azure_sql_server

active_directory_administrators

Type: UNORDERED_LIST_STRUCT
Provider name: ServerAzureADAdministrator

  • administrator_type
    Type: STRING
    Provider name: properties.administratorType
    Description: Type of the server administrator.
  • azure_ad_only_authentication
    Type: BOOLEAN
    Provider name: properties.azureADOnlyAuthentication
    Description: Azure Active Directory only Authentication enabled.
  • id
    Type: STRING
    Provider name: id
    Description: Resource ID.
  • login
    Type: STRING
    Provider name: properties.login
    Description: Login name of the server administrator.
  • name
    Type: STRING
    Provider name: name
    Description: Resource name.
  • sid
    Type: STRING
    Provider name: properties.sid
    Description: SID (object ID) of the server administrator.
  • tenant_id
    Type: STRING
    Provider name: properties.tenantId
    Description: Tenant ID of the administrator.
  • type
    Type: STRING
    Provider name: type
    Description: Resource type.

administrator_login

Type: STRING
Provider name: properties.administratorLogin
Description: Administrator username for the server. Once created it cannot be changed.

administrator_login_password

Type: STRING
Provider name: properties.administratorLoginPassword
Description: The administrator login password (required for server creation).

administrators

Type: STRUCT
Provider name: properties.administrators
Description: The Azure Active Directory identity of the server.

  • administrator_type
    Type: STRING
    Provider name: administratorType
    Description: Type of the server administrator.
  • azure_ad_only_authentication
    Type: BOOLEAN
    Provider name: azureADOnlyAuthentication
    Description: Azure Active Directory only Authentication enabled.
  • login
    Type: STRING
    Provider name: login
    Description: Login name of the server administrator.
  • principal_type
    Type: STRING
    Provider name: principalType
    Description: Principal type of the server administrator.
  • sid
    Type: STRING
    Provider name: sid
    Description: SID (object ID) of the server administrator.
  • tenant_id
    Type: STRING
    Provider name: tenantId
    Description: Tenant ID of the administrator.

advanced_threat_protection_setting

Type: STRUCT
Provider name: ServerAdvancedThreatProtection

  • creation_time
    Type: STRING
    Provider name: properties.creationTime
    Description: Specifies the UTC creation time of the policy.
  • id
    Type: STRING
    Provider name: id
    Description: Resource ID.
  • name
    Type: STRING
    Provider name: name
    Description: Resource name.
  • state
    Type: STRING
    Provider name: properties.state
    Description: Specifies the state of the Advanced Threat Protection, whether it is enabled or disabled or a state has not been applied yet on the specific database or server.
  • type
    Type: STRING
    Provider name: type
    Description: Resource type.

alert_policies

Type: UNORDERED_LIST_STRUCT
Provider name: ServerSecurityAlertPolicy

  • creation_time
    Type: STRING
    Provider name: properties.creationTime
    Description: Specifies the UTC creation time of the policy.
  • disabled_alerts
    Type: UNORDERED_LIST_STRING
    Provider name: properties.disabledAlerts
    Description: Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force
  • email_account_admins
    Type: BOOLEAN
    Provider name: properties.emailAccountAdmins
    Description: Specifies that the alert is sent to the account administrators.
  • email_addresses
    Type: UNORDERED_LIST_STRING
    Provider name: properties.emailAddresses
    Description: Specifies an array of e-mail addresses to which the alert is sent.
  • id
    Type: STRING
    Provider name: id
    Description: Resource ID.
  • name
    Type: STRING
    Provider name: name
    Description: Resource name.
  • state
    Type: STRING
    Provider name: properties.state
    Description: Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.
  • storage_account_access_key
    Type: STRING
    Provider name: properties.storageAccountAccessKey
    Description: Specifies the identifier key of the Threat Detection audit storage account.
  • storage_endpoint
    Type: STRING
    Provider name: properties.storageEndpoint
    Description: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
  • system_data
    Type: STRUCT
    Provider name: systemData
    Description: SystemData of SecurityAlertPolicyResource.
    • created_at
      Type: STRING
      Provider name: createdAt
      Description: The timestamp of resource creation (UTC).
    • created_by
      Type: STRING
      Provider name: createdBy
      Description: The identity that created the resource.
    • created_by_type
      Type: STRING
      Provider name: createdByType
      Description: The type of identity that created the resource.
    • last_modified_at
      Type: STRING
      Provider name: lastModifiedAt
      Description: The timestamp of resource last modification (UTC).
    • last_modified_by
      Type: STRING
      Provider name: lastModifiedBy
      Description: The identity that last modified the resource.
    • last_modified_by_type
      Type: STRING
      Provider name: lastModifiedByType
      Description: The type of identity that last modified the resource.
  • type
    Type: STRING
    Provider name: type
    Description: Resource type.

audit_setting

Type: STRUCT
Provider name: ServerBlobAuditingPolicy

  • audit_actions_and_groups
    Type: UNORDERED_LIST_STRING
    Provider name: properties.auditActionsAndGroups
    Description: Specifies the Actions-Groups and Actions to audit. The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This above combination is also the set that is configured by default when enabling auditing from the Azure portal. The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, BACKUP_RESTORE_GROUP, DATABASE_LOGOUT_GROUP, DATABASE_OBJECT_CHANGE_GROUP, DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP, DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, DATABASE_OPERATION_GROUP, DATABASE_PERMISSION_CHANGE_GROUP, DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, SCHEMA_OBJECT_ACCESS_GROUP, SCHEMA_OBJECT_CHANGE_GROUP, SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP, SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, USER_CHANGE_PASSWORD_GROUP, BATCH_STARTED_GROUP, BATCH_COMPLETED_GROUP, DBCC_GROUP, DATABASE_OWNERSHIP_CHANGE_GROUP, DATABASE_CHANGE_GROUP. These are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see Database-Level Audit Action Groups. For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are: SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE, REFERENCES. The general form for defining an action to be audited is: {action} ON {object} BY {principal}. Note that {object} in the above format can refer to an object like a table, view, or stored procedure, or an entire database or schema. For the latter cases, the forms DATABASE::{db_name} and SCHEMA::{schema_name} are used, respectively. For example: SELECT on dbo.myTable by public; SELECT on DATABASE::myDatabase by public; SELECT on SCHEMA::mySchema by public. For more information, see Database-Level Audit Actions.
  • id
    Type: STRING
    Provider name: id
    Description: Resource ID.
  • is_azure_monitor_target_enabled
    Type: BOOLEAN
    Provider name: properties.isAzureMonitorTargetEnabled
    Description: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘state’ as ‘Enabled’ and ‘isAzureMonitorTargetEnabled’ as true. When using REST API to configure auditing, Diagnostic Settings with ‘SQLSecurityAuditEvents’ diagnostic logs category on the database should be also created. Note that for server level audit you should use the ‘master’ database as {databaseName}. Diagnostic Settings URI format: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview (for more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell).
  • is_storage_secondary_key_in_use
    Type: BOOLEAN
    Provider name: properties.isStorageSecondaryKeyInUse
    Description: Specifies whether storageAccountAccessKey value is the storage’s secondary key.
  • name
    Type: STRING
    Provider name: name
    Description: Resource name.
  • queue_delay_ms
    Type: INT32
    Provider name: properties.queueDelayMs
    Description: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.
  • retention_days
    Type: INT64
    Provider name: properties.retentionDays
    Description: Specifies the number of days to keep in the audit logs in the storage account.
  • state
    Type: STRING
    Provider name: properties.state
    Description: Specifies the state of the policy. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
  • storage_account_access_key
    Type: STRING
    Provider name: properties.storageAccountAccessKey
    Description: Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication: 1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD). 2. Grant SQL Server identity access to the storage account by adding the ‘Storage Blob Data Contributor’ RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication.
  • storage_account_subscription_id
    Type: STRING
    Provider name: properties.storageAccountSubscriptionId
    Description: Specifies the blob storage subscription Id.
  • storage_endpoint
    Type: STRING
    Provider name: properties.storageEndpoint
    Description: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.
  • type
    Type: STRING
    Provider name: type
    Description: Resource type.
    encryption_protector

    Type: STRUCT
    Provider name: EncryptionProtector

    • auto_rotation_enabled
      Type: BOOLEAN
      Provider name: properties.autoRotationEnabled
      Description: Key auto rotation opt-in flag. Either true or false.
    • id
      Type: STRING
      Provider name: id
      Description: Resource ID.
    • kind
      Type: STRING
      Provider name: kind
      Description: Kind of encryption protector. This is metadata used for the Azure portal experience.
    • location
      Type: STRING
      Provider name: location
      Description: Resource location.
    • name
      Type: STRING
      Provider name: name
      Description: Resource name.
    • server_key_name
      Type: STRING
      Provider name: properties.serverKeyName
      Description: The name of the server key.
    • server_key_type
      Type: STRING
      Provider name: properties.serverKeyType
      Description: The encryption protector type like ‘ServiceManaged’, ‘AzureKeyVault’.
    • subregion
      Type: STRING
      Provider name: properties.subregion
      Description: Subregion of the encryption protector.
    • thumbprint
      Type: STRING
      Provider name: properties.thumbprint
      Description: Thumbprint of the server key.
    • type
      Type: STRING
      Provider name: type
      Description: Resource type.
    • uri
      Type: STRING
      Provider name: properties.uri
      Description: The URI of the server key.

    firewall_rules

    Type: UNORDERED_LIST_STRUCT
    Provider name: FirewallRule

    • end_ip_address
      Type: STRING
      Provider name: properties.endIpAddress
      Description: The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value ‘0.0.0.0’ for all Azure-internal IP addresses.
    • id
      Type: STRING
      Provider name: id
      Description: Resource ID.
    • name
      Type: STRING
      Provider name: name
      Description: Resource name.
    • start_ip_address
      Type: STRING
      Provider name: properties.startIpAddress
      Description: The start IP address of the firewall rule. Must be IPv4 format. Use value ‘0.0.0.0’ for all Azure-internal IP addresses.
    • type
      Type: STRING
      Provider name: type
      Description: Resource type.

    fully_qualified_domain_name

    Type: STRING
    Provider name: properties.fullyQualifiedDomainName
    Description: The fully qualified domain name of the server.

    id

    Type: STRING
    Provider name: id
    Description: Resource ID.

    identity

    Type: STRUCT
    Provider name: identity
    Description: The Azure Active Directory identity of the server.

    • principal_id
      Type: STRING
      Provider name: principalId
      Description: The Azure Active Directory principal id.
    • tenant_id
      Type: STRING
      Provider name: tenantId
      Description: The Azure Active Directory tenant id.
    • type
      Type: STRING
      Provider name: type
      Description: The identity type. Set this to ‘SystemAssigned’ in order to automatically create and assign an Azure Active Directory principal for the resource.

    key_id

    Type: STRING
    Provider name: properties.keyId
    Description: A CMK URI of the key to use for encryption.

    kind

    Type: STRING
    Provider name: kind
    Description: Kind of sql server. This is metadata used for the Azure portal experience.

    location

    Type: STRING
    Provider name: location
    Description: Resource location.

    minimal_tls_version

    Type: STRING
    Provider name: properties.minimalTlsVersion
    Description: Minimal TLS version. Allowed values: ‘1.0’, ‘1.1’, ‘1.2’

    name

    Type: STRING
    Provider name: name
    Description: Resource name.

    primary_user_assigned_identity_id

    Type: STRING
    Provider name: properties.primaryUserAssignedIdentityId
    Description: The resource id of a user assigned identity to be used by default.

    private_endpoint_connections

    Type: UNORDERED_LIST_STRUCT
    Provider name: properties.privateEndpointConnections
    Description: List of private endpoint connections on a server

    • id
      Type: STRING
      Provider name: id
      Description: Resource ID.
    • private_endpoint
      Type: STRUCT
      Provider name: properties.privateEndpoint
      Description: Private endpoint which the connection belongs to.
      • id
        Type: STRING
        Provider name: id
        Description: Resource id of the private endpoint.
    • private_link_service_connection_state
      Type: STRUCT
      Provider name: properties.privateLinkServiceConnectionState
      Description: Connection state of the private endpoint connection.
      • actions_required
        Type: STRING
        Provider name: actionsRequired
        Description: The actions required for private link service connection.
      • description
        Type: STRING
        Provider name: description
        Description: The private link service connection description.
      • status
        Type: STRING
        Provider name: status
        Description: The private link service connection status.
    • provisioning_state
      Type: STRING
      Provider name: properties.provisioningState
      Description: State of the private endpoint connection.

    public_network_access

    Type: STRING
    Provider name: properties.publicNetworkAccess
    Description: Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

    resource_group

    Type: STRING

    state

    Type: STRING
    Provider name: properties.state
    Description: The state of the server.

    subscription_id

    Type: STRING

    subscription_name

    Type: STRING

    tags

    Type: UNORDERED_LIST_STRING

    type

    Type: STRING
    Provider name: type
    Description: Resource type.

    version

    Type: STRING
    Provider name: properties.version
    Description: The version of the server.

    vulnerability_assessments

    Type: UNORDERED_LIST_STRUCT
    Provider name: ServerVulnerabilityAssessment

    • id
      Type: STRING
      Provider name: id
      Description: Resource ID.
    • name
      Type: STRING
      Provider name: name
      Description: Resource name.
    • recurring_scans
      Type: STRUCT
      Provider name: properties.recurringScans
      Description: The recurring scans settings
      • email_subscription_admins
        Type: BOOLEAN
        Provider name: emailSubscriptionAdmins
        Description: Specifies that the scheduled scan notification is sent to the subscription administrators.
      • emails
        Type: UNORDERED_LIST_STRING
        Provider name: emails
        Description: Specifies an array of e-mail addresses to which the scan notification is sent.
      • is_enabled
        Type: BOOLEAN
        Provider name: isEnabled
        Description: Recurring scans state.
    • storage_account_access_key
      Type: STRING
      Provider name: properties.storageAccountAccessKey
      Description: Specifies the identifier key of the storage account for vulnerability assessment scan results. If ‘StorageContainerSasKey’ isn’t specified, storageAccountAccessKey is required. Applies only if the storage account is not behind a VNet or a firewall.
    • storage_container_path
      Type: STRING
      Provider name: properties.storageContainerPath
      Description: A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/).
    • storage_container_sas_key
      Type: STRING
      Provider name: properties.storageContainerSasKey
      Description: A shared access signature (SAS Key) that has write access to the blob container specified in the ‘storageContainerPath’ parameter. If ‘storageAccountAccessKey’ isn’t specified, StorageContainerSasKey is required. Applies only if the storage account is not behind a VNet or a firewall.
    • type
      Type: STRING
      Provider name: type
      Description: Resource type.

    workspace_feature

    Type: STRING
    Provider name: properties.workspaceFeature
    Description: Whether or not the existing server has a workspace created and whether it allows connections from the workspace.