module update

kumarvna · kumarvna · commit 01be2c855b1b · 2021-06-05T21:14:36.000+05:30
diff --git a/.gitignore b/.gitignore
@@ -29,3 +29,4 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 versions.tf
+examples/artifacts/db-init-sample.log
diff --git a/main.tf b/main.tf
@@ -1,8 +1,8 @@
 locals {
-  resource_group_name                 = element(coalescelist(data.azurerm_resource_group.rgrp.*.name, azurerm_resource_group.rg.*.name, [""]), 0)
-  location                            = element(coalescelist(data.azurerm_resource_group.rgrp.*.location, azurerm_resource_group.rg.*.location, [""]), 0)
-  if_threat_detection_policy_enabled  = var.enable_threat_detection_policy ? [{}] : []
-  if_extended_auditing_policy_enabled = var.enable_extended_auditing_policy ? [{}] : []
+  resource_group_name                = element(coalescelist(data.azurerm_resource_group.rgrp.*.name, azurerm_resource_group.rg.*.name, [""]), 0)
+  location                           = element(coalescelist(data.azurerm_resource_group.rgrp.*.location, azurerm_resource_group.rg.*.location, [""]), 0)
+  if_threat_detection_policy_enabled = var.enable_threat_detection_policy ? [{}] : []
+  #if_extended_auditing_policy_enabled = var.enable_extended_auditing_policy ? [{}] : []
 }
 
 #---------------------------------------------------------
@@ -23,13 +23,29 @@ resource "azurerm_resource_group" "rg" {
 
 data "azurerm_client_config" "current" {}
 
+data "azurerm_log_analytics_workspace" "logws" {
+  count               = var.log_analytics_workspace_name != null ? 1 : 0
+  name                = var.log_analytics_workspace_name
+  resource_group_name = local.resource_group_name
+}
+
 #---------------------------------------------------------
 # Storage Account to keep Audit logs - Default is "false"
 #----------------------------------------------------------
 
+resource "random_string" "str" {
+  count   = var.enable_sql_server_extended_auditing_policy || var.enable_database_extended_auditing_policy || var.enable_vulnerability_assessment ? 1 : 0
+  length  = 6
+  special = false
+  upper   = false
+  keepers = {
+    name = var.storage_account_name
+  }
+}
+
 resource "azurerm_storage_account" "storeacc" {
-  count                     = var.enable_threat_detection_policy || var.enable_extended_auditing_policy ? 1 : 0
-  name                      = var.storage_account_name == null ? "stsqlauditlogs" : var.storage_account_name
+  count                     = var.enable_sql_server_extended_auditing_policy || var.enable_database_extended_auditing_policy || var.enable_vulnerability_assessment || var.enable_audit_log_monitoring == true ? 1 : 0
+  name                      = var.storage_account_name == null ? "stsqlauditlogs${element(concat(random_string.str.*.result, [""]), 0)}" : substr(var.storage_account_name, 0, 24)
   resource_group_name       = local.resource_group_name
   location                  = local.location
   account_kind              = "StorageV2"
@@ -41,6 +57,7 @@ resource "azurerm_storage_account" "storeacc" {
 }
 
 resource "azurerm_storage_container" "storcont" {
+  count                 = var.enable_vulnerability_assessment ? 1 : 0
   name                  = "vulnerability-assessment"
   storage_account_name  = azurerm_storage_account.storeacc.0.name
   container_access_type = "private"
@@ -67,8 +84,8 @@ resource "azurerm_sql_server" "primary" {
   resource_group_name          = local.resource_group_name
   location                     = local.location
   version                      = "12.0"
-  administrator_login          = "sqladmin"
-  administrator_login_password = random_password.main.result
+  administrator_login          = var.admin_username == null ? "sqladmin" : var.admin_username
+  administrator_login_password = var.admin_password == null ? random_password.main.result : var.admin_password
   tags                         = merge({ "Name" = format("%s-primary", var.sqlserver_name) }, var.tags, )
 
   dynamic "identity" {
@@ -80,12 +97,13 @@ resource "azurerm_sql_server" "primary" {
 }
 
