Open hmbrennecke opened 2 months ago
By looking at the Portal, the request for the sql server level is targeting to: /subscriptions/xxxx/resourceGroups/test-rg/providers/Microsoft.Sql/servers/acctest-sqlserver-344/auditingSettings/default?api-version=2021-11-01-preview
, which is defined in https://github.com/Azure/azure-rest-api-specs/blob/c1d839d48ee936c9338431c38f2cbbfbc9879ea2/specification/sql/resource-manager/Microsoft.Sql/preview/2022-11-01-preview/BlobAuditing.json#L61.
(Note that this endpoint only has GET
and PUT
).
This isn't currently supported by the provider yet.
On the other hand, those database level audit settings are implemented by the extension resource of insight RP.
@magodo thank you very much for your reply. So for now I'm going to work at the database level audit, but is there a change that we can do this at the server level in the future?
It would be good to have options to enable log analytics option on resource: azurerm_mssql_server_extended_auditing_policy, similar like storage account and no need to create diagnostics settings seperately.
Reason: As per this document: https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-server-level-database-level?view=azuresql, enabling auditing on SQL server level is enough and it will automatically monitor all the available SQL Databases on that server.
It would be good to have log analytics option on this resource as well; azurerm_mssql_database_extended_auditing_policy
Both the resources has only Storage Account integration options and not having Log Analytics and EventHub options through terraform. If we have these options on the resource: azurerm_mssql_server_extended_auditing_policy, azurerm_mssql_database_extended_auditing_policy, it will simplify the terraform setup and easily understandable.
@magodo thank you very much for your reply. So for now I'm going to work at the database level audit, but is there a change that we can do this at the server level in the future?
Hi @hmbrennecke! Have you found any solution to this problem? I'm currently trying the same thing.
Hey, Same problem here, the Log analytics for the server is not configured although the database is.
Is there an existing issue for this?
Community Note
Terraform Version
1.5.2
AzureRM Provider Version
3.92.0
Affected Resource(s)/Data Source(s)
azurerm_mssql_server_extended_auditing_policy, azurerm_mssql_database_extended_auditing_policy, azurerm_monitor_diagnostic_setting
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
The azurerm resource "azurerm_mssql_server_extended_auditing_policy" should enable the Azure SQL Auditing on Azure Portal and the resource "azurerm_monitor_diagnostic_setting" should set Log Analytics as the audit log destination.
I found an issue related to this, but it was at the database level, which in this case using the resources:
It was possible to enable and set the analytic log destination to Log Analytics in the database:
But if I set this to the server level:
It only enables Azure SQL Audit and does not set the Log Analystics as the destination:
Actual Behaviour
Azure SQL Audit was indeed enabled, but without an audit log destination.
Steps to Reproduce
No response
Important Factoids
No response
References
No response