up that no vulnerability assessment baselines had been created (as it's meant to). I set about trying to create these baselines with Azure CLI, since we use it for all other IaC tasks - but Azure CLI doesn't appear to support anything like Powershell's `Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline` - so I had to hack something together with Azure Powershell instead. **Describe the solution you'd like** I'd like Azure CLI to have capabilities to work with SQL Server Vulnerability Assessment Baselines. In particular, I'd like to be able to do the same things as these Azure Powershell cmdlets: ```powershell Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline ``` **Describe alternatives you've considered** - Using Azure Powershell instead - using ARM templates instead (would have been horrible though, considering all the dynamic variables I'd need to stuff into them) **Additional context** None
Author: cocowalla
Assignees: -
Labels: `SQL`, `Service Attention`, `question`
Milestone: -
yonzhan commented 3 years ago

SQL

chull434 commented 3 years ago

+1 on this

just came across the same, got bash az cli scripts for all my other deployment scripts but now I need to use PowerShell instead for this one task

Sreini commented 3 years ago

I would love to have this as well.

Especially for stuff like adding all the ips in a service tag to a firewall rule and adding them to the security baseline at the same time