azurerm_sql_database - Add sql threat detection policy configuration #1628
Conversation
…onfiguration of the `azurerm_sql_database` resource
There was a problem hiding this comment.
hey @TFaga
Thanks for this PR - I've taken a look through and left some comments in-line - if we can fix those up we should be able to run the tests and see how this looks :)
Thanks!
| email_addresses = "%s" | ||
| storage_account_access_key = "${azurerm_storage_account.test.primary_access_key}" | ||
| storage_endpoint = "${azurerm_storage_account.test.primary_blob_endpoint}" | ||
| use_server_default = "%s" |
There was a problem hiding this comment.
minor can we make the indentation consistent here?
azurerm/resource_arm_sql_database.go
Outdated
| Elem: &schema.Resource{ | ||
| Schema: map[string]*schema.Schema{ | ||
| "disabled_alerts": { | ||
| Type: schema.TypeString, |
There was a problem hiding this comment.
going on the description below:
disabled_alerts- (Optional) Specifies the semicolon-separated list of alerts that are disabled, or empty string to disable no alerts. Possible values: Sql_Injection; Sql_Injection_Vulnerability; Access_Anomaly; Usage_Anomaly.
If this is guaranteed to be a list of semicolon-separated strings, it would be a better UX to make this a List/Set of strings, so that users could get a better diff here in future; what do you think?
| Type: schema.TypeString, | ||
| Optional: true, | ||
| DiffSuppressFunc: suppress.CaseDifference, | ||
| Default: string(sql.SecurityAlertPolicyUseServerDefaultDisabled), |
There was a problem hiding this comment.
🤔 would it make sense for this to default to Enabled?
There was a problem hiding this comment.
The reason I left it Disabled is because that's the default value returned from the API if no policy is set.
Default values from the API:
{
"properties": {
"useServerDefault": "Disabled",
"state": "Disabled",
"disabledAlerts": "",
"emailAddresses": "",
"emailAccountAdmins": "Disabled",
"storageEndpoint": "",
"storageAccountAccessKey": "",
"retentionDays": 0
}
}
azurerm/resource_arm_sql_database.go
Outdated
| }, | ||
|
|
||
| "email_addresses": { | ||
| Type: schema.TypeString, |
There was a problem hiding this comment.
(same here) I think this'd make more sense as a list?
| @@ -644,3 +682,51 @@ resource "azurerm_sql_database" "test" { | |||
| } | |||
| `, rInt, location, rInt, rInt, requestedServiceObjectiveName) | |||
| } | |||
|
|
|||
| func testAccAzureRMSqlDatabase_threatDetectionPolicy(rInt int, location, state, disabledAlerts, emailAccountAdmins, emailAddresses, | |||
There was a problem hiding this comment.
can we hard-code the state,disabledAlerts, emailAccountAdmins, emailAddresses, useServerDefault and retentionDays fields here? since they're only used in a single place, there's no need to make them dynamic
| @@ -85,6 +87,17 @@ The following arguments are supported: | |||
| * `authentication_type` - (Required) Specifies the type of authentication used to access the server. Valid values are `SQL` or `ADPassword`. | |||
| * `operation_mode` - (Optional) Specifies the type of import operation being performed. The only allowable value is `Import`. | |||
|
|
|||
| `threat_detection_policy` supports the following: | |||
|
|
|||
| * `state` - (Required) Specifies the state of the policy. If state is Enabled, storageEndpoint and storageAccountAccessKey are required. | |||
There was a problem hiding this comment.
can we update:
Specifies the state of the policy. If state is Enabled, storageEndpoint and storageAccountAccessKey are required.
to be:
The State of the Policy. Possible values are `Enabled`, `Disabled` or `New`.
| @@ -85,6 +87,17 @@ The following arguments are supported: | |||
| * `authentication_type` - (Required) Specifies the type of authentication used to access the server. Valid values are `SQL` or `ADPassword`. | |||
| * `operation_mode` - (Optional) Specifies the type of import operation being performed. The only allowable value is `Import`. | |||
|
|
|||
| `threat_detection_policy` supports the following: | |||
There was a problem hiding this comment.
minor can we add --- and then a blank line above this to add a divider?
|
|
||
| * `state` - (Required) Specifies the state of the policy. If state is Enabled, storageEndpoint and storageAccountAccessKey are required. | ||
| * `disabled_alerts` - (Optional) Specifies the semicolon-separated list of alerts that are disabled, or empty string to disable no alerts. Possible values: Sql_Injection; Sql_Injection_Vulnerability; Access_Anomaly; Usage_Anomaly. | ||
| * `email_account_admins` - (Optional) Specifies that the alert is sent to the account administrators. |
There was a problem hiding this comment.
