Support for sql auditing to Azure Monitor (#10324)

Fix: #7695 #10100 #6849
hashicorp · Feb 26, 2021 · 2598a62 · 2598a62
1 parent 809be17
commit 2598a62
Show file tree

Hide file tree

Showing 16 changed files with 718 additions and 113 deletions.
diff --git a/azurerm/internal/services/mssql/helper/sql_extended_auditing.go b/azurerm/internal/services/mssql/helper/sql_extended_auditing.go
@@ -19,14 +19,14 @@ func ExtendedAuditingSchema() *schema.Schema {
 			Schema: map[string]*schema.Schema{
 				"storage_account_access_key": {
 					Type:         schema.TypeString,
-					Required:     true,
+					Optional:     true,
 					Sensitive:    true,
 					ValidateFunc: validation.StringIsNotEmpty,
 				},
 
 				"storage_endpoint": {
 					Type:         schema.TypeString,
-					Required:     true,
+					Optional:     true,
 					ValidateFunc: validation.IsURLWithHTTPS,
 				},
 
@@ -40,6 +40,12 @@ func ExtendedAuditingSchema() *schema.Schema {
 					Optional:     true,
 					ValidateFunc: validation.IntBetween(0, 3285),
 				},
+
+				"log_monitoring_enabled": {
+					Type:     schema.TypeBool,
+					Optional: true,
+					Default:  true,
+				},
 			},
 		},
 	}
@@ -49,18 +55,15 @@ func ExpandSqlServerBlobAuditingPolicies(input []interface{}) *sql.ExtendedServe
 	if len(input) == 0 || input[0] == nil {
 		return &sql.ExtendedServerBlobAuditingPolicyProperties{
 			State: sql.BlobAuditingPolicyStateDisabled,
-
-			// NOTE: this works around a regression in the Azure API detailed here:
-			// https://github.com/Azure/azure-rest-api-specs/issues/11271
-			IsAzureMonitorTargetEnabled: utils.Bool(true),
 		}
 	}
 	serverBlobAuditingPolicies := input[0].(map[string]interface{})
 
 	ExtendedServerBlobAuditingPolicyProperties := sql.ExtendedServerBlobAuditingPolicyProperties{
-		State:                   sql.BlobAuditingPolicyStateEnabled,
-		StorageAccountAccessKey: utils.String(serverBlobAuditingPolicies["storage_account_access_key"].(string)),
-		StorageEndpoint:         utils.String(serverBlobAuditingPolicies["storage_endpoint"].(string)),
+		State:                       sql.BlobAuditingPolicyStateEnabled,
+		StorageAccountAccessKey:     utils.String(serverBlobAuditingPolicies["storage_account_access_key"].(string)),
+		StorageEndpoint:             utils.String(serverBlobAuditingPolicies["storage_endpoint"].(string)),
+		IsAzureMonitorTargetEnabled: utils.Bool(serverBlobAuditingPolicies["log_monitoring_enabled"].(bool)),
 	}
 	if v, ok := serverBlobAuditingPolicies["storage_account_access_key_is_secondary"]; ok {
 		ExtendedServerBlobAuditingPolicyProperties.IsStorageSecondaryKeyInUse = utils.Bool(v.(bool))
@@ -93,13 +96,18 @@ func FlattenSqlServerBlobAuditingPolicies(extendedServerBlobAuditingPolicy *sql.
 	if extendedServerBlobAuditingPolicy.RetentionDays != nil {
 		retentionDays = *extendedServerBlobAuditingPolicy.RetentionDays
 	}
+	var monitor bool
+	if extendedServerBlobAuditingPolicy.IsAzureMonitorTargetEnabled != nil {
+		monitor = *extendedServerBlobAuditingPolicy.IsAzureMonitorTargetEnabled
+	}
 
 	return []interface{}{
 		map[string]interface{}{
 			"storage_account_access_key":              storageAccessKey,
 			"storage_endpoint":                        storageEndpoint,
 			"storage_account_access_key_is_secondary": secondKeyInUse,
 			"retention_in_days":                       retentionDays,
+			"log_monitoring_enabled":                  monitor,
 		},
 	}
 }
@@ -108,18 +116,15 @@ func ExpandMsSqlDBBlobAuditingPolicies(input []interface{}) *sql.ExtendedDatabas
 	if len(input) == 0 || input[0] == nil {
 		return &sql.ExtendedDatabaseBlobAuditingPolicyProperties{
 			State: sql.BlobAuditingPolicyStateDisabled,
-
-			// NOTE: this works around a regression in the Azure API detailed here:
-			// https://github.com/Azure/azure-rest-api-specs/issues/11271
-			IsAzureMonitorTargetEnabled: utils.Bool(true),
 		}
 	}
 	dbBlobAuditingPolicies := input[0].(map[string]interface{})
 
