hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.59k stars 4.63k forks source link

Problems with Azure SQL Auditing using Log Analytics on a server level #27025

Open hmbrennecke opened 2 months ago

hmbrennecke commented 2 months ago

Is there an existing issue for this?

Community Note

Terraform Version

1.5.2

AzureRM Provider Version

3.92.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_server_extended_auditing_policy, azurerm_mssql_database_extended_auditing_policy, azurerm_monitor_diagnostic_setting

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.41.0"
    }
  }
}

resource "azurerm_mssql_server_extended_auditing_policy" "main" {
  server_id              = var.server_id
  retention_in_days      = 30
  log_monitoring_enabled = true
}

resource "azurerm_monitor_diagnostic_setting" "mssql_audit" {
  name                       = "mssql-audit-to-log-analytics"
  target_resource_id         = var.server_id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  metric {
    category = "AllMetrics"
  }

  depends_on = [
    azurerm_mssql_server_extended_auditing_policy.main
  ]
}

Debug Output/Panic Output

-

Expected Behaviour

The azurerm resource "azurerm_mssql_server_extended_auditing_policy" should enable the Azure SQL Auditing on Azure Portal and the resource "azurerm_monitor_diagnostic_setting" should set Log Analytics as the audit log destination.

I found an issue related to this, but it was at the database level, which in this case using the resources:

resource "azurerm_mssql_database_extended_auditing_policy" "main" {
  database_id            = var.database_id
  retention_in_days      = 30
  log_monitoring_enabled = true
}

resource "azurerm_monitor_diagnostic_setting" "mssql_audit" {
  name                       = "mssql-audit-to-log-analytics"
  target_resource_id         = var.database_id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  enabled_log {
    category = "SQLSecurityAuditEvents"
  }

  metric {
    category = "AllMetrics"
  }

  depends_on = [
    azurerm_mssql_database_extended_auditing_policy.main
  ]
}

It was possible to enable and set the analytic log destination to Log Analytics in the database:

image

But if I set this to the server level:

resource "azurerm_mssql_server_extended_auditing_policy" "main" {
  server_id              = var.server_id
  retention_in_days      = 30
  log_monitoring_enabled = true
}

resource "azurerm_monitor_diagnostic_setting" "mssql_audit" {
  name                       = "mssql-audit-to-log-analytics"
  target_resource_id         = var.server_id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  metric {
    category = "AllMetrics"
  }

  depends_on = [
    azurerm_mssql_server_extended_auditing_policy.main
  ]
}

It only enables Azure SQL Audit and does not set the Log Analystics as the destination:

image

Actual Behaviour

Azure SQL Audit was indeed enabled, but without an audit log destination.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

magodo commented 2 months ago

By looking at the Portal, the request for the sql server level is targeting to: /subscriptions/xxxx/resourceGroups/test-rg/providers/Microsoft.Sql/servers/acctest-sqlserver-344/auditingSettings/default?api-version=2021-11-01-preview, which is defined in https://github.com/Azure/azure-rest-api-specs/blob/c1d839d48ee936c9338431c38f2cbbfbc9879ea2/specification/sql/resource-manager/Microsoft.Sql/preview/2022-11-01-preview/BlobAuditing.json#L61. (Note that this endpoint only has GET and PUT).

This isn't currently supported by the provider yet.

On the other hand, those database level audit settings are implemented by the extension resource of insight RP.

hmbrennecke commented 2 months ago

@magodo thank you very much for your reply. So for now I'm going to work at the database level audit, but is there a change that we can do this at the server level in the future?

babuga365 commented 1 month ago

It would be good to have options to enable log analytics option on resource: azurerm_mssql_server_extended_auditing_policy, similar like storage account and no need to create diagnostics settings seperately.

Reason: As per this document: https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-server-level-database-level?view=azuresql, enabling auditing on SQL server level is enough and it will automatically monitor all the available SQL Databases on that server.

It would be good to have log analytics option on this resource as well; azurerm_mssql_database_extended_auditing_policy

Both the resources has only Storage Account integration options and not having Log Analytics and EventHub options through terraform. If we have these options on the resource: azurerm_mssql_server_extended_auditing_policy, azurerm_mssql_database_extended_auditing_policy, it will simplify the terraform setup and easily understandable.

image

frostsxx commented 4 weeks ago

@magodo thank you very much for your reply. So for now I'm going to work at the database level audit, but is there a change that we can do this at the server level in the future?

Hi @hmbrennecke! Have you found any solution to this problem? I'm currently trying the same thing.

EduardGurman commented 3 weeks ago

Hey, Same problem here, the Log analytics for the server is not configured although the database is.