hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for azure sql database audit policy #5929

Closed lotaezhao closed 4 years ago

lotaezhao commented 4 years ago

Community Note

Description

There is currently no support to configure Azure SQL database audit-policy settings in Terraform. Please can this be added, as it's a pretty standard requirement within enterprises to need auditing switched on. SQL databases are one of the most fundamental resources, so we should have full feature support. This can be enabled both on individual databases and at the server level. I'm talking about the database level but might as well add support for SQL server level as well.

New or Affected Resource(s)

azurerm_sql_database azurerm_sql_server

Potential Terraform Configuration

Basing this off of the 'az sql db audit-policy update' command, proposed configuration could be a new 'audit_policy' block with the following attributes.

resource "azurerm_sql_database" "example" {
  name                = "mysqldatabase"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US"
  server_name         = azurerm_sql_server.example.name

  # Proposed block; the right-hand sides below are placeholders, not real references
  audit_policy {
    actions                        = example_actions
    retention_days                 = 30
    state                          = "enabled"
    storage_account                = example_storage_account
    storage_endpoint               = example_storage_endpoint
    storage_key                    = example_storage_key
    log_analytics_workspace_id     = example_log_analytics_workspace_id
    eventhub_authorization_rule_id = example_authorization_rule_id
  }

  tags = {
    environment = "production"
  }
}

References

This is the same configuration as provided by the Az Cli command 'az sql db audit-policy update' which is what I currently have to use in order to configure this setting: https://docs.microsoft.com/en-us/cli/azure/sql/db/audit-policy?view=azure-cli-latest

rohrerb commented 4 years ago

@katbyte any chance this could be done on the SQL level as well and, if possible, broken out to its own resource?

yupwei68 commented 4 years ago

Hi @lotaezhao, thanks for opening this issue. Blob Auditing Policies are supported now on azurerm_sql_database and azurerm_sql_server. Hi @katbyte, we may be able to close this issue.

tombuildsstuff commented 4 years ago

Appears the documentation is missing for the extended_auditing_policy block; so this wants fixing prior to closing this https://www.terraform.io/docs/providers/azurerm/r/sql_database.html
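Since the comments above name the `extended_auditing_policy` block without showing it, here is an added example (not part of the original thread and not the project's own documentation) of blob auditing at both the server and database level. It assumes an azurerm 2.x provider release that includes the block and Terraform 0.14 or later; all resource names, the login and the retention value are constructed.

```hcl
# Added example; names and values are constructed for illustration.
variable "sql_admin_password" {
  type      = string
  sensitive = true # keep the credential out of plan output
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West US"
}

# Storage account that receives the audit blobs
resource "azurerm_storage_account" "audit" {
  name                     = "exampleauditlogs"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_sql_server" "example" {
  name                         = "example-sqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password

  # Server-level auditing
  extended_auditing_policy {
    storage_endpoint           = azurerm_storage_account.audit.primary_blob_endpoint
    storage_account_access_key = azurerm_storage_account.audit.primary_access_key
    retention_in_days          = 30
  }
}

resource "azurerm_sql_database" "example" {
  name                = "mysqldatabase"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  server_name         = azurerm_sql_server.example.name

  # Database-level auditing; same attributes as the server-level block
  extended_auditing_policy {
    storage_endpoint           = azurerm_storage_account.audit.primary_blob_endpoint
    storage_account_access_key = azurerm_storage_account.audit.primary_access_key
    retention_in_days          = 30
  }
}
```

The storage access key is written to Terraform state in plain text, so the state backend needs the same access controls as the audit storage account itself.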

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!