Support for external extended_auditing_policy setting for azurerm_sql_server #7486

Closed
yuri-tieto opened this issue Jun 25, 2020 · 5 comments · Fixed by #7793 or #8447
Labels
service/mssql Microsoft SQL Server
Comments

@yuri-tieto

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

To be able to send audit logs to a Storage account protected by a firewall, we have to add specific permissions for the SQL Server identity on Blob storage (the Storage Blob Data Contributor role). For that to happen, the SQL Server identity should be created first and then assigned to the specified role, so that as the next step we will be able to apply the audit settings and they will work. For this reason, extended_auditing_policy cannot be provided during SQL Server creation and should be done as a separate step. There is already an issue created regarding this for MSSQL server, #6906. This one is for SQL Server.

New or Affected Resource(s)

  • azurerm_sql_server (update)
  • azurerm_sql_server_auditing (new)

Potential Terraform Configuration

```hcl
# Proposed stand-alone auditing resource (resource label added; attributes as proposed)
resource "azurerm_sql_server_auditing" "example" {
  storage_endpoint                        = "https://myaccount.blob.core.windows.net/"
  storage_account_access_key              = "xxx" # Optional (only required if not using SystemAssigned identity)
  storage_account_access_key_is_secondary = false # Optional (only required if not using SystemAssigned identity)
  retention_in_days                       = 30
}
```

References

#6906
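The three-step ordering the issue asks for (create the server with an identity, grant that identity a data-plane role on the firewalled storage account, and only then apply auditing) can be expressed in Terraform once the auditing policy is a separate resource. The configuration below is an added example written for this page; it is not code from the issue or from the provider repository. It assumes provider 2.27.0 or later, the `azurerm_mssql_server_extended_auditing_policy` resource that shipped in that release (not the `azurerm_sql_server_auditing` name proposed above), and made-up resource names and the `sql_admin_password` variable.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.27"
    }
  }
}

provider "azurerm" {
  features {}
}

# Supplied at apply time (TF_VAR_sql_admin_password); never commit it.
variable "sql_admin_password" {
  type = string
}

resource "azurerm_resource_group" "example" {
  name     = "rg-sql-audit-example"
  location = "West Europe"
}

# Storage account that receives the audit logs. The firewall denies public
# access; the "AzureServices" bypass lets trusted Microsoft services (Azure SQL
# auditing among them) reach it once the server identity holds a data-plane role.
resource "azurerm_storage_account" "audit" {
  name                     = "stsqlauditexample01"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

# Step 1: create the server with a system-assigned identity and WITHOUT an
# inline extended_auditing_policy block, so the separate resource below owns it.
resource "azurerm_mssql_server" "example" {
  name                         = "sql-audit-example01"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password

  identity {
    type = "SystemAssigned"
  }
}

# Step 2: grant the server's managed identity write access to blobs on the
# audit account (Storage Blob Data Contributor, scoped to this account only).
resource "azurerm_role_assignment" "audit_writer" {
  scope                = azurerm_storage_account.audit.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_mssql_server.example.identity[0].principal_id
}

# Step 3: apply auditing last. storage_account_access_key is deliberately
# omitted so the service authenticates with the server identity rather than a
# shared key (the firewall case where a key must not be set). depends_on forces
# the role assignment to exist before the policy is written.
resource "azurerm_mssql_server_extended_auditing_policy" "example" {
  server_id         = azurerm_mssql_server.example.id
  storage_endpoint  = azurerm_storage_account.audit.primary_blob_endpoint
  retention_in_days = 90

  depends_on = [azurerm_role_assignment.audit_writer]
}
```

Two checks a practitioner should make after `terraform apply`: role assignments can take a few minutes to propagate in Azure AD, and `depends_on` only orders the API calls, so a first run can still produce a policy that writes nothing until propagation completes (a re-apply or a short wait fixes it); and the `sqldbauditlogs` container on the audit account should start receiving `.xel` blobs, which confirms both the role and the firewall bypass are correct.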

@yuri-tieto (Author)

Some additional information: it looks like the Portal, PowerShell SDK and ARM Templates are using the auditingSettings REST API endpoint (https://docs.microsoft.com/en-us/rest/api/sql/server%20auditing%20settings/createorupdate) for creating audit settings, but the Terraform Azure provider uses the extendedAuditingSettings endpoint (https://docs.microsoft.com/en-us/rest/api/sql/server%20extended%20auditing%20settings/createorupdate). And when I enable the firewall on the Storage Account, even though the SQL Server SystemAssigned identity has the Storage Blob Data Contributor role, audit logs are not getting written to blob storage. Is there any specific reason why the Terraform provider uses extendedAuditingSettings instead of auditingSettings? Will it be possible to change it, as even if this external resource for Azure SQL Server auditing is created, it is still not going to work for vnet/firewalled storage accounts.

@mybayern1974 mybayern1974 added the service/mssql Microsoft SQL Server label Jun 26, 2020
@yupwei68 (Contributor)

Hi @yuri-tieto, thanks for opening this issue.

  1. azurerm_mssql_server is calling a later version of the service API compared to azurerm_sql_server, and is planned to include all the functions that azurerm_sql_server owns and to substitute azurerm_sql_server in the long term.

  2. Once azurerm_mssql_server_auditing is implemented, we'll mark the internal block extended_auditing_policy as computed in both azurerm_mssql_server and azurerm_sql_server. Thus, there is no need to implement another resource azurerm_sql_server_auditing; the resources in azurerm_sql_* and azurerm_mssql_* can be used mixed.

  3. As for extended_auditing_policy compared to auditing_policy, we chose extended_auditing_policy because it includes more functions than auditing_policy, which might be useful in the future.

  4. Currently, even if you have assigned the Storage Blob Data Contributor role to the SQL server, you cannot audit the SQL server to a storage account behind a firewall, because storage_account_access_key must not be set in this case (and it is currently required in Terraform). It is not related to the use of extended_auditing_policy or auditing_policy.

m4r74 commented Jun 30, 2020

@yupwei68 what is the timeline for storage_account_access_key to be made as an optional field?

ghost commented Sep 10, 2020

This has been released in version 2.27.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

```hcl
provider "azurerm" {
    version = "~> 2.27.0"
}
# ... other configuration ...
```

ghost commented Oct 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 10, 2020