Azure Database SQL Server Database Extended Auditing Policy
This page shows how to write Terraform and Azure Resource Manager for Database SQL Server Database Extended Auditing Policy and write them securely.
azurerm_mssql_database_extended_auditing_policy (Terraform)
The SQL Server Database Extended Auditing Policy in Database can be configured in Terraform with the resource name azurerm_mssql_database_extended_auditing_policy. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_mssql_database_extended_auditing_policy" "mssqldbaudit" {
database_id = var.sqldb_database_id
storage_endpoint = var.sqldb_audit_endpoint
storage_account_access_key = var.sqldb_audit_access_key
storage_account_access_key_is_secondary = var.sqldb_audit_access_key_is_2nd
retention_in_days = var.sqldb_audit_retention
resource "azurerm_mssql_database_extended_auditing_policy" "sql_db_ext_auditing_policys" {
for_each = var.sql_server_db_names
database_id = azurerm_mssql_database.sql_databases[each.key].id
storage_endpoint = var.storage_account_blob_endpoint
storage_account_access_key = var.storage_account_primary_secret
resource "azurerm_mssql_database_extended_auditing_policy" "example" {
database_id = azurerm_mssql_database.examplea.id
storage_endpoint = azurerm_storage_account.examplea.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.examplea.primary_access_key
storage_account_access_key_is_secondary = false
retention_in_days = var.audit_retention_in_days
resource "azurerm_mssql_database_extended_auditing_policy" "lab01" {
database_id = azurerm_mssql_database.lab01.id
storage_endpoint = azurerm_storage_account.lab01.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.lab01.primary_access_key
storage_account_access_key_is_secondary = false
retention_in_days = 30
resource "azurerm_mssql_database_extended_auditing_policy" "auditing" {
depends_on = [
azurerm_mssql_server.db-server,
azurerm_mssql_database.db,
azurerm_mssql_elasticpool.Vcore,
azurerm_mssql_elasticpool.DTU
resource "azurerm_mssql_database_extended_auditing_policy" "example" {
database_id = azurerm_sql_database.examplea.id
storage_endpoint = azurerm_storage_account.examplea.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.examplea.primary_access_key
storage_account_access_key_is_secondary = false
retention_in_days = var.audit_retention_in_days
resource "azurerm_mssql_database_extended_auditing_policy" "mssqldb" {
database_id = azurerm_mssql_database.sql_db.id
storage_endpoint = var.sa_primary_blob_endpoint
storage_account_access_key = var.sa_primary_access_key
retention_in_days = var.retention_days
resource "azurerm_mssql_database_extended_auditing_policy" "lab02" {
database_id = azurerm_mssql_database.lab02.id
storage_endpoint = azurerm_storage_account.lab02.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.lab02.primary_access_key
storage_account_access_key_is_secondary = false
retention_in_days = 30
resource "azurerm_mssql_database_extended_auditing_policy" "example" {
database_id = azurerm_mssql_database.test.id
storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.example.primary_access_key
storage_account_access_key_is_secondary = false
retention_in_days = 6
resource "azurerm_mssql_database_extended_auditing_policy" "mssqldb" {
database_id = azurerm_mssql_database.sql_db.id
storage_endpoint = var.sa_primary_blob_endpoint
storage_account_access_key = var.sa_primary_access_key
retention_in_days = var.retention_days
Security Best Practices for azurerm_mssql_database_extended_auditing_policy
There is 1 setting in azurerm_mssql_database_extended_auditing_policy that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure to configure retention periods of database auditing to enough duration
It is better to configure retention periods of database auditing to enough duration. It would be better to set greater than at least 90 days.
Parameters
-
database_idrequired - string -
idoptional computed - string -
log_monitoring_enabledoptional - bool -
retention_in_daysoptional - number -
storage_account_access_keyoptional - string -
storage_account_access_key_is_secondaryoptional - bool -
storage_endpointoptional - string -
timeoutssingle block
Explanation in Terraform Registry
Manages a Ms Sql Database Extended Auditing Policy.
NOTE: The Database Extended Auditing Policy Can be set inline here as well as with the mssql_database_extended_auditing_policy resource resource. You can only use one or the other and using both will cause a conflict.
Tips: Best Practices for The Other Azure Database Resources
In addition to the azurerm_mariadb_firewall_rule, Azure Database has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_mariadb_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_mariadb_server
Ensure that access to Azure SQL Database is restricted
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_mssql_server
Ensure to enable auditing on Azure SQL databases
It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.
azurerm_mssql_server_security_alert_policy
Ensure to configure at least one email address for threat alerts
It is better to configure at least one email address for threat alerts. SQL Server is able to send alerts for threat detection via emails and it could support us to notice the incident on time.
azurerm_mysql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_mysql_server
Ensure to disable public access to database
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_postgresql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_postgresql_server
Ensure to disable public access to database
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_sql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_sql_server
Ensure to enable auditing on Azure SQL databases
It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.
Microsoft.Sql/servers/databases/extendedAuditingSettings (Azure Resource Manager)
The servers/databases/extendedAuditingSettings in Microsoft.Sql can be configured in Azure Resource Manager with the resource name Microsoft.Sql/servers/databases/extendedAuditingSettings. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state": "Enabled",
"isAzureMonitorTargetEnabled": true,
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state": "Enabled",
"isAzureMonitorTargetEnabled": true,
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state":"Enabled",
"storageEndpoint": "https://mystorage.blob.core.windows.net",
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state":"Enabled",
"storageEndpoint": "https://mystorage.blob.core.windows.net",
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state":"Enabled",
"storageEndpoint": "https://mystorage.blob.core.windows.net",
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state": "Enabled",
"isAzureMonitorTargetEnabled": true,
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state":"Enabled",
"storageEndpoint": "https://mystorage.blob.core.windows.net",
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state":"Enabled",
"storageEndpoint": "https://mystorage.blob.core.windows.net",
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state": "Enabled",
"isAzureMonitorTargetEnabled": true,
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"type": "Microsoft.Sql/servers/databases/extendedAuditingSettings",
"properties": {
"state": "Enabled",
"isAzureMonitorTargetEnabled": true,
"retentionDays": 0,
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
Frequently asked questions
What is Azure Database SQL Server Database Extended Auditing Policy?
Azure Database SQL Server Database Extended Auditing Policy is a resource for Database of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Database SQL Server Database Extended Auditing Policy?
For Terraform, the prancer-io/prancer-terramerra, logamanig/infinite.cloud.deployment and JamesWoolfenden/terraform-azurerm-mssqlserver source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the assing/alerts-extension, shawns1/shawns1CI and yuncmsft/swagger source code examples are useful. See the Azure Resource Manager Example section for further details.
