hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Cannot enable vulnerability_assessment on mssql_managed_instance #17265

Closed AndyLonghurstHESA closed 5 months ago

AndyLonghurstHESA commented 2 years ago

Terraform Version

1.1.7

AzureRM Provider Version

3.5.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_managed_instance_vulnerability_assessment

Terraform Configuration Files

resource "azurerm_mssql_managed_instance_vulnerability_assessment" "vulnerability_scan" {
    managed_instance_id        = azurerm_mssql_managed_instance.sql.id
    storage_container_path     = "${azurerm_storage_account.sa.primary_blob_endpoint}${azurerm_storage_container.sa.name}/"
    storage_account_access_key = azurerm_storage_account.sa.primary_access_key

    recurring_scans {
        enabled                   = true
        email_subscription_admins = true
        emails = [
            "email@email.com"
        ]
    }
}

Debug Output/Panic Output

Error: updataing /subscriptions/subid/resourceGroups/resource-group/providers/Microsoft.Sql/managedInstances/managed-instance/vulnerabilityAssessments/default: sql.ManagedInstanceVulnerabilityAssessmentsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="VulnerabilityAssessmentADSIsDisabled" Message="Advanced Data Security should be enabled in order to use Vulnerability Assessment.

Expected Behaviour

Vulnerability assessments should have been enabled. There is no option on the azurerm_mssql_managed_instance resource block to configure Advanced Data Security.

Actual Behaviour

Error: updataing /subscriptions/subid/resourceGroups/resource-group/providers/Microsoft.Sql/managedInstances/managed-instance/vulnerabilityAssessments/default: sql.ManagedInstanceVulnerabilityAssessmentsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="VulnerabilityAssessmentADSIsDisabled" Message="Advanced Data Security should be enabled in order to use Vulnerability Assessment.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

sinbai commented 2 years ago

@AndyLonghurstHESA thank you for opening this issue here. The resource azurerm_mssql_managed_instance does not support configuring Advanced Data Security since the Azure API does not support it. Per the doc, could you enable it at the subscription level?

AndyLonghurstHESA commented 2 years ago

@sinbai ok, if that is the case, how do you suggest we use the azurerm_mssql_managed_instance_vulnerability_assessment resource block then, as Advanced Data Security is a pre-req?

sinbai commented 2 years ago

Per "Programmatically with the REST API, Azure CLI, PowerShell, or Azure Policy" in the above mentioned doc, the Pricings API, aka the terraform resource azurerm_security_center_subscription_pricing, could enable Microsoft Defender for SQL. Could you try this resource to enable it?

mal1982 commented 2 years ago

> Per "Programmatically with the REST API, Azure CLI, PowerShell, or Azure Policy" in the above mentioned doc, the Pricings API, aka the terraform resource azurerm_security_center_subscription_pricing, could enable Microsoft Defender for SQL. Could you try this resource to enable it?

These two options only allow for enabling at a subscription level, not a resource level as can be achieved with Azure SQL DB with the 'azurerm_mssql_server_security_alert_policy' resource. The main issue though is that there is no way to enable defender for SQL for Managed Instances at a subscription level. We have Defender for databases enabled at a subscription level but this only applies to Azure SQL Databases, SQL servers on machines, Open-source relational databases and Azure Cosmos DB.

Is there a way of enabling defender for sql on specific Managed Instances through the Azure CLI or PowerShell? At least that way we can build this into automation to prevent failures when enabling vulnerability assessment.

sinbai commented 2 years ago

@AndyLonghurstHESA Terraform will soon support azurerm_mssql_managed_instance_security_alert_policy in PR . It enables ADS for azurerm_mssql_managed_instance. That PR is expected to be released in the upcoming v3.30.0 release; could you track it for more updates?
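Putting the thread together, an added example (not from the issue author, the provider docs, or the linked PR) of the ordering the error demands: enable Defender for SQL (ADS) on the managed instance with the security alert policy resource first, then create the vulnerability assessment with an explicit depends_on, since nothing in its arguments references the policy. The azurerm_mssql_managed_instance_security_alert_policy argument names (resource_group_name, managed_instance_name, enabled, storage_endpoint, storage_account_access_key, retention_days) are assumed from my recollection of the provider documentation and should be checked against the docs for the provider version in use; the resource names rg, sql and sa are assumed.

```hcl
# Defender for SQL / Advanced Data Security must already be enabled on the
# managed instance before a vulnerability assessment can be created; the
# azurerm_mssql_managed_instance resource itself has no setting for it.
resource "azurerm_mssql_managed_instance_security_alert_policy" "ads" {
  resource_group_name   = azurerm_resource_group.rg.name       # assumed resource name
  managed_instance_name = azurerm_mssql_managed_instance.sql.name
  enabled               = true

  # Threat-detection audit records go to the same storage account the scans use.
  storage_endpoint           = azurerm_storage_account.sa.primary_blob_endpoint
  storage_account_access_key = azurerm_storage_account.sa.primary_access_key
  retention_days             = 30
}

resource "azurerm_mssql_managed_instance_vulnerability_assessment" "vulnerability_scan" {
  managed_instance_id        = azurerm_mssql_managed_instance.sql.id
  storage_container_path     = "${azurerm_storage_account.sa.primary_blob_endpoint}${azurerm_storage_container.sa.name}/"
  storage_account_access_key = azurerm_storage_account.sa.primary_access_key

  recurring_scans {
    enabled                   = true
    email_subscription_admins = true
    emails                    = ["email@email.com"]
  }

  # No argument above references the alert policy, so without this Terraform
  # would create both resources in parallel and the API would reject the
  # assessment with VulnerabilityAssessmentADSIsDisabled.
  depends_on = [azurerm_mssql_managed_instance_security_alert_policy.ads]
}
```

On a provider older than v3.30.0 the first resource does not exist, which is why the thread's earlier workaround was the subscription-level azurerm_security_center_subscription_pricing resource.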

rcskosir commented 5 months ago

Thanks for taking the time to submit this issue. It looks like this has been resolved as of #18985. As such, I am going to mark this issue as closed. If that is not the case, please provide additional information including the version in which you are still experiencing this issue, thanks!

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.