Azure · MrRoundRobin · May 9, 2022 · May 6, 2022 · May 6, 2022 · May 8, 2022
@@ -28,12 +28,22 @@
             "value": [
                 {
                     "roleDefinitionIdOrName": "Reader",
-                    "principalIds": [
-                        "<<deploymentSpId>>"
-                    ]
+                    "principalIds": ["<<deploymentSpId>>"]
                 }
             ]
         },
+        "vulnerabilityAssessmentsObj": {
+            "value": {
+                "name": "default",
+                "emailSubscriptionAdmins": true,
+                "recurringScansIsEnabled": true,
+                "recurringScansEmails": [
+                    "test1@contoso.com",
+                    "test2@contoso.com"
+                ],
+                "vulnerabilityAssessmentsStorageAccountId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
+            }
+        },
         "databases": {
             "value": [
                 {

@@ -53,6 +53,9 @@ var identity = identityType != 'None' ? {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
+@description('Optional. The vulnerability assessment configuration')
+param vulnerabilityAssessmentsObj object = {}
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
@@ -167,6 +170,22 @@ module server_securityAlertPolicies 'securityAlertPolicies/deploy.bicep' = [for
   }
 }]
 
+module server_vulnerabilityAssessment 'vulnerabilityAssessments/deploy.bicep' = if (!empty(vulnerabilityAssessmentsObj)) {
+  name: '${uniqueString(deployment().name, location)}-Sql-VulnAssessm'
+  params: {
+    serverName: server.name
+    name: vulnerabilityAssessmentsObj.name
+    recurringScansEmails: contains(vulnerabilityAssessmentsObj, 'recurringScansEmails') ? vulnerabilityAssessmentsObj.recurringScansEmails : []
+    recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false
+    recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false
+    vulnerabilityAssessmentsStorageAccountId: contains(vulnerabilityAssessmentsObj, 'vulnerabilityAssessmentsStorageAccountId') ? vulnerabilityAssessmentsObj.vulnerabilityAssessmentsStorageAccountId : ''
+    enableDefaultTelemetry: enableDefaultTelemetry
+  }
+  dependsOn: [
+    server_securityAlertPolicies
+  ]
+}
+
 @description('The name of the deployed SQL server.')
 output name string = server.name
 

@@ -19,6 +19,7 @@ This module deploys a SQL server.
 | `Microsoft.Sql/servers/databases` | [2021-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/databases) |
 | `Microsoft.Sql/servers/firewallRules` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers/firewallRules) |
 | `Microsoft.Sql/servers/securityAlertPolicies` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers/securityAlertPolicies) |
+| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2021-11-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01-preview/servers/vulnerabilityAssessments) |
 
 ## Parameters
 
@@ -43,6 +44,7 @@ This module deploys a SQL server.
 | `systemAssignedIdentity` | bool | `False` |  | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` |  | Tags of the resource. |
 | `userAssignedIdentities` | object | `{object}` |  | The ID(s) to assign to the resource. |
+| `vulnerabilityAssessmentsObj` | _[vulnerabilityAssessments](vulnerabilityAssessments/readme.md)_ object | `{object}` |  | The vulnerability assessment configuration |
 
 
 ### Parameter Usage: `roleAssignments`

@@ -0,0 +1,59 @@
+@description('Required. The name of the vulnerability assessment')
+param name string
+
+@description('Required. The Name of SQL Server')
+param serverName string
+
+@description('Optional. Recurring scans state.')
+param recurringScansIsEnabled bool = false
+
+@description('Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators.')
+param recurringScansEmailSubscriptionAdmins bool = false
+
+@description('Optional. Specifies an array of email addresses to which the scan notification is sent.')
+param recurringScansEmails array = []
+
+@description('Optional. A blob storage to hold the scan results.')
+param vulnerabilityAssessmentsStorageAccountId string = ''
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-9319755b-f697-4146-b966-4656e0b46cac-${uniqueString(deployment().name)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource server 'Microsoft.Sql/servers@2021-05-01-preview' existing = {
+  name: serverName
+}
+
+resource vulnerabilityAssessment 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01-preview' = {
+  name: name
+  parent: server
+  properties: {
+    storageContainerPath: 'https://${last(split(vulnerabilityAssessmentsStorageAccountId, '/'))}.blob.${environment().suffixes.storage}/vulnerability-assessment/'
+    storageAccountAccessKey: listKeys(vulnerabilityAssessmentsStorageAccountId, '2019-06-01').keys[0].value
+    recurringScans: {
+      isEnabled: recurringScansIsEnabled
+      emailSubscriptionAdmins: recurringScansEmailSubscriptionAdmins
+      emails: recurringScansEmails
+    }
+  }
+}
+
+@description('The name of the deployed vulnerability assessment')
+output name string = vulnerabilityAssessment.name
+
+@description('The resource ID of the deployed vulnerability assessment')
+output resourceId string = vulnerabilityAssessment.id
+
+@description('The resource group of the deployed vulnerability assessment')
+output resourceGroupName string = resourceGroup().name
@@ -0,0 +1,41 @@
+# SQL Server Vulnerability Assessments `[Microsoft.Sql/servers/vulnerabilityAssessments]`
+
+This module deploys a vulnerability assessment for a SQL server.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2021-11-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01-preview/servers/vulnerabilityAssessments) |
+
+## Parameters
+
+**Required parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the vulnerability assessment |
+| `serverName` | string | The Name of SQL Server |
+
+**Optional parameters**
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| `recurringScansEmails` | array | `[]` | Specifies an array of email addresses to which the scan notification is sent. |
+| `recurringScansEmailSubscriptionAdmins` | bool | `False` | Specifies that the schedule scan notification will be is sent to the subscription administrators. |
+| `recurringScansIsEnabled` | bool | `False` | Recurring scans state. |
+| `vulnerabilityAssessmentsStorageAccountId` | string | `''` | A blob storage to hold the scan results. |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed vulnerability assessment |
+| `resourceGroupName` | string | The resource group of the deployed vulnerability assessment |
+| `resourceId` | string | The resource ID of the deployed vulnerability assessment |
@@ -0,0 +1,4 @@
+{
+  "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+  "version": "0.5"
+}