diff --git a/arm/Microsoft.Sql/servers/.parameters/parameters.json b/arm/Microsoft.Sql/servers/.parameters/parameters.json
index 2c5e6acb9f..25727edea5 100644
--- a/arm/Microsoft.Sql/servers/.parameters/parameters.json
+++ b/arm/Microsoft.Sql/servers/.parameters/parameters.json
@@ -28,12 +28,22 @@
             "value": [
                 {
                     "roleDefinitionIdOrName": "Reader",
-                    "principalIds": [
-                        "<>"
-                    ]
+                    "principalIds": ["<>"]
                 }
             ]
         },
+        "vulnerabilityAssessmentsObj": {
+            "value": {
+                "name": "default",
+                "emailSubscriptionAdmins": true,
+                "recurringScansIsEnabled": true,
+                "recurringScansEmails": [
+                    "test1@contoso.com",
+                    "test2@contoso.com"
+                ],
+                "vulnerabilityAssessmentsStorageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+            }
+        },
         "databases": {
             "value": [
                 {
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index db2a46ff0b..0fe6c487b8 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -53,6 +53,9 @@ var identity = identityType != 'None' ? {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
+@description('Optional. The vulnerability assessment configuration')
+param vulnerabilityAssessmentsObj object = {}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
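Review bot: The `"emailSubscriptionAdmins": true` entry in the new `vulnerabilityAssessmentsObj` value is not the key the parent module reads — `deploy.bicep` looks up `recurringScansEmailSubscriptionAdmins` and falls back to `false` when it is absent — so this test parameter file silently deploys a vulnerability assessment that does not notify subscription admins, and the mismatch is invisible to the deployment. Rename the key to `"recurringScansEmailSubscriptionAdmins": true` so the parameter file exercises the path it appears to configure. It would also help to mark the address list as placeholders, since `test1@contoso.com` is presumably never meant to receive real scan reports.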
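Review bot: The new `param vulnerabilityAssessmentsObj` is declared between `var identity` and the `defaultTelemetry` resource rather than with the other parameters, which makes it easy to miss when reading the parameter surface of the module; move it up next to the other `@description('Optional. …')` params (outside this hunk). Its description also lacks the trailing period every sibling description in this module uses, so `@description('Optional. The vulnerability assessment configuration.')` keeps the generated readme consistent. Because the object is untyped, a note in the description that `name` and `vulnerabilityAssessmentsStorageAccountId` are effectively required keys would save callers a failed deployment.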
@@ -167,6 +170,22 @@ module server_securityAlertPolicies 'securityAlertPolicies/deploy.bicep' = [for
   }
 }]
 
+module server_vulnerabilityAssessment 'vulnerabilityAssessments/deploy.bicep' = if (!empty(vulnerabilityAssessmentsObj)) {
+  name: '${uniqueString(deployment().name, location)}-Sql-VulnAssessm'
+  params: {
+    serverName: server.name
+    name: vulnerabilityAssessmentsObj.name
+    recurringScansEmails: contains(vulnerabilityAssessmentsObj, 'recurringScansEmails') ? vulnerabilityAssessmentsObj.recurringScansEmails : []
+    recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false
+    recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false
+    vulnerabilityAssessmentsStorageAccountId: contains(vulnerabilityAssessmentsObj, 'vulnerabilityAssessmentsStorageAccountId') ? vulnerabilityAssessmentsObj.vulnerabilityAssessmentsStorageAccountId : ''
+    enableDefaultTelemetry: enableDefaultTelemetry
+  }
+  dependsOn: [
+    server_securityAlertPolicies
+  ]
+}
+
 @description('The name of the deployed SQL server.')
 output name string = server.name
 
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md
index d38789ae87..33b70a1c44 100644
--- a/arm/Microsoft.Sql/servers/readme.md
+++ b/arm/Microsoft.Sql/servers/readme.md
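Review bot: Forwarding `''` for `vulnerabilityAssessmentsStorageAccountId` when the caller omits the key is not a safe default: the child module feeds that value straight into `listKeys(...)` and into the `storageContainerPath` URL, so the deployment fails late at the child's resource step with an error that does not name the missing key. Since the child cannot create the resource without a storage account, read it unguarded the way `name` is read, `vulnerabilityAssessmentsStorageAccountId: vulnerabilityAssessmentsObj.vulnerabilityAssessmentsStorageAccountId`, so a missing key fails at template validation instead. The `dependsOn: [ server_securityAlertPolicies ]` ordering is presumably there because the assessment needs the alert policy in place first; a one-line comment stating that would stop a future cleanup from removing it.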
@@ -19,6 +19,7 @@ This module deploys a SQL server.
 | `Microsoft.Sql/servers/databases` | [2021-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/databases) |
 | `Microsoft.Sql/servers/firewallRules` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers/firewallRules) |
 | `Microsoft.Sql/servers/securityAlertPolicies` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers/securityAlertPolicies) |
+| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2021-11-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01-preview/servers/vulnerabilityAssessments) |
 
 ## Parameters
 
@@ -43,6 +44,7 @@ This module deploys a SQL server.
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the resource. |
 | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
+| `vulnerabilityAssessmentsObj` | _[vulnerabilityAssessments](vulnerabilityAssessments/readme.md)_ object | `{object}` | | The vulnerability assessment configuration |
 
 ### Parameter Usage: `roleAssignments`
 
diff --git a/arm/Microsoft.Sql/servers/vulnerabilityAssessments/deploy.bicep b/arm/Microsoft.Sql/servers/vulnerabilityAssessments/deploy.bicep
new file mode 100644
index 0000000000..1a9bf98fa3
--- /dev/null
+++ b/arm/Microsoft.Sql/servers/vulnerabilityAssessments/deploy.bicep
@@ -0,0 +1,59 @@
+@description('Required. The name of the vulnerability assessment')
+param name string
+
+@description('Required. The Name of SQL Server')
+param serverName string
+
+@description('Optional. Recurring scans state.')
+param recurringScansIsEnabled bool = false
+
+@description('Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators.')
+param recurringScansEmailSubscriptionAdmins bool = false
+
+@description('Optional. Specifies an array of email addresses to which the scan notification is sent.')
+param recurringScansEmails array = []
+
+@description('Optional. A blob storage to hold the scan results.')
+param vulnerabilityAssessmentsStorageAccountId string = ''
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-9319755b-f697-4146-b966-4656e0b46cac-${uniqueString(deployment().name)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource server 'Microsoft.Sql/servers@2021-05-01-preview' existing = {
+  name: serverName
+}
+
+resource vulnerabilityAssessment 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01-preview' = {
+  name: name
+  parent: server
+  properties: {
+    storageContainerPath: 'https://${last(split(vulnerabilityAssessmentsStorageAccountId, '/'))}.blob.${environment().suffixes.storage}/vulnerability-assessment/'
+    storageAccountAccessKey: listKeys(vulnerabilityAssessmentsStorageAccountId, '2019-06-01').keys[0].value
+    recurringScans: {
+      isEnabled: recurringScansIsEnabled
+      emailSubscriptionAdmins: recurringScansEmailSubscriptionAdmins
+      emails: recurringScansEmails
+    }
+  }
+}
+
+@description('The name of the deployed vulnerability assessment')
+output name string = vulnerabilityAssessment.name
+
+@description('The resource ID of the deployed vulnerability assessment')
+output resourceId string = vulnerabilityAssessment.id
+
+@description('The resource group of the deployed vulnerability assessment')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.Sql/servers/vulnerabilityAssessments/readme.md b/arm/Microsoft.Sql/servers/vulnerabilityAssessments/readme.md
new file mode 100644
index 0000000000..c86bdeedce
--- /dev/null
+++ b/arm/Microsoft.Sql/servers/vulnerabilityAssessments/readme.md
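Review bot: `storageAccountAccessKey: listKeys(vulnerabilityAssessmentsStorageAccountId, '2019-06-01').keys[0].value` pulls the storage account's primary key at deploy time and stores it in the assessment settings, which means the deploying principal needs `listKeys` on that account, a long-lived shared key is handed to the SQL resource, and rotating key1 silently breaks scan uploads until the template is redeployed; if the SQL server's managed identity can be granted blob access instead, omitting the key (the API presumably falls back to identity-based access, to be confirmed) would remove the secret entirely. The `''` default on `vulnerabilityAssessmentsStorageAccountId` is also unusable, since both this `listKeys` call and the `storageContainerPath` URL need a real resource ID, so the parameter should be declared `@description('Required. Resource ID of the storage account that holds the scan results.')` with no default rather than "Optional". A `@minLength(1)`-style guard would at least make the failure explicit at validation time. Separately, the description on `recurringScansEmailSubscriptionAdmins` reads "will be is sent"; `'Optional. Specifies that the scheduled scan notification will also be sent to the subscription administrators.'` reads correctly.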
@@ -0,0 +1,41 @@
+# SQL Server Vulnerability Assessments `[Microsoft.Sql/servers/vulnerabilityAssessments]`
+
+This module deploys a vulnerability assessment for a SQL server.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2021-11-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01-preview/servers/vulnerabilityAssessments) |
+
+## Parameters
+
+**Required parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the vulnerability assessment |
+| `serverName` | string | The Name of SQL Server |
+
+**Optional parameters**
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| `recurringScansEmails` | array | `[]` | Specifies an array of email addresses to which the scan notification is sent. |
+| `recurringScansEmailSubscriptionAdmins` | bool | `False` | Specifies that the schedule scan notification will be is sent to the subscription administrators. |
+| `recurringScansIsEnabled` | bool | `False` | Recurring scans state. |
+| `vulnerabilityAssessmentsStorageAccountId` | string | `''` | A blob storage to hold the scan results. |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed vulnerability assessment |
+| `resourceGroupName` | string | The resource group of the deployed vulnerability assessment |
+| `resourceId` | string | The resource ID of the deployed vulnerability assessment |
diff --git a/arm/Microsoft.Sql/servers/vulnerabilityAssessments/version.json b/arm/Microsoft.Sql/servers/vulnerabilityAssessments/version.json
new file mode 100644
index 0000000000..f64f5fbd13
--- /dev/null
+++ b/arm/Microsoft.Sql/servers/vulnerabilityAssessments/version.json
@@ -0,0 +1,4 @@
+{
+  "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+  "version": "0.5"
+}