module update

kumarvna · kumarvna · commit 36a74163a047 · 2021-06-05T15:35:41.000+05:30
diff --git a/examples/Simple_SQL_Single_Database_creation/main.tf b/examples/Simple_SQL_Single_Database_creation/main.tf
@@ -2,48 +2,57 @@ module "mssql-server" {
   //source                          = "kumarvna/mssql-db/azurerm"
   //version                         = "1.0.0"
   source = "github.com/kumarvna/terraform-azurerm-mssql-db?ref=develop"
-  
-# Resource Group, VNet and Subnet declarations
-  create_resource_group           = false
-  resource_group_name             = "rg-demo-westeurope-01"
-  location                        = "westeurope"
-  virtual_network_name            = "vnet-demo-westeurope-001"
-  private_subnet_address_prefix   = "10.0.5.0/29"
-
-# SQL Server and Database scaling options
-  sqlserver_name                  = "sqldbserver-db01"
-  database_name                   = "demomssqldb"
-  sql_database_edition            = "Standard"
-  sqldb_service_objective_name    = "S1"
-
-# SQL Server and Database Audit policies  
-  enable_auditing_policy          = true
+  //source = "../../"
+
+  # By default, this module will create a resource group, proivde the name here
+  # to use an existing resource group, specify the existing resource group name,
+  # and set the argument to `create_resource_group = false`. Location will be same as existing RG.
+  create_resource_group         = false
+  resource_group_name           = "rg-shared-westeurope-01"
+  location                      = "westeurope"
+  virtual_network_name          = "vnet-shared-hub-westeurope-001"
+  private_subnet_address_prefix = ["10.1.5.0/29"]
+
+  # SQL Server and Database scaling options
+  sqlserver_name               = "sqldbserver-db01"
+  database_name                = "demomssqldb"
+  sql_database_edition         = "Standard"
+  sqldb_service_objective_name = "S1"
+
+  # SQL Server and Database Audit policies  
+  enable_extended_auditing_policy = true
   enable_threat_detection_policy  = true
   log_retention_days              = 30
-  email_addresses_for_alerts      = ["user@example.com"]
+  sql_admin_email_addresses       = ["user@example.com"]
 
-# AD administrator for an Azure SQL server
-  enable_sql_ad_admin             = true
-  ad_admin_login_name             = "firstname.lastname@example.com"
+  # AD administrator for an Azure SQL server
+  enable_sql_ad_admin = true
+  ad_admin_login_name = "firstname.lastname@example.com"
 
-# Firewall Rules to allow azure and external clients
-  enable_firewall_rules           = true
+  enable_vulnerability_assessment = false
+
+  # Firewall Rules to allow azure and external clients
+  enable_firewall_rules = true
   firewall_rules = [
-                {name             = "access-to-azure"
-                start_ip_address  = "0.0.0.0"
-                end_ip_address    = "0.0.0.0"},
-                {name             = "desktop-ip"
-                start_ip_address  = "123.201.42.91"
-                end_ip_address    = "123.201.42.91"}]
-
-# Create and initialize a database with SQL script
-  initialize_sql_script_execution = false
+    {
+      name             = "access-to-azure"
+      start_ip_address = "0.0.0.0"
+      end_ip_address   = "0.0.0.0"
+    },
+    {
+      name             = "desktop-ip"
+      start_ip_address = "49.204.225.134"
+      end_ip_address   = "49.204.225.134"
+  }]
+
+  # Create and initialize a database with SQL script
+  initialize_sql_script_execution = true
   sqldb_init_script_file          = "../artifacts/db-init-sample.sql"
 
-# Tags for Azure Resources
+  # Tags for Azure Resources
   tags = {
     Terraform   = "true"
     Environment = "dev"
     Owner       = "test-user"
   }
-}
+}
diff --git a/examples/Simple_SQL_Single_Database_creation/output.tf b/examples/Simple_SQL_Single_Database_creation/output.tf
@@ -1,10 +1,10 @@
 output "resource_group_name" {
-  description = "The name of the resource group in which resources are created"  
+  description = "The name of the resource group in which resources are created"
   value       = module.mssql-server.resource_group_name
 }
 
 output "resource_group_location" {
-  description = "The location of the resource group in which resources are created"  
+  description = "The location of the resource group in which resources are created"
   value       = module.mssql-server.resource_group_location
 }
 
