Support auditing to a storage account in VNet. (#11500)

* Aupport Auditing to Storage Account in VNet * Fix tests * Support auditing to a storage account in VNet. * Undo a breaking change. * Add records * Update records * Update SqlAuditAdapter.cs * Update test records
Azure · Apr 10, 2020 · d1bc67a · d1bc67a
1 parent a94d789
commit d1bc67a
Show file tree

Hide file tree

Showing 42 changed files with 34,837 additions and 28,262 deletions.
diff --git a/src/Sql/Sql.Test/ScenarioTests/AuditTests.cs b/src/Sql/Sql.Test/ScenarioTests/AuditTests.cs
@@ -240,5 +240,19 @@ public void TestRemoveServerAuditingSettingsMultipleDiagnosticSettings()
         {
             RunPowerShellTest("Test-RemoveServerAuditingSettingsMultipleDiagnosticSettings");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestServerAuditingToStorageInVNet()
+        {
+            RunPowerShellTest("Test-ServerAuditingToStorageInVNet");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestDatabaseAuditingToStorageInVNet()
+        {
+            RunPowerShellTest("Test-DatabaseAuditingToStorageInVNet");
+        }
     }
 }
diff --git a/src/Sql/Sql.Test/ScenarioTests/AuditTests.ps1 b/src/Sql/Sql.Test/ScenarioTests/AuditTests.ps1
@@ -1184,6 +1184,105 @@ function Test-RemoveAuditOnDatabase
 	}
 }
 
+<#
+.SYNOPSIS
+Test Server Auditing to storage acount in VNet
+#>
+function Test-ServerAuditingToStorageInVNet
+{
+	# Setup
+	$testSuffix = getAssetName
+	Create-BlobAuditingTestEnvironment $testSuffix "West Central US" "12.0" $True
+	$params = Get-SqlBlobAuditingTestEnvironmentParameters $testSuffix
+	$subscriptionId = (Get-AzContext).Subscription.Id
+
+	try
+	{
+		# Enable Server Auditing to storage in VNet, and verify.
+	    $profile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
+		$cmdlet = New-Object -TypeName Microsoft.Azure.Commands.Sql.Auditing.Cmdlet.SetAzSqlServerAudit
+		$cmdlet.DefaultProfile = $profile
+		$cmdlet.CommandRuntime = $PSCmdlet.CommandRuntime
+		$cmdlet.ResourceGroupName = $params.rgname
+		$cmdlet.ServerName = $params.serverName
+		$cmdlet.BlobStorageTargetState = "Enabled"
+		$cmdlet.StorageAccountResourceId = $params.storageAccountResourceId
+        $cmdlet.RoleAssignmentId = "B6C2E345-234A-421A-ADB2-4E81DD4470D6"
+		$cmdlet.ExecuteCmdlet()
+
+		$policy = Get-AzSqlServerAudit -ResourceGroupName $params.rgname -ServerName $params.serverName
+		Assert-AreEqual "Enabled" $policy.BlobStorageTargetState
+		Assert-AreEqual 3 $policy.AuditActionGroup.Length
+		Assert-AreEqual "" $policy.PredicateExpression
+		Assert-AreEqual $params.storageAccountResourceId $policy.StorageAccountResourceId
+		Assert-AreEqual 0 $policy.RetentionInDays
+
+		# Disable Server Auditing and verify.
+		Get-AzSqlServer -ResourceGroupName $params.rgname -ServerName $params.serverName | Set-AzSqlServerAudit -BlobStorageTargetState Disabled
+		$policy = Get-AzSqlServerAudit -ResourceGroupName $params.rgname -ServerName $params.serverName
+		Assert-AreEqual "Disabled" $policy.BlobStorageTargetState
+		Assert-AreEqual 3 $policy.AuditActionGroup.Length
+		Assert-Null $policy.StorageAccountResourceId
+		Assert-AreEqual "" $policy.PredicateExpression
+		Assert-Null $policy.RetentionInDays
+	}
+	finally
+	{
+		# Cleanup
+		Remove-BlobAuditingTestEnvironment $testSuffix
+	}
+}
+
+<#
+.SYNOPSIS
+Test Database Auditing to storage acount in VNet
+#>
+function Test-DatabaseAuditingToStorageInVNet
+{
+	# Setup
+	$testSuffix = getAssetName
+	Create-BlobAuditingTestEnvironment $testSuffix "West Central US" "12.0" $True
+	$params = Get-SqlBlobAuditingTestEnvironmentParameters $testSuffix
+	$subscriptionId = (Get-AzContext).Subscription.Id
+
+	try
+	{
+		# Enable Database Auditing to storage in VNet, and verify.
+	    $profile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
+		$cmdlet = New-Object -TypeName Microsoft.Azure.Commands.Sql.Auditing.Cmdlet.SetAzSqlDatabaseAudit
+		$cmdlet.DefaultProfile = $profile
+		$cmdlet.CommandRuntime = $PSCmdlet.CommandRuntime
+		$cmdlet.ResourceGroupName = $params.rgname
+		$cmdlet.ServerName = $params.serverName
+		$cmdlet.DatabaseName = $params.databaseName
+		$cmdlet.BlobStorageTargetState = "Enabled"
+		$cmdlet.StorageAccountResourceId = $params.storageAccountResourceId
+        $cmdlet.RoleAssignmentId = "F9CFE83C-552B-4ED1-BC58-741EF3A620AE"
+		$cmdlet.ExecuteCmdlet()
+
+		$policy = Get-AzSqlDatabaseAudit -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
+		Assert-AreEqual "Enabled" $policy.BlobStorageTargetState
+		Assert-AreEqual 3 $policy.AuditActionGroup.Length
+		Assert-AreEqual "" $policy.PredicateExpression
+		Assert-AreEqual $params.storageAccountResourceId $policy.StorageAccountResourceId
+		Assert-AreEqual 0 $policy.RetentionInDays
+
+		# Disable Database Auditing and verify.
+		Get-AzSqlDatabase -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName | Set-AzSqlDatabaseAudit -BlobStorageTargetState Disabled
+		$policy = Get-AzSqlDatabaseAudit -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
+		Assert-AreEqual "Disabled" $policy.BlobStorageTargetState
+		Assert-AreEqual 3 $policy.AuditActionGroup.Length
+		Assert-Null $policy.StorageAccountResourceId
+		Assert-AreEqual "" $policy.PredicateExpression
+		Assert-Null $policy.RetentionInDays
+	}
+	finally
+	{
+		# Cleanup
+		Remove-BlobAuditingTestEnvironment $testSuffix
+	}
+}
+
 <#
 .SYNOPSIS
 Test for all auditing settings on a server

