[SQL] added useIdentity parameter (#20518)

* added useIdentity parameter

* added change comments

* added validation

* indentation

* added helm messages

* Update ChangeLog.md

Co-authored-by: Ilias Khan <[email protected]>
Co-authored-by: Yeming Liu <[email protected]>

Author: 3 people

src/Sql/Sql/Auditing/AuditingHelpMessages.cs

@@ -62,6 +62,8 @@ public static class AuditingHelpMessages
 
         public const string AsJobHelpMessage = "Run cmdlet in the background";
 
+        public const string UseIdentityMessage = "Indicates whether to use managed identity or not. It is required when you want to use managed identity while target storage is not behind firewall.";
+
         public const string AuditActionHelpMessage =
 @"The set of audit actions.  
 The supported actions to audit are:  

src/Sql/Sql/Auditing/Cmdlet/SetAzSqlDatabaseAudit.cs

@@ -109,6 +109,13 @@ public class SetAzSqlDatabaseAudit : SqlDatabaseAuditCmdlet
             HelpMessage = AuditingHelpMessages.PassThruHelpMessage)]
         public SwitchParameter PassThru { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = AuditingHelpMessages.UseIdentityMessage)]
+        [ValidateSet(SecurityConstants.True, SecurityConstants.False, IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public string UseIdentity { get; set; }
+
         public Guid RoleAssignmentId { get; set; } = default(Guid);
 
         protected override DatabaseAuditModel ApplyUserInputToModel(DatabaseAuditModel model)
@@ -178,6 +185,12 @@ protected override DatabaseAuditModel ApplyUserInputToModel(DatabaseAuditModel m
                 model.WorkspaceResourceId = WorkspaceResourceId;
             }
 
+            if (UseIdentity != null)
+            {
+                model.UseIdentity = UseIdentity.ToString().ToUpper() == SecurityConstants.True ?
+                    BoolType.True : BoolType.False;
+            }
+
             return model;
         }
 

src/Sql/Sql/Auditing/Cmdlet/SetSqlServerAuditCmdlet.cs

@@ -76,6 +76,13 @@ public abstract class SetSqlServerAuditCmdlet<ServerAuditPolicyType, ServerAudit
             HelpMessage = AuditingHelpMessages.PassThruHelpMessage)]
         public SwitchParameter PassThru { get; set; }
 
+        [Parameter(
+            Mandatory = false,
+            HelpMessage = AuditingHelpMessages.UseIdentityMessage)]
+        [ValidateSet(SecurityConstants.True, SecurityConstants.False, IgnoreCase = true)]
+        [ValidateNotNullOrEmpty]
+        public String UseIdentity { get; set; }
+
         public Guid RoleAssignmentId { get; set; } = default(Guid);
 
         protected override ServerAuditModelType ApplyUserInputToModel(ServerAuditModelType model)
@@ -117,7 +124,14 @@ protected override ServerAuditModelType ApplyUserInputToModel(ServerAuditModelTy
 
             if (WorkspaceResourceId != null)
             {
-                model.WorkspaceResourceId = WorkspaceResourceId;
+                model.LogAnalyticsTargetState = LogAnalyticsTargetState == SecurityConstants.Enabled ?
+                    AuditStateType.Enabled : AuditStateType.Disabled;
+            }
+
+            if (UseIdentity != null)
+            {
+                model.UseIdentity = UseIdentity.ToString().ToUpper() == SecurityConstants.True ?
+                    BoolType.True : BoolType.False;
             }
 
             return model;

src/Sql/Sql/Auditing/Model/ServerDevOpsAuditModel.cs

@@ -19,6 +19,7 @@
 namespace Microsoft.Azure.Commands.Sql.Auditing.Model
 {
     public enum AuditStateType { Enabled, Disabled };
+    public enum BoolType { False, True };
 
     public class ServerDevOpsAuditModel
     {
@@ -40,6 +41,8 @@ public class ServerDevOpsAuditModel
 
         public string WorkspaceResourceId { get; set; }
 
+        public BoolType UseIdentity { get; set; }
+
         [Hidden]
         internal bool? IsAzureMonitorTargetEnabled { get; set; }
 

src/Sql/Sql/Auditing/Services/SqlAuditAdapter.cs

@@ -349,7 +349,7 @@ internal virtual void PolicizeStorageInfo(AuditModelType model, ProxyResource po
             dynamicPolicy.StorageEndpoint = GetStorageAccountEndpoint(storageAccountName);
             dynamicPolicy.StorageAccountSubscriptionId = storageAccountSubscriptionId;
 
-            if (AzureCommunicator.IsStorageAccountInVNet(model.StorageAccountResourceId))
+            if (AzureCommunicator.IsStorageAccountInVNet(model.StorageAccountResourceId) || model.UseIdentity == BoolType.True)
             {
                 Guid? principalId = Communicator.AssignServerIdentityIfNotAssigned(model.ResourceGroupName, model.ServerName);
                 AzureCommunicator.AssignRoleForServerIdentityOnStorageIfNotAssigned(model.StorageAccountResourceId, principalId.Value, RoleAssignmentId);

src/Sql/Sql/ChangeLog.md

@@ -18,8 +18,9 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
-* Added `isManagedIdentityInUse` parameter for `Get-AzSqlServerMSSupportAudit`
-* Added `PreferredEnclaveType` parameter to `NewAzureSqlDatabase`, `GetAzureSqlDatabase` and `SetAzureSqlDatabase` cmdlet
+* Added a parameter named `UseIdentity` for `Set-AzSqlServerAudit`, `Set-AzSqlDatabaseAudit`, `Set-AzSqlServerMSSupportAudit`
+* Added `IsManagedIdentityInUse` property to the output of `Get-AzSqlServerMSSupportAudit`
+* Added `PreferredEnclaveType` parameter to `New-AzSqlDatabase`, `Get-AzSqlDatabase` and `Set-AzSqlDatabase` cmdlet
 
 ## Version 4.1.0
 * Added new cmdlets for CRUD operations on SQL server IPv6 Firewall rules

src/Sql/Sql/Common/SecurityConstants.cs

@@ -45,6 +45,8 @@ public class SecurityConstants
 
         public const string Enabled = "Enabled";
         public const string Disabled = "Disabled";
+        public const string True = "TRUE";
+        public const string False = "FALSE";
 
         // Masking functions
         public const string NoMasking = "NoMasking";