@@ -24,18 +24,20 @@ output "primary_sql_server_id" {
 }
 
 output "primary_sql_server_fqdn" {
-  description = "The fully qualified domain name of the primary Azure SQL Server" 
+  description = "The fully qualified domain name of the primary Azure SQL Server"
   value       = module.mssql-server.primary_sql_server_fqdn
 }
 
 output "sql_server_admin_user" {
   description = "SQL database administrator login id"
-  value = module.mssql-server.sql_server_admin_user
+  value       = module.mssql-server.sql_server_admin_user
+  sensitive   = true
 }
 
 output "sql_server_admin_password" {
   description = "SQL database administrator login password"
-  value = module.mssql-server.sql_server_admin_password
+  value       = module.mssql-server.sql_server_admin_password
+  sensitive   = true
 }
 
 output "sql_database_id" {
diff --git a/main.tf b/main.tf
@@ -2,7 +2,7 @@ locals {
   resource_group_name                 = element(coalescelist(data.azurerm_resource_group.rgrp.*.name, azurerm_resource_group.rg.*.name, [""]), 0)
   location                            = element(coalescelist(data.azurerm_resource_group.rgrp.*.location, azurerm_resource_group.rg.*.location, [""]), 0)
   if_threat_detection_policy_enabled  = var.enable_threat_detection_policy ? [{}] : []
-  if_extended_auditing_policy_enabled = var.enable_auditing_policy ? [{}] : []
+  if_extended_auditing_policy_enabled = var.enable_extended_auditing_policy ? [{}] : []
 }
 
 #---------------------------------------------------------
@@ -21,13 +21,15 @@ resource "azurerm_resource_group" "rg" {
   tags     = merge({ "Name" = format("%s", var.resource_group_name) }, var.tags, )
 }
 
+data "azurerm_client_config" "current" {}
+
 #---------------------------------------------------------
 # Storage Account to keep Audit logs - Default is "false"
 #----------------------------------------------------------
 
 resource "azurerm_storage_account" "storeacc" {
-  count                     = var.enable_threat_detection_policy || var.enable_auditing_policy ? 1 : 0
-  name                      = "stsqlauditlogs"
+  count                     = var.enable_threat_detection_policy || var.enable_extended_auditing_policy ? 1 : 0
+  name                      = var.storage_account_name == null ? "stsqlauditlogs" : var.storage_account_name
   resource_group_name       = local.resource_group_name
   location                  = local.location
   account_kind              = "StorageV2"
@@ -38,6 +40,12 @@ resource "azurerm_storage_account" "storeacc" {
   tags                      = merge({ "Name" = format("%s", "stsqlauditlogs") }, var.tags, )
 }
 
+resource "azurerm_storage_container" "storcont" {
+  name                  = "vulnerability-assessment"
+  storage_account_name  = azurerm_storage_account.storeacc.0.name
+  container_access_type = "private"
+}
+
 #-------------------------------------------------------------
 # SQL servers - Secondary server is depends_on Failover Group
 #-------------------------------------------------------------
@@ -63,26 +71,23 @@ resource "azurerm_sql_server" "primary" {
   administrator_login_password = random_password.main.result
   tags                         = merge({ "Name" = format("%s-primary", var.sqlserver_name) }, var.tags, )
 
-  /*  dynamic "extended_auditing_policy" {
-    for_each = local.if_extended_auditing_policy_enabled
+  dynamic "identity" {
+    for_each = var.identity == true ? [1] : [0]
     content {
-      storage_account_access_key = azurerm_storage_account.storeacc.0.primary_access_key
-      storage_endpoint           = azurerm_storage_account.storeacc.0.primary_blob_endpoint
-      retention_in_days          = var.log_retention_days
+      type = "SystemAssigned"
     }
-  } */
+  }
 }
 
