hashicorp · mbfrahry · Apr 3, 2024 · Mar 26, 2024 · Mar 27, 2024
@@ -10,6 +10,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/services/preview/sql/mgmt/v5.0/sql" // nolint: staticcheck
 	"github.com/gofrs/uuid"
+	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
@@ -93,6 +94,23 @@ func resourceMsSqlServerExtendedAuditingPolicy() *pluginsdk.Resource {
 				Sensitive:    true,
 				ValidateFunc: validation.IsUUID,
 			},
+
+			"predicate_expression": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringIsNotEmpty,
+			},
+
+			"audit_actions_and_groups": {
+				Type:     pluginsdk.TypeList,
+				Optional: true,
+				// audit_actions_and_groups seems to be pre-populated with values ["SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP", "BATCH_COMPLETED_GROUP"],
+				Computed: true,
+				Elem: &pluginsdk.Schema{
+					Type:         pluginsdk.TypeString,
+					ValidateFunc: validation.StringIsNotEmpty,
+				},
+			},
 		},
 	}
 }
@@ -151,6 +169,14 @@ func resourceMsSqlServerExtendedAuditingPolicyCreateUpdate(d *pluginsdk.Resource
 		params.ExtendedServerBlobAuditingPolicyProperties.StorageAccountAccessKey = utils.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("predicate_expression"); ok {
+		params.ExtendedServerBlobAuditingPolicyProperties.PredicateExpression = pointer.To(v.(string))
+	}
+
+	if v, ok := d.GetOk("audit_actions_and_groups"); ok && len(v.([]interface{})) > 0 {
+		params.ExtendedServerBlobAuditingPolicyProperties.AuditActionsAndGroups = utils.ExpandStringSlice(v.([]interface{}))
+	}
+
 	future, err := client.CreateOrUpdate(ctx, serverId.ResourceGroupName, serverId.ServerName, params)
 	if err != nil {
 		return fmt.Errorf("creating MsSql Server Extended Auditing Policy %s: %+v", serverId, err)
@@ -195,6 +221,8 @@ func resourceMsSqlServerExtendedAuditingPolicyRead(d *pluginsdk.ResourceData, me
 		d.Set("retention_in_days", props.RetentionDays)
 		d.Set("log_monitoring_enabled", props.IsAzureMonitorTargetEnabled)
 		d.Set("enabled", props.State == sql.BlobAuditingPolicyStateEnabled)
+		d.Set("predicate_expression", props.PredicateExpression)
+		d.Set("audit_actions_and_groups", utils.FlattenStringSlice(props.AuditActionsAndGroups))
 
 		if props.StorageAccountSubscriptionID.String() != "00000000-0000-0000-0000-000000000000" {
 			d.Set("storage_account_subscription_id", props.StorageAccountSubscriptionID.String())

@@ -114,6 +114,64 @@ func TestAccMsSqlServerExtendedAuditingPolicy_storageAccBehindFireWall(t *testin
 	})
 }
 
+func TestAccMsSqlServerExtendedAuditingPolicy_predicateExpression(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_mssql_server_extended_auditing_policy", "test")
+	r := MsSqlServerExtendedAuditingPolicyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.basic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("storage_account_access_key"),
+		{
+			Config: r.predicateExpression(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("storage_account_access_key"),
+		{
+			Config: r.basic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("storage_account_access_key"),
+	})
+}
+
+func TestAccMsSqlServerExtendedAuditingPolicy_auditActionsAndGroups(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_mssql_server_extended_auditing_policy", "test")
+	r := MsSqlServerExtendedAuditingPolicyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.basic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("storage_account_access_key"),
+		{
+			Config: r.auditActionsAndGroups(data, "[\"BATCH_COMPLETED_GROUP\"]"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("storage_account_access_key"),
+		{
+			Config: r.auditActionsAndGroups(data, "[\"BATCH_COMPLETED_GROUP\", \"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\"]"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("storage_account_access_key"),
+	})
+}
+
 func (MsSqlServerExtendedAuditingPolicyResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := parse.ServerExtendedAuditingPolicyID(state.ID)
 	if err != nil {
@@ -321,3 +379,31 @@ resource "azurerm_mssql_server_extended_auditing_policy" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary, data.RandomString)
 }
+
+func (r MsSqlServerExtendedAuditingPolicyResource) predicateExpression(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_mssql_server_extended_auditing_policy" "test" {
+  server_id                  = azurerm_mssql_server.test.id
+  storage_endpoint           = azurerm_storage_account.test.primary_blob_endpoint
+  storage_account_access_key = azurerm_storage_account.test.primary_access_key
+
+  predicate_expression = "action_id != 17234"
+}
+`, r.template(data))
+}
+
+func (r MsSqlServerExtendedAuditingPolicyResource) auditActionsAndGroups(data acceptance.TestData, input string) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_mssql_server_extended_auditing_policy" "test" {
+  server_id                  = azurerm_mssql_server.test.id
+  storage_endpoint           = azurerm_storage_account.test.primary_blob_endpoint
+  storage_account_access_key = azurerm_storage_account.test.primary_access_key
+
+  audit_actions_and_groups = %s
+}
+`, r.template(data), input)
+}
@@ -270,6 +270,10 @@ The following arguments are supported:
 
 * `storage_account_subscription_id` - (Optional) The ID of the Subscription containing the Storage Account.
 
+* `predicate_expression` - (Optional) Specifies condition of where clause when creating an audit.
+
+* `audit_actions_and_groups` - (Optional) A list of Actions-Groups and Actions to audit.
+
 ## Attributes Reference
 
 In addition to the Arguments listed above - the following Attributes are exported: