pulumi-azure-kotlin/com.pulumi.azure.mssql.kotlin/ManagedInstanceSecurityAlertPolicy

ManagedInstanceSecurityAlertPolicy

class ManagedInstanceSecurityAlertPolicy : KotlinCustomResource

Manages a Security Alert Policy for an MS SQL Managed Instance.

Example Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.network.NetworkSecurityGroup;
import com.pulumi.azure.network.NetworkSecurityGroupArgs;
import com.pulumi.azure.network.NetworkSecurityRule;
import com.pulumi.azure.network.NetworkSecurityRuleArgs;
import com.pulumi.azure.network.VirtualNetwork;
import com.pulumi.azure.network.VirtualNetworkArgs;
import com.pulumi.azure.network.Subnet;
import com.pulumi.azure.network.SubnetArgs;
import com.pulumi.azure.network.inputs.SubnetDelegationArgs;
import com.pulumi.azure.network.inputs.SubnetDelegationServiceDelegationArgs;
import com.pulumi.azure.network.SubnetNetworkSecurityGroupAssociation;
import com.pulumi.azure.network.SubnetNetworkSecurityGroupAssociationArgs;
import com.pulumi.azure.network.RouteTable;
import com.pulumi.azure.network.RouteTableArgs;
import com.pulumi.azure.network.SubnetRouteTableAssociation;
import com.pulumi.azure.network.SubnetRouteTableAssociationArgs;
import com.pulumi.azure.mssql.ManagedInstance;
import com.pulumi.azure.mssql.ManagedInstanceArgs;
import com.pulumi.azure.mssql.ManagedInstanceSecurityAlertPolicy;
import com.pulumi.azure.mssql.ManagedInstanceSecurityAlertPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("database-rg")
            .location("West Europe")
            .build());
        var exampleNetworkSecurityGroup = new NetworkSecurityGroup("exampleNetworkSecurityGroup", NetworkSecurityGroupArgs.builder()
            .name("mi-security-group")
            .location(example.location())
            .resourceGroupName(example.name())
            .build());
        var allowManagementInbound = new NetworkSecurityRule("allowManagementInbound", NetworkSecurityRuleArgs.builder()
            .name("allow_management_inbound")
            .priority(106)
            .direction("Inbound")
            .access("Allow")
            .protocol("Tcp")
            .sourcePortRange("*")
            .destinationPortRanges(
                "9000",
                "9003",
                "1438",
                "1440",
                "1452")
            .sourceAddressPrefix("*")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var allowMisubnetInbound = new NetworkSecurityRule("allowMisubnetInbound", NetworkSecurityRuleArgs.builder()
            .name("allow_misubnet_inbound")
            .priority(200)
            .direction("Inbound")
            .access("Allow")
            .protocol("*")
            .sourcePortRange("*")
            .destinationPortRange("*")
            .sourceAddressPrefix("10.0.0.0/24")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var allowHealthProbeInbound = new NetworkSecurityRule("allowHealthProbeInbound", NetworkSecurityRuleArgs.builder()
            .name("allow_health_probe_inbound")
            .priority(300)
            .direction("Inbound")
            .access("Allow")
            .protocol("*")
            .sourcePortRange("*")
            .destinationPortRange("*")
            .sourceAddressPrefix("AzureLoadBalancer")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var allowTdsInbound = new NetworkSecurityRule("allowTdsInbound", NetworkSecurityRuleArgs.builder()
            .name("allow_tds_inbound")
            .priority(1000)
            .direction("Inbound")
            .access("Allow")
            .protocol("Tcp")
            .sourcePortRange("*")
            .destinationPortRange("1433")
            .sourceAddressPrefix("VirtualNetwork")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var denyAllInbound = new NetworkSecurityRule("denyAllInbound", NetworkSecurityRuleArgs.builder()
            .name("deny_all_inbound")
            .priority(4096)
            .direction("Inbound")
            .access("Deny")
            .protocol("*")
            .sourcePortRange("*")
            .destinationPortRange("*")
            .sourceAddressPrefix("*")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var allowManagementOutbound = new NetworkSecurityRule("allowManagementOutbound", NetworkSecurityRuleArgs.builder()
            .name("allow_management_outbound")
            .priority(102)
            .direction("Outbound")
            .access("Allow")
            .protocol("Tcp")
            .sourcePortRange("*")
            .destinationPortRanges(
                "80",
                "443",
                "12000")
            .sourceAddressPrefix("*")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var allowMisubnetOutbound = new NetworkSecurityRule("allowMisubnetOutbound", NetworkSecurityRuleArgs.builder()
            .name("allow_misubnet_outbound")
            .priority(200)
            .direction("Outbound")
            .access("Allow")
            .protocol("*")
            .sourcePortRange("*")
            .destinationPortRange("*")
            .sourceAddressPrefix("10.0.0.0/24")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var denyAllOutbound = new NetworkSecurityRule("denyAllOutbound", NetworkSecurityRuleArgs.builder()
            .name("deny_all_outbound")
            .priority(4096)
            .direction("Outbound")
            .access("Deny")
            .protocol("*")
            .sourcePortRange("*")
            .destinationPortRange("*")
            .sourceAddressPrefix("*")
            .destinationAddressPrefix("*")
            .resourceGroupName(example.name())
            .networkSecurityGroupName(exampleNetworkSecurityGroup.name())
            .build());
        var exampleVirtualNetwork = new VirtualNetwork("exampleVirtualNetwork", VirtualNetworkArgs.builder()
            .name("vnet-mi")
            .resourceGroupName(example.name())
            .addressSpaces("10.0.0.0/16")
            .location(example.location())
            .build());
        var exampleSubnet = new Subnet("exampleSubnet", SubnetArgs.builder()
            .name("subnet-mi")
            .resourceGroupName(example.name())
            .virtualNetworkName(exampleVirtualNetwork.name())
            .addressPrefixes("10.0.0.0/24")
            .delegations(SubnetDelegationArgs.builder()
                .name("managedinstancedelegation")
                .serviceDelegation(SubnetDelegationServiceDelegationArgs.builder()
                    .name("Microsoft.Sql/managedInstances")
                    .actions(
                        "Microsoft.Network/virtualNetworks/subnets/join/action",
                        "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
                        "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action")
                    .build())
                .build())
            .build());
        var exampleSubnetNetworkSecurityGroupAssociation = new SubnetNetworkSecurityGroupAssociation("exampleSubnetNetworkSecurityGroupAssociation", SubnetNetworkSecurityGroupAssociationArgs.builder()
            .subnetId(exampleSubnet.id())
            .networkSecurityGroupId(exampleNetworkSecurityGroup.id())
            .build());
        var exampleRouteTable = new RouteTable("exampleRouteTable", RouteTableArgs.builder()
            .name("routetable-mi")
            .location(example.location())
            .resourceGroupName(example.name())
            .disableBgpRoutePropagation(false)
            .build());
        var exampleSubnetRouteTableAssociation = new SubnetRouteTableAssociation("exampleSubnetRouteTableAssociation", SubnetRouteTableAssociationArgs.builder()
            .subnetId(exampleSubnet.id())
            .routeTableId(exampleRouteTable.id())
            .build());
        var exampleManagedInstance = new ManagedInstance("exampleManagedInstance", ManagedInstanceArgs.builder()
            .name("managedsqlinstance")
            .resourceGroupName(example.name())
            .location(example.location())
            .licenseType("BasePrice")
            .skuName("GP_Gen5")
            .storageSizeInGb(32)
            .subnetId(exampleSubnet.id())
            .vcores(4)
            .administratorLogin("mradministrator")
            .administratorLoginPassword("thisIsDog11")
            .build());
        var exampleManagedInstanceSecurityAlertPolicy = new ManagedInstanceSecurityAlertPolicy("exampleManagedInstanceSecurityAlertPolicy", ManagedInstanceSecurityAlertPolicyArgs.builder()
            .resourceGroupName(example.name())
            .managedInstanceName(exampleManagedInstance.name())
            .enabled(true)
            .storageEndpoint(exampleAzurermStorageAccount.primaryBlobEndpoint())
            .storageAccountAccessKey(exampleAzurermStorageAccount.primaryAccessKey())
            .disabledAlerts(
                "Sql_Injection",
                "Data_Exfiltration")
            .retentionDays(20)
            .build());
    }
}
Content copied to clipboard

Import

MS SQL Managed Instance Security Alert Policy can be imported using the resource id, e.g.

$ pulumi import azure:mssql/managedInstanceSecurityAlertPolicy:ManagedInstanceSecurityAlertPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acceptanceTestResourceGroup1/providers/Microsoft.Sql/managedInstances/instance1/securityAlertPolicies/Default
Content copied to clipboard

Properties

Link copied to clipboard
val disabledAlerts: Output<List<String>>?

Specifies an array of alerts that are disabled. Possible values are Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action and Brute_Force.

Link copied to clipboard
val emailAccountAdminsEnabled: Output<Boolean>?

Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to false.

Link copied to clipboard
val emailAddresses: Output<List<String>>?

Specifies an array of email addresses to which the alert is sent.

Link copied to clipboard
val enabled: Output<Boolean>?

Specifies the state of the Security Alert Policy, whether it is enabled or disabled. Possible values are true, false.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val managedInstanceName: Output<String>

Specifies the name of the MS SQL Managed Instance. Changing this forces a new resource to be created.

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val resourceGroupName: Output<String>

The name of the resource group that contains the MS SQL Managed Instance. Changing this forces a new resource to be created.

Link copied to clipboard
val retentionDays: Output<Int>?

Specifies the number of days to keep in the Threat Detection audit logs. Defaults to 0.

Link copied to clipboard
val storageAccountAccessKey: Output<String>?

Specifies the identifier key of the Threat Detection audit storage account. This is mandatory when you use storage_endpoint to specify a storage account blob endpoint.

Link copied to clipboard
val storageEndpoint: Output<String>?

Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.

Link copied to clipboard
val urn: Output<String>