-resource "azurerm_mssql_server_extended_auditing_policy" "main" {
-  count                                   = var.enable_auditing_policy ? 1 : 0
+resource "azurerm_mssql_server_extended_auditing_policy" "primary" {
+  count                                   = var.enable_extended_auditing_policy ? 1 : 0
   server_id                               = azurerm_sql_server.primary.id
   storage_endpoint                        = azurerm_storage_account.storeacc.0.primary_blob_endpoint
   storage_account_access_key              = azurerm_storage_account.storeacc.0.primary_access_key
   storage_account_access_key_is_secondary = false
   retention_in_days                       = var.log_retention_days
 }
 
-
 resource "azurerm_sql_server" "secondary" {
   count                        = var.enable_failover_group ? 1 : 0
   name                         = format("%s-secondary", var.sqlserver_name)
@@ -93,16 +98,24 @@ resource "azurerm_sql_server" "secondary" {
   administrator_login_password = random_password.main.result
   tags                         = merge({ "Name" = format("%s-secondary", var.sqlserver_name) }, var.tags, )
 
-  dynamic "extended_auditing_policy" {
-    for_each = local.if_extended_auditing_policy_enabled
+  dynamic "identity" {
+    for_each = var.identity == true ? [1] : [0]
     content {
-      storage_account_access_key = azurerm_storage_account.storeacc.0.primary_access_key
-      storage_endpoint           = azurerm_storage_account.storeacc.0.primary_blob_endpoint
-      retention_in_days          = var.log_retention_days
+      type = "SystemAssigned"
     }
   }
 }
 
+resource "azurerm_mssql_server_extended_auditing_policy" "secondary" {
+  count                                   = var.enable_failover_group && var.enable_extended_auditing_policy ? 1 : 0
+  server_id                               = azurerm_sql_server.secondary.0.id
+  storage_endpoint                        = azurerm_storage_account.storeacc.0.primary_blob_endpoint
+  storage_account_access_key              = azurerm_storage_account.storeacc.0.primary_access_key
+  storage_account_access_key_is_secondary = false
+  retention_in_days                       = var.log_retention_days
+}
+
+
 #--------------------------------------------------------------------
 # SQL Database creation - Default edition:"Standard" and objective:"S1"
 #--------------------------------------------------------------------
@@ -123,17 +136,73 @@ resource "azurerm_sql_database" "db" {
       storage_endpoint           = azurerm_storage_account.storeacc.0.primary_blob_endpoint
       storage_account_access_key = azurerm_storage_account.storeacc.0.primary_access_key
       retention_days             = var.log_retention_days
-      email_addresses            = var.email_addresses_for_alerts
+      email_addresses            = var.sql_admin_email_addresses
     }
   }
+}
 
