Open iso514 opened 2 years ago
Example workaround with azapi provider for configuring SQL auditing actions/groups and logging to log analytics:

```hcl
# No native support for SQL audit actions/groups in azurerm_mssql_server_extended_auditing_policy yet:
# https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/auditingsettings?pivots=deployment-language-terraform
resource "azapi_update_resource" "example_audit_actions" {
  type      = "Microsoft.Sql/servers/auditingSettings@2022-05-01-preview"
  name      = "default"
  parent_id = azurerm_mssql_server.example.id

  body = jsonencode({
    properties = {
      auditActionsAndGroups = [
        "FAILED_DATABASE_AUTHENTICATION_GROUP",
        "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"
      ]
      isAzureMonitorTargetEnabled = true
      state                       = "Enabled"
    }
  })

  depends_on = [azurerm_mssql_server.example]
}

# Will most likely fail on first create run as the master database in azurerm_mssql_server is created async and azurerm provider is missing retry/wait logic:
# https://github.com/hashicorp/terraform-provider-azurerm/issues/22226
resource "azurerm_monitor_diagnostic_setting" "example_audit_log" {
  name                       = "SQLSecurityAuditEvents"
  target_resource_id         = "${azurerm_mssql_server.example.id}/databases/master"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  enabled_log {
    category = "SQLSecurityAuditEvents"
  }

  lifecycle {
    ignore_changes = [metric]
  }

  depends_on = [azurerm_mssql_server.example]
}
```
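The same pattern carried one level down, as an added example that is not part of the issue or of the azurerm/azapi providers' own code. It assumes a server, a database and a workspace already declared as `azurerm_mssql_server.example`, `azurerm_mssql_database.example` and `azurerm_log_analytics_workspace.example` (hypothetical names), uses the native `audit_actions_and_groups` argument for the server-level policy, and targets the database's `auditingSettings` child resource through azapi for the database-level case the issue asks about. The two role and permission change groups are added on top of the authentication groups from the workaround above because privilege changes are usually the first thing an investigator wants in the audit trail.

```hcl
# Added example, not code from the issue or the azurerm/azapi providers.
# Assumed to exist elsewhere in the configuration (hypothetical names):
#   azurerm_mssql_server.example, azurerm_mssql_database.example,
#   azurerm_log_analytics_workspace.example

# Server level: azurerm_mssql_server_extended_auditing_policy exposes
# audit_actions_and_groups natively, so no azapi workaround is needed here.
resource "azurerm_mssql_server_extended_auditing_policy" "example" {
  server_id              = azurerm_mssql_server.example.id
  log_monitoring_enabled = true

  audit_actions_and_groups = [
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    # Role membership and permission grants/revokes: the events an
    # incident responder looks for first.
    "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
    "DATABASE_PERMISSION_CHANGE_GROUP",
  ]
}

# Database level: still no native argument, so apply the same pattern as the
# server-level workaround, but against the database's auditingSettings child.
resource "azapi_update_resource" "example_db_audit_actions" {
  type      = "Microsoft.Sql/servers/databases/auditingSettings@2022-05-01-preview"
  name      = "default"
  parent_id = azurerm_mssql_database.example.id

  body = jsonencode({
    properties = {
      state                       = "Enabled"
      isAzureMonitorTargetEnabled = true
      auditActionsAndGroups = [
        "FAILED_DATABASE_AUTHENTICATION_GROUP",
        "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
        "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
        "DATABASE_PERMISSION_CHANGE_GROUP",
      ]
    }
  })

  # Same ordering caveat as the server-level workaround: the database must
  # exist before its auditingSettings child can be updated.
  depends_on = [azurerm_mssql_database.example]
}

# isAzureMonitorTargetEnabled only routes events towards Azure Monitor; the
# diagnostic setting on the database itself is what lands them in Log Analytics.
resource "azurerm_monitor_diagnostic_setting" "example_db_audit_log" {
  name                       = "SQLSecurityAuditEvents"
  target_resource_id         = azurerm_mssql_database.example.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  enabled_log {
    category = "SQLSecurityAuditEvents"
  }

  lifecycle {
    ignore_changes = [metric]
  }

  depends_on = [azapi_update_resource.example_db_audit_actions]
}
```

If the same database is also managed with `azurerm_mssql_database_extended_auditing_policy`, both resources write to the same `auditingSettings` object; run a second plan after the first apply and confirm that the action groups set through azapi have not been reset to the defaults before relying on them.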
This is now supported at server level:
But not at database level:
Description
There is currently no support to configure Azure SQL database audit-policy action groups in Terraform. By default, only these action groups are enabled:
New or Affected Resource(s)/Data Source(s)
azurerm_mssql_server_extended_auditing_policy
Potential Terraform Configuration
References
It was part of this initial feature request but has not been implemented: https://github.com/hashicorp/terraform-provider-azurerm/issues/5929
Microsoft documentation reference: