diff --git a/avm/res/sql/server/README.md b/avm/res/sql/server/README.md index dc5670500d..a9890a3eca 100644 --- a/avm/res/sql/server/README.md +++ b/avm/res/sql/server/README.md @@ -2171,7 +2171,7 @@ param vulnerabilityAssessmentsObj = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`auditSettings`](#parameter-auditsettings) | object | The audit settings configuration. | +| [`auditSettings`](#parameter-auditsettings) | object | The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object. | | [`databases`](#parameter-databases) | array | The databases to create in the server. | | [`elasticPools`](#parameter-elasticpools) | array | The Elastic Pools to create in the server. | | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | @@ -2308,11 +2308,16 @@ The resource ID of a user assigned identity to be used by default. Required if " ### Parameter: `auditSettings` -The audit settings configuration. +The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object. - Required: No - Type: object -- Default: `{}` +- Default: + ```Bicep + { + state: 'Enabled' + } + ``` **Optional parameters** diff --git a/avm/res/sql/server/audit-settings/main.bicep b/avm/res/sql/server/audit-settings/main.bicep index 8d23380517..8bcde709e9 100644 --- a/avm/res/sql/server/audit-settings/main.bicep +++ b/avm/res/sql/server/audit-settings/main.bicep 
@@ -48,6 +48,11 @@ resource server 'Microsoft.Sql/servers@2023-08-01-preview' existing = {
 }

 // Assign SQL Server MSI access to storage account
+var primaryUserAssignedIdentityPrincipalId = filter(
+ items(server.identity.userAssignedIdentities),
+ identity => identity.key == server.properties.primaryUserAssignedIdentityId
+)[0].value.principalId
+
 module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = if (isManagedIdentityInUse && !empty(storageAccountResourceId)) {
 name: '${server.name}-stau-rbac'
 scope: (isManagedIdentityInUse && !empty(storageAccountResourceId))
@@ -55,7 +60,9 @@ module storageAccount_sbdc_rbac 'modules/nested_storageRoleAssignment.bicep' = i
 : resourceGroup()
 params: {
 storageAccountName: last(split(storageAccountResourceId!, '/'))
- managedInstanceIdentityPrincipalId: server.identity.principalId
+ managedIdentityPrincipalId: server.identity.type == 'UserAssigned'
+ ? primaryUserAssignedIdentityPrincipalId
+ : server.identity.principalId
 }
 }

diff --git a/avm/res/sql/server/audit-settings/main.json b/avm/res/sql/server/audit-settings/main.json
index 5271c6c6b1..0692800d1c 100644
--- a/avm/res/sql/server/audit-settings/main.json
+++ b/avm/res/sql/server/audit-settings/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.32.4.45862",
- "templateHash": "14061468320361890476"
+ "templateHash": "14231897538103218394"
 },
 "name": "Azure SQL Server Audit Settings",
 "description": "This module deploys an Azure SQL Server Audit Settings.",
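Review bot: `filter(...)[0]` in the new `primaryUserAssignedIdentityPrincipalId` variable has no fallback when no key of `server.identity.userAssignedIdentities` equals `server.properties.primaryUserAssignedIdentityId`, and identity resource IDs echoed back by ARM are not guaranteed to match the configured value byte-for-byte (segment casing such as `resourceGroups` vs `resourcegroups` is a common mismatch), so a deployment that should succeed dies on an opaque index error. Compare case-insensitively so the lookup keys on the identity rather than its spelling: `identity => toLower(identity.key) == toLower(server.properties.primaryUserAssignedIdentityId)`. The principal resolved here is the one the nested module grants Storage Blob Data Contributor on the audit storage account, so a wrong match is a misplaced data-plane grant, not just a failed deployment. The variable also dereferences `userAssignedIdentities` on servers that only have a system-assigned identity; in the compiled template it is only evaluated inside the `if()` branch, which I believe short-circuits, but a SystemAssigned-only test deployment would confirm that.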
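Review bot: `server.identity.type == 'UserAssigned'` on the new `managedIdentityPrincipalId` line does not match the combined `'SystemAssigned,UserAssigned'` type, so a server carrying both identities with `primaryUserAssignedIdentityId` set still gets the role assigned to its system-assigned principal. Which identity Azure SQL auditing actually uses to reach the storage account in that configuration should be confirmed against the service documentation; if it is the primary UMI, key the selector on the primary identity being set rather than on the type string, e.g. `managedIdentityPrincipalId: server.properties.?primaryUserAssignedIdentityId != null ? primaryUserAssignedIdentityPrincipalId : server.identity.principalId`. Either way the Storage Blob Data Contributor grant should land only on the identity the service uses; granting it to an identity that never touches the account is an unnecessary standing privilege. The `storageAccount_sbdc_rbac` module declaration starts in the previous hunk.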
@@ -139,9 +139,7 @@ "storageAccountName": { "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" }, - "managedInstanceIdentityPrincipalId": { - "value": "[reference('server', '2023-08-01-preview', 'full').identity.principalId]" - } + "managedIdentityPrincipalId": "[if(equals(reference('server', '2023-08-01-preview', 'full').identity.type, 'UserAssigned'), createObject('value', filter(items(reference('server', '2023-08-01-preview', 'full').identity.userAssignedIdentities), lambda('identity', equals(lambdaVariables('identity').key, reference('server').primaryUserAssignedIdentityId)))[0].value.principalId), createObject('value', reference('server', '2023-08-01-preview', 'full').identity.principalId))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -150,14 +148,14 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "12732093554587495593" + "templateHash": "6533631702047528762" } }, "parameters": { "storageAccountName": { "type": "string" }, - "managedInstanceIdentityPrincipalId": { + "managedIdentityPrincipalId": { "type": "string" } }, 
@@ -166,10 +164,10 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
- "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]",
+ "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedIdentityPrincipalId')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
- "principalId": "[parameters('managedInstanceIdentityPrincipalId')]",
+ "principalId": "[parameters('managedIdentityPrincipalId')]",
 "principalType": "ServicePrincipal"
 }
 }
diff --git a/avm/res/sql/server/audit-settings/modules/nested_storageRoleAssignment.bicep b/avm/res/sql/server/audit-settings/modules/nested_storageRoleAssignment.bicep
index f9246f4ceb..1cdcb2eafa 100644
--- a/avm/res/sql/server/audit-settings/modules/nested_storageRoleAssignment.bicep
+++ b/avm/res/sql/server/audit-settings/modules/nested_storageRoleAssignment.bicep
@@ -1,5 +1,5 @@
 param storageAccountName string
-param managedInstanceIdentityPrincipalId string
+param managedIdentityPrincipalId string

 resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
 name: storageAccountName
@@ -7,14 +7,14 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing

 // Assign Storage Blob Data Contributor RBAC role
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('${storageAccount.id}-${managedInstanceIdentityPrincipalId}-Storage-Blob-Data-Contributor')
+ name: guid('${storageAccount.id}-${managedIdentityPrincipalId}-Storage-Blob-Data-Contributor')
 scope: storageAccount
 properties: {
 roleDefinitionId: subscriptionResourceId(
 'Microsoft.Authorization/roleDefinitions',
 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 )
- principalId: managedInstanceIdentityPrincipalId
+ principalId: managedIdentityPrincipalId
 principalType: 'ServicePrincipal'
 }
 }
diff --git a/avm/res/sql/server/main.bicep b/avm/res/sql/server/main.bicep
index 02e2e18537..5b84d04536 100644
--- a/avm/res/sql/server/main.bicep
+++ b/avm/res/sql/server/main.bicep
@@ -123,8 +123,10 @@ param encryptionProtectorObj encryptionProtectorType?
 @description('Optional. The vulnerability assessment configuration.')
 param vulnerabilityAssessmentsObj vulnerabilityAssessmentType?

-@description('Optional. The audit settings configuration.')
-param auditSettings auditSettingsType = {} //Use the defaults from the child module
+@description('Optional. The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object.')
+param auditSettings auditSettingsType = {
+ state: 'Enabled'
+}

 @description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
 param secretsExportConfiguration secretsExportConfigurationType?
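Review bot: The new `@description` on `auditSettings` misspells `parmaeter` and says an empty object disables auditing, whereas the new default `{ state: 'Enabled' }` turns auditing on and an empty object only stops the audit-settings child module from being deployed, which in an incremental deployment leaves whatever auditing configuration the server already has in place. Suggest wording it as `Optional. The audit settings configuration. Auditing is enabled by default. Set to an empty object to skip deploying audit settings; to turn auditing off explicitly, set state to Disabled.` Enabling auditing by default is the right secure default for this module; the description should just not promise a disable that the condition does not perform. The same sentence is carried into the README and the compiled `main.json`, which are presumably regenerated from this file.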
@@ -472,7 +474,7 @@ module server_encryptionProtector 'encryption-protector/main.bicep' = if (encryp
 ]
 }

-module server_audit_settings 'audit-settings/main.bicep' = if (auditSettings != null) {
+module server_audit_settings 'audit-settings/main.bicep' = if (!empty(auditSettings)) {
 name: '${uniqueString(deployment().name, location)}-Sql-AuditSettings'
 params: {
 serverName: server.name
diff --git a/avm/res/sql/server/main.json b/avm/res/sql/server/main.json
index 06d4cc8a3d..605cefb73a 100644
--- a/avm/res/sql/server/main.json
+++ b/avm/res/sql/server/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.32.4.45862",
- "templateHash": "16838754880391375086"
+ "templateHash": "1980681326708212688"
 },
 "name": "Azure SQL Servers",
 "description": "This module deploys an Azure SQL Server.",
@@ -2001,9 +2001,11 @@
 }, "auditSettings": { "$ref": "#/definitions/auditSettingsType", - "defaultValue": {}, + "defaultValue": { "state": "Enabled" }, "metadata": { - "description": "Optional. The audit settings configuration." + "description": "Optional. The audit settings configuration. If you want to disable auditing, set the parmaeter to an empty object." } }, "secretsExportConfiguration": {
@@ -5248,7 +5250,7 @@
 ]
 },
 "server_audit_settings": {
- "condition": "[not(equals(parameters('auditSettings'), null()))]",
+ "condition": "[not(empty(parameters('auditSettings')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('{0}-Sql-AuditSettings', uniqueString(deployment().name, parameters('location')))]",
@@ -5300,7 +5302,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.32.4.45862",
- "templateHash": "14061468320361890476"
+ "templateHash": "14231897538103218394"
 },
 "name": "Azure SQL Server Audit Settings",
 "description": "This module deploys an Azure SQL Server Audit Settings.",
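Review bot: `!empty(auditSettings)` makes an empty object skip the `server_audit_settings` deployment instead of deploying a Disabled state, so on a server whose auditing was enabled by an earlier run, passing `{}` leaves the existing `Microsoft.Sql/servers/auditingSettings` untouched, because an incremental deployment does not reset child resources the template no longer declares. For an audit control that is the safer failure mode (auditing never silently switches off), but it means the only explicit off switch is `{ state: 'Disabled' }`, and callers reading the parameter description will expect `{}` to do that. Either keep the deployment unconditional and let `state` drive it, or at least add above the condition: `// An empty object skips this deployment; it does not disable auditing already configured on the server.` The `server_audit_settings` module body continues outside the hunk.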
@@ -5433,9 +5435,7 @@ "storageAccountName": { "value": "[last(split(parameters('storageAccountResourceId'), '/'))]" }, - "managedInstanceIdentityPrincipalId": { - "value": "[reference('server', '2023-08-01-preview', 'full').identity.principalId]" - } + "managedIdentityPrincipalId": "[if(equals(reference('server', '2023-08-01-preview', 'full').identity.type, 'UserAssigned'), createObject('value', filter(items(reference('server', '2023-08-01-preview', 'full').identity.userAssignedIdentities), lambda('identity', equals(lambdaVariables('identity').key, reference('server').primaryUserAssignedIdentityId)))[0].value.principalId), createObject('value', reference('server', '2023-08-01-preview', 'full').identity.principalId))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -5444,14 +5444,14 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "12732093554587495593" + "templateHash": "6533631702047528762" } }, "parameters": { "storageAccountName": { "type": "string" }, - "managedInstanceIdentityPrincipalId": { + "managedIdentityPrincipalId": { "type": "string" } }, 
@@ -5460,10 +5460,10 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
- "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedInstanceIdentityPrincipalId')))]",
+ "name": "[guid(format('{0}-{1}-Storage-Blob-Data-Contributor', resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), parameters('managedIdentityPrincipalId')))]",
 "properties": {
 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
- "principalId": "[parameters('managedInstanceIdentityPrincipalId')]",
+ "principalId": "[parameters('managedIdentityPrincipalId')]",
 "principalType": "ServicePrincipal"
 }
 }