Managed
Manages a Security Alert Policy for an MS SQL Managed Instance.
Example Usage
resources:
example:
type: azure:core:ResourceGroup
properties:
name: database-rg
location: West Europe
exampleNetworkSecurityGroup:
type: azure:network:NetworkSecurityGroup
name: example
properties:
name: mi-security-group
location: ${example.location}
resourceGroupName: ${example.name}
allowManagementInbound:
type: azure:network:NetworkSecurityRule
name: allow_management_inbound
properties:
name: allow_management_inbound
priority: 106
direction: Inbound
access: Allow
protocol: Tcp
sourcePortRange: '*'
destinationPortRanges:
- '9000'
- '9003'
- '1438'
- '1440'
- '1452'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
allowMisubnetInbound:
type: azure:network:NetworkSecurityRule
name: allow_misubnet_inbound
properties:
name: allow_misubnet_inbound
priority: 200
direction: Inbound
access: Allow
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: 10.0.0.0/24
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
allowHealthProbeInbound:
type: azure:network:NetworkSecurityRule
name: allow_health_probe_inbound
properties:
name: allow_health_probe_inbound
priority: 300
direction: Inbound
access: Allow
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: AzureLoadBalancer
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
allowTdsInbound:
type: azure:network:NetworkSecurityRule
name: allow_tds_inbound
properties:
name: allow_tds_inbound
priority: 1000
direction: Inbound
access: Allow
protocol: Tcp
sourcePortRange: '*'
destinationPortRange: '1433'
sourceAddressPrefix: VirtualNetwork
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
denyAllInbound:
type: azure:network:NetworkSecurityRule
name: deny_all_inbound
properties:
name: deny_all_inbound
priority: 4096
direction: Inbound
access: Deny
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
allowManagementOutbound:
type: azure:network:NetworkSecurityRule
name: allow_management_outbound
properties:
name: allow_management_outbound
priority: 102
direction: Outbound
access: Allow
protocol: Tcp
sourcePortRange: '*'
destinationPortRanges:
- '80'
- '443'
- '12000'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
allowMisubnetOutbound:
type: azure:network:NetworkSecurityRule
name: allow_misubnet_outbound
properties:
name: allow_misubnet_outbound
priority: 200
direction: Outbound
access: Allow
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: 10.0.0.0/24
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
denyAllOutbound:
type: azure:network:NetworkSecurityRule
name: deny_all_outbound
properties:
name: deny_all_outbound
priority: 4096
direction: Outbound
access: Deny
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
resourceGroupName: ${example.name}
networkSecurityGroupName: ${exampleNetworkSecurityGroup.name}
exampleVirtualNetwork:
type: azure:network:VirtualNetwork
name: example
properties:
name: vnet-mi
resourceGroupName: ${example.name}
addressSpaces:
- 10.0.0.0/16
location: ${example.location}
exampleSubnet:
type: azure:network:Subnet
name: example
properties:
name: subnet-mi
resourceGroupName: ${example.name}
virtualNetworkName: ${exampleVirtualNetwork.name}
addressPrefixes:
- 10.0.0.0/24
delegations:
- name: managedinstancedelegation
serviceDelegation:
name: Microsoft.Sql/managedInstances
actions:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
exampleSubnetNetworkSecurityGroupAssociation:
type: azure:network:SubnetNetworkSecurityGroupAssociation
name: example
properties:
subnetId: ${exampleSubnet.id}
networkSecurityGroupId: ${exampleNetworkSecurityGroup.id}
exampleRouteTable:
type: azure:network:RouteTable
name: example
properties:
name: routetable-mi
location: ${example.location}
resourceGroupName: ${example.name}
disableBgpRoutePropagation: false
options:
dependsOn:
- ${exampleSubnet}
exampleSubnetRouteTableAssociation:
type: azure:network:SubnetRouteTableAssociation
name: example
properties:
subnetId: ${exampleSubnet.id}
routeTableId: ${exampleRouteTable.id}
exampleManagedInstance:
type: azure:mssql:ManagedInstance
name: example
properties:
name: managedsqlinstance
resourceGroupName: ${example.name}
location: ${example.location}
licenseType: BasePrice
skuName: GP_Gen5
storageSizeInGb: 32
subnetId: ${exampleSubnet.id}
vcores: 4
administratorLogin: mradministrator
administratorLoginPassword: thisIsDog11
options:
dependsOn:
- ${exampleSubnetNetworkSecurityGroupAssociation}
- ${exampleSubnetRouteTableAssociation}
exampleManagedInstanceSecurityAlertPolicy:
type: azure:mssql:ManagedInstanceSecurityAlertPolicy
name: example
properties:
resourceGroupName: ${example.name}
managedInstanceName: ${exampleManagedInstance.name}
enabled: true
storageEndpoint: ${exampleAzurermStorageAccount.primaryBlobEndpoint}
storageAccountAccessKey: ${exampleAzurermStorageAccount.primaryAccessKey}
disabledAlerts:
- Sql_Injection
- Data_Exfiltration
retentionDays: 20Content copied to clipboard
Import
MS SQL Managed Instance Security Alert Policy can be imported using the resource id, e.g.
$ pulumi import azure:mssql/managedInstanceSecurityAlertPolicy:ManagedInstanceSecurityAlertPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acceptanceTestResourceGroup1/providers/Microsoft.Sql/managedInstances/instance1/securityAlertPolicies/DefaultContent copied to clipboard
Properties
Link copied to clipboard
Specifies an array of alerts that are disabled. Possible values are Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action and Brute_Force.
Link copied to clipboard
Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to false.
Link copied to clipboard
Specifies an array of email addresses to which the alert is sent.
Link copied to clipboard
Specifies the name of the MS SQL Managed Instance. Changing this forces a new resource to be created.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
The name of the resource group that contains the MS SQL Managed Instance. Changing this forces a new resource to be created.
Link copied to clipboard
Specifies the number of days to keep in the Threat Detection audit logs. Defaults to 0.
Link copied to clipboard
Specifies the identifier key of the Threat Detection audit storage account. This is mandatory when you use storage_endpoint to specify a storage account blob endpoint.
Link copied to clipboard
Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.