-  dynamic "extended_auditing_policy" {
-    for_each = local.if_extended_auditing_policy_enabled
-    content {
-      storage_account_access_key = azurerm_storage_account.storeacc.0.primary_access_key
-      storage_endpoint           = azurerm_storage_account.storeacc.0.primary_blob_endpoint
-      retention_in_days          = var.log_retention_days
-    }
+resource "azurerm_mssql_database_extended_auditing_policy" "primary" {
+  count                                   = var.enable_extended_auditing_policy ? 1 : 0
+  database_id                             = azurerm_sql_database.db.id
+  storage_endpoint                        = azurerm_storage_account.storeacc.0.primary_blob_endpoint
+  storage_account_access_key              = azurerm_storage_account.storeacc.0.primary_access_key
+  storage_account_access_key_is_secondary = false
+  retention_in_days                       = var.log_retention_days
+}
+
+#-----------------------------------------------------------------------------------------------
+# SQL ServerVulnerability assessment and alert to admin team  - Default is "false"
+#-----------------------------------------------------------------------------------------------
+
+resource "azurerm_mssql_server_security_alert_policy" "sap_primary" {
+  count                      = var.enable_vulnerability_assessment ? 1 : 0
+  resource_group_name        = local.resource_group_name
+  server_name                = azurerm_sql_server.primary.name
+  state                      = "Enabled"
+  email_account_admins       = true
+  email_addresses            = var.sql_admin_email_addresses
+  retention_days             = var.threat_detection_audit_logs_retention_days
+  disabled_alerts            = var.disabled_alerts
+  storage_account_access_key = azurerm_storage_account.storeacc.0.primary_access_key
+  storage_endpoint           = azurerm_storage_account.storeacc.0.primary_blob_endpoint
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "sap_secondary" {
+  count                      = var.enable_vulnerability_assessment && var.enable_failover_group ? 1 : 0
+  resource_group_name        = local.resource_group_name
+  server_name                = azurerm_sql_server.secondary.0.name
+  state                      = "Enabled"
+  email_account_admins       = true
+  email_addresses            = var.sql_admin_email_addresses
+  retention_days             = var.threat_detection_audit_logs_retention_days
+  disabled_alerts            = var.disabled_alerts
+  storage_account_access_key = azurerm_storage_account.storeacc.0.primary_access_key
+  storage_endpoint           = azurerm_storage_account.storeacc.0.primary_blob_endpoint
+}
+
+resource "azurerm_mssql_server_vulnerability_assessment" "va_primary" {
+  count                           = var.enable_vulnerability_assessment ? 1 : 0
+  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.sap_primary.0.id
+  storage_container_path          = "${azurerm_storage_account.storeacc.0.primary_blob_endpoint}${azurerm_storage_container.storcont.name}/"
+  storage_account_access_key      = azurerm_storage_account.storeacc.0.primary_access_key
+
+  recurring_scans {
+    enabled                   = true
+    email_subscription_admins = true
+    emails                    = var.sql_admin_email_addresses
+  }
+}
+
+resource "azurerm_mssql_server_vulnerability_assessment" "va_secondary" {
+  count                           = var.enable_vulnerability_assessment && var.enable_failover_group == true ? 1 : 0
+  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.sap_secondary.0.id
+  storage_container_path          = "${azurerm_storage_account.storeacc.0.primary_blob_endpoint}${azurerm_storage_container.storcont.name}/"
+  storage_account_access_key      = azurerm_storage_account.storeacc.0.primary_access_key
+
+  recurring_scans {
+    enabled                   = true
+    email_subscription_admins = true
+    emails                    = var.sql_admin_email_addresses
   }
 }
 
@@ -152,8 +221,6 @@ resource "null_resource" "create_sql" {
 # Adding AD Admin to SQL Server - Secondary server depend on Failover Group - Default is "false"
 #-----------------------------------------------------------------------------------------------
 
-data "azurerm_client_config" "current" {}
-
 resource "azurerm_sql_active_directory_administrator" "aduser1" {
   count               = var.enable_sql_ad_admin ? 1 : 0
   server_name         = azurerm_sql_server.primary.name
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`output "resource_group_name" {`
`2`		`- description = "The name of the resource group in which resources are created"`
	`2`	`+ description = "The name of the resource group in which resources are created"`
`3`	`3`	`value = module.mssql-server.resource_group_name`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`output "resource_group_location" {`
`7`		`- description = "The location of the resource group in which resources are created"`
	`7`	`+ description = "The location of the resource group in which resources are created"`
`8`	`8`	`value = module.mssql-server.resource_group_location`
`9`	`9`	`}`
`10`	`10`
`@@ -24,18 +24,20 @@ output "primary_sql_server_id" {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`output "primary_sql_server_fqdn" {`
`27`		`- description = "The fully qualified domain name of the primary Azure SQL Server"`
	`27`	`+ description = "The fully qualified domain name of the primary Azure SQL Server"`
`28`	`28`	`value = module.mssql-server.primary_sql_server_fqdn`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`output "sql_server_admin_user" {`
`32`	`32`	`description = "SQL database administrator login id"`
`33`		`- value = module.mssql-server.sql_server_admin_user`
	`33`	`+ value = module.mssql-server.sql_server_admin_user`
	`34`	`+ sensitive = true`
`34`	`35`	`}`
`35`	`36`
`36`	`37`	`output "sql_server_admin_password" {`
`37`	`38`	`description = "SQL database administrator login password"`
`38`		`- value = module.mssql-server.sql_server_admin_password`
	`39`	`+ value = module.mssql-server.sql_server_admin_password`
	`40`	`+ sensitive = true`
`39`	`41`	`}`
`40`	`42`
`41`	`43`	`output "sql_database_id" {`