hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

azurerm_mssql_server_vulnerability_assessment issue with different subscription #25958

Closed Xander-Rudolph closed 4 years ago

Xander-Rudolph commented 4 years ago

When trying to use azurerm_mssql_server_vulnerability_assessment and referencing a storage container path that is in a different subscription, it fails to find the storage account. I had tried to use a different provider and a data block to try to force the connection to the right place, but data and azurerm_mssql_server_vulnerability_assessment don't appear to support a different provider.

Terraform Version

Terraform v0.12.28

Expected Behavior

Because storage names are unique, I would expect the assessment to be able to find the resource the same way that azurerm_mssql_server_security_alert_policy or azurerm_sql_server (in extended_auditing_policy) does while the resource is in a different subscription.

Actual Behavior

It fails to find the storage account and throws the following error:

Error: error updataing mssql server vulnerability assessment: sql.ServerVulnerabilityAssessmentsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="DataSecurityInvalidUserSuppliedParameter" Message="\"Invalid parameter 'storageContainerPath'. Value should be a valid blob storage container endpoint (e.g. https://MyAccount.blob.core.windows.net/containername).\""

Steps to Reproduce

  1. create an azure storage account with a blob container in it
  2. Update the variables accordingly in the script (3 values come from the storage account/blob you created; the rest can be whatever)
  3. terraform init
  4. terraform apply

References

https://www.terraform.io/docs/providers/azurerm/r/mssql_server_vulnerability_assessment.html

Sample Code

# ----------------------------------------------------------
# These come from the other storage account that you create
# ----------------------------------------------------------
# Blob endpoint of the assessment storage account, including the
# trailing slash, e.g. https://myaccount.blob.core.windows.net/
variable "AssessmentStorageName" {
    type    = string
    default = ""
}
# Name of the blob container inside that account
variable "assessmentcontainer" {
    type    = string
    default = ""
}
variable "storage_account_access_key" {
    type    = string
    default = ""
}

# ----------------------------------------------------------
# These can be whatever you want
# ----------------------------------------------------------
variable "resource_group_name" {
    type    = string
    default = ""
}
variable "resource_group_location" {
    type    = string
    default = "East US"
}
variable "Username" {
    type    = string
    default = ""
}
variable "SQLServerName" {
    type    = string
    default = ""
}
variable "subscription_id" {
    type    = string
    default = ""
}
variable "tenant_id" {
    type    = string
    default = ""
}
variable "email" {
    type    = string
    default = "dummyemail@fake.com"
}

# ----------------------------------------------------------
# Begin script
# ----------------------------------------------------------
provider "azurerm" {
    features {}
}

# create a resource group
resource "azurerm_resource_group" "resource" {
    name     = var.resource_group_name
    location = var.resource_group_location
}

# Create password for SQL (needs the random provider, installed by terraform init)
resource "random_password" "SQLPassword" {
    length           = 30
    special          = true
    override_special = "_%@"
}

# create a sql server (sql server requires all lower case for names)
resource "azurerm_sql_server" "sql_server" {
    name                         = lower(var.SQLServerName)
    resource_group_name          = azurerm_resource_group.resource.name
    location                     = azurerm_resource_group.resource.location
    version                      = "12.0"
    administrator_login          = var.Username
    administrator_login_password = random_password.SQLPassword.result

    # storage_endpoint takes the same blob endpoint URL the assessment path is built from
    extended_auditing_policy {
        storage_endpoint                        = var.AssessmentStorageName
        storage_account_access_key              = var.storage_account_access_key
        storage_account_access_key_is_secondary = true
        retention_in_days                       = 365
    }
}

# A server has a single security alert policy, so the alert e-mail settings
# live on the same resource that the assessment references; a second
# azurerm_mssql_server_security_alert_policy for the same server would
# manage the same Azure object and overwrite this one on every apply
resource "azurerm_mssql_server_security_alert_policy" "standard" {
    resource_group_name  = azurerm_resource_group.resource.name
    server_name          = azurerm_sql_server.sql_server.name
    state                = "Enabled"
    email_account_admins = true

    email_addresses = [
        var.email,
    ]
}

# storage_container_path must be the full blob container URL
# (https://<account>.blob.core.windows.net/<container>/); both values
# have to be interpolated with ${...}, since a missing "$" leaves a
# literal "{var.AssessmentStorageName}" prefix, which is not a valid endpoint
resource "azurerm_mssql_server_vulnerability_assessment" "assessment" {
    server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.standard.id
    storage_container_path          = "${var.AssessmentStorageName}${var.assessmentcontainer}/"
    storage_account_access_key      = var.storage_account_access_key

    recurring_scans {
        enabled                   = true
        email_subscription_admins = true
        emails = [
            var.email,
        ]
    }
}

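Example configuration for the cross-subscription case, added here as an illustration; it is not code from the issue report or from the azurerm provider's own documentation. It uses the same azurerm 2.x resource names the report uses and assumes the variable names storage_subscription_id, assessment_storage_account, assessment_storage_rg, assessment_container, sql_server_name, sql_admin_login and alert_email, plus an identity that can read the storage account (and list its keys) in the other subscription. The account is resolved through an aliased azurerm provider pointed at that subscription, and storage_container_path is built from the data source's primary_blob_endpoint rather than typed by hand, so it always has the https://<account>.blob.core.windows.net/<container>/ shape the API error asks for:

```hcl
# Identity of the storage account that lives in the other subscription
# (assumed variable names; the values are yours)
variable "storage_subscription_id"    { type = string }
variable "assessment_storage_account" { type = string } # globally unique account name
variable "assessment_storage_rg"      { type = string } # resource group in that subscription
variable "assessment_container"       { type = string } # blob container for scan results

# Values for the SQL server side (assumed names)
variable "sql_server_name" { type = string }
variable "sql_admin_login" { type = string }
variable "alert_email"     { type = string }

# Default provider: the subscription that will hold the SQL server
provider "azurerm" {
  features {}
}

# Second provider instance for the subscription that owns the storage
# account; the identity running Terraform needs read access there,
# including permission to list the account keys
provider "azurerm" {
  alias           = "storage_sub"
  subscription_id = var.storage_subscription_id
  features {}
}

# Look the account up in the other subscription via the aliased provider
data "azurerm_storage_account" "assessment" {
  provider            = azurerm.storage_sub
  name                = var.assessment_storage_account
  resource_group_name = var.assessment_storage_rg
}

locals {
  # primary_blob_endpoint already carries the trailing slash, e.g.
  # https://myaccount.blob.core.windows.net/ , so the container name is
  # appended directly, followed by the slash the API expects
  assessment_container_path = "${data.azurerm_storage_account.assessment.primary_blob_endpoint}${var.assessment_container}/"

  # regex() raises an error at plan time when the string does not match,
  # which catches a malformed path (a missing "$" in an interpolation, a
  # bare account name instead of an endpoint) before the API rejects it
  # with DataSecurityInvalidUserSuppliedParameter
  assessment_path_check = regex(
    "^https://[a-z0-9]+\\.blob\\.core\\.windows\\.net/[a-z0-9-]+/$",
    local.assessment_container_path,
  )
}

resource "azurerm_resource_group" "sql" {
  name     = "rg-${var.sql_server_name}"
  location = "East US"
}

# Needs the random provider, installed by terraform init
resource "random_password" "sql_admin" {
  length           = 30
  special          = true
  override_special = "_%@"
}

resource "azurerm_sql_server" "sql" {
  name                         = lower(var.sql_server_name)
  resource_group_name          = azurerm_resource_group.sql.name
  location                     = azurerm_resource_group.sql.location
  version                      = "12.0"
  administrator_login          = var.sql_admin_login
  administrator_login_password = random_password.sql_admin.result

  # Auditing goes to the same cross-subscription account, using the same
  # endpoint form the assessment path is built from
  extended_auditing_policy {
    storage_endpoint           = data.azurerm_storage_account.assessment.primary_blob_endpoint
    storage_account_access_key = data.azurerm_storage_account.assessment.primary_access_key
    retention_in_days          = 365
  }
}

# One alert policy per server; the assessment hangs off its id
resource "azurerm_mssql_server_security_alert_policy" "standard" {
  resource_group_name  = azurerm_resource_group.sql.name
  server_name          = azurerm_sql_server.sql.name
  state                = "Enabled"
  email_addresses      = [var.alert_email]
  email_account_admins = true
}

resource "azurerm_mssql_server_vulnerability_assessment" "assessment" {
  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.standard.id
  storage_container_path          = local.assessment_container_path
  storage_account_access_key      = data.azurerm_storage_account.assessment.primary_access_key

  recurring_scans {
    enabled                   = true
    email_subscription_admins = true
    emails                    = [var.alert_email]
  }
}
```

Two things to keep in mind when using this shape. The account key read from the data source is written in clear text to the Terraform state, so the state backend needs the same protection as the key itself; the resource also accepts storage_container_sas_key instead of the account key, and a SAS scoped to the one container limits what an exposed state file gives away. And the local regex check is deliberately strict: it will reject endpoints outside the public Azure cloud (for example sovereign-cloud blob suffixes), so widen the host pattern if that applies to you.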
danieldreier commented 4 years ago

Thanks for reporting this! I think that this is an issue to be addressed in the AzureRM Terraform provider, rather than in core. I'm going to label it as such, and the HashiBot will shortly migrate it over to the provider GitHub repository. Please feel free to re-open this if they determine that it is indeed an issue that needs to be addressed in Terraform core.

ghost commented 4 years ago

This issue has been automatically migrated to terraform-providers/terraform-provider-azurerm#8199 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to terraform-providers/terraform-provider-azurerm#8199.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.