hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azure_synapse_sql_pool_extended_auditing_policy: Support additional log destinations. #15069

Closed bcline760 closed 2 years ago

bcline760 commented 2 years ago

Community Note

Description

Right now azure_synapse_sql_pool_extended_auditing_policy only supports writing audit logs to a storage account. I would like to see support for Log Analytics and Event Hubs. This ability is present in the Azure Portal to use log analytics and event hubs.

New or Affected Resource(s)

Potential Terraform Configuration

resource "azurerm_synapse_workspace_extended_auditing_policy" "example" {
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  retention_in_days    = 6

  storage_account {
    access_key              = azurerm_storage_account.audit_logs.primary_access_key
    endpoint                = azurerm_storage_account.audit_logs.primary_blob_endpoint
    is_secondary_access_key = false
  }

  event_hub {
    name            = data.azurerm_eventhub.audit_hub.name
    namespace       = var.event_hub.name
    policy_name     = data.azurerm_eventhub_namespace.audit_namespace.default_primary_key
    subscription_id = data.azurerm_client_config.current.subscription_id
  }
}

I realize that this might be a helluva breaking change. To maintain backwards compatibility, break it into separate resources or rename the resource like removing the "extended" out or go like azurerm_synapse_workspace_auditing. I'm terrible at names. :P

References

https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview#setup-auditing

aristosvo commented 2 years ago

Hi @bcline760! This is an issue which fortunately is already solved, but I apologise for the setup being a bit more advanced than you would expect.

By enabling log_monitoring_enabled and adding an azurerm_monitor_diagnostic_setting with export settings to Log Analytics or EventHub, additional log destinations are supported already:

resource "azurerm_synapse_sql_pool_extended_auditing_policy" "test" {
  sql_pool_id            = azurerm_synapse_sql_pool.test.id
  log_monitoring_enabled = true
}

resource "azurerm_monitor_diagnostic_setting" "test" {
  name                           = "acctest-DS-test"
  target_resource_id             = azurerm_synapse_sql_pool.test.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.test.id
  eventhub_name                  = azurerm_eventhub.test.name
  log {
    category = "SQLSecurityAuditEvents"
    enabled  = true
    retention_policy {
      enabled = false
    }
  }
  metric {
    category = "AllMetrics"
    retention_policy {
      enabled = false
    }
  }
  // log, metric will return all disabled categories
  lifecycle {
    ignore_changes = [log, metric]
  }
}

I hope this helps you out. I'll close this issue for now; if this is not enough, let me know!
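
The answer above shows the Event Hub destination; the Log Analytics destination the issue also asked for follows the same pattern. This is an added example, not the maintainer's code or the provider's documentation; the resource names, the workspace SKU and the retention value are assumptions.

```hcl
# Assumed names throughout; the resource group and SQL pool are defined elsewhere.
resource "azurerm_log_analytics_workspace" "audit" {
  name                = "law-synapse-audit"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

# log_monitoring_enabled is what makes the audit events available to a
# diagnostic setting; without it the setting below has nothing to forward.
resource "azurerm_synapse_sql_pool_extended_auditing_policy" "example" {
  sql_pool_id            = azurerm_synapse_sql_pool.example.id
  log_monitoring_enabled = true
}

resource "azurerm_monitor_diagnostic_setting" "audit_to_law" {
  name                       = "ds-synapse-sqlpool-audit"
  target_resource_id         = azurerm_synapse_sql_pool.example.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.audit.id

  # Only the security audit category is forwarded to the workspace.
  log {
    category = "SQLSecurityAuditEvents"
    enabled  = true
    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "AllMetrics"
    enabled  = false
    retention_policy {
      enabled = false
    }
  }

  # Azure reports every other category as disabled; ignoring them keeps
  # `terraform plan` clean, as in the Event Hub example above.
  lifecycle {
    ignore_changes = [log, metric]
  }
}
```

Swap `log_analytics_workspace_id` for the `eventhub_*` arguments shown in the answer to send the same category to an Event Hub instead, or set both to fan out to two destinations.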

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.