src/Sql/Sql/help/Set-AzSqlDatabaseAudit.md

@@ -19,8 +19,9 @@ Set-AzSqlDatabaseAudit [-AuditActionGroup <AuditActionGroups[]>] [-AuditAction <
  [-PredicateExpression <String>] [-BlobStorageTargetState <String>] [-StorageAccountResourceId <String>]
  [-StorageKeyType <String>] [-RetentionInDays <UInt32>] [-EventHubTargetState <String>]
  [-EventHubName <String>] [-EventHubAuthorizationRuleResourceId <String>] [-LogAnalyticsTargetState <String>]
- [-WorkspaceResourceId <String>] [-PassThru] [-ResourceGroupName] <String> [-ServerName] <String>
- [-DatabaseName] <String> [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-WorkspaceResourceId <String>] [-PassThru] [-UseIdentity <String>] [-ResourceGroupName] <String>
+ [-ServerName] <String> [-DatabaseName] <String> [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
 ```
 
 ### DatabaseObjectParameterSet
@@ -29,7 +30,7 @@ Set-AzSqlDatabaseAudit [-AuditActionGroup <AuditActionGroups[]>] [-AuditAction <
  [-PredicateExpression <String>] [-BlobStorageTargetState <String>] [-StorageAccountResourceId <String>]
  [-StorageKeyType <String>] [-RetentionInDays <UInt32>] [-EventHubTargetState <String>]
  [-EventHubName <String>] [-EventHubAuthorizationRuleResourceId <String>] [-LogAnalyticsTargetState <String>]
- [-WorkspaceResourceId <String>] [-PassThru] -DatabaseObject <AzureSqlDatabaseModel>
+ [-WorkspaceResourceId <String>] [-PassThru] [-UseIdentity <String>] -DatabaseObject <AzureSqlDatabaseModel>
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -379,6 +380,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UseIdentity
+Indicates whether to use managed identity or not. It is required when you want to use managed identity while target storage is not behind firewall.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -WorkspaceResourceId
 The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace to which you would like to send Audit Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2
 

src/Sql/Sql/help/Set-AzSqlServerAudit.md

@@ -19,8 +19,9 @@ Set-AzSqlServerAudit [-AuditActionGroup <AuditActionGroups[]>] [-PredicateExpres
  [-StorageKeyType <String>] [-RetentionInDays <UInt32>] [-BlobStorageTargetState <String>]
  [-StorageAccountResourceId <String>] [-EventHubTargetState <String>] [-EventHubName <String>]
  [-EventHubAuthorizationRuleResourceId <String>] [-LogAnalyticsTargetState <String>]
- [-WorkspaceResourceId <String>] [-PassThru] [-ResourceGroupName] <String> [-ServerName] <String> [-AsJob]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-WorkspaceResourceId <String>] [-PassThru] [-UseIdentity <String>] [-ResourceGroupName] <String>
+ [-ServerName] <String> [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ### ServerObjectParameterSet
@@ -29,8 +30,8 @@ Set-AzSqlServerAudit [-AuditActionGroup <AuditActionGroups[]>] [-PredicateExpres
  [-StorageKeyType <String>] [-RetentionInDays <UInt32>] [-BlobStorageTargetState <String>]
  [-StorageAccountResourceId <String>] [-EventHubTargetState <String>] [-EventHubName <String>]
  [-EventHubAuthorizationRuleResourceId <String>] [-LogAnalyticsTargetState <String>]
- [-WorkspaceResourceId <String>] [-PassThru] -ServerObject <AzureSqlServerModel> [-AsJob]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-WorkspaceResourceId <String>] [-PassThru] [-UseIdentity <String>] -ServerObject <AzureSqlServerModel>
+ [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -348,6 +349,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UseIdentity
+Indicates whether to use managed identity or not. It is required when you want to use managed identity while target storage is not behind firewall.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -WorkspaceResourceId
 The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace to which you would like to send Audit Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2
 

src/Sql/Sql/help/Set-AzSqlServerMSSupportAudit.md

@@ -17,16 +17,16 @@ Changes the Microsoft support operations auditing settings of an Azure SQL serve
 ```
 Set-AzSqlServerMSSupportAudit [-BlobStorageTargetState <String>] [-StorageAccountResourceId <String>]
  [-EventHubTargetState <String>] [-EventHubName <String>] [-EventHubAuthorizationRuleResourceId <String>]
- [-LogAnalyticsTargetState <String>] [-WorkspaceResourceId <String>] [-PassThru] [-ResourceGroupName] <String>
- [-ServerName] <String> [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-LogAnalyticsTargetState <String>] [-WorkspaceResourceId <String>] [-PassThru] [-UseIdentity <String>]
+ [-ResourceGroupName] <String> [-ServerName] <String> [-AsJob] [-DefaultProfile <IAzureContextContainer>]
+ [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### ServerObjectParameterSet
 ```
 Set-AzSqlServerMSSupportAudit [-BlobStorageTargetState <String>] [-StorageAccountResourceId <String>]
  [-EventHubTargetState <String>] [-EventHubName <String>] [-EventHubAuthorizationRuleResourceId <String>]
- [-LogAnalyticsTargetState <String>] [-WorkspaceResourceId <String>] [-PassThru]
+ [-LogAnalyticsTargetState <String>] [-WorkspaceResourceId <String>] [-PassThru] [-UseIdentity <String>]
  -ServerObject <AzureSqlServerModel> [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
@@ -268,6 +268,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UseIdentity
+Indicates whether to use managed identity or not. It is required when you want to use managed identity while target storage is not behind firewall.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -WorkspaceResourceId
 The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace to which you would like to send Microsoft support operations Audit Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2