 resource "azurerm_mssql_server_extended_auditing_policy" "primary" {
-  count                                   = var.enable_extended_auditing_policy ? 1 : 0
+  count                                   = var.enable_sql_server_extended_auditing_policy ? 1 : 0
   server_id                               = azurerm_sql_server.primary.id
   storage_endpoint                        = azurerm_storage_account.storeacc.0.primary_blob_endpoint
   storage_account_access_key              = azurerm_storage_account.storeacc.0.primary_access_key
   storage_account_access_key_is_secondary = false
   retention_in_days                       = var.log_retention_days
+  log_monitoring_enabled                  = var.enable_audit_log_monitoring == true && var.log_analytics_workspace_name != null ? true : false
 }
 
 resource "azurerm_sql_server" "secondary" {
@@ -95,7 +113,7 @@ resource "azurerm_sql_server" "secondary" {
   location                     = var.secondary_sql_server_location
   version                      = "12.0"
   administrator_login          = "sqladmin"
-  administrator_login_password = random_password.main.result
+  administrator_login_password = var.admin_password == null ? random_password.main.result : var.admin_password
   tags                         = merge({ "Name" = format("%s-secondary", var.sqlserver_name) }, var.tags, )
 
   dynamic "identity" {
@@ -107,12 +125,13 @@ resource "azurerm_sql_server" "secondary" {
 }
 
 resource "azurerm_mssql_server_extended_auditing_policy" "secondary" {
-  count                                   = var.enable_failover_group && var.enable_extended_auditing_policy ? 1 : 0
+  count                                   = var.enable_failover_group && var.enable_sql_server_extended_auditing_policy ? 1 : 0
   server_id                               = azurerm_sql_server.secondary.0.id
   storage_endpoint                        = azurerm_storage_account.storeacc.0.primary_blob_endpoint
   storage_account_access_key              = azurerm_storage_account.storeacc.0.primary_access_key
   storage_account_access_key_is_secondary = false
   retention_in_days                       = var.log_retention_days
+  log_monitoring_enabled                  = var.enable_audit_log_monitoring == true && var.log_analytics_workspace_name != null ? true : null
 }
 
 
@@ -142,12 +161,13 @@ resource "azurerm_sql_database" "db" {
 }
 
 resource "azurerm_mssql_database_extended_auditing_policy" "primary" {
-  count                                   = var.enable_extended_auditing_policy ? 1 : 0
+  count                                   = var.enable_database_extended_auditing_policy ? 1 : 0
   database_id                             = azurerm_sql_database.db.id
   storage_endpoint                        = azurerm_storage_account.storeacc.0.primary_blob_endpoint
   storage_account_access_key              = azurerm_storage_account.storeacc.0.primary_access_key
   storage_account_access_key_is_secondary = false
   retention_in_days                       = var.log_retention_days
+  log_monitoring_enabled                  = var.enable_audit_log_monitoring == true && var.log_analytics_workspace_name != null ? true : null
 }
 
 #-----------------------------------------------------------------------------------------------
@@ -183,7 +203,7 @@ resource "azurerm_mssql_server_security_alert_policy" "sap_secondary" {
 resource "azurerm_mssql_server_vulnerability_assessment" "va_primary" {
   count                           = var.enable_vulnerability_assessment ? 1 : 0
   server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.sap_primary.0.id
-  storage_container_path          = "${azurerm_storage_account.storeacc.0.primary_blob_endpoint}${azurerm_storage_container.storcont.name}/"
+  storage_container_path          = "${azurerm_storage_account.storeacc.0.primary_blob_endpoint}${azurerm_storage_container.storcont.0.name}/"
   storage_account_access_key      = azurerm_storage_account.storeacc.0.primary_access_key
 
   recurring_scans {
@@ -196,7 +216,7 @@ resource "azurerm_mssql_server_vulnerability_assessment" "va_primary" {
 resource "azurerm_mssql_server_vulnerability_assessment" "va_secondary" {
   count                           = var.enable_vulnerability_assessment && var.enable_failover_group == true ? 1 : 0
   server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.sap_secondary.0.id
-  storage_container_path          = "${azurerm_storage_account.storeacc.0.primary_blob_endpoint}${azurerm_storage_container.storcont.name}/"
+  storage_container_path          = "${azurerm_storage_account.storeacc.0.primary_blob_endpoint}${azurerm_storage_container.storcont.0.name}/"
   storage_account_access_key      = azurerm_storage_account.storeacc.0.primary_access_key
 
