azurerm_sql_database - support for the `extended_auditing_pol… (#5049)

Similar to #5036 continuation of #4982
hashicorp · Mar 16, 2020 · c9ceaa1 · c9ceaa1
1 parent 843323e
commit c9ceaa1
Show file tree

Hide file tree

Showing 5 changed files with 325 additions and 35 deletions.
diff --git a/azurerm/internal/services/sql/client/client.go b/azurerm/internal/services/sql/client/client.go
@@ -6,15 +6,16 @@ import (
 )
 
 type Client struct {
-	DatabasesClient                          *sql.DatabasesClient
-	DatabaseThreatDetectionPoliciesClient    *sql.DatabaseThreatDetectionPoliciesClient
-	ElasticPoolsClient                       *sql.ElasticPoolsClient
-	FirewallRulesClient                      *sql.FirewallRulesClient
-	FailoverGroupsClient                     *sql.FailoverGroupsClient
-	ServersClient                            *sql.ServersClient
-	ServerAzureADAdministratorsClient        *sql.ServerAzureADAdministratorsClient
-	VirtualNetworkRulesClient                *sql.VirtualNetworkRulesClient
-	ExtendedServerBlobAuditingPoliciesClient *sql.ExtendedServerBlobAuditingPoliciesClient
+	DatabasesClient                            *sql.DatabasesClient
+	DatabaseThreatDetectionPoliciesClient      *sql.DatabaseThreatDetectionPoliciesClient
+	ElasticPoolsClient                         *sql.ElasticPoolsClient
+	FirewallRulesClient                        *sql.FirewallRulesClient
+	FailoverGroupsClient                       *sql.FailoverGroupsClient
+	ServersClient                              *sql.ServersClient
+	ServerAzureADAdministratorsClient          *sql.ServerAzureADAdministratorsClient
+	VirtualNetworkRulesClient                  *sql.VirtualNetworkRulesClient
+	ExtendedDatabaseBlobAuditingPoliciesClient *sql.ExtendedDatabaseBlobAuditingPoliciesClient
+	ExtendedServerBlobAuditingPoliciesClient   *sql.ExtendedServerBlobAuditingPoliciesClient
 }
 
 func NewClient(o *common.ClientOptions) *Client {
@@ -43,18 +44,22 @@ func NewClient(o *common.ClientOptions) *Client {
 	VirtualNetworkRulesClient := sql.NewVirtualNetworkRulesClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
 	o.ConfigureClient(&VirtualNetworkRulesClient.Client, o.ResourceManagerAuthorizer)
 
+	ExtendedDatabaseBlobAuditingPoliciesClient := sql.NewExtendedDatabaseBlobAuditingPoliciesClientWithBaseURI(o.ResourceManagerEndpoint, o.SubscriptionId)
+	o.ConfigureClient(&ExtendedDatabaseBlobAuditingPoliciesClient.Client, o.ResourceManagerAuthorizer)
+
 	ExtendedServerBlobAuditingPoliciesClient := sql.NewExtendedServerBlobAuditingPoliciesClient(o.SubscriptionId)
 	o.ConfigureClient(&ExtendedServerBlobAuditingPoliciesClient.Client, o.ResourceManagerAuthorizer)
 
