hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for Express Configuration in azurerm_mssql_server_vulnerability_assessment #19971

Open ricohomewood opened 1 year ago

ricohomewood commented 1 year ago

Description

Azure SQL now supports express configuration for SQL Server vulnerability assessments, which no longer requires a storage account, as this is now managed by the express configuration; the storage account version is now considered the classic configuration.

Please can we look to support the express configuration for azurerm_mssql_server_vulnerability_assessment?

New or Affected Resource(s)/Data Source(s)

azurerm_mssql_server_vulnerability_assessment

Potential Terraform Configuration

resource "azurerm_sql_server" "example" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

resource "azurerm_mssql_server_vulnerability_assessment" "example" {
  server_id       = azurerm_sql_server.example.id
  assessment_type = "express"
}

resource "azurerm_mssql_server_vulnerability_assessment_rule_baseline" "example" {
  server_vulnerability_assessment_id = azurerm_mssql_server_vulnerability_assessment.example.id
  latestScan                         = false

  baseline_result {
    result = {
      VA2063 = [
        "AllowAll",
        "0.0.0.0",
        "255.255.255.255"
      ]
    }

  }

  baseline_result {
    result = {
      VA2065 = [
        "allowedip2",
        "255.255.255.255",
        "255.255.255.255"
      ]
    }
  }
}

References

Terraform AzAPI example:

Enable Express mode:

Baseline Creation:

REST API Create Example:

Rest API Spec:

dimovcd1 commented 10 months ago

Hello, we have the same issue/request. If using "SQL vulnerability assessment" with "Express configuration", we can't use Terraform, as the resource "azurerm_mssql_server_vulnerability_assessment" requires a storage account.

As per the document below, there are two modes and Express configuration is not covered by Terraform yet: https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview#what-are-the-express-and-classic-configurations

Are there plans to support the express configuration for azurerm_mssql_server_vulnerability_assessment?

joakimlemb commented 9 months ago

Workaround with azapi provider:

resource "azapi_update_resource" "example" {
  type      = "Microsoft.Sql/servers/sqlVulnerabilityAssessments@2022-05-01-preview"
  name      = "default"
  parent_id = azurerm_mssql_server.example.id
  body = jsonencode({
    properties = {
      state = "Enabled"
    }
  })
}
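
An added check for the workaround above (not code from this thread or from the provider): it reads `terraform show -json` state output and lists every `azurerm_mssql_server` that has no `azapi_update_resource` enabling the express assessment on it. The state document embedded below is constructed and the function names are hypothetical; classic (storage account) assessments are not considered.

```python
import json

# Type prefix from the azapi workaround above; the API version suffix is ignored.
EXPRESS_TYPE = "Microsoft.Sql/servers/sqlVulnerabilityAssessments@"

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def express_state(values):
    """Return properties.state from an azapi body (jsonencode string or object)."""
    body = values.get("body") or {}
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except ValueError:
            return None
    if not isinstance(body, dict):
        return None
    return (body.get("properties") or {}).get("state")

def servers_without_express_va(state):
    """Addresses of azurerm_mssql_server resources lacking an enabled express assessment."""
    resources = list(walk(state.get("values", {}).get("root_module", {})))
    covered = set()
    for r in resources:
        v = r.get("values", {})
        if (r.get("type") == "azapi_update_resource"
                and str(v.get("type", "")).startswith(EXPRESS_TYPE)
                and express_state(v) == "Enabled"):
            covered.add(str(v.get("parent_id", "")).lower())  # Azure IDs are case-insensitive
    return sorted(r["address"] for r in resources
                  if r.get("type") == "azurerm_mssql_server"
                  and str(r.get("values", {}).get("id", "")).lower() not in covered)

# Constructed sample state (placeholder subscription ID and server names).
_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Sql/servers/"
_AZ = {"type": "azapi_update_resource", "name": "va"}
_T = EXPRESS_TYPE + "2022-05-01-preview"
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    {"address": "azurerm_mssql_server.a", "type": "azurerm_mssql_server", "values": {"id": _ID + "sql-a"}},
    {"address": "azurerm_mssql_server.b", "type": "azurerm_mssql_server", "values": {"id": _ID + "sql-b"}},
    {**_AZ, "address": "azapi_update_resource.a", "values": {"type": _T, "parent_id": (_ID + "sql-a").upper(),
        "body": json.dumps({"properties": {"state": "Enabled"}})}},
    {**_AZ, "address": "azapi_update_resource.b", "values": {"type": _T, "parent_id": _ID + "sql-b",
        "body": {"properties": {"state": "Disabled"}}}},
], "child_modules": [{"resources": [
    {"address": "module.db.azurerm_mssql_server.c", "type": "azurerm_mssql_server", "values": {"id": _ID + "sql-c"}},
]}]}}}
```

In a pipeline, pass `json.load()` of the saved `terraform show -json` output to `servers_without_express_va` and fail the job when the returned list is non-empty.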