To enable audit logs to a LAW in Azure, the following MySQL configuration entries are needed:
```hcl
"audit_log_enabled" = "ON",
"audit_log_events" = "ADMIN,CONNECTION,DCL,DDL"
```
The latter may vary depending on what logging is desired from the server.
Via Terraform these could be implemented via a pair of `azurerm_mysql_flexible_server_configuration` resources:

```hcl
resource "azurerm_mysql_flexible_server_configuration" "audit_log_enabled" {
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = "audit_log_enabled"
  value               = "ON"
}

resource "azurerm_mysql_flexible_server_configuration" "audit_log_events" {
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = "audit_log_events"
  value               = "ADMIN,CONNECTION,DCL,DDL"
}
```
These could either be enabled via an option variable in the `variables.tf` file (e.g. `enable_audit_log`), or even better, such a variable could add the above defined in locals as an argument to a `merge()` function such as suggested in #50 (preferred).
This will also require a diagnostic setting resource and a LAW to house logs. In Terraform:
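
One possible shape for the pieces described in the issue above, as an added example (not code from the original post or the project, and not the `merge()` code from #50, which is not shown on this page). The variable `mysql_configuration`, the resource labels `audit` and `mysql_audit`, the placeholder names and the retention value are assumptions; the `enabled_log` block assumes an azurerm provider version that supports it.

```hcl
# Added example: names not present in the issue text are hypothetical.
variable "enable_audit_log" {
  type    = bool
  default = true # assumed default
}

variable "mysql_configuration" { # hypothetical map of other server parameters
  type    = map(string)
  default = {}
}

locals {
  audit_log_configuration = {
    audit_log_enabled = "ON"
    audit_log_events  = "ADMIN,CONNECTION,DCL,DDL"
  }
  # The audit entries are merged in only when the toggle is set.
  mysql_configuration = merge(var.mysql_configuration, {
    for k, v in local.audit_log_configuration : k => v if var.enable_audit_log
  })
}

resource "azurerm_mysql_flexible_server_configuration" "redcap" {
  for_each            = local.mysql_configuration
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = each.key
  value               = each.value
}

# Log Analytics workspace (LAW) that houses the audit logs.
resource "azurerm_log_analytics_workspace" "audit" {
  count               = var.enable_audit_log ? 1 : 0
  name                = "law-redcap-audit" # placeholder name
  location            = azurerm_resource_group.redcap.location
  resource_group_name = azurerm_resource_group.redcap.name
  sku                 = "PerGB2018"
  retention_in_days   = 90 # assumed retention period
}

# Diagnostic setting that routes the server's audit log category to the LAW.
resource "azurerm_monitor_diagnostic_setting" "mysql_audit" {
  count                      = var.enable_audit_log ? 1 : 0
  name                       = "mysql-audit-to-law" # placeholder name
  target_resource_id         = azurerm_mysql_flexible_server.redcap.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.audit[0].id
  enabled_log {
    category = "MySqlAuditLogs"
  }
}
```

Setting the two server parameters alone only makes the server generate audit events; without the diagnostic setting nothing reaches the workspace, so the three pieces are toggled by the same variable here.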
From a governance perspective, I prefer that auditing is enabled via Azure Policy. I am not sure if MySQL database auditing can be enabled via Policy, in which case we'll consider that for implementation in Bicep.