feat: Allow disabling audit settings in 'avm/res/sql/server' (#4037)

Also make user assigned identities work for audit storage.

Fixes #3888
Fixes #2307

## Description

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #123
Fixes #456
Closes #123
Closes #456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.sql.server](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.res.sql.server.yml/badge.svg)](https://github.com/peterbud/bicep-registry-modules/actions/workflows/avm.res.sql.server.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [x] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

avm/res/sql/server/README.md

@@ -2171,7 +2171,7 @@ param vulnerabilityAssessmentsObj = {
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`auditSettings`](#parameter-auditsettings) | object | The audit settings configuration. |
+| [`auditSettings`](#parameter-auditsettings) | object | The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object. |
 | [`databases`](#parameter-databases) | array | The databases to create in the server. |
 | [`elasticPools`](#parameter-elasticpools) | array | The Elastic Pools to create in the server. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
@@ -2308,11 +2308,16 @@ The resource ID of a user assigned identity to be used by default. Required if "
 
 ### Parameter: `auditSettings`
 
-The audit settings configuration.
+The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object.
 
 - Required: No
 - Type: object
-- Default: `{}`
+- Default:
+  ```Bicep
+  {
+      state: 'Enabled'
+  }
+  ```
 
 **Optional parameters**
 

avm/res/sql/server/audit-settings/main.bicep

@@ -48,14 +48,21 @@ resource server 'Microsoft.Sql/servers@2023-08-01-preview' existing = {
 }
 
 // Assign SQL Server MSI access to storage account
+var primaryUserAssignedIdentityPrincipalId = filter(
+  items(server.identity.userAssignedIdentities),
+  identity => identity.key == server.properties.primaryUserAssignedIdentityId
+)[0].value.principalId
+
 module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = if (isManagedIdentityInUse && !empty(storageAccountResourceId)) {
   name: '${server.name}-stau-rbac'
   scope: (isManagedIdentityInUse && !empty(storageAccountResourceId))
     ? resourceGroup(split(storageAccountResourceId!, '/')[2], split(storageAccountResourceId!, '/')[4])
     : resourceGroup()
   params: {
     storageAccountName: last(split(storageAccountResourceId!, '/'))
-    managedInstanceIdentityPrincipalId: server.identity.principalId
+    managedIdentityPrincipalId: server.identity.type == 'UserAssigned'
+      ? primaryUserAssignedIdentityPrincipalId
+      : server.identity.principalId
   }
 }
 

avm/res/sql/server/audit-settings/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.32.4.45862",
-      "templateHash": "14061468320361890476"
+      "templateHash": "14231897538103218394"
     },
     "name": "Azure SQL Server Audit Settings",
     "description": "This module deploys an Azure SQL Server Audit Settings.",
@@ -139,9 +139,7 @@
           "storageAccountName": {
             "value": "[last(split(parameters('storageAccountResourceId'), '/'))]"
           },
-          "managedInstanceIdentityPrincipalId": {
-            "value": "[reference('server', '2023-08-01-preview', 'full').identity.principalId]"
-          }
+          "managedIdentityPrincipalId": "[if(equals(reference('server', '2023-08-01-preview', 'full').identity.type, 'UserAssigned'), createObject('value', filter(items(reference('server', '2023-08-01-preview', 'full').identity.userAssignedIdentities), lambda('identity', equals(lambdaVariables('identity').key, reference('server').primaryUserAssignedIdentityId)))[0].value.principalId), createObject('value', reference('server', '2023-08-01-preview', 'full').identity.principalId))]"
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -150,14 +148,14 @@
             "_generator": {
               "name": "bicep",
               "version": "0.32.4.45862",
-              "templateHash": "12732093554587495593"
+              "templateHash": "6533631702047528762"
             }
           },
           "parameters": {
             "storageAccountName": {
               "type": "string"
             },
-            "managedInstanceIdentityPrincipalId": {
+            "managedIdentityPrincipalId": {
               "type": "string"
             }
           },
@@ -166,10 +164,10 @@
               "type": "Microsoft.Authorization/roleAssignments",
               "apiVersion": "2022-04-01",
               "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
-              "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]",
+              "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedIdentityPrincipalId')))]",
               "properties": {
                 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
-                "principalId": "[parameters('managedInstanceIdentityPrincipalId')]",
+                "principalId": "[parameters('managedIdentityPrincipalId')]",
                 "principalType": "ServicePrincipal"
               }
             }

avm/res/sql/server/audit-settings/modules/nested_storageRoleAssignment.bicep

@@ -1,20 +1,20 @@
 param storageAccountName string
-param managedInstanceIdentityPrincipalId string
+param managedIdentityPrincipalId string
 
 resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
   name: storageAccountName
 }
 
