From e6716b71edfaede6b9fedb96517de90679b05b8e Mon Sep 17 00:00:00 2001 From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 12:51:33 +0300 Subject: [PATCH 01/11] adds sql database example --- .../sql-database-with-management/main.bicep | 31 + .../sql-database-with-management/main.json | 881 ++++++++++++++++++ .../modules/audit-settings.bicep | 23 + .../modules/azure-defender.bicep | 13 + .../modules/short-term-backup.bicep | 10 + .../modules/sql-database.bicep | 187 ++++ .../modules/sql-firewall-rule.bicep | 13 + .../modules/sql-logical-server.bicep | 244 +++++ .../modules/sql-logical-servers.bicep | 64 ++ .../modules/transparent-data-encryption.bicep | 10 + .../parameters.json | 101 ++ 11 files changed, 1577 insertions(+) create mode 100644 docs/examples/301/sql-database-with-management/main.bicep create mode 100644 docs/examples/301/sql-database-with-management/main.json create mode 100644 docs/examples/301/sql-database-with-management/modules/audit-settings.bicep create mode 100644 docs/examples/301/sql-database-with-management/modules/azure-defender.bicep create mode 100644 docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-database.bicep create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep create mode 100644 docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep create mode 100644 docs/examples/301/sql-database-with-management/parameters.json
diff --git a/docs/examples/301/sql-database-with-management/main.bicep b/docs/examples/301/sql-database-with-management/main.bicep
new file mode 100644
index 00000000000..4858503e324
--- /dev/null
+++ b/docs/examples/301/sql-database-with-management/main.bicep
@@ -0,0 +1,31 @@
+targetScope = 'subscription'
+
+@description('Resource Group object definition.')
+param resourceGroup object
+
+@secure()
+param password string
+
+var defaultResourceGroupProperties = {
+ tags: {}
+ deploy: true
+}
+
+// Deploy Resource Group
+resource sqlRg 'Microsoft.Resources/resourceGroups@2020-10-01' = if (union(defaultResourceGroupProperties, resourceGroup).deploy) {
+ name: resourceGroup.name
+ location:resourceGroup.location
+ tags: union(defaultResourceGroupProperties, resourceGroup).tags
+ properties: {}
+}
+
+// Start SQL Logical Servers deployment
+module sqlLogicalServers 'modules/sql-logical-servers.bicep' = {
+ name: 'sqlLogicalServers'
+ scope: sqlRg
+ params: {
+ sqlLogicalServers: resourceGroup.sqlLogicalServers
+ tags: union(defaultResourceGroupProperties, resourceGroup).tags
+ password: password
+ }
+}
diff --git a/docs/examples/301/sql-database-with-management/main.json b/docs/examples/301/sql-database-with-management/main.json
new file mode 100644
index 00000000000..fbf1a6ac266
--- /dev/null
+++ b/docs/examples/301/sql-database-with-management/main.json
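Review bot: The single `param password string` near the top of main.bicep is forwarded to the `sqlLogicalServers` module for the whole `resourceGroup.sqlLogicalServers` array, and the compiled main.json in this same patch sets `administratorLoginPassword` to `[parameters('password')]` inside the per-server copy loop, so every logical server deployed by this example ends up sharing one SQL administrator credential. The parameter has no `@description`, so a caller cannot tell that scope from the template; at minimum document it, e.g. `@description('SQL administrator password applied to every logical server in resourceGroup.sqlLogicalServers.')`. The `passwordFromKeyVault` defaults in the compiled template do not appear to be consumed in the part of main.json shown here, so a per-server secret may have been intended but not wired up; worth confirming in modules/sql-logical-servers.bicep. As a style point, `union(defaultResourceGroupProperties, resourceGroup)` is evaluated three times in this file and could be hoisted into one `var` so the resource group and the module cannot drift apart.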
@@ -0,0 +1,881 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "15425439460857386433" + } + }, + "parameters": { + "resourceGroup": { + "type": "object", + "metadata": { + "description": "Resource Group object definition." + } + }, + "password": { + "type": "secureString" + } + }, + "functions": [], + "variables": { + "defaultResourceGroupProperties": { + "tags": {}, + "deploy": true + } + }, + "resources": [ + { + "condition": "[union(variables('defaultResourceGroupProperties'), parameters('resourceGroup')).deploy]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-10-01", + "name": "[parameters('resourceGroup').name]", + "location": "[parameters('resourceGroup').location]", + "tags": "[union(variables('defaultResourceGroupProperties'), parameters('resourceGroup')).tags]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "sqlLogicalServers", + "resourceGroup": "[parameters('resourceGroup').name]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlLogicalServers": { + "value": "[parameters('resourceGroup').sqlLogicalServers]" + }, + "tags": { + "value": "[union(variables('defaultResourceGroupProperties'), parameters('resourceGroup')).tags]" + }, + "password": { + "value": "[parameters('password')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "4037742454522260869" + } + }, + "parameters": { + "sqlLogicalServers": { + "type": "array", + "metadata": { + "description": "SQL logical servers." 
+ } + }, + "tags": { + "type": "object" + }, + "password": { + "type": "secureString" + } + }, + "functions": [], + "variables": { + "defaultSqlLogicalServerProperties": { + "name": "", + "tags": {}, + "userName": "", + "passwordFromKeyVault": { + "subscriptionId": "[subscription().subscriptionId]", + "resourceGroupName": "", + "name": "", + "secretName": "" + }, + "systemManagedIdentity": false, + "minimalTlsVersion": "1.2", + "publicNetworkAccess": "Enabled", + "azureActiveDirectoryAdministrator": { + "name": "", + "objectId": "", + "tenantId": "[subscription().tenantId]" + }, + "firewallRules": [], + "azureDefender": { + "enabled": false, + "emailAccountAdmins": false, + "emailAddresses": [], + "disabledRules": [], + "vulnerabilityAssessments": { + "recurringScans": false, + "storageAccount": { + "resourceGroupName": "", + "name": "", + "containerName": "" + }, + "emailSubscriptionAdmins": false, + "emails": [] + } + }, + "auditActionsAndGroups": [], + "diagnosticLogsAndMetrics": { + "name": "", + "resourceGroupName": "", + "subscriptionId": "[subscription().subscriptionId]", + "logs": [], + "metrics": [], + "auditLogs": false, + "microsoftSupportOperationsAuditLogs": false + }, + "databases": [] + } + }, + "resources": [ + { + "copy": { + "name": "sqlLogicalServer", + "count": "[length(parameters('sqlLogicalServers'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlLogicalServer-{0}', copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlLogicalServer": { + "value": "[union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()])]" + }, + "password": { + "value": "[parameters('password')]" + }, + "tags": { + "value": "[union(parameters('tags'), union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()]).tags)]" + } + }, + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "12960428080819556485" + } + }, + "parameters": { + "sqlLogicalServer": { + "type": "object", + "metadata": { + "description": "SQL Logical server." + } + }, + "password": { + "type": "secureString", + "metadata": { + "description": "The SQL Logical Server password." + } + }, + "tags": { + "type": "object" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ], + "defaultSqlDatabaseProperties": { + "name": "", + "status": "", + "tags": {}, + "skuName": "", + "tier": "", + "zoneRedundant": false, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "dataMaxSize": 0, + "hybridBenefit": false, + "readReplicas": 0, + "minimumCores": 0, + "autoPauseDelay": 0, + "dataEncryption": "Enabled", + "shortTermBackupRetention": 0, + "longTermBackup": { + "enabled": false, + "weeklyRetention": "P1W", + "monthlyRetention": "P4W", + "yearlyRetention": "P52W", + "weekOfYear": 1 + }, + "azureDefender": { + "enabled": false, + "emailAccountAdmins": false, + "emailAddresses": [], + "disabledRules": [], + "vulnerabilityAssessments": { + "recurringScans": false, + "storageAccount": { + "resourceGroupName": "", + "name": "", + "containerName": "" + }, + "emailSubscriptionAdmins": false, + "emails": [] + } + }, + "auditActionsAndGroups": [], + "diagnosticLogsAndMetrics": { + "name": "", + "resourceGroupName": "", + "subscriptionId": "[subscription().subscriptionId]", + "logs": [], + "metrics": [], + "auditLogs": false + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2020-02-02-preview", + "name": "[parameters('sqlLogicalServer').name]", + "location": "[resourceGroup().location]", + "tags": 
"[parameters('tags')]", + "identity": { + "type": "[if(parameters('sqlLogicalServer').systemManagedIdentity, 'SystemAssigned', 'None')]" + }, + "properties": { + "administratorLogin": "[parameters('sqlLogicalServer').userName]", + "administratorLoginPassword": "[parameters('password')]", + "version": "12.0", + "minimalTlsVersion": "[parameters('sqlLogicalServer').minimalTlsVersion]" + } + }, + { + "condition": "[not(empty(parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId))]", + "type": "Microsoft.Sql/servers/administrators", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'activeDirectory')]", + "properties": { + "administratorType": "ActiveDirectory", + "login": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.name]", + "sid": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId]", + "tenantId": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.tenantId]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "type": "Microsoft.Sql/servers/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "state": "[if(parameters('sqlLogicalServer').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlLogicalServer').azureDefender.emailAddresses]", + "emailAccountAdmins": "[parameters('sqlLogicalServer').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledAlerts]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[and(and(parameters('sqlLogicalServer').azureDefender.enabled, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans), 
not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", + "type": "Microsoft.Sql/servers/vulnerabilityAssessments", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "recurringScans": { + "isEnabled": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans]", + "emailSubscriptionAdmins": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", + "emails": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emails]" + }, + "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('sqlLogicalServer').name, 'Default')]", + "[resourceId('Microsoft.Sql/servers', 
parameters('sqlLogicalServer').name)]" + ] + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "state": "[if(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlLogicalServer').auditActionsAndGroups)), parameters('sqlLogicalServer').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs]", + "isDevopsAuditEnabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[and(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, not(empty(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)))]", + "copy": { + "name": "dummyDeployments", + "count": "[length(range(0, 5))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[format('dummyTemplateSqlServer-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": 
"2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('sqlLogicalServer').name, 'master')]", + "name": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1", + "properties": { + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlLogicalServer').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)]", + "logs": [ + { + "category": "SQLSecurityAuditEvents", + "enabled": true + }, + { + "category": "DevOpsOperationsAudit", + "enabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs]" + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/auditingSettings', parameters('sqlLogicalServer').name, 'Default')]", + "dummyDeployments", + "sqlDatabases", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[not(empty(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name))]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('sqlLogicalServer').name, 'master')]", + "name": "sendLogsAndMetrics", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.logs)]", + "input": { + "category": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.logs[copyIndex('logs')]]", + "enabled": true + } + }, + { + "name": "metrics", + "count": "[length(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.metrics)]", + "input": { + "category": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.metrics[copyIndex('metrics')]]", + "enabled": true + } + } + ], + "workspaceId": 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlLogicalServer').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)]" + }, + "dependsOn": [ + "dummyDeployments", + "sqlDatabases", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "copy": { + "name": "sqlFirewallRules", + "count": "[length(parameters('sqlLogicalServer').firewallRules)]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlFirewallRule-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlFirewallRule": { + "value": "[parameters('sqlLogicalServer').firewallRules[copyIndex()]]" + }, + "sqlServerName": { + "value": "[parameters('sqlLogicalServer').name]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "13513172714425909162" + } + }, + "parameters": { + "sqlFirewallRule": { + "type": "object", + "metadata": { + "description": "Firewall rule" + } + }, + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL Logical server." 
+ } + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/firewallRules", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", + "properties": { + "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", + "endIpAddress": "[parameters('sqlFirewallRule').endIpAddress]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "copy": { + "name": "sqlDatabases", + "count": "[length(parameters('sqlLogicalServer').databases)]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlDb-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlServerName": { + "value": "[parameters('sqlLogicalServer').name]" + }, + "sqlDatabase": { + "value": "[union(variables('defaultSqlDatabaseProperties'), parameters('sqlLogicalServer').databases[copyIndex()])]" + }, + "tags": { + "value": "[union(parameters('tags'), union(variables('defaultSqlDatabaseProperties'), parameters('sqlLogicalServer').databases[copyIndex()]).tags)]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "358706201153740767" + } + }, + "parameters": { + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL server." + } + }, + "sqlDatabase": { + "type": "object", + "metadata": { + "description": "The SQL database parameters object." 
+ } + }, + "tags": { + "type": "object" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2020-02-02-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "location": "[resourceGroup().location]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('sqlDatabase').skuName]", + "tier": "[parameters('sqlDatabase').tier]" + }, + "properties": { + "zoneRedundant": "[parameters('sqlDatabase').zoneRedundant]", + "collation": "[parameters('sqlDatabase').collation]", + "maxSizeBytes": "[if(equals(parameters('sqlDatabase').dataMaxSize, 0), null(), mul(mul(mul(1024, 1024), 1024), parameters('sqlDatabase').dataMaxSize))]", + "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", + "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", + "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + } + }, + { + "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", + "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", + "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", + "yearlyRetention": "[parameters('sqlDatabase').longTermBackup.yearlyRetention]", + "weekOfYear": "[parameters('sqlDatabase').longTermBackup.weekOfYear]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "recurringScans": { + "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", + "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", + "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" + }, + "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, 
parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1", + "properties": { + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', 
parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]", + "logs": [ + { + "category": "SQLSecurityAuditEvents", + "enabled": true + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[not(empty(parameters('sqlDatabase').diagnosticLogsAndMetrics.name))]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "sendLogsAndMetrics", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.logs)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.logs[copyIndex('logs')]]", + "enabled": true + } + }, + { + "name": "metrics", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics[copyIndex('metrics')]]", + "enabled": true + } + } + ], + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', 
parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "17127545981622889090" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, + { + "condition": 
"[not(equals(parameters('sqlDatabase').shortTermBackupRetention, 0))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "11662974089594234440" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + 
"mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "7930707696094790980" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlDatabase').azureDefender.emailAddresses]", + "emailAccountAdmins": "[parameters('sqlDatabase').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlDatabase').azureDefender.disabledRules]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": 
"[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "981955417693896583" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ] + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlDatabase').auditActionsAndGroups)), parameters('sqlDatabase').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 
parameters('sqlLogicalServer').name)]" + ] + } + ] + } + } + } + ] + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroup').name)]" + ] + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep new file mode 100644 index 00000000000..b90d4495f08 --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep @@ -0,0 +1,23 @@ + +param sqlDatabase object +param sqlServerName string + +var defaultAuditActionsAndGroups = [ + 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP' + 'FAILED_DATABASE_AUTHENTICATION_GROUP' + 'BATCH_COMPLETED_GROUP' +] + +// Audit settings need for enabling auditing to Log Analytics workspace +resource auditSettings 'Microsoft.Sql/servers/databases/auditingSettings@2020-08-01-preview' = { + name: '${sqlServerName}/${sqlDatabase.name}/Default' + properties: { + state: sqlDatabase.diagnosticLogsAndMetrics.auditLogs ? 'Enabled' : 'Disabled' + auditActionsAndGroups: !empty(sqlDatabase.auditActionsAndGroups) ? sqlDatabase.auditActionsAndGroups : defaultAuditActionsAndGroups + storageEndpoint: '' + storageAccountAccessKey: '' + storageAccountSubscriptionId: '00000000-0000-0000-0000-000000000000' + retentionDays: 0 + isAzureMonitorTargetEnabled: sqlDatabase.diagnosticLogsAndMetrics.auditLogs + } +} diff --git a/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep new file mode 100644 index 00000000000..7fb137870de --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep 
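Review bot: With the shipped default `auditLogs: false`, audit-settings.bicep still deploys the `auditingSettings` resource and writes `state: 'Disabled'`, so running the example against an existing database appears to switch its auditing off rather than leave it untouched. azure-defender.bicep has the same pattern: `azureDefender.enabled: false` becomes `state: 'Disabled'` on the security alert policy. I would either make the two module calls in sql-database.bicep conditional, e.g. `module azureDefender 'azure-defender.bicep' = if (sqlDatabase.azureDefender.enabled) {`, or flip the defaults so the example keeps these controls on unless the caller opts out. A comment above `storageEndpoint: ''` saying the empty storage fields are intentional because the target is Azure Monitor would also help readers.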
@@ -0,0 +1,13 @@
+param sqlDatabase object
+param sqlServerName string
+
+// Azure Defender
+resource azureDefender 'Microsoft.Sql/servers/databases/securityAlertPolicies@2020-08-01-preview' = {
+ name: '${sqlServerName}/${sqlDatabase.name}/Default'
+ properties: {
+ state: sqlDatabase.azureDefender.enabled ? 'Enabled' : 'Disabled'
+ emailAddresses: sqlDatabase.azureDefender.emailAddresses
+ emailAccountAdmins: sqlDatabase.azureDefender.emailAccountAdmins
+ disabledAlerts: sqlDatabase.azureDefender.disabledRules
+ }
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
new file mode 100644
index 00000000000..49ef2e601dc
--- /dev/null
+++ b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
@@ -0,0 +1,10 @@
+param sqlDatabase object
+param sqlServerName string
+
+// Short term backup
+resource shortTermBackup 'Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies@2020-08-01-preview' = {
+ name: '${sqlServerName}/${sqlDatabase.name}/Default'
+ properties: {
+ retentionDays: sqlDatabase.shortTermBackupRetention
+ }
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
new file mode 100644
index 00000000000..68a30e84032
--- /dev/null
+++ b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
@@ -0,0 +1,187 @@ +@description('The name of the SQL server.') +param sqlServerName string + +@description('The SQL database parameters object.') +param sqlDatabase object + +param tags object + +resource sqlDb 'Microsoft.Sql/servers/databases@2020-02-02-preview' = { + name: '${sqlServerName}/${sqlDatabase.name}' + location: resourceGroup().location + tags: tags + sku: { + name: sqlDatabase.skuName + tier: sqlDatabase.tier + } + properties: { + zoneRedundant: sqlDatabase.zoneRedundant + collation: sqlDatabase.collation + maxSizeBytes: sqlDatabase.dataMaxSize == 0 ? any(null) : 1024*1024*1024*sqlDatabase.dataMaxSize + licenseType: sqlDatabase.hybridBenefit ? 'BasePrice' : 'LicenseIncluded' + readScale: sqlDatabase.readReplicas == 0 ? 'Disabled' : 'Enabled' + readReplicaCount: sqlDatabase.readReplicas + minCapacity: sqlDatabase.minimumCores == 0 ? any('') : any(string(sqlDatabase.minimumCores)) + autoPauseDelay: sqlDatabase.autoPauseDelay == 0 ? any('') : any(string(sqlDatabase.autoPauseDelay)) + } +} + +module transparentDataEncryption 'transparent-data-encryption.bicep' = { + dependsOn: [ + sqlDb + ] + name: 'transparentDataEncryption-${uniqueString(sqlServerName, sqlDatabase.name)}' + params: { + sqlDatabase: sqlDatabase + sqlServerName: sqlServerName + } +} + +// Works +//resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = { +// dependsOn: [ +// sqlDb +// ] +// name: '${sqlServerName}/${sqlDatabase.name}/current' +// properties: { +// status: sqlDatabase.dataEncryption +// } +//} + +// Does not work +//resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = { +// name: 'current' +// parent: sqlDb +// properties: { +// status: sqlDatabase.dataEncryption +// } +//} + + +// Short term backup +module shortTermBackup 'short-term-backup.bicep' = if (!(sqlDatabase.shortTermBackupRetention == 0)) { + dependsOn: [ + transparentDataEncryption + sqlDb + ] + name: 
'shortTermBackup-${uniqueString(sqlServerName, sqlDatabase.name)}' + params: { + sqlDatabase: sqlDatabase + sqlServerName: sqlServerName + } +} + +// Long term backup +resource longTermBackup 'Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies@2020-08-01-preview' = if (sqlDatabase.longTermBackup.enabled) { + dependsOn: [ + transparentDataEncryption + shortTermBackup + ] + name: 'Default' + parent: sqlDb + properties: { + weeklyRetention: sqlDatabase.longTermBackup.weeklyRetention + monthlyRetention: sqlDatabase.longTermBackup.monthlyRetention + yearlyRetention: sqlDatabase.longTermBackup.yearlyRetention + weekOfYear: sqlDatabase.longTermBackup.weekOfYear + } +} + +// Azure Defender +module azureDefender 'azure-defender.bicep' = { + dependsOn: [ + transparentDataEncryption + sqlDb + ] + name: 'azureDefender-${uniqueString(sqlServerName, sqlDatabase.name)}' + params: { + sqlDatabase: sqlDatabase + sqlServerName: sqlServerName + } +} + +// Get existing storage account +resource storageAccountVulnerabilityAssessments 'Microsoft.Storage/storageAccounts@2021-01-01' existing = if (sqlDatabase.azureDefender.enabled && sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name)) { + scope: resourceGroup(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName) + name: sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name +} + + + +// Vulnerability Assessments +// Can be enabled only if Azure Defender is enabled as well +resource vulnerabilityAssessments 'Microsoft.Sql/servers/databases/vulnerabilityAssessments@2020-08-01-preview' = if (sqlDatabase.azureDefender.enabled && sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name)) { + dependsOn: [ + transparentDataEncryption + azureDefender + ] + name: 'Default' + parent: sqlDb + properties: { 
+ recurringScans: { + isEnabled: sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans + emailSubscriptionAdmins: sqlDatabase.azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins + emails: sqlDatabase.azureDefender.vulnerabilityAssessments.emails + } + storageContainerPath: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? concat(storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob, sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.containerName) : '' + storageAccountAccessKey: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion ).keys[0].value : '' + } +} + +// Audit settings need for enabling auditing to Log Analytics workspace +module auditSettings 'audit-settings.bicep' = { + dependsOn: [ + transparentDataEncryption + sqlDb + ] + name: 'auditSettings-${uniqueString(sqlServerName, sqlDatabase.name)}' + params: { + sqlDatabase: sqlDatabase + sqlServerName: sqlServerName + } +} + +// Get existing Log Analytics workspace +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-10-01' existing = if (sqlDatabase.diagnosticLogsAndMetrics.auditLogs || !empty(sqlDatabase.diagnosticLogsAndMetrics.name)) { + scope: resourceGroup(sqlDatabase.diagnosticLogsAndMetrics.subscriptionId, sqlDatabase.diagnosticLogsAndMetrics.resourceGroupName) + name: sqlDatabase.diagnosticLogsAndMetrics.name +} + +// Sends audit logs to Log Analytics Workspace +resource auditDiagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (sqlDatabase.diagnosticLogsAndMetrics.auditLogs) { + dependsOn: [ + transparentDataEncryption + auditSettings + ] + scope: sqlDb + name: 'SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1' + properties: { + workspaceId: logAnalyticsWorkspace.id + logs: [ + { + category: 'SQLSecurityAuditEvents' + 
enabled: true + } + ] + } +} + +// Send other logs and metrics to Log Analytics +resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (!empty(sqlDatabase.diagnosticLogsAndMetrics.name)) { + dependsOn: [ + transparentDataEncryption + ] + scope: sqlDb + name: 'sendLogsAndMetrics' + properties: { + workspaceId: logAnalyticsWorkspace.id + logs: [for log in sqlDatabase.diagnosticLogsAndMetrics.logs: { + category: log + enabled: true + }] + metrics: [for metric in sqlDatabase.diagnosticLogsAndMetrics.metrics: { + category: metric + enabled: true + }] + } +} diff --git a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep new file mode 100644 index 00000000000..2cb7dc7b395 --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep @@ -0,0 +1,13 @@ +@description('Firewall rule') +param sqlFirewallRule object + +@description('The name of the SQL Logical server.') +param sqlServerName string + +resource firewallRule 'Microsoft.Sql/servers/firewallRules@2020-08-01-preview' = { + name: '${sqlServerName}/${sqlFirewallRule.name}' + properties: { + startIpAddress: sqlFirewallRule.startIpAddress + endIpAddress: sqlFirewallRule.endIpAddress + } +} diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep new file mode 100644 index 00000000000..6975f5e62cf --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep 
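Review bot: `auditDiagnosticSetings` is gated only on `diagnosticLogsAndMetrics.auditLogs`, but its `workspaceId` comes from `logAnalyticsWorkspace`, whose `name` defaults to `''` in `defaultSqlDatabaseProperties`. With `auditLogs: true` and no workspace name, which is how the sample parameters.json ships, the audit policy is enabled while the diagnostic setting meant to carry the events refers to an empty workspace name, so the deployment presumably fails or leaves audit events without a sink. Tightening the condition to `if (sqlDatabase.diagnosticLogsAndMetrics.auditLogs && !empty(sqlDatabase.diagnosticLogsAndMetrics.name))` and stating in the `sqlDatabase` parameter description that a workspace is required when `auditLogs` is true would make the dependency explicit. The two commented-out `transparentDataEncryption` variants ("Works" / "Does not work") would read better as a one-line comment explaining why the module form is used.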
@@ -0,0 +1,244 @@ +@description('SQL Logical server.') +param sqlLogicalServer object + +@description('The SQL Logical Server password.') +@secure() +param password string + +param tags object + +var defaultAuditActionsAndGroups = [ + 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP' + 'FAILED_DATABASE_AUTHENTICATION_GROUP' + 'BATCH_COMPLETED_GROUP' +] + +var defaultSqlDatabaseProperties = { + name: '' + status: '' + tags: {} + skuName: '' + tier: '' + zoneRedundant: false + collation: 'SQL_Latin1_General_CP1_CI_AS' + dataMaxSize: 0 + hybridBenefit: false + readReplicas: 0 + minimumCores: 0 + autoPauseDelay: 0 + dataEncryption: 'Enabled' + shortTermBackupRetention: 0 + longTermBackup: { + enabled: false + weeklyRetention: 'P1W' + monthlyRetention: 'P4W' + yearlyRetention: 'P52W' + weekOfYear: 1 + } + azureDefender: { + enabled: false + emailAccountAdmins: false + emailAddresses: [] + disabledRules: [] + vulnerabilityAssessments: { + recurringScans: false + storageAccount: { + resourceGroupName: '' + name: '' + containerName: '' + } + emailSubscriptionAdmins: false + emails: [] + } + } + auditActionsAndGroups: [] + diagnosticLogsAndMetrics: { + name: '' + resourceGroupName: '' + subscriptionId: subscription().subscriptionId + logs: [] + metrics: [] + auditLogs: false + } +} + +resource sqlLogicalServerRes 'Microsoft.Sql/servers@2020-02-02-preview' = { + name: sqlLogicalServer.name + location: resourceGroup().location + tags: tags + identity: { + type: sqlLogicalServer.systemManagedIdentity ? 
'SystemAssigned' : 'None' + } + properties: { + administratorLogin: sqlLogicalServer.userName + administratorLoginPassword: password + version: '12.0' + minimalTlsVersion: sqlLogicalServer.minimalTlsVersion + //publicNetworkAccess: sqlLogicalServer.publicNetworkAccess + + } +} + + // Azure Active Directory integration +resource azureAdIntegration 'Microsoft.Sql/servers/administrators@2020-08-01-preview' = if (!empty(sqlLogicalServer.azureActiveDirectoryAdministrator.objectId)) { + name: 'activeDirectory' + parent: sqlLogicalServerRes + properties: { + administratorType: 'ActiveDirectory' + login: sqlLogicalServer.azureActiveDirectoryAdministrator.name + sid: sqlLogicalServer.azureActiveDirectoryAdministrator.objectId + tenantId: sqlLogicalServer.azureActiveDirectoryAdministrator.tenantId + } +} + +// Azure Defender +resource azureDefender 'Microsoft.Sql/servers/securityAlertPolicies@2020-08-01-preview' = { + name: 'Default' + parent: sqlLogicalServerRes + properties: { + state: sqlLogicalServer.azureDefender.enabled ? 
'Enabled' : 'Disabled' + emailAddresses: sqlLogicalServer.azureDefender.emailAddresses + emailAccountAdmins: sqlLogicalServer.azureDefender.emailAccountAdmins + disabledAlerts: sqlLogicalServer.azureDefender.disabledAlerts + } +} + +// Get existing storage account +resource storageAccountVulnerabilityAssessments 'Microsoft.Storage/storageAccounts@2021-01-01' existing = if (sqlLogicalServer.azureDefender.enabled && sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name)) { + scope: resourceGroup(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName) + name: sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name +} + +// Vulnerability Assessments +// Can be enabled only if Azure Defender is enabled as well +resource vulnerabilityAssessments 'Microsoft.Sql/servers/vulnerabilityAssessments@2020-08-01-preview' = if (sqlLogicalServer.azureDefender.enabled && sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name)) { + dependsOn: [ + azureDefender + ] + name: 'Default' + parent: sqlLogicalServerRes + properties: { + recurringScans: { + isEnabled: sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans + emailSubscriptionAdmins: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins + emails: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emails + } + storageContainerPath: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? concat(storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob , sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.containerName) : '' + storageAccountAccessKey: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? 
listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion).keys[0].value : '' + } +} + +// Audit settings need for enabling auditing to Log Analytics workspace +resource auditSettings 'Microsoft.Sql/servers/auditingSettings@2020-08-01-preview' = { + name: 'Default' + parent: sqlLogicalServerRes + properties: { + state: sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs ? 'Enabled' : 'Disabled' + auditActionsAndGroups: !empty(sqlLogicalServer.auditActionsAndGroups) ? sqlLogicalServer.auditActionsAndGroups : defaultAuditActionsAndGroups + storageEndpoint: '' + storageAccountAccessKey: '' + storageAccountSubscriptionId: '00000000-0000-0000-0000-000000000000' + retentionDays: 0 + isAzureMonitorTargetEnabled: sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs + isDevopsAuditEnabled: sqlLogicalServer.diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs + } +} + +// SQL Logical Server Firewall Rules +module sqlFirewallRules 'sql-firewall-rule.bicep' = [for (firewallRules, index) in sqlLogicalServer.firewallRules: { + dependsOn: [ + sqlLogicalServerRes + ] + name: 'sqlFirewallRule-${uniqueString(sqlLogicalServer.name)}-${index}' + params: { + sqlFirewallRule: sqlLogicalServer.firewallRules[index] + sqlServerName: sqlLogicalServer.name + } +}] + +// SQL Databases +module sqlDatabases 'sql-database.bicep' = [for (sqlDatabase, index) in sqlLogicalServer.databases: { + dependsOn: [ + sqlLogicalServerRes + ] + name: 'sqlDb-${uniqueString(sqlLogicalServer.name)}-${index}' + params: { + sqlServerName: sqlLogicalServer.name + sqlDatabase: union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index]) + tags: union(tags, union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index]).tags) + } +}] + +// Empty deployment that serves as artificial delay until master database resource is created +@batchSize(1) +resource dummyDeployments 'Microsoft.Resources/deployments@2020-10-01' = [for (dummyDeployment, index) in 
range(0, 5): if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs && !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { + dependsOn: [ + sqlLogicalServerRes + ] + name: 'dummyTemplateSqlServer-${uniqueString(sqlLogicalServer.name)}-${index}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#' + contentVersion:'1.0.0.0' + resources: [] + } + } +}] + +// Get existing master database +resource masterDb 'Microsoft.Sql/servers/databases@2020-08-01-preview' existing = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs || !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { + name: 'master' + parent: sqlLogicalServerRes +} + +// Get existing Log Analytics workspace +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-10-01' existing = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs || !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { + scope: resourceGroup(sqlLogicalServer.diagnosticLogsAndMetrics.subscriptionId, sqlLogicalServer.diagnosticLogsAndMetrics.resourceGroupName) + name: sqlLogicalServer.diagnosticLogsAndMetrics.name +} + +// Sends audit logs to Log Analytics Workspace +resource auditDiagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs) { + dependsOn: [ + auditSettings + sqlDatabases + dummyDeployments + ] + scope: masterDb + name: 'SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1' + properties: { + workspaceId: logAnalyticsWorkspace.id + logs: [ + { + category: 'SQLSecurityAuditEvents' + enabled: true + } + { + category: 'DevOpsOperationsAudit' + enabled: sqlLogicalServer.diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs + } + ] + } +} + +// Send other logs and metrics to Log Analytics +resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if 
(!empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { + dependsOn: [ + sqlDatabases + dummyDeployments + ] + scope: masterDb + name: 'sendLogsAndMetrics' + properties: { + workspaceId: logAnalyticsWorkspace.id + logs: [for log in sqlLogicalServer.diagnosticLogsAndMetrics.logs: { + category: log + enabled: true + }] + metrics: [for metric in sqlLogicalServer.diagnosticLogsAndMetrics.metrics: { + category: metric + enabled: true + }] + } +} diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep new file mode 100644 index 00000000000..327130d8543 --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep 
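Review bot: `publicNetworkAccess` is commented out in `sqlLogicalServerRes`, yet sql-logical-servers.bicep still exposes it with a default of `'Enabled'`, so a caller who sets it to `'Disabled'` gets no error and a server that keeps whatever public-access behaviour the platform defaults to. Either restore `publicNetworkAccess: sqlLogicalServer.publicNetworkAccess`, or remove the key from the defaults and replace the commented line with a comment saying why it is not applied. Separately, the server-level `azureDefender` resource reads `sqlLogicalServer.azureDefender.disabledAlerts` while the defaults object defines `disabledRules`, so a server declared without that key looks like it will fail on the property lookup; the name should match on both sides.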
@@ -0,0 +1,64 @@
+@description('SQL logical servers.')
+param sqlLogicalServers array
+param tags object
+
+@secure()
+param password string
+
+var defaultSqlLogicalServerProperties = {
+ name: ''
+ tags: {}
+ userName: ''
+ passwordFromKeyVault: {
+ subscriptionId: subscription().subscriptionId
+ resourceGroupName: ''
+ name: ''
+ secretName: ''
+ }
+ systemManagedIdentity: false
+ minimalTlsVersion: '1.2'
+ publicNetworkAccess: 'Enabled'
+ azureActiveDirectoryAdministrator: {
+ name: ''
+ objectId: ''
+ tenantId: subscription().tenantId
+ }
+ firewallRules: []
+ azureDefender: {
+ enabled: false
+ emailAccountAdmins: false
+ emailAddresses: []
+ disabledRules: []
+ vulnerabilityAssessments: {
+ recurringScans: false
+ storageAccount: {
+ resourceGroupName: ''
+ name: ''
+ containerName: ''
+ }
+ emailSubscriptionAdmins: false
+ emails: []
+ }
+ }
+ auditActionsAndGroups: []
+ diagnosticLogsAndMetrics: {
+ name: ''
+ resourceGroupName: ''
+ subscriptionId: subscription().subscriptionId
+ logs: []
+ metrics: []
+ auditLogs: false
+ microsoftSupportOperationsAuditLogs: false
+ }
+ databases: []
+}
+
+
+module sqlLogicalServer 'sql-logical-server.bicep' = [for (sqlLogicalServer, index) in sqlLogicalServers: {
+ name: 'sqlLogicalServer-${index}'
+ params: {
+ sqlLogicalServer: union(defaultSqlLogicalServerProperties, sqlLogicalServer)
+ password: password
+ tags: union(tags, union(defaultSqlLogicalServerProperties, sqlLogicalServer).tags)
+ }
+}]
diff --git a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
new file mode 100644
index 00000000000..d3a05785a1a
--- /dev/null
+++ b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
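Review bot: Every element of `sqlLogicalServers` receives the same `password` value, and the per-server `passwordFromKeyVault` block in `defaultSqlLogicalServerProperties` is not read by any module in this patch, so all servers in one deployment end up sharing a single administrator password. If per-server secrets are intended, that block needs to be wired into the loop. Otherwise remove it from the defaults and from parameters.json, and put a `@description` on `password` stating that it is applied to every server. `param tags object` also lacks the `@description` decorator that `sqlLogicalServers` has.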
@@ -0,0 +1,10 @@
+param sqlDatabase object
+param sqlServerName string
+
+
+resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = {
+ name: '${sqlServerName}/${sqlDatabase.name}/current'
+ properties: {
+ status: sqlDatabase.dataEncryption
+ }
+}
diff --git a/docs/examples/301/sql-database-with-management/parameters.json b/docs/examples/301/sql-database-with-management/parameters.json
new file mode 100644
index 00000000000..c0f85ef85d3
--- /dev/null
+++ b/docs/examples/301/sql-database-with-management/parameters.json
@@ -0,0 +1,101 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroup": { + "value": { + "name": "", + "location": "West Europe", + //"tags": { + // "env": "DEV" + //}, + "sqlLogicalServers": [ + { + "name": "", + "systemManagedIdentity": true, + "userName": "", + "passwordFromKeyVault": { + "resourceGroupName": "", + "name": "", + "secretName": "" + }, + //"azureActiveDirectoryAdministrator": { + // "name": """, + // "objectId": """ + //}, + "firewallRules": [ + { + "name": "allAzure", + "startIpAddress": "0.0.0.0", + "endIpAddress": "0.0.0.0" + } + ], + //"diagnosticLogsAndMetrics": { + // "name": """, + // "resourceGroupName": "", + // "logs": [ + // "SQLInsights", + // "AutomaticTuning", + // "QueryStoreRuntimeStatistics", + // "QueryStoreWaitStatistics", + // "Errors", + // "DatabaseWaitStatistics", + // "Timeouts", + // "Blocks", + // "Deadlocks" + // ], + // "metrics": [ + // "Basic" + // ], + // "auditLogs": true, + // "microsoftSupportOperationsAuditLogs": true + //}, + "databases": [ + { + "name": "", + "skuName": "GP_Gen5_2", + "tier": "GeneralPurpose", + "shortTermBackupRetention": 14, + "longTermBackup": { + "enabled": true, + "weeklyRetention": "P1W", + "monthlyRetention": "P4W", + "yearlyRetention": "P52W", + "weekOfYear": 1 + }, + "diagnosticLogsAndMetrics": { + "name": "", + "resourceGroupName": "", + "logs": [ + "SQLInsights", + "AutomaticTuning", + "QueryStoreRuntimeStatistics", + "QueryStoreWaitStatistics", + "Errors", + "DatabaseWaitStatistics", + "Timeouts", + "Blocks", + "Deadlocks" + ], + "metrics": [ + "Basic" + ], + "auditLogs": true, + "microsoftSupportOperationsAuditLogs": true + } + } + ] + } + ] + } + }, + "password": { + "reference": { + "keyVault": { + "id": "" + }, + "secretName": "" + } + } + } +} From 5b670d0b055f973409c9130787c98223f4c21117 Mon Sep 17 00:00:00 2001 
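Review bot: The sample's only firewall rule, `allAzure` with `0.0.0.0` to `0.0.0.0`, is the special range that admits connections from any Azure-hosted source, including resources in other customers' subscriptions, so a copy-paste deployment starts with broader network exposure than most readers will expect. I would ship the example with `"firewallRules": []` and show this rule in a commented block, or at least add a comment line above it stating what the range means. The commented-out placeholders also use `"""` for `name` and `objectId`, which becomes invalid JSON as soon as the lines are uncommented; they should be `""`.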
From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 12:52:53 +0300 Subject: [PATCH 02/11] updates index.json --- docs/examples/index.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/examples/index.json b/docs/examples/index.json index 3c7f804f035..2ea4e291470 100644 --- a/docs/examples/index.json +++ b/docs/examples/index.json @@ -518,5 +518,9 @@ { "filePath": "301/deployment-script-dev-environment/main.bicep", "description": "301/deployment-script-dev-environment" + }, + { + "filePath": "301/sql-database-with-management/main.bicep", + "description": "301/sql-database-with-management" } -] \ No newline at end of file +] From 10063c5731b35bda77373bad04b1df44c9874b7d Mon Sep 17 00:00:00 2001 From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 13:25:47 +0300 Subject: [PATCH 03/11] fixes whitespaces --- docs/examples/301/sql-database-with-management/main.bicep | 2 +- .../modules/audit-settings.bicep | 2 +- .../modules/sql-database.bicep | 4 ++-- .../modules/sql-logical-server.bicep | 8 ++++---- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/examples/301/sql-database-with-management/main.bicep b/docs/examples/301/sql-database-with-management/main.bicep index 4858503e324..60eccbf3cd0 100644 --- a/docs/examples/301/sql-database-with-management/main.bicep +++ b/docs/examples/301/sql-database-with-management/main.bicep @@ -14,7 +14,7 @@ var defaultResourceGroupProperties = { // Deploy Resource Group resource sqlRg 'Microsoft.Resources/resourceGroups@2020-10-01' = if (union(defaultResourceGroupProperties, resourceGroup).deploy) { name: resourceGroup.name - location:resourceGroup.location + location: resourceGroup.location tags: union(defaultResourceGroupProperties, resourceGroup).tags properties: {} } diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep index b90d4495f08..dbec8430cf9 100644 
--- a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep +++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep @@ -19,5 +19,5 @@ resource auditSettings 'Microsoft.Sql/servers/databases/auditingSettings@2020-08 storageAccountSubscriptionId: '00000000-0000-0000-0000-000000000000' retentionDays: 0 isAzureMonitorTargetEnabled: sqlDatabase.diagnosticLogsAndMetrics.auditLogs - } + } } diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep index 68a30e84032..01e4f74a0e2 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep +++ b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep @@ -17,7 +17,7 @@ resource sqlDb 'Microsoft.Sql/servers/databases@2020-02-02-preview' = { properties: { zoneRedundant: sqlDatabase.zoneRedundant collation: sqlDatabase.collation - maxSizeBytes: sqlDatabase.dataMaxSize == 0 ? any(null) : 1024*1024*1024*sqlDatabase.dataMaxSize + maxSizeBytes: sqlDatabase.dataMaxSize == 0 ? any(null) : 1024 * 1024 * 1024 * sqlDatabase.dataMaxSize licenseType: sqlDatabase.hybridBenefit ? 'BasePrice' : 'LicenseIncluded' readScale: sqlDatabase.readReplicas == 0 ? 'Disabled' : 'Enabled' readReplicaCount: sqlDatabase.readReplicas 
@@ -124,7 +124,7 @@ resource vulnerabilityAssessments 'Microsoft.Sql/servers/databases/vulnerability emails: sqlDatabase.azureDefender.vulnerabilityAssessments.emails } storageContainerPath: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? concat(storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob, sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.containerName) : '' - storageAccountAccessKey: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion ).keys[0].value : '' + storageAccountAccessKey: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion).keys[0].value : '' } } diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep index 6975f5e62cf..cc9cbdf8502 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep 
@@ -123,7 +123,7 @@ resource vulnerabilityAssessments 'Microsoft.Sql/servers/vulnerabilityAssessment
 emailSubscriptionAdmins: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins
 emails: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emails
 }
- storageContainerPath: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? concat(storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob , sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.containerName) : ''
+ storageContainerPath: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? concat(storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob, sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.containerName) : ''
 storageAccountAccessKey: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion).keys[0].value : ''
 }
 }
@@ -163,9 +163,9 @@ module sqlDatabases 'sql-database.bicep' = [for (sqlDatabase, index) in sqlLogic
 ]
 name: 'sqlDb-${uniqueString(sqlLogicalServer.name)}-${index}'
 params: {
- sqlServerName: sqlLogicalServer.name
- sqlDatabase: union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index])
- tags: union(tags, union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index]).tags)
+ sqlServerName: sqlLogicalServer.name
+ sqlDatabase: union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index])
+ tags: union(tags, union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index]).tags)
 }
 }]
From b59d203ee357d4b51c99cc3a9e47917c3001ec27 Mon Sep 17 00:00:00 2001
From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 13:44:07 +0300 Subject: [PATCH 04/11] removes extra end line --- docs/examples/301/sql-database-with-management/main.bicep | 2 +- .../sql-database-with-management/modules/audit-settings.bicep | 3 +-- .../sql-database-with-management/modules/azure-defender.bicep | 2 +- .../modules/short-term-backup.bicep | 2 +- .../sql-database-with-management/modules/sql-database.bicep | 2 +- .../modules/sql-firewall-rule.bicep | 2 +- .../modules/sql-logical-server.bicep | 2 +- .../modules/sql-logical-servers.bicep | 3 +-- .../modules/transparent-data-encryption.bicep | 3 +-- 9 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/docs/examples/301/sql-database-with-management/main.bicep b/docs/examples/301/sql-database-with-management/main.bicep
index 60eccbf3cd0..8cd0528bf91 100644
--- a/docs/examples/301/sql-database-with-management/main.bicep
+++ b/docs/examples/301/sql-database-with-management/main.bicep
@@ -28,4 +28,4 @@ module sqlLogicalServers 'modules/sql-logical-servers.bicep' = {
 tags: union(defaultResourceGroupProperties, resourceGroup).tags
 password: password
 }
-}
+}
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep
index dbec8430cf9..8a7ff66d4fc 100644
--- a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep
@@ -1,4 +1,3 @@
-
 param sqlDatabase object
 param sqlServerName string
@@ -20,4 +19,4 @@ resource auditSettings 'Microsoft.Sql/servers/databases/auditingSettings@2020-08
 retentionDays: 0
 isAzureMonitorTargetEnabled: sqlDatabase.diagnosticLogsAndMetrics.auditLogs
 }
-}
+}
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep
index 7fb137870de..06de0731fe0 100644
--- a/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep
@@ -10,4 +10,4 @@ resource azureDefender 'Microsoft.Sql/servers/databases/securityAlertPolicies@20
 emailAccountAdmins: sqlDatabase.azureDefender.emailAccountAdmins
 disabledAlerts: sqlDatabase.azureDefender.disabledRules
 }
-}
+}
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
index 49ef2e601dc..3177ff92b49 100644
--- a/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
@@ -7,4 +7,4 @@ resource shortTermBackup 'Microsoft.Sql/servers/databases/backupShortTermRetenti
 properties: {
 retentionDays: sqlDatabase.shortTermBackupRetention
 }
-}
+}
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
index 01e4f74a0e2..23e190c3cae 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
@@ -184,4 +184,4 @@ resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-pre
 enabled: true
 }]
 }
-}
+}
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep
index 2cb7dc7b395..b63d432ee02 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep
@@ -10,4 +10,4 @@ resource firewallRule 'Microsoft.Sql/servers/firewallRules@2020-08-01-preview' =
 startIpAddress: sqlFirewallRule.startIpAddress
 endIpAddress: sqlFirewallRule.endIpAddress
 }
-}
+}
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
index cc9cbdf8502..5f0c0cdff01 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
@@ -241,4 +241,4 @@ resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-pre
 enabled: true
 }]
 }
-}
+}
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep
index 327130d8543..a7aba50809f 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep
@@ -53,7 +53,6 @@ var defaultSqlLogicalServerProperties = {
 databases: []
 }
-
 module sqlLogicalServer 'sql-logical-server.bicep' = [for (sqlLogicalServer, index) in sqlLogicalServers: {
 name: 'sqlLogicalServer-${index}'
 params: {
@@ -61,4 +60,4 @@ module sqlLogicalServer 'sql-logical-server.bicep' = [for (sqlLogicalServer, ind
 password: password
 tags: union(tags, union(defaultSqlLogicalServerProperties, sqlLogicalServer).tags)
 }
-}]
+}]
\ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
index d3a05785a1a..0cd3120ff86 100644
--- a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
@@ -1,10 +1,9 @@
 param sqlDatabase object
 param sqlServerName string
-
 resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = {
 name: '${sqlServerName}/${sqlDatabase.name}/current'
 properties: {
 status: sqlDatabase.dataEncryption
 }
-}
+}
\ No newline at end of file
From 4fa26124c0dc2323e0f404c8a5ccf345cfc91e63 Mon Sep 17 00:00:00 2001
From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 14:01:18 +0300 Subject: [PATCH 05/11] removes more empty lines --- docs/examples/301/sql-database-with-management/main.json | 9 +++++---- .../modules/sql-database.bicep | 3 --- .../modules/sql-logical-server.bicep | 7 +++---- 3 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/docs/examples/301/sql-database-with-management/main.json b/docs/examples/301/sql-database-with-management/main.json
index fbf1a6ac266..4ae88ce0db5 100644
--- a/docs/examples/301/sql-database-with-management/main.json
+++ b/docs/examples/301/sql-database-with-management/main.json
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.3.255.40792", - "templateHash": "15425439460857386433" + "templateHash": "15145536707706943368" } }, "parameters": {
@@ -64,7 +64,7 @@ "_generator": { "name": "bicep", "version": "0.3.255.40792", - "templateHash": "4037742454522260869" + "templateHash": "17292316314592963422" } }, "parameters": {
@@ -163,7 +163,7 @@ "_generator": { "name": "bicep", "version": "0.3.255.40792", - "templateHash": "12960428080819556485" + "templateHash": "11038828717948749659" } }, "parameters": {
@@ -253,7 +253,8 @@ "administratorLogin": "[parameters('sqlLogicalServer').userName]", "administratorLoginPassword": "[parameters('password')]", "version": "12.0", - "minimalTlsVersion": "[parameters('sqlLogicalServer').minimalTlsVersion]" + "minimalTlsVersion": "[parameters('sqlLogicalServer').minimalTlsVersion]", + "publicNetworkAccess": "[parameters('sqlLogicalServer').publicNetworkAccess]" } }, {
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
index 23e190c3cae..9d851b11bac 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
@@ -57,7 +57,6 @@ module transparentDataEncryption 'transparent-data-encryption.bicep' = { // } //} - // Short term backup module shortTermBackup 'short-term-backup.bicep' = if (!(sqlDatabase.shortTermBackupRetention == 0)) { dependsOn: [
@@ -106,8 +105,6 @@ resource storageAccountVulnerabilityAssessments 'Microsoft.Storage/storageAccoun name: sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name } - - // Vulnerability Assessments // Can be enabled only if Azure Defender is enabled as well resource vulnerabilityAssessments 'Microsoft.Sql/servers/databases/vulnerabilityAssessments@2020-08-01-preview' = if (sqlDatabase.azureDefender.enabled && sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name)) {
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
index 5f0c0cdff01..c722065a8d2 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
@@ -74,12 +74,11 @@ resource sqlLogicalServerRes 'Microsoft.Sql/servers@2020-02-02-preview' = {
 administratorLoginPassword: password
 version: '12.0'
 minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
- //publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
-
+ publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
 }
 }
- // Azure Active Directory integration
+// Azure Active Directory integration
 resource azureAdIntegration 'Microsoft.Sql/servers/administrators@2020-08-01-preview' = if (!empty(sqlLogicalServer.azureActiveDirectoryAdministrator.objectId)) {
 name: 'activeDirectory'
 parent: sqlLogicalServerRes
@@ -180,7 +179,7 @@ resource dummyDeployments 'Microsoft.Resources/deployments@2020-10-01' = [for (d
 mode: 'Incremental'
 template: {
 '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
- contentVersion:'1.0.0.0'
+ contentVersion: '1.0.0.0'
 resources: []
 }
 }
From 5ee569a3b13225601a8ea4782977224c6b83e6ab Mon Sep 17 00:00:00 2001
From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 14:09:25 +0300 Subject: [PATCH 06/11] adds extra line in main.bicep --- docs/examples/301/sql-database-with-management/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/examples/301/sql-database-with-management/main.bicep b/docs/examples/301/sql-database-with-management/main.bicep
index 8cd0528bf91..60eccbf3cd0 100644
--- a/docs/examples/301/sql-database-with-management/main.bicep
+++ b/docs/examples/301/sql-database-with-management/main.bicep
@@ -28,4 +28,4 @@ module sqlLogicalServers 'modules/sql-logical-servers.bicep' = {
 tags: union(defaultResourceGroupProperties, resourceGroup).tags
 password: password
 }
-}
\ No newline at end of file
+}
From 031e725cc854c970d0f76bb34c9f8cf1f645bb70 Mon Sep 17 00:00:00 2001
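Review bot: The newly enabled `publicNetworkAccess: sqlLogicalServer.publicNetworkAccess` in the `@@ -74,12` hunk of sql-logical-server.bicep takes its value straight from the parameter object, and nothing in the hunk shows a default or restricts it to the two values the resource accepts. The defaults presumably come from `defaultSqlLogicalServerProperties` in sql-logical-servers.bicep, which is not visible here; if that default is `'Enabled'`, the example exposes the server's public endpoint and relies on firewall rules alone. I would set the default to `'Disabled'` there and document the property where it is assigned, for example `// 'Enabled' | 'Disabled'; with 'Disabled' the server is reachable only through private endpoints`. The `sqlLogicalServerRes` resource body starts outside the hunk, so its other network-related properties could not be checked.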
From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 14:32:02 +0300 Subject: [PATCH 07/11] adds back new lines at end --- .../sql-database-with-management/modules/audit-settings.bicep | 2 +- .../sql-database-with-management/modules/azure-defender.bicep | 2 +- .../modules/short-term-backup.bicep | 2 +- .../modules/sql-firewall-rule.bicep | 2 +- .../modules/sql-logical-server.bicep | 2 +- .../modules/sql-logical-servers.bicep | 2 +- .../modules/transparent-data-encryption.bicep | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep
index 8a7ff66d4fc..6932840aaa8 100644
--- a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep
@@ -19,4 +19,4 @@ resource auditSettings 'Microsoft.Sql/servers/databases/auditingSettings@2020-08
 retentionDays: 0
 isAzureMonitorTargetEnabled: sqlDatabase.diagnosticLogsAndMetrics.auditLogs
 }
-}
\ No newline at end of file
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep
index 06de0731fe0..7fb137870de 100644
--- a/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep
@@ -10,4 +10,4 @@ resource azureDefender 'Microsoft.Sql/servers/databases/securityAlertPolicies@20
 emailAccountAdmins: sqlDatabase.azureDefender.emailAccountAdmins
 disabledAlerts: sqlDatabase.azureDefender.disabledRules
 }
-}
\ No newline at end of file
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
index 3177ff92b49..49ef2e601dc 100644
--- a/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep
@@ -7,4 +7,4 @@ resource shortTermBackup 'Microsoft.Sql/servers/databases/backupShortTermRetenti
 properties: {
 retentionDays: sqlDatabase.shortTermBackupRetention
 }
-}
\ No newline at end of file
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep
index b63d432ee02..2cb7dc7b395 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep
@@ -10,4 +10,4 @@ resource firewallRule 'Microsoft.Sql/servers/firewallRules@2020-08-01-preview' =
 startIpAddress: sqlFirewallRule.startIpAddress
 endIpAddress: sqlFirewallRule.endIpAddress
 }
-}
\ No newline at end of file
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
index c722065a8d2..a74696210c2 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep
@@ -240,4 +240,4 @@ resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-pre
 enabled: true
 }]
 }
-}
\ No newline at end of file
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep
index a7aba50809f..ef805e8334a 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep
@@ -60,4 +60,4 @@ module sqlLogicalServer 'sql-logical-server.bicep' = [for (sqlLogicalServer, ind
 password: password
 tags: union(tags, union(defaultSqlLogicalServerProperties, sqlLogicalServer).tags)
 }
-}]
\ No newline at end of file
+}]
diff --git a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
index 0cd3120ff86..56f1206e0b1 100644
--- a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep
@@ -6,4 +6,4 @@ resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentD
 properties: {
 status: sqlDatabase.dataEncryption
 }
-}
\ No newline at end of file
+}
From e8a2e19cb8b50ddbf712aba7b0065c927fa80538 Mon Sep 17 00:00:00 2001
From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 15:07:25 +0300 Subject: [PATCH 08/11] adds new line at end of sql-database.bicep --- .../301/sql-database-with-management/modules/sql-database.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
index 9d851b11bac..b46386ee1ad 100644
--- a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
+++ b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep
@@ -181,4 +181,4 @@ resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-pre
 enabled: true
 }]
 }
-}
\ No newline at end of file
+}
From a9d42752ca8d5d433576d1f616b2f18b5073501b Mon Sep 17 00:00:00 2001
From: Stanislav Zhelyazkov Date: Wed, 21 Apr 2021 15:30:04 +0300 Subject: [PATCH 09/11] compiled modules as well --- .../modules/audit-settings.json | 43 + .../modules/azure-defender.json | 33 + .../modules/short-term-backup.json | 30 + .../modules/sql-database.json | 370 ++++++++ .../modules/sql-firewall-rule.json | 37 + .../modules/sql-logical-server.json | 713 +++++++++++++++ .../modules/sql-logical-servers.json | 816 ++++++++++++++++++ .../modules/transparent-data-encryption.json | 30 + 8 files changed, 2072 insertions(+) create mode 100644 docs/examples/301/sql-database-with-management/modules/audit-settings.json create mode 100644 docs/examples/301/sql-database-with-management/modules/azure-defender.json create mode 100644 docs/examples/301/sql-database-with-management/modules/short-term-backup.json create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-database.json create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-logical-server.json create mode 100644 docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json create mode 100644 docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.json b/docs/examples/301/sql-database-with-management/modules/audit-settings.json new file mode 100644 index 00000000000..33182fce6b3 --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.json 
@@ -0,0 +1,43 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "981955417693896583" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ] + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlDatabase').auditActionsAndGroups)), parameters('sqlDatabase').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]" + } + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/azure-defender.json b/docs/examples/301/sql-database-with-management/modules/azure-defender.json new file mode 100644 index 00000000000..5c106ec65bc --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/azure-defender.json 
@@ -0,0 +1,33 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "7930707696094790980" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlDatabase').azureDefender.emailAddresses]", + "emailAccountAdmins": "[parameters('sqlDatabase').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlDatabase').azureDefender.disabledRules]" + } + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/short-term-backup.json b/docs/examples/301/sql-database-with-management/modules/short-term-backup.json new file mode 100644 index 00000000000..24daadb4c5b --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/short-term-backup.json 
@@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "11662974089594234440" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" + } + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.json b/docs/examples/301/sql-database-with-management/modules/sql-database.json new file mode 100644 index 00000000000..195dd3c3448 --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/sql-database.json 
@@ -0,0 +1,370 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "358706201153740767" + } + }, + "parameters": { + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL server." + } + }, + "sqlDatabase": { + "type": "object", + "metadata": { + "description": "The SQL database parameters object." + } + }, + "tags": { + "type": "object" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2020-02-02-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "location": "[resourceGroup().location]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('sqlDatabase').skuName]", + "tier": "[parameters('sqlDatabase').tier]" + }, + "properties": { + "zoneRedundant": "[parameters('sqlDatabase').zoneRedundant]", + "collation": "[parameters('sqlDatabase').collation]", + "maxSizeBytes": "[if(equals(parameters('sqlDatabase').dataMaxSize, 0), null(), mul(mul(mul(1024, 1024), 1024), parameters('sqlDatabase').dataMaxSize))]", + "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", + "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", + "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + } + }, + { + "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", + "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": 
"[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", + "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", + "yearlyRetention": "[parameters('sqlDatabase').longTermBackup.yearlyRetention]", + "weekOfYear": "[parameters('sqlDatabase').longTermBackup.weekOfYear]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "recurringScans": { + "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", + "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", + "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" + }, + "storageContainerPath": 
"[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), 
parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1", + "properties": { + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]", + "logs": [ + { + "category": "SQLSecurityAuditEvents", + "enabled": true + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[not(empty(parameters('sqlDatabase').diagnosticLogsAndMetrics.name))]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "sendLogsAndMetrics", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.logs)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.logs[copyIndex('logs')]]", + "enabled": true + } + }, + { + "name": 
"metrics", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics[copyIndex('metrics')]]", + "enabled": true + } + } + ], + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "17127545981622889090" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": 
"2014-04-01", + "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, + { + "condition": "[not(equals(parameters('sqlDatabase').shortTermBackupRetention, 0))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "11662974089594234440" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), 
parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "7930707696094790980" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlDatabase').azureDefender.emailAddresses]", + "emailAccountAdmins": "[parameters('sqlDatabase').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlDatabase').azureDefender.disabledRules]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', 
format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "981955417693896583" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ] + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlDatabase').auditActionsAndGroups)), parameters('sqlDatabase').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]" + } + } + ] + } + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json new file mode 100644 index 00000000000..7888aa18c95 --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json @@ -0,0 +1,37 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "13513172714425909162" + } + }, + "parameters": { + "sqlFirewallRule": { + "type": "object", + "metadata": { + "description": "Firewall rule" + } + }, + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL Logical server." + } + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/firewallRules", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", + "properties": { + "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", + "endIpAddress": "[parameters('sqlFirewallRule').endIpAddress]" + } + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json new file mode 100644 index 00000000000..d8f8061f93b --- /dev/null 
+++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json 
@@ -0,0 +1,713 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "11038828717948749659" + } + }, + "parameters": { + "sqlLogicalServer": { + "type": "object", + "metadata": { + "description": "SQL Logical server." + } + }, + "password": { + "type": "secureString", + "metadata": { + "description": "The SQL Logical Server password." + } + }, + "tags": { + "type": "object" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ], + "defaultSqlDatabaseProperties": { + "name": "", + "status": "", + "tags": {}, + "skuName": "", + "tier": "", + "zoneRedundant": false, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "dataMaxSize": 0, + "hybridBenefit": false, + "readReplicas": 0, + "minimumCores": 0, + "autoPauseDelay": 0, + "dataEncryption": "Enabled", + "shortTermBackupRetention": 0, + "longTermBackup": { + "enabled": false, + "weeklyRetention": "P1W", + "monthlyRetention": "P4W", + "yearlyRetention": "P52W", + "weekOfYear": 1 + }, + "azureDefender": { + "enabled": false, + "emailAccountAdmins": false, + "emailAddresses": [], + "disabledRules": [], + "vulnerabilityAssessments": { + "recurringScans": false, + "storageAccount": { + "resourceGroupName": "", + "name": "", + "containerName": "" + }, + "emailSubscriptionAdmins": false, + "emails": [] + } + }, + "auditActionsAndGroups": [], + "diagnosticLogsAndMetrics": { + "name": "", + "resourceGroupName": "", + "subscriptionId": "[subscription().subscriptionId]", + "logs": [], + "metrics": [], + "auditLogs": false + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2020-02-02-preview", + "name": "[parameters('sqlLogicalServer').name]", + "location": 
"[resourceGroup().location]", + "tags": "[parameters('tags')]", + "identity": { + "type": "[if(parameters('sqlLogicalServer').systemManagedIdentity, 'SystemAssigned', 'None')]" + }, + "properties": { + "administratorLogin": "[parameters('sqlLogicalServer').userName]", + "administratorLoginPassword": "[parameters('password')]", + "version": "12.0", + "minimalTlsVersion": "[parameters('sqlLogicalServer').minimalTlsVersion]", + "publicNetworkAccess": "[parameters('sqlLogicalServer').publicNetworkAccess]" + } + }, + { + "condition": "[not(empty(parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId))]", + "type": "Microsoft.Sql/servers/administrators", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'activeDirectory')]", + "properties": { + "administratorType": "ActiveDirectory", + "login": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.name]", + "sid": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId]", + "tenantId": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.tenantId]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "type": "Microsoft.Sql/servers/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "state": "[if(parameters('sqlLogicalServer').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlLogicalServer').azureDefender.emailAddresses]", + "emailAccountAdmins": "[parameters('sqlLogicalServer').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledAlerts]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[and(and(parameters('sqlLogicalServer').azureDefender.enabled, 
parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", + "type": "Microsoft.Sql/servers/vulnerabilityAssessments", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "recurringScans": { + "isEnabled": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans]", + "emailSubscriptionAdmins": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", + "emails": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emails]" + }, + "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', 
parameters('sqlLogicalServer').name, 'Default')]", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "state": "[if(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlLogicalServer').auditActionsAndGroups)), parameters('sqlLogicalServer').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs]", + "isDevopsAuditEnabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[and(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, not(empty(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)))]", + "copy": { + "name": "dummyDeployments", + "count": "[length(range(0, 5))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[format('dummyTemplateSqlServer-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": 
"[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('sqlLogicalServer').name, 'master')]", + "name": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1", + "properties": { + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlLogicalServer').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)]", + "logs": [ + { + "category": "SQLSecurityAuditEvents", + "enabled": true + }, + { + "category": "DevOpsOperationsAudit", + "enabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs]" + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/auditingSettings', parameters('sqlLogicalServer').name, 'Default')]", + "dummyDeployments", + "sqlDatabases", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[not(empty(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name))]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('sqlLogicalServer').name, 'master')]", + "name": "sendLogsAndMetrics", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.logs)]", + "input": { + "category": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.logs[copyIndex('logs')]]", + "enabled": true + } + }, + { + "name": "metrics", + "count": "[length(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.metrics)]", + "input": { + "category": 
"[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.metrics[copyIndex('metrics')]]", + "enabled": true + } + } + ], + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlLogicalServer').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)]" + }, + "dependsOn": [ + "dummyDeployments", + "sqlDatabases", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "copy": { + "name": "sqlFirewallRules", + "count": "[length(parameters('sqlLogicalServer').firewallRules)]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlFirewallRule-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlFirewallRule": { + "value": "[parameters('sqlLogicalServer').firewallRules[copyIndex()]]" + }, + "sqlServerName": { + "value": "[parameters('sqlLogicalServer').name]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "13513172714425909162" + } + }, + "parameters": { + "sqlFirewallRule": { + "type": "object", + "metadata": { + "description": "Firewall rule" + } + }, + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL Logical server." 
+ } + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/firewallRules", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", + "properties": { + "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", + "endIpAddress": "[parameters('sqlFirewallRule').endIpAddress]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "copy": { + "name": "sqlDatabases", + "count": "[length(parameters('sqlLogicalServer').databases)]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlDb-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlServerName": { + "value": "[parameters('sqlLogicalServer').name]" + }, + "sqlDatabase": { + "value": "[union(variables('defaultSqlDatabaseProperties'), parameters('sqlLogicalServer').databases[copyIndex()])]" + }, + "tags": { + "value": "[union(parameters('tags'), union(variables('defaultSqlDatabaseProperties'), parameters('sqlLogicalServer').databases[copyIndex()]).tags)]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "358706201153740767" + } + }, + "parameters": { + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL server." + } + }, + "sqlDatabase": { + "type": "object", + "metadata": { + "description": "The SQL database parameters object." 
+ } + }, + "tags": { + "type": "object" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2020-02-02-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "location": "[resourceGroup().location]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('sqlDatabase').skuName]", + "tier": "[parameters('sqlDatabase').tier]" + }, + "properties": { + "zoneRedundant": "[parameters('sqlDatabase').zoneRedundant]", + "collation": "[parameters('sqlDatabase').collation]", + "maxSizeBytes": "[if(equals(parameters('sqlDatabase').dataMaxSize, 0), null(), mul(mul(mul(1024, 1024), 1024), parameters('sqlDatabase').dataMaxSize))]", + "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", + "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", + "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + } + }, + { + "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", + "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", + "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", + "yearlyRetention": "[parameters('sqlDatabase').longTermBackup.yearlyRetention]", + "weekOfYear": "[parameters('sqlDatabase').longTermBackup.weekOfYear]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "recurringScans": { + "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", + "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", + "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" + }, + "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, 
parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1", + "properties": { + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', 
parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]", + "logs": [ + { + "category": "SQLSecurityAuditEvents", + "enabled": true + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[not(empty(parameters('sqlDatabase').diagnosticLogsAndMetrics.name))]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "sendLogsAndMetrics", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.logs)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.logs[copyIndex('logs')]]", + "enabled": true + } + }, + { + "name": "metrics", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics[copyIndex('metrics')]]", + "enabled": true + } + } + ], + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', 
parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "17127545981622889090" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, + { + "condition": 
"[not(equals(parameters('sqlDatabase').shortTermBackupRetention, 0))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "11662974089594234440" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + 
"mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "7930707696094790980" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlDatabase').azureDefender.emailAddresses]", + "emailAccountAdmins": "[parameters('sqlDatabase').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlDatabase').azureDefender.disabledRules]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": 
"[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "981955417693896583" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ] + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlDatabase').auditActionsAndGroups)), parameters('sqlDatabase').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 
parameters('sqlLogicalServer').name)]" + ] + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json new file mode 100644 index 00000000000..3f06c121aca --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json 
@@ -0,0 +1,816 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "17292316314592963422" + } + }, + "parameters": { + "sqlLogicalServers": { + "type": "array", + "metadata": { + "description": "SQL logical servers." + } + }, + "tags": { + "type": "object" + }, + "password": { + "type": "secureString" + } + }, + "functions": [], + "variables": { + "defaultSqlLogicalServerProperties": { + "name": "", + "tags": {}, + "userName": "", + "passwordFromKeyVault": { + "subscriptionId": "[subscription().subscriptionId]", + "resourceGroupName": "", + "name": "", + "secretName": "" + }, + "systemManagedIdentity": false, + "minimalTlsVersion": "1.2", + "publicNetworkAccess": "Enabled", + "azureActiveDirectoryAdministrator": { + "name": "", + "objectId": "", + "tenantId": "[subscription().tenantId]" + }, + "firewallRules": [], + "azureDefender": { + "enabled": false, + "emailAccountAdmins": false, + "emailAddresses": [], + "disabledRules": [], + "vulnerabilityAssessments": { + "recurringScans": false, + "storageAccount": { + "resourceGroupName": "", + "name": "", + "containerName": "" + }, + "emailSubscriptionAdmins": false, + "emails": [] + } + }, + "auditActionsAndGroups": [], + "diagnosticLogsAndMetrics": { + "name": "", + "resourceGroupName": "", + "subscriptionId": "[subscription().subscriptionId]", + "logs": [], + "metrics": [], + "auditLogs": false, + "microsoftSupportOperationsAuditLogs": false + }, + "databases": [] + } + }, + "resources": [ + { + "copy": { + "name": "sqlLogicalServer", + "count": "[length(parameters('sqlLogicalServers'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlLogicalServer-{0}', copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + 
"parameters": { + "sqlLogicalServer": { + "value": "[union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()])]" + }, + "password": { + "value": "[parameters('password')]" + }, + "tags": { + "value": "[union(parameters('tags'), union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()]).tags)]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "11038828717948749659" + } + }, + "parameters": { + "sqlLogicalServer": { + "type": "object", + "metadata": { + "description": "SQL Logical server." + } + }, + "password": { + "type": "secureString", + "metadata": { + "description": "The SQL Logical Server password." + } + }, + "tags": { + "type": "object" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ], + "defaultSqlDatabaseProperties": { + "name": "", + "status": "", + "tags": {}, + "skuName": "", + "tier": "", + "zoneRedundant": false, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "dataMaxSize": 0, + "hybridBenefit": false, + "readReplicas": 0, + "minimumCores": 0, + "autoPauseDelay": 0, + "dataEncryption": "Enabled", + "shortTermBackupRetention": 0, + "longTermBackup": { + "enabled": false, + "weeklyRetention": "P1W", + "monthlyRetention": "P4W", + "yearlyRetention": "P52W", + "weekOfYear": 1 + }, + "azureDefender": { + "enabled": false, + "emailAccountAdmins": false, + "emailAddresses": [], + "disabledRules": [], + "vulnerabilityAssessments": { + "recurringScans": false, + "storageAccount": { + "resourceGroupName": "", + "name": "", + "containerName": "" + }, + "emailSubscriptionAdmins": false, + "emails": [] + } + }, + 
"auditActionsAndGroups": [], + "diagnosticLogsAndMetrics": { + "name": "", + "resourceGroupName": "", + "subscriptionId": "[subscription().subscriptionId]", + "logs": [], + "metrics": [], + "auditLogs": false + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2020-02-02-preview", + "name": "[parameters('sqlLogicalServer').name]", + "location": "[resourceGroup().location]", + "tags": "[parameters('tags')]", + "identity": { + "type": "[if(parameters('sqlLogicalServer').systemManagedIdentity, 'SystemAssigned', 'None')]" + }, + "properties": { + "administratorLogin": "[parameters('sqlLogicalServer').userName]", + "administratorLoginPassword": "[parameters('password')]", + "version": "12.0", + "minimalTlsVersion": "[parameters('sqlLogicalServer').minimalTlsVersion]", + "publicNetworkAccess": "[parameters('sqlLogicalServer').publicNetworkAccess]" + } + }, + { + "condition": "[not(empty(parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId))]", + "type": "Microsoft.Sql/servers/administrators", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'activeDirectory')]", + "properties": { + "administratorType": "ActiveDirectory", + "login": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.name]", + "sid": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId]", + "tenantId": "[parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.tenantId]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "type": "Microsoft.Sql/servers/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "state": "[if(parameters('sqlLogicalServer').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlLogicalServer').azureDefender.emailAddresses]", 
+ "emailAccountAdmins": "[parameters('sqlLogicalServer').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledAlerts]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[and(and(parameters('sqlLogicalServer').azureDefender.enabled, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", + "type": "Microsoft.Sql/servers/vulnerabilityAssessments", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "recurringScans": { + "isEnabled": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans]", + "emailSubscriptionAdmins": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", + "emails": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emails]" + }, + "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, 
parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('sqlLogicalServer').name, 'Default')]", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", + "properties": { + "state": "[if(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlLogicalServer').auditActionsAndGroups)), parameters('sqlLogicalServer').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs]", + "isDevopsAuditEnabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[and(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, not(empty(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)))]", + "copy": { + "name": "dummyDeployments", + "count": "[length(range(0, 5))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[format('dummyTemplateSqlServer-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('sqlLogicalServer').name, 'master')]", + "name": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1", + "properties": { + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlLogicalServer').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)]", + "logs": [ + { + "category": "SQLSecurityAuditEvents", + "enabled": true + }, + { + "category": "DevOpsOperationsAudit", + "enabled": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs]" + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/auditingSettings', parameters('sqlLogicalServer').name, 'Default')]", + "dummyDeployments", + "sqlDatabases", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "condition": "[not(empty(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name))]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', parameters('sqlLogicalServer').name, 'master')]", + "name": "sendLogsAndMetrics", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.logs)]", + "input": { + 
"category": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.logs[copyIndex('logs')]]", + "enabled": true + } + }, + { + "name": "metrics", + "count": "[length(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.metrics)]", + "input": { + "category": "[parameters('sqlLogicalServer').diagnosticLogsAndMetrics.metrics[copyIndex('metrics')]]", + "enabled": true + } + } + ], + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlLogicalServer').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', parameters('sqlLogicalServer').diagnosticLogsAndMetrics.name)]" + }, + "dependsOn": [ + "dummyDeployments", + "sqlDatabases", + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "copy": { + "name": "sqlFirewallRules", + "count": "[length(parameters('sqlLogicalServer').firewallRules)]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlFirewallRule-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlFirewallRule": { + "value": "[parameters('sqlLogicalServer').firewallRules[copyIndex()]]" + }, + "sqlServerName": { + "value": "[parameters('sqlLogicalServer').name]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "13513172714425909162" + } + }, + "parameters": { + "sqlFirewallRule": { + "type": "object", + "metadata": { + "description": "Firewall rule" + } + }, + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL Logical server." 
+ } + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/firewallRules", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", + "properties": { + "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", + "endIpAddress": "[parameters('sqlFirewallRule').endIpAddress]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" + ] + }, + { + "copy": { + "name": "sqlDatabases", + "count": "[length(parameters('sqlLogicalServer').databases)]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('sqlDb-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlServerName": { + "value": "[parameters('sqlLogicalServer').name]" + }, + "sqlDatabase": { + "value": "[union(variables('defaultSqlDatabaseProperties'), parameters('sqlLogicalServer').databases[copyIndex()])]" + }, + "tags": { + "value": "[union(parameters('tags'), union(variables('defaultSqlDatabaseProperties'), parameters('sqlLogicalServer').databases[copyIndex()]).tags)]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "358706201153740767" + } + }, + "parameters": { + "sqlServerName": { + "type": "string", + "metadata": { + "description": "The name of the SQL server." + } + }, + "sqlDatabase": { + "type": "object", + "metadata": { + "description": "The SQL database parameters object." 
+ } + }, + "tags": { + "type": "object" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2020-02-02-preview", + "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "location": "[resourceGroup().location]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('sqlDatabase').skuName]", + "tier": "[parameters('sqlDatabase').tier]" + }, + "properties": { + "zoneRedundant": "[parameters('sqlDatabase').zoneRedundant]", + "collation": "[parameters('sqlDatabase').collation]", + "maxSizeBytes": "[if(equals(parameters('sqlDatabase').dataMaxSize, 0), null(), mul(mul(mul(1024, 1024), 1024), parameters('sqlDatabase').dataMaxSize))]", + "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", + "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", + "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + } + }, + { + "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", + "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", + "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", + "yearlyRetention": "[parameters('sqlDatabase').longTermBackup.yearlyRetention]", + "weekOfYear": "[parameters('sqlDatabase').longTermBackup.weekOfYear]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "properties": { + "recurringScans": { + "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", + "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", + "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" + }, + "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, 
parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1", + "properties": { + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', 
parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]", + "logs": [ + { + "category": "SQLSecurityAuditEvents", + "enabled": true + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "condition": "[not(empty(parameters('sqlDatabase').diagnosticLogsAndMetrics.name))]", + "type": "microsoft.insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Sql/servers/{0}/databases/{1}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "name": "sendLogsAndMetrics", + "properties": { + "copy": [ + { + "name": "logs", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.logs)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.logs[copyIndex('logs')]]", + "enabled": true + } + }, + { + "name": "metrics", + "count": "[length(parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics)]", + "input": { + "category": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.metrics[copyIndex('metrics')]]", + "enabled": true + } + } + ], + "workspaceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('sqlDatabase').diagnosticLogsAndMetrics.subscriptionId, parameters('sqlDatabase').diagnosticLogsAndMetrics.resourceGroupName), 'Microsoft.OperationalInsights/workspaces', 
parameters('sqlDatabase').diagnosticLogsAndMetrics.name)]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "17127545981622889090" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, + { + "condition": 
"[not(equals(parameters('sqlDatabase').shortTermBackupRetention, 0))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "11662974089594234440" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + 
"mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": "[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "7930707696094790980" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", + "emailAddresses": "[parameters('sqlDatabase').azureDefender.emailAddresses]", + "emailAccountAdmins": "[parameters('sqlDatabase').azureDefender.emailAccountAdmins]", + "disabledAlerts": "[parameters('sqlDatabase').azureDefender.disabledRules]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "sqlDatabase": { + "value": 
"[parameters('sqlDatabase')]" + }, + "sqlServerName": { + "value": "[parameters('sqlServerName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "981955417693896583" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "variables": { + "defaultAuditActionsAndGroups": [ + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP", + "BATCH_COMPLETED_GROUP" + ] + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2020-08-01-preview", + "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", + "auditActionsAndGroups": "[if(not(empty(parameters('sqlDatabase').auditActionsAndGroups)), parameters('sqlDatabase').auditActionsAndGroups, variables('defaultAuditActionsAndGroups'))]", + "storageEndpoint": "", + "storageAccountAccessKey": "", + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "retentionDays": 0, + "isAzureMonitorTargetEnabled": "[parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + ] + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 
parameters('sqlLogicalServer').name)]" + ] + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json new file mode 100644 index 00000000000..aa06b739db4 --- /dev/null +++ b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json @@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.3.255.40792", + "templateHash": "17127545981622889090" + } + }, + "parameters": { + "sqlDatabase": { + "type": "object" + }, + "sqlServerName": { + "type": "string" + } + }, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + } + } + ] +} \ No newline at end of file From 6f9711f3dadeba1adefafe99b8600ddc5ac9df51 Mon Sep 17 00:00:00 2001 From: Stanislav Zhelyazkov Date: Thu, 22 Apr 2021 09:40:58 +0300 Subject: [PATCH 10/11] updated json after SetBaseline.ps1 --- .../sql-database-with-management/main.json | 40 +++++++++---------- .../modules/audit-settings.json | 4 +- .../modules/azure-defender.json | 4 +- .../modules/short-term-backup.json | 4 +- .../modules/sql-database.json | 24 +++++------ .../modules/sql-firewall-rule.json | 4 +- .../modules/sql-logical-server.json | 32 +++++++-------- .../modules/sql-logical-servers.json | 36 ++++++++--------- .../modules/transparent-data-encryption.json | 4 +- 9 files changed, 76 insertions(+), 76 deletions(-) 
diff --git a/docs/examples/301/sql-database-with-management/main.json b/docs/examples/301/sql-database-with-management/main.json index 4ae88ce0db5..6cb6feaa092 100644 --- a/docs/examples/301/sql-database-with-management/main.json +++ b/docs/examples/301/sql-database-with-management/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "15145536707706943368" + "version": "dev", + "templateHash": "8174275676903462239" } }, "parameters": { @@ -63,8 +63,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "17292316314592963422" + "version": "dev", + "templateHash": "3006884168629079235" } }, "parameters": { @@ -162,8 +162,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11038828717948749659" + "version": "dev", + "templateHash": "10996646171408784195" } }, "parameters": { @@ -432,8 +432,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "13513172714425909162" + "version": "dev", + "templateHash": "4663537880944763431" } }, "parameters": { @@ -498,8 +498,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "358706201153740767" + "version": "dev", + "templateHash": "4510101890649346043" } }, "parameters": { 
@@ -546,7 +546,7 @@ "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", @@ -563,7 +563,7 @@ "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", @@ -655,8 +655,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "17127545981622889090" + "version": "dev", + "templateHash": "11452411779990848351" } }, "parameters": { 
@@ -708,8 +708,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11662974089594234440" + "version": "dev", + "templateHash": "15978855867572262081" } }, "parameters": { @@ -761,8 +761,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "7930707696094790980" + "version": "dev", + "templateHash": "3149608550700302182" } }, "parameters": { @@ -817,8 +817,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "981955417693896583" + "version": "dev", + "templateHash": "13898863446734417779" } }, "parameters": { diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.json b/docs/examples/301/sql-database-with-management/modules/audit-settings.json index 33182fce6b3..c9956d44d5a 100644 --- a/docs/examples/301/sql-database-with-management/modules/audit-settings.json +++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "981955417693896583" + "version": "dev", + "templateHash": "13898863446734417779" } }, "parameters": { diff --git a/docs/examples/301/sql-database-with-management/modules/azure-defender.json b/docs/examples/301/sql-database-with-management/modules/azure-defender.json index 5c106ec65bc..0de1f475efb 100644 --- a/docs/examples/301/sql-database-with-management/modules/azure-defender.json +++ b/docs/examples/301/sql-database-with-management/modules/azure-defender.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "7930707696094790980" + "version": "dev", + "templateHash": "3149608550700302182" } }, "parameters": { 
diff --git a/docs/examples/301/sql-database-with-management/modules/short-term-backup.json b/docs/examples/301/sql-database-with-management/modules/short-term-backup.json index 24daadb4c5b..9eea08c043b 100644 --- a/docs/examples/301/sql-database-with-management/modules/short-term-backup.json +++ b/docs/examples/301/sql-database-with-management/modules/short-term-backup.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11662974089594234440" + "version": "dev", + "templateHash": "15978855867572262081" } }, "parameters": { diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.json b/docs/examples/301/sql-database-with-management/modules/sql-database.json index 195dd3c3448..e7f6bd3ac1e 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-database.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-database.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "358706201153740767" + "version": "dev", + "templateHash": "4510101890649346043" } }, "parameters": { @@ -52,7 +52,7 @@ "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", 
@@ -69,7 +69,7 @@ "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", @@ -161,8 +161,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "17127545981622889090" + "version": "dev", + "templateHash": "11452411779990848351" } }, "parameters": { @@ -214,8 +214,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11662974089594234440" + "version": "dev", + "templateHash": "15978855867572262081" } }, "parameters": { @@ -267,8 +267,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "7930707696094790980" + "version": "dev", + "templateHash": "3149608550700302182" } }, "parameters": { @@ -323,8 +323,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "981955417693896583" + "version": "dev", + "templateHash": "13898863446734417779" } }, "parameters": { diff --git a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json index 7888aa18c95..1d22ce8fb3d 100644 
--- a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "13513172714425909162" + "version": "dev", + "templateHash": "4663537880944763431" } }, "parameters": { diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json index d8f8061f93b..6a2c3771398 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11038828717948749659" + "version": "dev", + "templateHash": "10996646171408784195" } }, "parameters": { @@ -274,8 +274,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "13513172714425909162" + "version": "dev", + "templateHash": "4663537880944763431" } }, "parameters": { @@ -340,8 +340,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "358706201153740767" + "version": "dev", + "templateHash": "4510101890649346043" } }, "parameters": { 
@@ -388,7 +388,7 @@ "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", @@ -405,7 +405,7 @@ "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", @@ -497,8 +497,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "17127545981622889090" + "version": "dev", + "templateHash": "11452411779990848351" } }, "parameters": { 
@@ -550,8 +550,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11662974089594234440" + "version": "dev", + "templateHash": "15978855867572262081" } }, "parameters": { @@ -603,8 +603,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "7930707696094790980" + "version": "dev", + "templateHash": "3149608550700302182" } }, "parameters": { @@ -659,8 +659,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "981955417693896583" + "version": "dev", + "templateHash": "13898863446734417779" } }, "parameters": { diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json index 3f06c121aca..1fd9d7b8c8a 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "17292316314592963422" + "version": "dev", + "templateHash": "3006884168629079235" } }, "parameters": { @@ -103,8 +103,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11038828717948749659" + "version": "dev", + "templateHash": "10996646171408784195" } }, "parameters": { @@ -373,8 +373,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "13513172714425909162" + "version": "dev", + "templateHash": "4663537880944763431" } }, "parameters": { @@ -439,8 +439,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "358706201153740767" + "version": "dev", + "templateHash": "4510101890649346043" } }, "parameters": { 
@@ -487,7 +487,7 @@ "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": "[parameters('sqlDatabase').longTermBackup.weeklyRetention]", "monthlyRetention": "[parameters('sqlDatabase').longTermBackup.monthlyRetention]", @@ -504,7 +504,7 @@ "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", "apiVersion": "2020-08-01-preview", - "name": "[format('{0}/{1}', format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), 'Default')]", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { "isEnabled": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans]", @@ -596,8 +596,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "17127545981622889090" + "version": "dev", + "templateHash": "11452411779990848351" } }, "parameters": { 
@@ -649,8 +649,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "11662974089594234440" + "version": "dev", + "templateHash": "15978855867572262081" } }, "parameters": { @@ -702,8 +702,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "7930707696094790980" + "version": "dev", + "templateHash": "3149608550700302182" } }, "parameters": { @@ -758,8 +758,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "981955417693896583" + "version": "dev", + "templateHash": "13898863446734417779" } }, "parameters": { diff --git a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json index aa06b739db4..e82b6174dc1 100644 --- a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json +++ b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.3.255.40792", - "templateHash": "17127545981622889090" + "version": "dev", + "templateHash": "11452411779990848351" } }, "parameters": { From 9c8b8493ea9dcc082ac80d066d52be41207848d8 Mon Sep 17 00:00:00 2001 
From: Stanislav Zhelyazkov Date: Wed, 2 Jun 2021 16:52:07 +0300 Subject: [PATCH 11/11] improves sql-database-with-management example --- .../sql-database-with-management/main.bicep | 58 +-- .../sql-database-with-management/main.json | 149 ++---- .../modules/audit-settings.bicep | 44 +- .../modules/audit-settings.json | 4 +- .../modules/azure-defender.bicep | 2 +- .../modules/azure-defender.json | 4 +- .../modules/short-term-backup.bicep | 2 +- .../modules/short-term-backup.json | 4 +- .../modules/sql-database.bicep | 346 ++++++------- .../modules/sql-database.json | 103 ++-- .../modules/sql-firewall-rule.bicep | 2 +- .../modules/sql-firewall-rule.json | 4 +- .../modules/sql-logical-server.bicep | 486 +++++++++--------- .../modules/sql-logical-server.json | 127 ++--- .../modules/sql-logical-servers.bicep | 128 ++--- .../modules/sql-logical-servers.json | 139 ++--- .../modules/transparent-data-encryption.bicep | 9 - .../modules/transparent-data-encryption.json | 30 -- .../parameters.json | 8 - 19 files changed, 706 insertions(+), 943 deletions(-) delete mode 100644 docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep delete mode 100644 docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json diff --git a/docs/examples/301/sql-database-with-management/main.bicep b/docs/examples/301/sql-database-with-management/main.bicep index 60eccbf3cd0..29e16c56f20 100644 --- a/docs/examples/301/sql-database-with-management/main.bicep +++ b/docs/examples/301/sql-database-with-management/main.bicep 
@@ -1,31 +1,27 @@
-targetScope = 'subscription'
-
-@description('Resource Group object definition.')
-param resourceGroup object
-
-@secure()
-param password string
-
-var defaultResourceGroupProperties = {
- tags: {}
- deploy: true
-}
-
-// Deploy Resource Group
-resource sqlRg 'Microsoft.Resources/resourceGroups@2020-10-01' = if (union(defaultResourceGroupProperties, resourceGroup).deploy) {
- name: resourceGroup.name
- location: resourceGroup.location
- tags: union(defaultResourceGroupProperties, resourceGroup).tags
- properties: {}
-}
-
-// Start SQL Logical Servers deployment
-module sqlLogicalServers 'modules/sql-logical-servers.bicep' = {
- name: 'sqlLogicalServers'
- scope: sqlRg
- params: {
- sqlLogicalServers: resourceGroup.sqlLogicalServers
- tags: union(defaultResourceGroupProperties, resourceGroup).tags
- password: password
- }
-}
+targetScope = 'subscription'
+
+@description('Resource Group object definition.')
+param resourceGroup object
+
+var defaultResourceGroupProperties = {
+ tags: {}
+ deploy: true
+}
+
+// Deploy Resource Group
+resource sqlRg 'Microsoft.Resources/resourceGroups@2021-04-01' = if (union(defaultResourceGroupProperties, resourceGroup).deploy) {
+ name: resourceGroup.name
+ location: resourceGroup.location
+ tags: union(defaultResourceGroupProperties, resourceGroup).tags
+ properties: {}
+}
+
+// Start SQL Logical Servers deployment
+module sqlLogicalServers 'modules/sql-logical-servers.bicep' = {
+ name: 'sqlLogicalServers'
+ scope: sqlRg
+ params: {
+ sqlLogicalServers: resourceGroup.sqlLogicalServers
+ tags: union(defaultResourceGroupProperties, resourceGroup).tags
+ }
+}
diff --git a/docs/examples/301/sql-database-with-management/main.json b/docs/examples/301/sql-database-with-management/main.json
index 6cb6feaa092..4e22936b77e 100644
--- a/docs/examples/301/sql-database-with-management/main.json
+++ b/docs/examples/301/sql-database-with-management/main.json
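Review bot: In main.bicep, `param resourceGroup object` is now the only input once `@secure() param password string` is gone, yet its `@description('Resource Group object definition.')` does not say where the SQL administrator password comes from. Judging by the compiled main.json in this same commit, each `sqlLogicalServers` entry is expected to carry a `passwordFromKeyVault` reference (`subscriptionId`, `resourceGroupName`, `name`, `secretName`), resolved in modules/sql-logical-servers.bicep, which is outside this hunk. I would extend the decorator to `@description('Resource Group object definition. Each sqlLogicalServers entry points to its admin password via passwordFromKeyVault; pass only Key Vault coordinates here, never the secret value.')`, because a plain `object` parameter is not `@secure()` and its value is kept in the deployment history. The referenced vault also has to permit template deployments to read the secret (`enabledForTemplateDeployment`), which is worth stating next to the example's parameters.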
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "8174275676903462239" + "templateHash": "16762398584324868450" } }, "parameters": { @@ -14,9 +14,6 @@ "metadata": { "description": "Resource Group object definition." } - }, - "password": { - "type": "secureString" } }, "functions": [], @@ -30,7 +27,7 @@ { "condition": "[union(variables('defaultResourceGroupProperties'), parameters('resourceGroup')).deploy]", "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2020-10-01", + "apiVersion": "2021-04-01", "name": "[parameters('resourceGroup').name]", "location": "[parameters('resourceGroup').location]", "tags": "[union(variables('defaultResourceGroupProperties'), parameters('resourceGroup')).tags]", @@ -52,9 +49,6 @@ }, "tags": { "value": "[union(variables('defaultResourceGroupProperties'), parameters('resourceGroup')).tags]" - }, - "password": { - "value": "[parameters('password')]" } }, "template": { @@ -64,7 +58,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "3006884168629079235" + "templateHash": "11793311320811469641" } }, "parameters": { @@ -76,9 +70,6 @@ }, "tags": { "type": "object" - }, - "password": { - "type": "secureString" } }, "functions": [], 
@@ -150,7 +141,12 @@ "value": "[union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()])]" }, "password": { - "value": "[parameters('password')]" + "reference": { + "keyVault": { + "id": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()]).passwordFromKeyVault.subscriptionId, parameters('sqlLogicalServers')[copyIndex()].passwordFromKeyVault.resourceGroupName), 'Microsoft.KeyVault/vaults', parameters('sqlLogicalServers')[copyIndex()].passwordFromKeyVault.name)]" + }, + "secretName": "[parameters('sqlLogicalServers')[copyIndex()].passwordFromKeyVault.secretName]" + } }, "tags": { "value": "[union(parameters('tags'), union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()]).tags)]" @@ -163,7 +159,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "10996646171408784195" + "templateHash": "12260651447744530468" } }, "parameters": { @@ -242,7 +238,7 @@ "resources": [ { "type": "Microsoft.Sql/servers", - "apiVersion": "2020-02-02-preview", + "apiVersion": "2021-02-01-preview", "name": "[parameters('sqlLogicalServer').name]", "location": "[resourceGroup().location]", "tags": "[parameters('tags')]", @@ -260,7 +256,7 @@ { "condition": "[not(empty(parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId))]", "type": "Microsoft.Sql/servers/administrators", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'activeDirectory')]", "properties": { "administratorType": "ActiveDirectory", 
@@ -274,13 +270,13 @@ }, { "type": "Microsoft.Sql/servers/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "state": "[if(parameters('sqlLogicalServer').azureDefender.enabled, 'Enabled', 'Disabled')]", "emailAddresses": "[parameters('sqlLogicalServer').azureDefender.emailAddresses]", "emailAccountAdmins": "[parameters('sqlLogicalServer').azureDefender.emailAccountAdmins]", - "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledAlerts]" + "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledRules]" }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" @@ -289,7 +285,7 @@ { "condition": "[and(and(parameters('sqlLogicalServer').azureDefender.enabled, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/vulnerabilityAssessments", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "recurringScans": { 
@@ -297,8 +293,8 @@ "emailSubscriptionAdmins": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", "emails": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emails]" }, - "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", - "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), format('{0}{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').primaryEndpoints.blob, 
parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').keys[0].value, '')]" }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('sqlLogicalServer').name, 'Default')]", @@ -307,7 +303,7 @@ }, { "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "state": "[if(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", @@ -332,7 +328,7 @@ "batchSize": 1 }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2021-04-01", "name": "[format('dummyTemplateSqlServer-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", "properties": { "mode": "Incremental", @@ -433,7 +429,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4663537880944763431" + "templateHash": "10929616126180001294" } }, "parameters": { @@ -454,7 +450,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", "properties": { "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", 
@@ -499,7 +495,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4510101890649346043" + "templateHash": "12413819060224235299" } }, "parameters": { 
@@ -538,14 +534,25 @@ "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", - "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", - "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), null(), parameters('sqlDatabase').minimumCores)]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), null(), parameters('sqlDatabase').autoPauseDelay)]" } }, + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, { "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": 
"[parameters('sqlDatabase').longTermBackup.weeklyRetention]", @@ -556,13 +563,13 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { 
@@ -570,13 +577,13 @@ "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" }, - "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", - "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), format('{0}{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": 
"[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').keys[0].value, '')]" }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -597,7 +604,7 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -629,59 +636,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "sqlDatabase": { - "value": "[parameters('sqlDatabase')]" - }, - "sqlServerName": { - "value": "[parameters('sqlServerName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "dev", - "templateHash": "11452411779990848351" - } - }, - "parameters": { - "sqlDatabase": { - "type": "object" - }, - "sqlServerName": { - "type": "string" - } - }, - "functions": [], - "resources": [ - { - "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", - "apiVersion": "2014-04-01", - "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", - "properties": { - "status": "[parameters('sqlDatabase').dataEncryption]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', 
parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -709,7 +664,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "15978855867572262081" + "templateHash": "1280408386363466909" } }, "parameters": { @@ -724,7 +679,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" @@ -735,7 +690,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -762,7 +717,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "3149608550700302182" + "templateHash": "15009839048358250877" } }, "parameters": { 
@@ -777,7 +732,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", @@ -791,7 +746,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -818,7 +773,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "13898863446734417779" + "templateHash": "4499755266351443773" } }, "parameters": { @@ -840,7 +795,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", 
@@ -857,7 +812,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] } ] diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep index 6932840aaa8..13456a98992 100644 --- a/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep +++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.bicep 
@@ -1,22 +1,22 @@
-param sqlDatabase object
-param sqlServerName string
-
-var defaultAuditActionsAndGroups = [
- 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'
- 'FAILED_DATABASE_AUTHENTICATION_GROUP'
- 'BATCH_COMPLETED_GROUP'
-]
-
-// Audit settings need for enabling auditing to Log Analytics workspace
-resource auditSettings 'Microsoft.Sql/servers/databases/auditingSettings@2020-08-01-preview' = {
- name: '${sqlServerName}/${sqlDatabase.name}/Default'
- properties: {
- state: sqlDatabase.diagnosticLogsAndMetrics.auditLogs ? 'Enabled' : 'Disabled'
- auditActionsAndGroups: !empty(sqlDatabase.auditActionsAndGroups) ? sqlDatabase.auditActionsAndGroups : defaultAuditActionsAndGroups
- storageEndpoint: ''
- storageAccountAccessKey: ''
- storageAccountSubscriptionId: '00000000-0000-0000-0000-000000000000'
- retentionDays: 0
- isAzureMonitorTargetEnabled: sqlDatabase.diagnosticLogsAndMetrics.auditLogs
- }
-}
+param sqlDatabase object
+param sqlServerName string
+
+var defaultAuditActionsAndGroups = [
+ 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'
+ 'FAILED_DATABASE_AUTHENTICATION_GROUP'
+ 'BATCH_COMPLETED_GROUP'
+]
+
+// Audit settings need for enabling auditing to Log Analytics workspace
+resource auditSettings 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
+ name: '${sqlServerName}/${sqlDatabase.name}/Default'
+ properties: {
+ state: sqlDatabase.diagnosticLogsAndMetrics.auditLogs ? 'Enabled' : 'Disabled'
+ auditActionsAndGroups: !empty(sqlDatabase.auditActionsAndGroups) ? sqlDatabase.auditActionsAndGroups : defaultAuditActionsAndGroups
+ storageEndpoint: ''
+ storageAccountAccessKey: ''
+ storageAccountSubscriptionId: '00000000-0000-0000-0000-000000000000'
+ retentionDays: 0
+ isAzureMonitorTargetEnabled: sqlDatabase.diagnosticLogsAndMetrics.auditLogs
+ }
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/audit-settings.json b/docs/examples/301/sql-database-with-management/modules/audit-settings.json index c9956d44d5a..e8bf9bfd4ff 100644 --- a/docs/examples/301/sql-database-with-management/modules/audit-settings.json +++ b/docs/examples/301/sql-database-with-management/modules/audit-settings.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "13898863446734417779" + "templateHash": "4499755266351443773" } }, "parameters": { @@ -27,7 +27,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", diff --git a/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep index 7fb137870de..3ee7fbff561 100644 --- a/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep +++ b/docs/examples/301/sql-database-with-management/modules/azure-defender.bicep @@ -2,7 +2,7 @@ param sqlDatabase object param sqlServerName string // Azure Defender -resource azureDefender 'Microsoft.Sql/servers/databases/securityAlertPolicies@2020-08-01-preview' = { +resource azureDefender 'Microsoft.Sql/servers/databases/securityAlertPolicies@2021-02-01-preview' = { name: '${sqlServerName}/${sqlDatabase.name}/Default' properties: { state: sqlDatabase.azureDefender.enabled ? 'Enabled' : 'Disabled' diff --git a/docs/examples/301/sql-database-with-management/modules/azure-defender.json b/docs/examples/301/sql-database-with-management/modules/azure-defender.json index 0de1f475efb..7b66ac262c6 100644 
--- a/docs/examples/301/sql-database-with-management/modules/azure-defender.json +++ b/docs/examples/301/sql-database-with-management/modules/azure-defender.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "3149608550700302182" + "templateHash": "15009839048358250877" } }, "parameters": { @@ -20,7 +20,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", diff --git a/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep index 49ef2e601dc..7feaf1d8007 100644 --- a/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep +++ b/docs/examples/301/sql-database-with-management/modules/short-term-backup.bicep @@ -2,7 +2,7 @@ param sqlDatabase object param sqlServerName string // Short term backup -resource shortTermBackup 'Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies@2020-08-01-preview' = { +resource shortTermBackup 'Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies@2021-02-01-preview' = { name: '${sqlServerName}/${sqlDatabase.name}/Default' properties: { retentionDays: sqlDatabase.shortTermBackupRetention diff --git a/docs/examples/301/sql-database-with-management/modules/short-term-backup.json b/docs/examples/301/sql-database-with-management/modules/short-term-backup.json index 9eea08c043b..6e0f1b274ac 100644 --- a/docs/examples/301/sql-database-with-management/modules/short-term-backup.json +++ b/docs/examples/301/sql-database-with-management/modules/short-term-backup.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "15978855867572262081" + "templateHash": "1280408386363466909" } }, "parameters": { @@ -20,7 +20,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep index b46386ee1ad..172080b64fa 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-database.bicep +++ b/docs/examples/301/sql-database-with-management/modules/sql-database.bicep 
@@ -1,184 +1,162 @@ -@description('The name of the SQL server.') -param sqlServerName string - -@description('The SQL database parameters object.') -param sqlDatabase object - -param tags object - -resource sqlDb 'Microsoft.Sql/servers/databases@2020-02-02-preview' = { - name: '${sqlServerName}/${sqlDatabase.name}' - location: resourceGroup().location - tags: tags - sku: { - name: sqlDatabase.skuName - tier: sqlDatabase.tier - } - properties: { - zoneRedundant: sqlDatabase.zoneRedundant - collation: sqlDatabase.collation - maxSizeBytes: sqlDatabase.dataMaxSize == 0 ? any(null) : 1024 * 1024 * 1024 * sqlDatabase.dataMaxSize - licenseType: sqlDatabase.hybridBenefit ? 'BasePrice' : 'LicenseIncluded' - readScale: sqlDatabase.readReplicas == 0 ? 'Disabled' : 'Enabled' - readReplicaCount: sqlDatabase.readReplicas - minCapacity: sqlDatabase.minimumCores == 0 ? any('') : any(string(sqlDatabase.minimumCores)) - autoPauseDelay: sqlDatabase.autoPauseDelay == 0 ? any('') : any(string(sqlDatabase.autoPauseDelay)) - } -} - -module transparentDataEncryption 'transparent-data-encryption.bicep' = { - dependsOn: [ - sqlDb - ] - name: 'transparentDataEncryption-${uniqueString(sqlServerName, sqlDatabase.name)}' - params: { - sqlDatabase: sqlDatabase - sqlServerName: sqlServerName - } -} - -// Works -//resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = { -// dependsOn: [ -// sqlDb -// ] -// name: '${sqlServerName}/${sqlDatabase.name}/current' -// properties: { -// status: sqlDatabase.dataEncryption -// } -//} - -// Does not work -//resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = { -// name: 'current' -// parent: sqlDb -// properties: { -// status: sqlDatabase.dataEncryption -// } -//} - -// Short term backup -module shortTermBackup 'short-term-backup.bicep' = if (!(sqlDatabase.shortTermBackupRetention == 0)) { - dependsOn: [ - transparentDataEncryption - sqlDb - ] - 
name: 'shortTermBackup-${uniqueString(sqlServerName, sqlDatabase.name)}' - params: { - sqlDatabase: sqlDatabase - sqlServerName: sqlServerName - } -} - -// Long term backup -resource longTermBackup 'Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies@2020-08-01-preview' = if (sqlDatabase.longTermBackup.enabled) { - dependsOn: [ - transparentDataEncryption - shortTermBackup - ] - name: 'Default' - parent: sqlDb - properties: { - weeklyRetention: sqlDatabase.longTermBackup.weeklyRetention - monthlyRetention: sqlDatabase.longTermBackup.monthlyRetention - yearlyRetention: sqlDatabase.longTermBackup.yearlyRetention - weekOfYear: sqlDatabase.longTermBackup.weekOfYear - } -} - -// Azure Defender -module azureDefender 'azure-defender.bicep' = { - dependsOn: [ - transparentDataEncryption - sqlDb - ] - name: 'azureDefender-${uniqueString(sqlServerName, sqlDatabase.name)}' - params: { - sqlDatabase: sqlDatabase - sqlServerName: sqlServerName - } -} - -// Get existing storage account -resource storageAccountVulnerabilityAssessments 'Microsoft.Storage/storageAccounts@2021-01-01' existing = if (sqlDatabase.azureDefender.enabled && sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name)) { - scope: resourceGroup(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName) - name: sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name -} - -// Vulnerability Assessments -// Can be enabled only if Azure Defender is enabled as well -resource vulnerabilityAssessments 'Microsoft.Sql/servers/databases/vulnerabilityAssessments@2020-08-01-preview' = if (sqlDatabase.azureDefender.enabled && sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name)) { - dependsOn: [ - transparentDataEncryption - azureDefender - ] - name: 'Default' - parent: sqlDb - properties: 
{
- recurringScans: {
- isEnabled: sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans
- emailSubscriptionAdmins: sqlDatabase.azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins
- emails: sqlDatabase.azureDefender.vulnerabilityAssessments.emails
- }
- storageContainerPath: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? concat(storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob, sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.containerName) : ''
- storageAccountAccessKey: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion).keys[0].value : ''
- }
-}
-
-// Audit settings need for enabling auditing to Log Analytics workspace
-module auditSettings 'audit-settings.bicep' = {
- dependsOn: [
- transparentDataEncryption
- sqlDb
- ]
- name: 'auditSettings-${uniqueString(sqlServerName, sqlDatabase.name)}'
- params: {
- sqlDatabase: sqlDatabase
- sqlServerName: sqlServerName
- }
-}
-
-// Get existing Log Analytics workspace
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-10-01' existing = if (sqlDatabase.diagnosticLogsAndMetrics.auditLogs || !empty(sqlDatabase.diagnosticLogsAndMetrics.name)) {
- scope: resourceGroup(sqlDatabase.diagnosticLogsAndMetrics.subscriptionId, sqlDatabase.diagnosticLogsAndMetrics.resourceGroupName)
- name: sqlDatabase.diagnosticLogsAndMetrics.name
-}
-
-// Sends audit logs to Log Analytics Workspace
-resource auditDiagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (sqlDatabase.diagnosticLogsAndMetrics.auditLogs) {
- dependsOn: [
- transparentDataEncryption
- auditSettings
- ]
- scope: sqlDb
- name: 'SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1'
- properties: {
- workspaceId: logAnalyticsWorkspace.id
- logs: [
- {
- category: 'SQLSecurityAuditEvents'
- enabled: true
- }
- ]
- }
-}
-
-// Send other logs and metrics to Log Analytics
-resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (!empty(sqlDatabase.diagnosticLogsAndMetrics.name)) {
- dependsOn: [
- transparentDataEncryption
- ]
- scope: sqlDb
- name: 'sendLogsAndMetrics'
- properties: {
- workspaceId: logAnalyticsWorkspace.id
- logs: [for log in sqlDatabase.diagnosticLogsAndMetrics.logs: {
- category: log
- enabled: true
- }]
- metrics: [for metric in sqlDatabase.diagnosticLogsAndMetrics.metrics: {
- category: metric
- enabled: true
- }]
- }
-}
+@description('The name of the SQL server.')
+param sqlServerName string
+
+@description('The SQL database parameters object.')
+param sqlDatabase object
+
+param tags object
+
+resource sqlDb 'Microsoft.Sql/servers/databases@2020-02-02-preview' = {
+ name: '${sqlServerName}/${sqlDatabase.name}'
+ location: resourceGroup().location
+ tags: tags
+ sku: {
+ name: sqlDatabase.skuName
+ tier: sqlDatabase.tier
+ }
+ properties: {
+ zoneRedundant: sqlDatabase.zoneRedundant
+ collation: sqlDatabase.collation
+ maxSizeBytes: sqlDatabase.dataMaxSize == 0 ? null : 1024 * 1024 * 1024 * sqlDatabase.dataMaxSize
+ licenseType: sqlDatabase.hybridBenefit ? 'BasePrice' : 'LicenseIncluded'
+ readScale: sqlDatabase.readReplicas == 0 ? 'Disabled' : 'Enabled'
+ readReplicaCount: sqlDatabase.readReplicas
+ minCapacity: sqlDatabase.minimumCores == 0 ? null : sqlDatabase.minimumCores
+ autoPauseDelay: sqlDatabase.autoPauseDelay == 0 ? null : sqlDatabase.autoPauseDelay
+ }
+}
+
+// Transparent Data Encryption
+resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = {
+ name: 'current'
+ parent: sqlDb
+ properties: {
+ status: sqlDatabase.dataEncryption
+ }
+}
+
+// Short term backup
+module shortTermBackup 'short-term-backup.bicep' = if (!(sqlDatabase.shortTermBackupRetention == 0)) {
+ dependsOn: [
+ transparentDataEncryption
+ sqlDb
+ ]
+ name: 'shortTermBackup-${uniqueString(sqlServerName, sqlDatabase.name)}'
+ params: {
+ sqlDatabase: sqlDatabase
+ sqlServerName: sqlServerName
+ }
+}
+
+// Long term backup
+resource longTermBackup 'Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies@2021-02-01-preview' = if (sqlDatabase.longTermBackup.enabled) {
+ dependsOn: [
+ transparentDataEncryption
+ shortTermBackup
+ ]
+ name: 'Default'
+ parent: sqlDb
+ properties: {
+ weeklyRetention: sqlDatabase.longTermBackup.weeklyRetention
+ monthlyRetention: sqlDatabase.longTermBackup.monthlyRetention
+ yearlyRetention: sqlDatabase.longTermBackup.yearlyRetention
+ weekOfYear: sqlDatabase.longTermBackup.weekOfYear
+ }
+}
+
+// Azure Defender
+module azureDefender 'azure-defender.bicep' = {
+ dependsOn: [
+ transparentDataEncryption
+ sqlDb
+ ]
+ name: 'azureDefender-${uniqueString(sqlServerName, sqlDatabase.name)}'
+ params: {
+ sqlDatabase: sqlDatabase
+ sqlServerName: sqlServerName
+ }
+}
+
+// Get existing storage account
+resource storageAccountVulnerabilityAssessments 'Microsoft.Storage/storageAccounts@2021-04-01' existing = if (sqlDatabase.azureDefender.enabled && sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name)) {
+ scope: resourceGroup(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName)
+ name: sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name
+}
+
+// Vulnerability Assessments
+// Can be enabled only if Azure Defender is enabled as well
+resource vulnerabilityAssessments 'Microsoft.Sql/servers/databases/vulnerabilityAssessments@2021-02-01-preview' = if (sqlDatabase.azureDefender.enabled && sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name)) {
+ dependsOn: [
+ transparentDataEncryption
+ azureDefender
+ ]
+ name: 'Default'
+ parent: sqlDb
+ properties: {
+ recurringScans: {
+ isEnabled: sqlDatabase.azureDefender.vulnerabilityAssessments.recurringScans
+ emailSubscriptionAdmins: sqlDatabase.azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins
+ emails: sqlDatabase.azureDefender.vulnerabilityAssessments.emails
+ }
+ storageContainerPath: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? '${storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob}${sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.containerName}' : ''
+ storageAccountAccessKey: !empty(sqlDatabase.azureDefender.vulnerabilityAssessments.storageAccount.name) ? listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion).keys[0].value : ''
+ }
+}
+
+// Audit settings need for enabling auditing to Log Analytics workspace
+module auditSettings 'audit-settings.bicep' = {
+ dependsOn: [
+ transparentDataEncryption
+ sqlDb
+ ]
+ name: 'auditSettings-${uniqueString(sqlServerName, sqlDatabase.name)}'
+ params: {
+ sqlDatabase: sqlDatabase
+ sqlServerName: sqlServerName
+ }
+}
+
+// Get existing Log Analytics workspace
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-10-01' existing = if (sqlDatabase.diagnosticLogsAndMetrics.auditLogs || !empty(sqlDatabase.diagnosticLogsAndMetrics.name)) {
+ scope: resourceGroup(sqlDatabase.diagnosticLogsAndMetrics.subscriptionId, sqlDatabase.diagnosticLogsAndMetrics.resourceGroupName)
+ name: sqlDatabase.diagnosticLogsAndMetrics.name
+}
+
+// Sends audit logs to Log Analytics Workspace
+resource auditDiagnosticSettings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (sqlDatabase.diagnosticLogsAndMetrics.auditLogs) {
+ dependsOn: [
+ transparentDataEncryption
+ auditSettings
+ ]
+ scope: sqlDb
+ name: 'SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1'
+ properties: {
+ workspaceId: logAnalyticsWorkspace.id
+ logs: [
+ {
+ category: 'SQLSecurityAuditEvents'
+ enabled: true
+ }
+ ]
+ }
+}
+
+// Send other logs and metrics to Log Analytics
+resource diagnosticSettings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (!empty(sqlDatabase.diagnosticLogsAndMetrics.name)) {
+ dependsOn: [
+ transparentDataEncryption
+ ]
+ scope: sqlDb
+ name: 'sendLogsAndMetrics'
+ properties: {
+ workspaceId: logAnalyticsWorkspace.id
+ logs: [for log in sqlDatabase.diagnosticLogsAndMetrics.logs: {
+ category: log
+ enabled: true
+ }]
+ metrics: [for metric in sqlDatabase.diagnosticLogsAndMetrics.metrics: {
+ category: metric
+ enabled: true
+ }]
+ }
+}
diff --git a/docs/examples/301/sql-database-with-management/modules/sql-database.json b/docs/examples/301/sql-database-with-management/modules/sql-database.json index e7f6bd3ac1e..c776a33ac50 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-database.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-database.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4510101890649346043" + "templateHash": "12413819060224235299" } }, "parameters": { 
@@ -44,14 +44,25 @@ "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", - "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", - "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), null(), parameters('sqlDatabase').minimumCores)]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), null(), parameters('sqlDatabase').autoPauseDelay)]" } }, + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, { "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": 
"[parameters('sqlDatabase').longTermBackup.weeklyRetention]", @@ -62,13 +73,13 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { 
@@ -76,13 +87,13 @@ "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" }, - "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", - "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), format('{0}{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": 
"[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').keys[0].value, '')]" }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -103,7 +114,7 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -135,59 +146,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "sqlDatabase": { - "value": "[parameters('sqlDatabase')]" - }, - "sqlServerName": { - "value": "[parameters('sqlServerName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "dev", - "templateHash": "11452411779990848351" - } - }, - "parameters": { - "sqlDatabase": { - "type": "object" - }, - "sqlServerName": { - "type": "string" - } - }, - "functions": [], - "resources": [ - { - "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", - "apiVersion": "2014-04-01", - "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", - "properties": { - "status": "[parameters('sqlDatabase').dataEncryption]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', 
parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -215,7 +174,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "15978855867572262081" + "templateHash": "1280408386363466909" } }, "parameters": { @@ -230,7 +189,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" @@ -241,7 +200,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -268,7 +227,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "3149608550700302182" + "templateHash": "15009839048358250877" } }, "parameters": { 
@@ -283,7 +242,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", @@ -297,7 +256,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -324,7 +283,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "13898863446734417779" + "templateHash": "4499755266351443773" } }, "parameters": { @@ -346,7 +305,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", 
@@ -363,7 +322,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] } ] diff --git a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep index 2cb7dc7b395..edf98d307b4 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep +++ b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.bicep @@ -4,7 +4,7 @@ param sqlFirewallRule object @description('The name of the SQL Logical server.') param sqlServerName string -resource firewallRule 'Microsoft.Sql/servers/firewallRules@2020-08-01-preview' = { +resource firewallRule 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = { name: '${sqlServerName}/${sqlFirewallRule.name}' properties: { startIpAddress: sqlFirewallRule.startIpAddress diff --git a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json index 1d22ce8fb3d..44abd80c56c 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-firewall-rule.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4663537880944763431" + "templateHash": "10929616126180001294" } }, "parameters": { @@ -26,7 +26,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", "properties": { "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep index a74696210c2..cdb848c9e1e 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.bicep 
@@ -1,243 +1,243 @@ -@description('SQL Logical server.') -param sqlLogicalServer object - -@description('The SQL Logical Server password.') -@secure() -param password string - -param tags object - -var defaultAuditActionsAndGroups = [ - 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP' - 'FAILED_DATABASE_AUTHENTICATION_GROUP' - 'BATCH_COMPLETED_GROUP' -] - -var defaultSqlDatabaseProperties = { - name: '' - status: '' - tags: {} - skuName: '' - tier: '' - zoneRedundant: false - collation: 'SQL_Latin1_General_CP1_CI_AS' - dataMaxSize: 0 - hybridBenefit: false - readReplicas: 0 - minimumCores: 0 - autoPauseDelay: 0 - dataEncryption: 'Enabled' - shortTermBackupRetention: 0 - longTermBackup: { - enabled: false - weeklyRetention: 'P1W' - monthlyRetention: 'P4W' - yearlyRetention: 'P52W' - weekOfYear: 1 - } - azureDefender: { - enabled: false - emailAccountAdmins: false - emailAddresses: [] - disabledRules: [] - vulnerabilityAssessments: { - recurringScans: false - storageAccount: { - resourceGroupName: '' - name: '' - containerName: '' - } - emailSubscriptionAdmins: false - emails: [] - } - } - auditActionsAndGroups: [] - diagnosticLogsAndMetrics: { - name: '' - resourceGroupName: '' - subscriptionId: subscription().subscriptionId - logs: [] - metrics: [] - auditLogs: false - } -} - -resource sqlLogicalServerRes 'Microsoft.Sql/servers@2020-02-02-preview' = { - name: sqlLogicalServer.name - location: resourceGroup().location - tags: tags - identity: { - type: sqlLogicalServer.systemManagedIdentity ? 
'SystemAssigned' : 'None' - } - properties: { - administratorLogin: sqlLogicalServer.userName - administratorLoginPassword: password - version: '12.0' - minimalTlsVersion: sqlLogicalServer.minimalTlsVersion - publicNetworkAccess: sqlLogicalServer.publicNetworkAccess - } -} - -// Azure Active Directory integration -resource azureAdIntegration 'Microsoft.Sql/servers/administrators@2020-08-01-preview' = if (!empty(sqlLogicalServer.azureActiveDirectoryAdministrator.objectId)) { - name: 'activeDirectory' - parent: sqlLogicalServerRes - properties: { - administratorType: 'ActiveDirectory' - login: sqlLogicalServer.azureActiveDirectoryAdministrator.name - sid: sqlLogicalServer.azureActiveDirectoryAdministrator.objectId - tenantId: sqlLogicalServer.azureActiveDirectoryAdministrator.tenantId - } -} - -// Azure Defender -resource azureDefender 'Microsoft.Sql/servers/securityAlertPolicies@2020-08-01-preview' = { - name: 'Default' - parent: sqlLogicalServerRes - properties: { - state: sqlLogicalServer.azureDefender.enabled ? 
'Enabled' : 'Disabled' - emailAddresses: sqlLogicalServer.azureDefender.emailAddresses - emailAccountAdmins: sqlLogicalServer.azureDefender.emailAccountAdmins - disabledAlerts: sqlLogicalServer.azureDefender.disabledAlerts - } -} - -// Get existing storage account -resource storageAccountVulnerabilityAssessments 'Microsoft.Storage/storageAccounts@2021-01-01' existing = if (sqlLogicalServer.azureDefender.enabled && sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name)) { - scope: resourceGroup(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName) - name: sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name -} - -// Vulnerability Assessments -// Can be enabled only if Azure Defender is enabled as well -resource vulnerabilityAssessments 'Microsoft.Sql/servers/vulnerabilityAssessments@2020-08-01-preview' = if (sqlLogicalServer.azureDefender.enabled && sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name)) { - dependsOn: [ - azureDefender - ] - name: 'Default' - parent: sqlLogicalServerRes - properties: { - recurringScans: { - isEnabled: sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans - emailSubscriptionAdmins: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins - emails: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emails - } - storageContainerPath: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? concat(storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob, sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.containerName) : '' - storageAccountAccessKey: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? 
listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion).keys[0].value : '' - } -} - -// Audit settings need for enabling auditing to Log Analytics workspace -resource auditSettings 'Microsoft.Sql/servers/auditingSettings@2020-08-01-preview' = { - name: 'Default' - parent: sqlLogicalServerRes - properties: { - state: sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs ? 'Enabled' : 'Disabled' - auditActionsAndGroups: !empty(sqlLogicalServer.auditActionsAndGroups) ? sqlLogicalServer.auditActionsAndGroups : defaultAuditActionsAndGroups - storageEndpoint: '' - storageAccountAccessKey: '' - storageAccountSubscriptionId: '00000000-0000-0000-0000-000000000000' - retentionDays: 0 - isAzureMonitorTargetEnabled: sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs - isDevopsAuditEnabled: sqlLogicalServer.diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs - } -} - -// SQL Logical Server Firewall Rules -module sqlFirewallRules 'sql-firewall-rule.bicep' = [for (firewallRules, index) in sqlLogicalServer.firewallRules: { - dependsOn: [ - sqlLogicalServerRes - ] - name: 'sqlFirewallRule-${uniqueString(sqlLogicalServer.name)}-${index}' - params: { - sqlFirewallRule: sqlLogicalServer.firewallRules[index] - sqlServerName: sqlLogicalServer.name - } -}] - -// SQL Databases -module sqlDatabases 'sql-database.bicep' = [for (sqlDatabase, index) in sqlLogicalServer.databases: { - dependsOn: [ - sqlLogicalServerRes - ] - name: 'sqlDb-${uniqueString(sqlLogicalServer.name)}-${index}' - params: { - sqlServerName: sqlLogicalServer.name - sqlDatabase: union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index]) - tags: union(tags, union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index]).tags) - } -}] - -// Empty deployment that serves as artificial delay until master database resource is created -@batchSize(1) -resource dummyDeployments 'Microsoft.Resources/deployments@2020-10-01' = [for (dummyDeployment, index) in 
range(0, 5): if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs && !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { - dependsOn: [ - sqlLogicalServerRes - ] - name: 'dummyTemplateSqlServer-${uniqueString(sqlLogicalServer.name)}-${index}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -}] - -// Get existing master database -resource masterDb 'Microsoft.Sql/servers/databases@2020-08-01-preview' existing = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs || !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { - name: 'master' - parent: sqlLogicalServerRes -} - -// Get existing Log Analytics workspace -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-10-01' existing = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs || !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { - scope: resourceGroup(sqlLogicalServer.diagnosticLogsAndMetrics.subscriptionId, sqlLogicalServer.diagnosticLogsAndMetrics.resourceGroupName) - name: sqlLogicalServer.diagnosticLogsAndMetrics.name -} - -// Sends audit logs to Log Analytics Workspace -resource auditDiagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs) { - dependsOn: [ - auditSettings - sqlDatabases - dummyDeployments - ] - scope: masterDb - name: 'SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1' - properties: { - workspaceId: logAnalyticsWorkspace.id - logs: [ - { - category: 'SQLSecurityAuditEvents' - enabled: true - } - { - category: 'DevOpsOperationsAudit' - enabled: sqlLogicalServer.diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs - } - ] - } -} - -// Send other logs and metrics to Log Analytics -resource diagnosticSetings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if 
(!empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { - dependsOn: [ - sqlDatabases - dummyDeployments - ] - scope: masterDb - name: 'sendLogsAndMetrics' - properties: { - workspaceId: logAnalyticsWorkspace.id - logs: [for log in sqlLogicalServer.diagnosticLogsAndMetrics.logs: { - category: log - enabled: true - }] - metrics: [for metric in sqlLogicalServer.diagnosticLogsAndMetrics.metrics: { - category: metric - enabled: true - }] - } -} +@description('SQL Logical server.') +param sqlLogicalServer object + +@description('The SQL Logical Server password.') +@secure() +param password string + +param tags object + +var defaultAuditActionsAndGroups = [ + 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP' + 'FAILED_DATABASE_AUTHENTICATION_GROUP' + 'BATCH_COMPLETED_GROUP' +] + +var defaultSqlDatabaseProperties = { + name: '' + status: '' + tags: {} + skuName: '' + tier: '' + zoneRedundant: false + collation: 'SQL_Latin1_General_CP1_CI_AS' + dataMaxSize: 0 + hybridBenefit: false + readReplicas: 0 + minimumCores: 0 + autoPauseDelay: 0 + dataEncryption: 'Enabled' + shortTermBackupRetention: 0 + longTermBackup: { + enabled: false + weeklyRetention: 'P1W' + monthlyRetention: 'P4W' + yearlyRetention: 'P52W' + weekOfYear: 1 + } + azureDefender: { + enabled: false + emailAccountAdmins: false + emailAddresses: [] + disabledRules: [] + vulnerabilityAssessments: { + recurringScans: false + storageAccount: { + resourceGroupName: '' + name: '' + containerName: '' + } + emailSubscriptionAdmins: false + emails: [] + } + } + auditActionsAndGroups: [] + diagnosticLogsAndMetrics: { + name: '' + resourceGroupName: '' + subscriptionId: subscription().subscriptionId + logs: [] + metrics: [] + auditLogs: false + } +} + +resource sqlLogicalServerRes 'Microsoft.Sql/servers@2021-02-01-preview' = { + name: sqlLogicalServer.name + location: resourceGroup().location + tags: tags + identity: { + type: sqlLogicalServer.systemManagedIdentity ? 
'SystemAssigned' : 'None' + } + properties: { + administratorLogin: sqlLogicalServer.userName + administratorLoginPassword: password + version: '12.0' + minimalTlsVersion: sqlLogicalServer.minimalTlsVersion + publicNetworkAccess: sqlLogicalServer.publicNetworkAccess + } +} + +// Azure Active Directory integration +resource azureAdIntegration 'Microsoft.Sql/servers/administrators@2021-02-01-preview' = if (!empty(sqlLogicalServer.azureActiveDirectoryAdministrator.objectId)) { + name: 'activeDirectory' + parent: sqlLogicalServerRes + properties: { + administratorType: 'ActiveDirectory' + login: sqlLogicalServer.azureActiveDirectoryAdministrator.name + sid: sqlLogicalServer.azureActiveDirectoryAdministrator.objectId + tenantId: sqlLogicalServer.azureActiveDirectoryAdministrator.tenantId + } +} + +// Azure Defender +resource azureDefender 'Microsoft.Sql/servers/securityAlertPolicies@2021-02-01-preview' = { + name: 'Default' + parent: sqlLogicalServerRes + properties: { + state: sqlLogicalServer.azureDefender.enabled ? 
'Enabled' : 'Disabled'
+ emailAddresses: sqlLogicalServer.azureDefender.emailAddresses
+ emailAccountAdmins: sqlLogicalServer.azureDefender.emailAccountAdmins
+ disabledAlerts: sqlLogicalServer.azureDefender.disabledRules
+ }
+}
+
+// Get existing storage account
+resource storageAccountVulnerabilityAssessments 'Microsoft.Storage/storageAccounts@2021-04-01' existing = if (sqlLogicalServer.azureDefender.enabled && sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name)) {
+ scope: resourceGroup(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName)
+ name: sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name
+}
+
+// Vulnerability Assessments
+// Can be enabled only if Azure Defender is enabled as well
+resource vulnerabilityAssessments 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-02-01-preview' = if (sqlLogicalServer.azureDefender.enabled && sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans && !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name)) {
+ dependsOn: [
+ azureDefender
+ ]
+ name: 'Default'
+ parent: sqlLogicalServerRes
+ properties: {
+ recurringScans: {
+ isEnabled: sqlLogicalServer.azureDefender.vulnerabilityAssessments.recurringScans
+ emailSubscriptionAdmins: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins
+ emails: sqlLogicalServer.azureDefender.vulnerabilityAssessments.emails
+ }
+ storageContainerPath: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ? '${storageAccountVulnerabilityAssessments.properties.primaryEndpoints.blob}${sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.containerName}' : ''
+ storageAccountAccessKey: !empty(sqlLogicalServer.azureDefender.vulnerabilityAssessments.storageAccount.name) ?
listKeys(storageAccountVulnerabilityAssessments.id, storageAccountVulnerabilityAssessments.apiVersion).keys[0].value : ''
+ }
+}
+
+// Audit settings need for enabling auditing to Log Analytics workspace
+resource auditSettings 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = {
+ name: 'Default'
+ parent: sqlLogicalServerRes
+ properties: {
+ state: sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs ? 'Enabled' : 'Disabled'
+ auditActionsAndGroups: !empty(sqlLogicalServer.auditActionsAndGroups) ? sqlLogicalServer.auditActionsAndGroups : defaultAuditActionsAndGroups
+ storageEndpoint: ''
+ storageAccountAccessKey: ''
+ storageAccountSubscriptionId: '00000000-0000-0000-0000-000000000000'
+ retentionDays: 0
+ isAzureMonitorTargetEnabled: sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs
+ isDevopsAuditEnabled: sqlLogicalServer.diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs
+ }
+}
+
+// SQL Logical Server Firewall Rules
+module sqlFirewallRules 'sql-firewall-rule.bicep' = [for (firewallRules, index) in sqlLogicalServer.firewallRules: {
+ dependsOn: [
+ sqlLogicalServerRes
+ ]
+ name: 'sqlFirewallRule-${uniqueString(sqlLogicalServer.name)}-${index}'
+ params: {
+ sqlFirewallRule: sqlLogicalServer.firewallRules[index]
+ sqlServerName: sqlLogicalServer.name
+ }
+}]
+
+// SQL Databases
+module sqlDatabases 'sql-database.bicep' = [for (sqlDatabase, index) in sqlLogicalServer.databases: {
+ dependsOn: [
+ sqlLogicalServerRes
+ ]
+ name: 'sqlDb-${uniqueString(sqlLogicalServer.name)}-${index}'
+ params: {
+ sqlServerName: sqlLogicalServer.name
+ sqlDatabase: union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index])
+ tags: union(tags, union(defaultSqlDatabaseProperties, sqlLogicalServer.databases[index]).tags)
+ }
+}]
+
+// Empty deployment that serves as artificial delay until master database resource is created
+@batchSize(1)
+resource dummyDeployments 'Microsoft.Resources/deployments@2021-04-01' = [for (dummyDeployment, index) in
range(0, 5): if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs && !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) {
+ dependsOn: [
+ sqlLogicalServerRes
+ ]
+ name: 'dummyTemplateSqlServer-${uniqueString(sqlLogicalServer.name)}-${index}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}]
+
+// Get existing master database
+resource masterDb 'Microsoft.Sql/servers/databases@2021-02-01-preview' existing = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs || !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) {
+ name: 'master'
+ parent: sqlLogicalServerRes
+}
+
+// Get existing Log Analytics workspace
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-10-01' existing = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs || !empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) {
+ scope: resourceGroup(sqlLogicalServer.diagnosticLogsAndMetrics.subscriptionId, sqlLogicalServer.diagnosticLogsAndMetrics.resourceGroupName)
+ name: sqlLogicalServer.diagnosticLogsAndMetrics.name
+}
+
+// Sends audit logs to Log Analytics Workspace
+resource auditDiagnosticSettings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if (sqlLogicalServer.diagnosticLogsAndMetrics.auditLogs) {
+ dependsOn: [
+ auditSettings
+ sqlDatabases
+ dummyDeployments
+ ]
+ scope: masterDb
+ name: 'SQLSecurityAuditEvents_3d229c42-c7e7-4c97-9a99-ec0d0d8b86c1'
+ properties: {
+ workspaceId: logAnalyticsWorkspace.id
+ logs: [
+ {
+ category: 'SQLSecurityAuditEvents'
+ enabled: true
+ }
+ {
+ category: 'DevOpsOperationsAudit'
+ enabled: sqlLogicalServer.diagnosticLogsAndMetrics.microsoftSupportOperationsAuditLogs
+ }
+ ]
+ }
+}
+
+// Send other logs and metrics to Log Analytics
+resource diagnosticSettings 'microsoft.insights/diagnosticSettings@2017-05-01-preview' = if
(!empty(sqlLogicalServer.diagnosticLogsAndMetrics.name)) { + dependsOn: [ + sqlDatabases + dummyDeployments + ] + scope: masterDb + name: 'sendLogsAndMetrics' + properties: { + workspaceId: logAnalyticsWorkspace.id + logs: [for log in sqlLogicalServer.diagnosticLogsAndMetrics.logs: { + category: log + enabled: true + }] + metrics: [for metric in sqlLogicalServer.diagnosticLogsAndMetrics.metrics: { + category: metric + enabled: true + }] + } +} diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json index 6a2c3771398..87bd56ada97 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-server.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "10996646171408784195" + "templateHash": "12260651447744530468" } }, "parameters": { @@ -84,7 +84,7 @@ "resources": [ { "type": "Microsoft.Sql/servers", - "apiVersion": "2020-02-02-preview", + "apiVersion": "2021-02-01-preview", "name": "[parameters('sqlLogicalServer').name]", "location": "[resourceGroup().location]", "tags": "[parameters('tags')]", @@ -102,7 +102,7 @@ { "condition": "[not(empty(parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId))]", "type": "Microsoft.Sql/servers/administrators", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'activeDirectory')]", "properties": { "administratorType": "ActiveDirectory", 
@@ -116,13 +116,13 @@ }, { "type": "Microsoft.Sql/servers/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "state": "[if(parameters('sqlLogicalServer').azureDefender.enabled, 'Enabled', 'Disabled')]", "emailAddresses": "[parameters('sqlLogicalServer').azureDefender.emailAddresses]", "emailAccountAdmins": "[parameters('sqlLogicalServer').azureDefender.emailAccountAdmins]", - "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledAlerts]" + "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledRules]" }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" @@ -131,7 +131,7 @@ { "condition": "[and(and(parameters('sqlLogicalServer').azureDefender.enabled, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/vulnerabilityAssessments", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "recurringScans": { 
@@ -139,8 +139,8 @@ "emailSubscriptionAdmins": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", "emails": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emails]" }, - "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", - "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), format('{0}{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').primaryEndpoints.blob, 
parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').keys[0].value, '')]" }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('sqlLogicalServer').name, 'Default')]", @@ -149,7 +149,7 @@ }, { "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "state": "[if(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", @@ -174,7 +174,7 @@ "batchSize": 1 }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2021-04-01", "name": "[format('dummyTemplateSqlServer-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", "properties": { "mode": "Incremental", @@ -275,7 +275,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4663537880944763431" + "templateHash": "10929616126180001294" } }, "parameters": { @@ -296,7 +296,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", "properties": { "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", 
@@ -341,7 +341,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4510101890649346043" + "templateHash": "12413819060224235299" } }, "parameters": { 
@@ -380,14 +380,25 @@ "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", - "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", - "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), null(), parameters('sqlDatabase').minimumCores)]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), null(), parameters('sqlDatabase').autoPauseDelay)]" } }, + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, { "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": 
"[parameters('sqlDatabase').longTermBackup.weeklyRetention]", @@ -398,13 +409,13 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { 
@@ -412,13 +423,13 @@ "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" }, - "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", - "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), format('{0}{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": 
"[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').keys[0].value, '')]" }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -439,7 +450,7 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -471,59 +482,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "sqlDatabase": { - "value": "[parameters('sqlDatabase')]" - }, - "sqlServerName": { - "value": "[parameters('sqlServerName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "dev", - "templateHash": "11452411779990848351" - } - }, - "parameters": { - "sqlDatabase": { - "type": "object" - }, - "sqlServerName": { - "type": "string" - } - }, - "functions": [], - "resources": [ - { - "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", - "apiVersion": "2014-04-01", - "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", - "properties": { - "status": "[parameters('sqlDatabase').dataEncryption]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', 
parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -551,7 +510,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "15978855867572262081" + "templateHash": "1280408386363466909" } }, "parameters": { @@ -566,7 +525,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" @@ -577,7 +536,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -604,7 +563,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "3149608550700302182" + "templateHash": "15009839048358250877" } }, "parameters": { 
@@ -619,7 +578,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", @@ -633,7 +592,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -660,7 +619,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "13898863446734417779" + "templateHash": "4499755266351443773" } }, "parameters": { @@ -682,7 +641,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", 
@@ -699,7 +658,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] } ] diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep index ef805e8334a..8f794dfb6f5 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.bicep 
@@ -1,63 +1,65 @@
-@description('SQL logical servers.')
-param sqlLogicalServers array
-param tags object
-
-@secure()
-param password string
-
-var defaultSqlLogicalServerProperties = {
- name: ''
- tags: {}
- userName: ''
- passwordFromKeyVault: {
- subscriptionId: subscription().subscriptionId
- resourceGroupName: ''
- name: ''
- secretName: ''
- }
- systemManagedIdentity: false
- minimalTlsVersion: '1.2'
- publicNetworkAccess: 'Enabled'
- azureActiveDirectoryAdministrator: {
- name: ''
- objectId: ''
- tenantId: subscription().tenantId
- }
- firewallRules: []
- azureDefender: {
- enabled: false
- emailAccountAdmins: false
- emailAddresses: []
- disabledRules: []
- vulnerabilityAssessments: {
- recurringScans: false
- storageAccount: {
- resourceGroupName: ''
- name: ''
- containerName: ''
- }
- emailSubscriptionAdmins: false
- emails: []
- }
- }
- auditActionsAndGroups: []
- diagnosticLogsAndMetrics: {
- name: ''
- resourceGroupName: ''
- subscriptionId: subscription().subscriptionId
- logs: []
- metrics: []
- auditLogs: false
- microsoftSupportOperationsAuditLogs: false
- }
- databases: []
-}
-
-module sqlLogicalServer 'sql-logical-server.bicep' = [for (sqlLogicalServer, index) in sqlLogicalServers: {
- name: 'sqlLogicalServer-${index}'
- params: {
- sqlLogicalServer: union(defaultSqlLogicalServerProperties, sqlLogicalServer)
- password: password
- tags: union(tags, union(defaultSqlLogicalServerProperties, sqlLogicalServer).tags)
- }
-}]
+@description('SQL logical servers.')
+param sqlLogicalServers array
+param tags object
+
+var defaultSqlLogicalServerProperties = {
+ name: ''
+ tags: {}
+ userName: ''
+ passwordFromKeyVault: {
+ subscriptionId: subscription().subscriptionId
+ resourceGroupName: ''
+ name: ''
+ secretName: ''
+ }
+ systemManagedIdentity: false
+ minimalTlsVersion: '1.2'
+ publicNetworkAccess: 'Enabled'
+ azureActiveDirectoryAdministrator: {
+ name: ''
+ objectId: ''
+ tenantId: subscription().tenantId
+ }
+ firewallRules: []
+ azureDefender:
{ + enabled: false + emailAccountAdmins: false + emailAddresses: [] + disabledRules: [] + vulnerabilityAssessments: { + recurringScans: false + storageAccount: { + resourceGroupName: '' + name: '' + containerName: '' + } + emailSubscriptionAdmins: false + emails: [] + } + } + auditActionsAndGroups: [] + diagnosticLogsAndMetrics: { + name: '' + resourceGroupName: '' + subscriptionId: subscription().subscriptionId + logs: [] + metrics: [] + auditLogs: false + microsoftSupportOperationsAuditLogs: false + } + databases: [] +} + +resource sqlPassKeyVaults 'Microsoft.KeyVault/vaults@2021-04-01-preview' existing = [for keyVault in sqlLogicalServers: { + name: keyVault.passwordFromKeyVault.name + scope: resourceGroup(union(defaultSqlLogicalServerProperties, keyVault).passwordFromKeyVault.subscriptionId, keyVault.passwordFromKeyVault.resourceGroupName) +}] + +module sqlLogicalServer 'sql-logical-server.bicep' = [for (sqlLogicalServer, index) in sqlLogicalServers: { + name: 'sqlLogicalServer-${index}' + params: { + sqlLogicalServer: union(defaultSqlLogicalServerProperties, sqlLogicalServer) + password: sqlPassKeyVaults[index].getSecret(sqlLogicalServer.passwordFromKeyVault.secretName) + tags: union(tags, union(defaultSqlLogicalServerProperties, sqlLogicalServer).tags) + } +}] diff --git a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json index 1fd9d7b8c8a..87e8e715937 100644 --- a/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json +++ b/docs/examples/301/sql-database-with-management/modules/sql-logical-servers.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "3006884168629079235" + "templateHash": "11793311320811469641" } }, "parameters": { @@ -17,9 +17,6 @@ }, "tags": { "type": "object" - }, - "password": { - "type": "secureString" } }, "functions": [], 
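Review bot: In the new `sqlPassKeyVaults` loop only `subscriptionId` is read through `union(defaultSqlLogicalServerProperties, keyVault)`, while `name`, `resourceGroupName` and `secretName` come from the raw array element, so `passwordFromKeyVault` is now effectively mandatory and the empty-string defaults kept in `defaultSqlLogicalServerProperties` cannot yield a working deployment. I would say so above the loop, for example `// passwordFromKeyVault.name, .resourceGroupName and .secretName are required; the vault must have enabledForTemplateDeployment set`, and rename the loop variable `keyVault` to `server`, since it iterates server entries rather than vaults. The `getSecret()` call in the module loop depends on `sqlPassKeyVaults[index]` lining up with `sqlLogicalServers[index]`, which holds only while both loops iterate the same array, so that deserves a short comment as well. Because this is an example people copy, the defaults `publicNetworkAccess: 'Enabled'`, `azureDefender.enabled: false` and `auditLogs: false` leave a new server publicly reachable and unmonitored unless the caller overrides them; a comment next to those defaults stating this would help.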
@@ -91,7 +88,12 @@ "value": "[union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()])]" }, "password": { - "value": "[parameters('password')]" + "reference": { + "keyVault": { + "id": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()]).passwordFromKeyVault.subscriptionId, parameters('sqlLogicalServers')[copyIndex()].passwordFromKeyVault.resourceGroupName), 'Microsoft.KeyVault/vaults', parameters('sqlLogicalServers')[copyIndex()].passwordFromKeyVault.name)]" + }, + "secretName": "[parameters('sqlLogicalServers')[copyIndex()].passwordFromKeyVault.secretName]" + } }, "tags": { "value": "[union(parameters('tags'), union(variables('defaultSqlLogicalServerProperties'), parameters('sqlLogicalServers')[copyIndex()]).tags)]" @@ -104,7 +106,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "10996646171408784195" + "templateHash": "12260651447744530468" } }, "parameters": { @@ -183,7 +185,7 @@ "resources": [ { "type": "Microsoft.Sql/servers", - "apiVersion": "2020-02-02-preview", + "apiVersion": "2021-02-01-preview", "name": "[parameters('sqlLogicalServer').name]", "location": "[resourceGroup().location]", "tags": "[parameters('tags')]", @@ -201,7 +203,7 @@ { "condition": "[not(empty(parameters('sqlLogicalServer').azureActiveDirectoryAdministrator.objectId))]", "type": "Microsoft.Sql/servers/administrators", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'activeDirectory')]", "properties": { "administratorType": "ActiveDirectory", 
@@ -215,13 +217,13 @@ }, { "type": "Microsoft.Sql/servers/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "state": "[if(parameters('sqlLogicalServer').azureDefender.enabled, 'Enabled', 'Disabled')]", "emailAddresses": "[parameters('sqlLogicalServer').azureDefender.emailAddresses]", "emailAccountAdmins": "[parameters('sqlLogicalServer').azureDefender.emailAccountAdmins]", - "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledAlerts]" + "disabledAlerts": "[parameters('sqlLogicalServer').azureDefender.disabledRules]" }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers', parameters('sqlLogicalServer').name)]" @@ -230,7 +232,7 @@ { "condition": "[and(and(parameters('sqlLogicalServer').azureDefender.enabled, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/vulnerabilityAssessments", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "recurringScans": { 
@@ -238,8 +240,8 @@ "emailSubscriptionAdmins": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", "emails": "[parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.emails]" }, - "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", - "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + "storageContainerPath": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), format('{0}{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').primaryEndpoints.blob, 
parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": "[if(not(empty(parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlLogicalServer').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').keys[0].value, '')]" }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/securityAlertPolicies', parameters('sqlLogicalServer').name, 'Default')]", @@ -248,7 +250,7 @@ }, { "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlLogicalServer').name, 'Default')]", "properties": { "state": "[if(parameters('sqlLogicalServer').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", @@ -273,7 +275,7 @@ "batchSize": 1 }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", + "apiVersion": "2021-04-01", "name": "[format('dummyTemplateSqlServer-{0}-{1}', uniqueString(parameters('sqlLogicalServer').name), copyIndex())]", "properties": { "mode": "Incremental", @@ -374,7 +376,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4663537880944763431" + "templateHash": "10929616126180001294" } }, "parameters": { @@ -395,7 +397,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/firewallRules", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}', parameters('sqlServerName'), parameters('sqlFirewallRule').name)]", "properties": { "startIpAddress": "[parameters('sqlFirewallRule').startIpAddress]", 
@@ -440,7 +442,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "4510101890649346043" + "templateHash": "12413819060224235299" } }, "parameters": { 
@@ -479,14 +481,25 @@ "licenseType": "[if(parameters('sqlDatabase').hybridBenefit, 'BasePrice', 'LicenseIncluded')]", "readScale": "[if(equals(parameters('sqlDatabase').readReplicas, 0), 'Disabled', 'Enabled')]", "readReplicaCount": "[parameters('sqlDatabase').readReplicas]", - "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), '', string(parameters('sqlDatabase').minimumCores))]", - "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), '', string(parameters('sqlDatabase').autoPauseDelay))]" + "minCapacity": "[if(equals(parameters('sqlDatabase').minimumCores, 0), null(), parameters('sqlDatabase').minimumCores)]", + "autoPauseDelay": "[if(equals(parameters('sqlDatabase').autoPauseDelay, 0), null(), parameters('sqlDatabase').autoPauseDelay)]" } }, + { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]", + "properties": { + "status": "[parameters('sqlDatabase').dataEncryption]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + ] + }, { "condition": "[parameters('sqlDatabase').longTermBackup.enabled]", "type": "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "weeklyRetention": 
"[parameters('sqlDatabase').longTermBackup.weeklyRetention]", @@ -497,13 +510,13 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('shortTermBackup-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { "condition": "[and(and(parameters('sqlDatabase').azureDefender.enabled, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.recurringScans), not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)))]", "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'Default')]", "properties": { "recurringScans": { 
@@ -511,13 +524,13 @@ "emailSubscriptionAdmins": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emailSubscriptionAdmins]", "emails": "[parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.emails]" }, - "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), concat(reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", - "storageAccountAccessKey": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-01-01').keys[0].value, '')]" + "storageContainerPath": "[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), format('{0}{1}', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').primaryEndpoints.blob, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.containerName), '')]", + "storageAccountAccessKey": 
"[if(not(empty(parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name)), listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.resourceGroupName), 'Microsoft.Storage/storageAccounts', parameters('sqlDatabase').azureDefender.vulnerabilityAssessments.storageAccount.name), '2021-04-01').keys[0].value, '')]" }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('azureDefender-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -538,7 +551,7 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('auditSettings-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]", "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { 
@@ -570,59 +583,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "sqlDatabase": { - "value": "[parameters('sqlDatabase')]" - }, - "sqlServerName": { - "value": "[parameters('sqlServerName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "dev", - "templateHash": "11452411779990848351" - } - }, - "parameters": { - "sqlDatabase": { - "type": "object" - }, - "sqlServerName": { - "type": "string" - } - }, - "functions": [], - "resources": [ - { - "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", - "apiVersion": "2014-04-01", - "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", - "properties": { - "status": "[parameters('sqlDatabase').dataEncryption]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', 
parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -650,7 +611,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "15978855867572262081" + "templateHash": "1280408386363466909" } }, "parameters": { @@ -665,7 +626,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "retentionDays": "[parameters('sqlDatabase').shortTermBackupRetention]" @@ -676,7 +637,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -703,7 +664,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "3149608550700302182" + "templateHash": "15009839048358250877" } }, "parameters": { 
@@ -718,7 +679,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').azureDefender.enabled, 'Enabled', 'Disabled')]", @@ -732,7 +693,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] }, { @@ -759,7 +720,7 @@ "_generator": { "name": "bicep", "version": "dev", - "templateHash": "13898863446734417779" + "templateHash": "4499755266351443773" } }, "parameters": { @@ -781,7 +742,7 @@ "resources": [ { "type": "Microsoft.Sql/servers/databases/auditingSettings", - "apiVersion": "2020-08-01-preview", + "apiVersion": "2021-02-01-preview", "name": "[format('{0}/{1}/Default', parameters('sqlServerName'), parameters('sqlDatabase').name)]", "properties": { "state": "[if(parameters('sqlDatabase').diagnosticLogsAndMetrics.auditLogs, 'Enabled', 'Disabled')]", 
@@ -798,7 +759,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1])]", - "[resourceId('Microsoft.Resources/deployments', format('transparentDataEncryption-{0}', uniqueString(parameters('sqlServerName'), parameters('sqlDatabase').name)))]" + "[resourceId('Microsoft.Sql/servers/databases/transparentDataEncryption', split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[0], split(format('{0}/{1}', parameters('sqlServerName'), parameters('sqlDatabase').name), '/')[1], 'current')]" ] } ] diff --git a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep deleted file mode 100644 index 56f1206e0b1..00000000000 --- a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.bicep +++ /dev/null @@ -1,9 +0,0 @@ -param sqlDatabase object -param sqlServerName string - -resource transparentDataEncryption 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = { - name: '${sqlServerName}/${sqlDatabase.name}/current' - properties: { - status: sqlDatabase.dataEncryption - } -} diff --git a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json b/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json deleted file mode 100644 index e82b6174dc1..00000000000 --- a/docs/examples/301/sql-database-with-management/modules/transparent-data-encryption.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "dev", - "templateHash": "11452411779990848351" - } - }, - "parameters": { - "sqlDatabase": { - "type": "object" - }, - "sqlServerName": { - "type": "string" - } - }, - "functions": [], - "resources": [ - { - "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", - "apiVersion": "2014-04-01", - "name": "[format('{0}/{1}/current', parameters('sqlServerName'), parameters('sqlDatabase').name)]", - "properties": { - "status": "[parameters('sqlDatabase').dataEncryption]" - } - } - ] -} \ No newline at end of file
diff --git a/docs/examples/301/sql-database-with-management/parameters.json b/docs/examples/301/sql-database-with-management/parameters.json
index c0f85ef85d3..2b67a99c12a 100644
--- a/docs/examples/301/sql-database-with-management/parameters.json
+++ b/docs/examples/301/sql-database-with-management/parameters.json
@@ -88,14 +88,6 @@
 }
 ]
 }
- },
- "password": {
- "reference": {
- "keyVault": {
- "id": ""
- },
- "secretName": ""
- }
 }
 }
 }