   recurring_scans {
@@ -222,7 +242,7 @@ resource "null_resource" "create_sql" {
 #-----------------------------------------------------------------------------------------------
 
 resource "azurerm_sql_active_directory_administrator" "aduser1" {
-  count               = var.enable_sql_ad_admin ? 1 : 0
+  count               = var.ad_admin_login_name != null ? 1 : 0
   server_name         = azurerm_sql_server.primary.name
   resource_group_name = local.resource_group_name
   login               = var.ad_admin_login_name
@@ -231,7 +251,7 @@ resource "azurerm_sql_active_directory_administrator" "aduser1" {
 }
 
 resource "azurerm_sql_active_directory_administrator" "aduser2" {
-  count               = var.enable_failover_group && var.enable_sql_ad_admin ? 1 : 0
+  count               = var.enable_failover_group && var.ad_admin_login_name != null ? 1 : 0
   server_name         = azurerm_sql_server.secondary.0.name
   resource_group_name = local.resource_group_name
   login               = var.ad_admin_login_name
@@ -389,3 +409,35 @@ resource "azurerm_private_dns_a_record" "arecord2" {
   records             = [data.azurerm_private_endpoint_connection.private-ip2.0.private_service_connection.0.private_ip_address]
 
 }
+
+#------------------------------------------------------------------
+# azurerm monitoring diagnostics  - Default is "false" 
+#------------------------------------------------------------------
+resource "azurerm_monitor_diagnostic_setting" "extaudit" {
+  count                      = var.enable_audit_log_monitoring == true && var.log_analytics_workspace_name != null ? 1 : 0
+  name                       = lower("extaudit-${var.database_name}-diag")
+  target_resource_id         = azurerm_sql_database.db.id
+  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.logws.0.id
+  storage_account_id         = azurerm_storage_account.storeacc.0.id
+
+  log {
+    category = "SQLSecurityAuditEvents"
+    enabled  = true
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  metric {
+    category = "AllMetrics"
+
+    retention_policy {
+      enabled = false
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [log, metric]
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -13,6 +13,11 @@ variable "storage_account_name" {
   default     = null
 }
 
+variable "log_analytics_workspace_name" {
+  description = "The name of log analytics workspace name"
+  default     = null
+}
+
 variable "location" {
   description = "The location/region to keep all your network resources. To get the list of all locations with table format from azure cli, run 'az account list-locations -o table'"
   default     = "westeurope"
@@ -23,8 +28,13 @@ variable "random_password_length" {
   default     = 24
 }
 
-variable "enable_extended_auditing_policy" {
-  description = "Audit policy for SQL server and database"
+variable "enable_sql_server_extended_auditing_policy" {
+  description = "Manages Extended Audit policy for SQL servers"
+  default     = true
+}
+
+variable "enable_database_extended_auditing_policy" {
+  description = "Manages Extended Audit policy for SQL database"
   default     = false
 }
 
@@ -38,6 +48,16 @@ variable "sqlserver_name" {
   default     = "sqldbserver-demodbapp"
 }
 
+variable "admin_username" {
+  description = "The administrator login name for the new SQL Server"
+  default     = null
+}
+
+variable "admin_password" {
+  description = "The password associated with the admin_username user"
+  default     = null
+}
+
 variable "database_name" {
   description = "The name of the database"
   default     = ""
@@ -134,6 +154,11 @@ variable "firewall_rules" {
   default = []
 }
 
+variable "enable_audit_log_monitoring" {
+  description = "Enable audit events to Azure Monitor?"
+  default     = false
+}
+
 variable "initialize_sql_script_execution" {
   description = "Allow/deny to Create and initialize a Microsoft SQL Server database"
   default     = false
@@ -143,8 +168,15 @@ variable "sqldb_init_script_file" {
   description = "SQL Script file name to create and initialize the database"
 }
 
+variable "extaudit_diag_logs" {
+  description = "Database Monitoring Category details for Azure Diagnostic setting"
+  default     = ["SQLSecurityAuditEvents", "SQLInsights", "AutomaticTuning", "QueryStoreRuntimeStatistics", "QueryStoreWaitStatistics", "Errors", "DatabaseWaitStatistics", "Timeouts", "Blocks", "Deadlocks"]
+}
+
 variable "tags" {
   description = "A map of tags to add to all resources"
   type        = map(string)
   default     = {}
 }
+
+