Specifies that the alert is sent to the account administrators. -> Should the account administrators be emailed when this alert is triggered?
| * `state` - (Required) Specifies the state of the policy. If state is Enabled, storageEndpoint and storageAccountAccessKey are required. | ||
| * `disabled_alerts` - (Optional) Specifies the semicolon-separated list of alerts that are disabled, or empty string to disable no alerts. Possible values: Sql_Injection; Sql_Injection_Vulnerability; Access_Anomaly; Usage_Anomaly. | ||
| * `email_account_admins` - (Optional) Specifies that the alert is sent to the account administrators. | ||
| * `email_addresses` - (Optional) Specifies the semicolon-separated list of e-mail addresses to which the alert is sent. |
There was a problem hiding this comment.
Once we've updated this to a list (above) we should be able to make this:
A list of email addresses which alerts should be sent to.
| * `retention_days` - (Optional) Specifies the number of days to keep in the Threat Detection audit logs. | ||
| * `storage_account_access_key` - (Optional) Specifies the identifier key of the Threat Detection audit storage account. If state is Enabled, storageAccountAccessKey is required. | ||
| * `storage_endpoint` - (Optional) Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs. If state is Enabled, storageEndpoint is required. | ||
| * `use_server_default` - (Optional) Specifies whether to use the default server policy. |
There was a problem hiding this comment.
Specifies whether to use the default server policy. ->
Should the default server policy be used? Defaults to `true`
tombuildsstuff
added
enhancement
waiting-response
service/mssql
…es in the sql threat detection configuration of the `azurerm_sql_database` resource
|
@tombuildsstuff Hey, thank you for the quick review. I've pushed a commit to address the changes. |
There was a problem hiding this comment.
Hi @TFaga,
Thank you for the updates, apologies with the delay in giving this a re-review. I have left some mostly minor comments inline with my primary concern being there are no import test and a missing nil check. The rest are fairly stylistic in nature and are not blocking the PR.
azurerm/resource_arm_sql_database.go
Outdated
| @@ -327,6 +435,12 @@ func resourceArmSqlDatabaseCreateUpdate(d *schema.ResourceData, meta interface{} | |||
|
|
|||
| d.SetId(*resp.ID) | |||
|
|
|||
| threatDetectionClient := meta.(*ArmClient).sqlDatabaseThreatDetectionPoliciesClient | |||
| _, err = threatDetectionClient.CreateOrUpdate(ctx, resourceGroup, serverName, name, *threatDetection) | |||
| if err != nil { | |||
There was a problem hiding this comment.
These two lines could be combined:
if _, err = threatDetectionClient.CreateOrUpdate(ctx, resourceGroup, serverName, name, *threatDetection); err != nil {
azurerm/resource_arm_sql_database.go
Outdated
| @@ -354,6 +468,19 @@ func resourceArmSqlDatabaseRead(d *schema.ResourceData, meta interface{}) error | |||
| return fmt.Errorf("Error making Read request on Sql Database %s: %+v", name, err) | |||
| } | |||
|
|
|||
| oldThreatDetection, hasOldThreatDetection := d.GetOk("threat_detection_policy") | |||
| if hasOldThreatDetection { | |||
There was a problem hiding this comment.
Is there a reason we are only reading this in when it has been set in state?
If the user changes this in the portal/we are importing won't those changes now be ignored?
There was a problem hiding this comment.