 	ExtendedDatabaseBlobAuditingPolicyProperties := sql.ExtendedDatabaseBlobAuditingPolicyProperties{
-		State:                   sql.BlobAuditingPolicyStateEnabled,
-		StorageAccountAccessKey: utils.String(dbBlobAuditingPolicies["storage_account_access_key"].(string)),
-		StorageEndpoint:         utils.String(dbBlobAuditingPolicies["storage_endpoint"].(string)),
+		State:                       sql.BlobAuditingPolicyStateEnabled,
+		StorageAccountAccessKey:     utils.String(dbBlobAuditingPolicies["storage_account_access_key"].(string)),
+		StorageEndpoint:             utils.String(dbBlobAuditingPolicies["storage_endpoint"].(string)),
+		IsAzureMonitorTargetEnabled: utils.Bool(dbBlobAuditingPolicies["log_monitoring_enabled"].(bool)),
 	}
 	if v, ok := dbBlobAuditingPolicies["storage_account_access_key_is_secondary"]; ok {
 		ExtendedDatabaseBlobAuditingPolicyProperties.IsStorageSecondaryKeyInUse = utils.Bool(v.(bool))
@@ -152,13 +157,18 @@ func FlattenMsSqlDBBlobAuditingPolicies(extendedDatabaseBlobAuditingPolicy *sql.
 	if extendedDatabaseBlobAuditingPolicy.RetentionDays != nil {
 		retentionDays = *extendedDatabaseBlobAuditingPolicy.RetentionDays
 	}
+	var monitor bool
+	if extendedDatabaseBlobAuditingPolicy.IsAzureMonitorTargetEnabled != nil {
+		monitor = *extendedDatabaseBlobAuditingPolicy.IsAzureMonitorTargetEnabled
+	}
 
 	return []interface{}{
 		map[string]interface{}{
 			"storage_account_access_key":              storageAccessKey,
 			"storage_endpoint":                        storageEndpoint,
 			"storage_account_access_key_is_secondary": secondKeyInUse,
 			"retention_in_days":                       retentionDays,
+			"log_monitoring_enabled":                  monitor,
 		},
 	}
 }
diff --git a/azurerm/internal/services/mssql/mssql_database_extended_auditing_policy_resource.go b/azurerm/internal/services/mssql/mssql_database_extended_auditing_policy_resource.go
@@ -47,7 +47,7 @@ func resourceMsSqlDatabaseExtendedAuditingPolicy() *schema.Resource {
 
 			"storage_endpoint": {
 				Type:         schema.TypeString,
-				Required:     true,
+				Optional:     true,
 				ValidateFunc: validation.IsURLWithHTTPS,
 			},
 
@@ -70,6 +70,12 @@ func resourceMsSqlDatabaseExtendedAuditingPolicy() *schema.Resource {
 				Default:      0,
 				ValidateFunc: validation.IntBetween(0, 3285),
 			},
+
+			"log_monitoring_enabled": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
 		},
 	}
 }
@@ -102,14 +108,11 @@ func resourceMsSqlDatabaseExtendedAuditingPolicyCreateUpdate(d *schema.ResourceD
 
 	params := sql.ExtendedDatabaseBlobAuditingPolicy{
 		ExtendedDatabaseBlobAuditingPolicyProperties: &sql.ExtendedDatabaseBlobAuditingPolicyProperties{
-			State:                      sql.BlobAuditingPolicyStateEnabled,
-			StorageEndpoint:            utils.String(d.Get("storage_endpoint").(string)),
-			IsStorageSecondaryKeyInUse: utils.Bool(d.Get("storage_account_access_key_is_secondary").(bool)),
-			RetentionDays:              utils.Int32(int32(d.Get("retention_in_days").(int))),
-
-			// NOTE: this works around a regression in the Azure API detailed here:
-			// https://github.com/Azure/azure-rest-api-specs/issues/11271
-			IsAzureMonitorTargetEnabled: utils.Bool(true),
+			State:                       sql.BlobAuditingPolicyStateEnabled,
+			StorageEndpoint:             utils.String(d.Get("storage_endpoint").(string)),
+			IsStorageSecondaryKeyInUse:  utils.Bool(d.Get("storage_account_access_key_is_secondary").(bool)),
+			RetentionDays:               utils.Int32(int32(d.Get("retention_in_days").(int))),
+			IsAzureMonitorTargetEnabled: utils.Bool(d.Get("log_monitoring_enabled").(bool)),
 		},
 	}
 
@@ -166,6 +169,7 @@ func resourceMsSqlDatabaseExtendedAuditingPolicyRead(d *schema.ResourceData, met
 		d.Set("storage_endpoint", props.StorageEndpoint)
 		d.Set("storage_account_access_key_is_secondary", props.IsStorageSecondaryKeyInUse)
 		d.Set("retention_in_days", props.RetentionDays)
+		d.Set("log_monitoring_enabled", props.IsAzureMonitorTargetEnabled)
 	}
 
 	return nil
@@ -184,10 +188,6 @@ func resourceMsSqlDatabaseExtendedAuditingPolicyDelete(d *schema.ResourceData, m
 	params := sql.ExtendedDatabaseBlobAuditingPolicy{
 		ExtendedDatabaseBlobAuditingPolicyProperties: &sql.ExtendedDatabaseBlobAuditingPolicyProperties{
 			State: sql.BlobAuditingPolicyStateDisabled,
-
-			// NOTE: this works around a regression in the Azure API detailed here:
-			// https://github.com/Azure/azure-rest-api-specs/issues/11271
-			IsAzureMonitorTargetEnabled: utils.Bool(true),
 		},
 	}