diff --git a/src/Sql/Sql.Test/ScenarioTests/Common.ps1 b/src/Sql/Sql.Test/ScenarioTests/Common.ps1
@@ -32,13 +32,13 @@ Gets the values of the parameters used at the blob auditing tests
 function Get-SqlBlobAuditingTestEnvironmentParameters ($testSuffix)
 {
 	$subscriptionId = (Get-AzContext).Subscription.Id
-	return @{ rgname = "blob-audit-cmdlet-test-rg" + $testSuffix;
-			  serverName = "blob-audit-cmdlet-server" + $testSuffix;
-			  databaseName = "blob-audit-cmdlet-db" + $testSuffix;
+	return @{ rgname = "audit-cmdlet-test-rg" + $testSuffix;
+			  serverName = "audit-cmdlet-server" + $testSuffix;
+			  databaseName = "audit-cmdlet-db" + $testSuffix;
 			  storageAccount = "blobaudit" + $testSuffix
 			  eventHubNamespace = "audit-cmdlet-event-hub-ns" + $testSuffix
 			  workspaceName = "audit-cmdlet-workspace" +$testSuffix
-			  storageAccountResourceId = "/subscriptions/" + $subscriptionId + "/resourceGroups/" + "blob-audit-cmdlet-test-rg" + $testSuffix + "/providers/Microsoft.Storage/storageAccounts/" + "blobaudit" + $testSuffix
+			  storageAccountResourceId = "/subscriptions/" + $subscriptionId + "/resourceGroups/" + "audit-cmdlet-test-rg" + $testSuffix + "/providers/Microsoft.Storage/storageAccounts/" + "blobaudit" + $testSuffix
 		}
 }
 
@@ -77,24 +77,14 @@ function Get-SqlDataMaskingTestEnvironmentParameters ($testSuffix)
 			  }
 }
 
-<#
-.SYNOPSIS
-Creates the test environment needed to perform the Sql auditing tests
-#>
-function Create-AuditingTestEnvironment ($testSuffix, $location = "West Central US", $serverVersion = "12.0")
-{
-	$params = Get-SqlAuditingTestEnvironmentParameters $testSuffix
-	Create-TestEnvironmentWithParams $params $location $serverVersion
-}
-
 <#
 .SYNOPSIS
 Creates the test environment needed to perform the Sql blob auditing tests
 #>
-function Create-BlobAuditingTestEnvironment ($testSuffix, $location = "West Central US", $serverVersion = "12.0")
+function Create-BlobAuditingTestEnvironment ($testSuffix, $location = "West Central US", $serverVersion = "12.0", $denyAsNetworkRuleDefaultAction = $False)
 {
 	$params = Get-SqlBlobAuditingTestEnvironmentParameters $testSuffix
-	Create-TestEnvironmentWithParams $params $location $serverVersion
+	Create-TestEnvironmentWithParams $params $location $serverVersion $denyAsNetworkRuleDefaultAction
 	New-AzOperationalInsightsWorkspace -ResourceGroupName $params.rgname -Name $params.workspaceName -Sku "Standard" -Location "eastus"
 	New-AzEventHubNamespace -ResourceGroupName $params.rgname -NamespaceName $params.eventHubNamespace -Location $location
 }
@@ -143,10 +133,10 @@ function Create-ThreatDetectionClassicTestEnvironment ($testSuffix, $location =
 .SYNOPSIS
 Creates the test environment needed to perform the Sql auditing tests
 #>
-function Create-TestEnvironmentWithParams ($params, $location, $serverVersion)
+function Create-TestEnvironmentWithParams ($params, $location, $serverVersion, $denyAsNetworkRuleDefaultAction = $False)
 {
 	Create-BasicTestEnvironmentWithParams $params $location $serverVersion
-	New-AzStorageAccount -StorageAccountName $params.storageAccount -ResourceGroupName $params.rgname -Location $location -Type Standard_GRS
+	New-AzStorageAccount -StorageAccountName $params.storageAccount -ResourceGroupName $params.rgname -Location $location -Type Standard_GRS -DenyAsNetworkRuleDefaultAction $denyAsNetworkRuleDefaultAction
 	Wait-Seconds 10
 }