hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for SQL Server Auditing Settings [Event Hub]/Log Analytics Policies Support for [Azure SQL Server] #9573

Open IntoTheNature opened 3 years ago

IntoTheNature commented 3 years ago


There is no way to deploy an Azure SQL Server with auditing policy set to EventHub or Log Analytics. It's not possible to ignore them too; if this setting is set manually on a SQL server, deployment fails with this error:

```text
Error: Error issuing create/update request for SQL Server "mysqlserver" Blob Auditing Policies(Resource Group "my resource group"): sql.ExtendedServerBlobAuditingPoliciesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="DataSecurityInvalidUserSuppliedParameter" Message="Invalid parameter 'storageEndpoint'. Value should be a blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net)."

  on main.tf line 54, in resource "azurerm_sql_server" "server":
  54: resource "azurerm_sql_server" "server" {
```

IntoTheNature commented 3 years ago

These audit log destinations are not in preview anymore, can someone from terraform triage this request?


fcatacut commented 2 years ago

We ended up using a `null_resource` block to run an az cli command enabling this: `az sql server audit-policy update`.

```hcl
resource "null_resource" "server_auditing_policy" {
  triggers = {
    eventhub_authorization_rule_id = var.eventhub_authorization_rule_id
    resource_group_name            = var.resource_group_name
    server_name                    = var.server_name
    event_hub_name                 = var.event_hub_name
  }

  # Apply: Suppressing the output of `update`, which isn't very informative, and displaying that of the `show` instead.
  provisioner "local-exec" {
    command = chomp(
      <<-EOT
az sql server audit-policy update --resource-group ${var.resource_group_name} --name ${var.server_name} --state Enabled --event-hub-target-state Enabled --event-hub-authorization-rule-id ${var.eventhub_authorization_rule_id} --event-hub ${var.event_hub_name} --output none
az sql server audit-policy show --resource-group ${var.resource_group_name} --name ${var.server_name}
EOT
    )
  }
}
```

Raffledoocious commented 2 years ago

Any update on this being implemented? This is something we'd also want to start using at my org instead of enabling the event hub auditing on each individual database.

fcatacut commented 2 years ago

> Any update on this being implemented? This is something we'd also want to start using at my org instead of enabling the event hub auditing on each individual database.

This enhancement request is over a year old, and we couldn't wait, which is why we went the null_resource route. See my previous comment. If you enable auditing on the server-level, it is enabled for each database.

Raffledoocious commented 2 years ago

Yep, I see your solution and I definitely appreciate you following up. What we ended up doing was enabling this on the server as well but by hand. We don't have a ton of servers so this is manageable. This feature is also missing in the AzureRM terraform module. You can't set an EventHub audit destination on a SQL server via the module.

fcatacut commented 2 years ago

You can set the EventHub using the azurerm_monitor_diagnostic_setting resource. If I recall correctly, the log category name is "SQLSecurityAuditEvents".
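The following configuration is an added example, not code from this issue or from the provider project, that puts the two workarounds in the thread together with native azurerm resources instead of the `null_resource` / az cli step: the server-level auditing policy is enabled with `log_monitoring_enabled` so that no blob `storage_endpoint` is required (the missing-endpoint error quoted at the top of the issue only applies to the blob target), and a diagnostic setting forwards the `SQLSecurityAuditEvents` category to the Event Hub. It reuses the `var.event_hub_name` and `var.eventhub_authorization_rule_id` inputs from the earlier comment and assumes azurerm provider 3.x (the `enabled_log` block; older versions use `log { enabled = true }`), an existing `azurerm_mssql_server.example` resource, and that server-level audit events are exposed through the `master` database's diagnostic settings, which is how the portal wires them.

```hcl
# Added example: native Terraform replacement for the az cli null_resource workaround.
# Assumptions: azurerm provider 3.x, an existing azurerm_mssql_server.example,
# and the "master" database path as the diagnostic-setting target.

# 1. Enable server-level auditing with Azure Monitor as the sink.
#    No storage_endpoint is set, so audit records are not written to blob storage
#    and the "Invalid parameter 'storageEndpoint'" error from the issue is avoided.
resource "azurerm_mssql_server_extended_auditing_policy" "server" {
  server_id              = azurerm_mssql_server.example.id # assumed existing server
  log_monitoring_enabled = true                           # hand records to Azure Monitor
}

# 2. Route the audit category to the Event Hub. Server-level auditing surfaces
#    on the master database, so that is the target resource (assumed path).
resource "azurerm_monitor_diagnostic_setting" "server_audit_to_eventhub" {
  name               = "sql-audit-to-eventhub"
  target_resource_id = "${azurerm_mssql_server.example.id}/databases/master"

  eventhub_name                  = var.event_hub_name
  eventhub_authorization_rule_id = var.eventhub_authorization_rule_id

  # Log category named in the thread. A diagnostic setting alone emits nothing;
  # the audit policy above must be enabled for events to flow.
  enabled_log {
    category = "SQLSecurityAuditEvents"
  }

  depends_on = [azurerm_mssql_server_extended_auditing_policy.server]
}
```

The `depends_on` matters on first apply: the diagnostic setting can be created before auditing is switched on, in which case the category exists but carries no events until the policy is applied, which is easy to misread as a broken Event Hub. Checking with `az sql server audit-policy show` after apply, as in the earlier comment, confirms that `isAzureMonitorTargetEnabled` is reported for the server before relying on the hub as a detection source.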