 	return &Client{
-		DatabasesClient:                          &DatabasesClient,
-		DatabaseThreatDetectionPoliciesClient:    &DatabaseThreatDetectionPoliciesClient,
-		ElasticPoolsClient:                       &ElasticPoolsClient,
-		FailoverGroupsClient:                     &FailoverGroupsClient,
-		FirewallRulesClient:                      &FirewallRulesClient,
-		ServersClient:                            &ServersClient,
-		ServerAzureADAdministratorsClient:        &ServerAzureADAdministratorsClient,
-		VirtualNetworkRulesClient:                &VirtualNetworkRulesClient,
-		ExtendedServerBlobAuditingPoliciesClient: &ExtendedServerBlobAuditingPoliciesClient,
+		DatabasesClient:                            &DatabasesClient,
+		DatabaseThreatDetectionPoliciesClient:      &DatabaseThreatDetectionPoliciesClient,
+		ElasticPoolsClient:                         &ElasticPoolsClient,
+		FailoverGroupsClient:                       &FailoverGroupsClient,
+		FirewallRulesClient:                        &FirewallRulesClient,
+		ServersClient:                              &ServersClient,
+		ServerAzureADAdministratorsClient:          &ServerAzureADAdministratorsClient,
+		VirtualNetworkRulesClient:                  &VirtualNetworkRulesClient,
+		ExtendedDatabaseBlobAuditingPoliciesClient: &ExtendedDatabaseBlobAuditingPoliciesClient,
+		ExtendedServerBlobAuditingPoliciesClient:   &ExtendedServerBlobAuditingPoliciesClient,
 	}
 }
diff --git a/azurerm/internal/services/sql/helper/sqlExtendedAuditing.go b/azurerm/internal/services/sql/helper/sqlExtendedAuditing.go
@@ -96,3 +96,58 @@ func FlattenAzureRmSqlServerBlobAuditingPolicies(extendedServerBlobAuditingPolic
 		},
 	}
 }
+
+func ExpandAzureRmSqlDBBlobAuditingPolicies(input []interface{}) *sql.ExtendedDatabaseBlobAuditingPolicyProperties {
+	if len(input) == 0 {
+		return &sql.ExtendedDatabaseBlobAuditingPolicyProperties{
+			State: sql.BlobAuditingPolicyStateDisabled,
+		}
+	}
+	dbBlobAuditingPolicies := input[0].(map[string]interface{})
+
+	ExtendedDatabaseBlobAuditingPolicyProperties := sql.ExtendedDatabaseBlobAuditingPolicyProperties{
+		State:                   sql.BlobAuditingPolicyStateEnabled,
+		StorageAccountAccessKey: utils.String(dbBlobAuditingPolicies["storage_account_access_key"].(string)),
+		StorageEndpoint:         utils.String(dbBlobAuditingPolicies["storage_endpoint"].(string)),
+	}
+	if v, ok := dbBlobAuditingPolicies["storage_account_access_key_is_secondary"]; ok {
+		ExtendedDatabaseBlobAuditingPolicyProperties.IsStorageSecondaryKeyInUse = utils.Bool(v.(bool))
+	}
+	if v, ok := dbBlobAuditingPolicies["retention_in_days"]; ok {
+		ExtendedDatabaseBlobAuditingPolicyProperties.RetentionDays = utils.Int32(int32(v.(int)))
+	}
+
+	return &ExtendedDatabaseBlobAuditingPolicyProperties
+}
+
+func FlattenAzureRmSqlDBBlobAuditingPolicies(extendedDatabaseBlobAuditingPolicy *sql.ExtendedDatabaseBlobAuditingPolicy, d *schema.ResourceData) []interface{} {
+	if extendedDatabaseBlobAuditingPolicy == nil || extendedDatabaseBlobAuditingPolicy.State == sql.BlobAuditingPolicyStateDisabled {
+		return []interface{}{}
+	}
+	var storageAccessKey, storageEndpoint string
+	// storage_account_access_key will not be returned, so we transfer the schema value
+	if v, ok := d.GetOk("extended_auditing_policy.0.storage_account_access_key"); ok {
+		storageAccessKey = v.(string)
+	}
+
+	if extendedDatabaseBlobAuditingPolicy.StorageEndpoint != nil {
+		storageEndpoint = *extendedDatabaseBlobAuditingPolicy.StorageEndpoint
+	}
+	var secondKeyInUse bool
+	if extendedDatabaseBlobAuditingPolicy.IsStorageSecondaryKeyInUse != nil {
+		secondKeyInUse = *extendedDatabaseBlobAuditingPolicy.IsStorageSecondaryKeyInUse
+	}
+	var retentionDays int32
+	if extendedDatabaseBlobAuditingPolicy.RetentionDays != nil {
+		retentionDays = *extendedDatabaseBlobAuditingPolicy.RetentionDays
+	}
+
+	return []interface{}{
+		map[string]interface{}{
+			"storage_account_access_key":              storageAccessKey,
+			"storage_endpoint":                        storageEndpoint,
+			"storage_account_access_key_is_secondary": secondKeyInUse,
+			"retention_in_days":                       retentionDays,
+		},
+	}
+}
diff --git a/azurerm/internal/services/sql/resource_arm_sql_database.go b/azurerm/internal/services/sql/resource_arm_sql_database.go
@@ -16,6 +16,7 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/sql/helper"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tags"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/timeouts"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
@@ -328,6 +329,8 @@ func resourceArmSqlDatabase() *schema.Resource {
 				Optional: true,
 			},
 
+			"extended_auditing_policy": helper.ExtendedAuditingSchema(),
+
 			"tags": tags.Schema(),
 		},
 
@@ -502,6 +505,14 @@ func resourceArmSqlDatabaseCreateUpdate(d *schema.ResourceData, meta interface{}
 		return fmt.Errorf("Error setting database threat detection policy: %+v", err)
 	}
 
+	auditingClient := meta.(*clients.Client).Sql.ExtendedDatabaseBlobAuditingPoliciesClient
+	auditingProps := sql.ExtendedDatabaseBlobAuditingPolicy{
+		ExtendedDatabaseBlobAuditingPolicyProperties: helper.ExpandAzureRmSqlDBBlobAuditingPolicies(d.Get("extended_auditing_policy").([]interface{})),
+	}
+	if _, err = auditingClient.CreateOrUpdate(ctx, resourceGroup, serverName, name, auditingProps); err != nil {
+		return fmt.Errorf("Error issuing create/update request for SQL Database %q Blob Auditing Policies(SQL Server %q/ Resource Group %q): %+v", name, serverName, resourceGroup, err)
+	}
+
 	return resourceArmSqlDatabaseRead(d, meta)
 }
 
@@ -586,6 +597,17 @@ func resourceArmSqlDatabaseRead(d *schema.ResourceData, meta interface{}) error
 		d.Set("zone_redundant", props.ZoneRedundant)
 	}
 
+	auditingClient := meta.(*clients.Client).Sql.ExtendedDatabaseBlobAuditingPoliciesClient
+	auditingResp, err := auditingClient.Get(ctx, resourceGroup, serverName, name)
+	if err != nil {
+		return fmt.Errorf("Error reading SQL Database %q: %v Blob Auditing Policies", name, err)
+	}
+
+	flattenBlobAuditing := helper.FlattenAzureRmSqlDBBlobAuditingPolicies(&auditingResp, d)
+	if err := d.Set("extended_auditing_policy", flattenBlobAuditing); err != nil {
+		return fmt.Errorf("Error setting `extended_auditing_policy`: %+v", err)
+	}
+
 	return tags.FlattenAndSet(d, resp.Tags)
 }