The problem was that the thread detection problem is a separate API call which always returns the default values, causing every plan operation to be the following every time, if the threat_detection_policy was not set in the manifest as it filled out the list in the state with all default values:
~ azurerm_sql_database.test
threat_detection_policy.#: "1" => "0"
I've changed this so that the list element is marked computed, which alleviates the problem. Though I'm not sure if this is ok or if there is a better option to handle this case.
azurerm/resource_arm_sql_database.go
Outdated
| @@ -439,6 +566,46 @@ func flattenEncryptionStatus(encryption *[]sql.TransparentDataEncryption) string | |||
| return "" | |||
| } | |||
|
|
|||
| func flattenArmSqlServerThreatDetectionPolicy(policy sql.DatabaseSecurityAlertPolicy, oldThreatDetection []interface{}) []interface{} { | |||
|
|
|||
| properties := policy.DatabaseSecurityAlertPolicyProperties | |||
There was a problem hiding this comment.
Could we get a nil check here?
There was a problem hiding this comment.
Maybe return early:
threatDetectionPolicy := make(map[string]interface{})
properties := policy.DatabaseSecurityAlertPolicyProperties
if properties != nil {
return []interface{}{threatDetectionPolicy}
}
azurerm/resource_arm_sql_database.go
Outdated
| threatDetectionPolicy["email_account_admins"] = string(properties.EmailAccountAdmins) | ||
| threatDetectionPolicy["use_server_default"] = string(properties.UseServerDefault) | ||
|
|
||
| if properties.DisabledAlerts != nil && *properties.DisabledAlerts != "" { |
There was a problem hiding this comment.
could we simplify this by:
if disabledAlerts := properties.DisabledAlerts; disabledAlerts != nil {And if strings.Split() gets an empty string it should return an empty slice. Is there any harm in setting disabled_alerts to an empty slice?
This applies to email_addresses.
azurerm/resource_arm_sql_database.go
Outdated
| } | ||
|
|
||
| // If storage account access key is in state readd it to the new state, as the API does not return it for security reasons | ||
| if t, ok := oldThreatDetection[0].(map[string]interface{})["storage_account_access_key"]; ok { |
There was a problem hiding this comment.
Minor, but this can be done by passing in d and grabbing the property directly. An example can be see here
azurerm/resource_arm_sql_database.go
Outdated
| if v, ok := threadDetection["disabled_alerts"]; ok { | ||
| alerts := v.(*schema.Set).List() | ||
| expandedAlerts := make([]string, len(alerts)) | ||
| for i := range alerts { |
There was a problem hiding this comment.
Very minor but this could be
for _, v := range v.(*schema.Set).List() {
expandedAlerts[i] = v.(string)
}There was a problem hiding this comment.
I've updated to use the value from the current element of the loop, though still needed the index for the expandedAlerts variable.
| * `email_account_admins` - (Optional) Should the account administrators be emailed when this alert is triggered? | ||
| * `email_addresses` - (Optional) A list of email addresses which alerts should be sent to. | ||
| * `retention_days` - (Optional) Specifies the number of days to keep in the Threat Detection audit logs. | ||
| * `storage_account_access_key` - (Optional) Specifies the identifier key of the Threat Detection audit storage account. If state is Enabled, storageAccountAccessKey is required. |
There was a problem hiding this comment.
Echoing toms comment, could
If state is Enabled, storageAccountAccessKey is required.
become:
Required if
stateisenabled.
| ), | ||
| }, | ||
| { | ||
| Config: postConfig, |
There was a problem hiding this comment.
Could we get an import test step to verify that import works?
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},…g of the remote state of the `azurerm_sql_database` resource
|
Hi @katbyte , Thanks for the review. Apologies for the late response. I've pushed the changes in the comments. |
azurerm/resource_arm_sql_database.go
Outdated
| "storage_account_access_key": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Sensitive: true, |
There was a problem hiding this comment.
Can we add some validation here to ensure something is entered?
ValidateFunc: validation.NoZeroValues,
azurerm/resource_arm_sql_database.go
Outdated
|
|
||
| "storage_endpoint": { | ||
| Type: schema.TypeString, | ||
| Optional: true, |
There was a problem hiding this comment.
Same here with the validation.
…account_access_key` property of the `azurerm_sql_database` resource
|
Hi @jeffreyCline, I've pushed the changes in the comments. |
|
Thank you for the updates! this LGTM 👍 Tests pass: |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
This pull request adds the ability to configure sql threat detection policy for an
azurerm_sql_database. Addresses issue #1484