 // Assign Storage Blob Data Contributor RBAC role
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid('${storageAccount.id}-${managedInstanceIdentityPrincipalId}-Storage-Blob-Data-Contributor')
+  name: guid('${storageAccount.id}-${managedIdentityPrincipalId}-Storage-Blob-Data-Contributor')
   scope: storageAccount
   properties: {
     roleDefinitionId: subscriptionResourceId(
       'Microsoft.Authorization/roleDefinitions',
       'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
     )
-    principalId: managedInstanceIdentityPrincipalId
+    principalId: managedIdentityPrincipalId
     principalType: 'ServicePrincipal'
   }
 }

avm/res/sql/server/main.bicep

@@ -123,8 +123,10 @@ param encryptionProtectorObj encryptionProtectorType?
 @description('Optional. The vulnerability assessment configuration.')
 param vulnerabilityAssessmentsObj vulnerabilityAssessmentType?
 
-@description('Optional. The audit settings configuration.')
-param auditSettings auditSettingsType = {} //Use the defaults from the child module
+@description('Optional. The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object.')
+param auditSettings auditSettingsType = {
+  state: 'Enabled'
+}
 
 @description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
 param secretsExportConfiguration secretsExportConfigurationType?
@@ -472,7 +474,7 @@ module server_encryptionProtector 'encryption-protector/main.bicep' = if (encryp
   ]
 }
 
-module server_audit_settings 'audit-settings/main.bicep' = if (auditSettings != null) {
+module server_audit_settings 'audit-settings/main.bicep' = if (!empty(auditSettings)) {
   name: '${uniqueString(deployment().name, location)}-Sql-AuditSettings'
   params: {
     serverName: server.name

avm/res/sql/server/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.32.4.45862",
-      "templateHash": "16838754880391375086"
+      "templateHash": "1980681326708212688"
     },
     "name": "Azure SQL Servers",
     "description": "This module deploys an Azure SQL Server.",
@@ -2001,9 +2001,11 @@
     },
     "auditSettings": {
       "$ref": "#/definitions/auditSettingsType",
-      "defaultValue": {},
+      "defaultValue": {
+        "state": "Enabled"
+      },
       "metadata": {
-        "description": "Optional. The audit settings configuration."
+        "description": "Optional. The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object."
       }
     },
     "secretsExportConfiguration": {
@@ -5248,7 +5250,7 @@
       ]
     },
     "server_audit_settings": {
-      "condition": "[not(equals(parameters('auditSettings'), null()))]",
+      "condition": "[not(empty(parameters('auditSettings')))]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2022-09-01",
       "name": "[format('{0}-Sql-AuditSettings', uniqueString(deployment().name, parameters('location')))]",
@@ -5300,7 +5302,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.32.4.45862",
-              "templateHash": "14061468320361890476"
+              "templateHash": "14231897538103218394"
             },
             "name": "Azure SQL Server Audit Settings",
             "description": "This module deploys an Azure SQL Server Audit Settings.",
@@ -5433,9 +5435,7 @@
                   "storageAccountName": {
                     "value": "[last(split(parameters('storageAccountResourceId'), '/'))]"
                   },
-                  "managedInstanceIdentityPrincipalId": {
-                    "value": "[reference('server', '2023-08-01-preview', 'full').identity.principalId]"
-                  }
+                  "managedIdentityPrincipalId": "[if(equals(reference('server', '2023-08-01-preview', 'full').identity.type, 'UserAssigned'), createObject('value', filter(items(reference('server', '2023-08-01-preview', 'full').identity.userAssignedIdentities), lambda('identity', equals(lambdaVariables('identity').key, reference('server').primaryUserAssignedIdentityId)))[0].value.principalId), createObject('value', reference('server', '2023-08-01-preview', 'full').identity.principalId))]"
                 },
                 "template": {
                   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -5444,14 +5444,14 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.32.4.45862",
-                      "templateHash": "12732093554587495593"
+                      "templateHash": "6533631702047528762"
                     }
                   },
                   "parameters": {
                     "storageAccountName": {
                       "type": "string"
                     },
-                    "managedInstanceIdentityPrincipalId": {
+                    "managedIdentityPrincipalId": {
                       "type": "string"
                     }
                   },
@@ -5460,10 +5460,10 @@
                       "type": "Microsoft.Authorization/roleAssignments",
                       "apiVersion": "2022-04-01",
                       "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
-                      "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]",
+                      "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedIdentityPrincipalId')))]",
                       "properties": {
                         "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
-                        "principalId": "[parameters('managedInstanceIdentityPrincipalId')]",
+                        "principalId": "[parameters('managedIdentityPrincipalId')]",
                         "principalType": "ServicePrincipal"
                       }
                     }