Setting Transparent Data Encryption on Azure SQL DB using an ARM Template - azure

Is it possible to turn Transparent Data Encryption on for a SQL Azure DB using an ARM json template? If so, how?

The Template Should look like this.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"type": "string",
"defaultValue": "TDETest2",
"metadata": {
"description": "The name of the new SQL Server to create."
}
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The admin user of the SQL Server"
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password of the admin user of the SQL Server"
}
},
"databaseName": {
"type": "string",
"defaultValue": "TDETest2",
"metadata": {
"description": "The name of the new database to create."
}
},
"collation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The database collation for governing the proper use of characters."
}
},
"edition": {
"type": "string",
"defaultValue": "Basic",
"allowedValues": [
"Basic",
"Standard",
"Premium"
],
"metadata": {
"description": "The type of database to create."
}
},
"maxSizeBytes": {
"type": "string",
"defaultValue": "1073741824",
"metadata": {
"description": "The maximum size, in bytes, for the database"
}
},
"requestedServiceObjectiveName": {
"type": "string",
"defaultValue": "Basic",
"allowedValues": [
"Basic",
"S0",
"S1",
"S2",
"P1",
"P2",
"P3"
],
"metadata": {
"description": "Describes the performance level for Edition"
}
}
},
"variables": {
},
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "SqlServer"
},
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]"
},
"resources": [
{
"name": "[parameters('databaseName')]",
"type": "databases",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "Database"
},
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[parameters('serverName')]"
],
"properties": {
"edition": "[parameters('edition')]",
"collation": "[parameters('collation')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]"
},
"resources":[
{
"name": "current",
"type": "transparentDataEncryption",
"dependsOn": [
"[parameters('databaseName')]"
],
"location": null,
"apiVersion": "2014-04-01",
"properties": {
"status": "Disabled"
}
}
]
},
{
"type": "firewallrules",
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[parameters('serverName')]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
}
]
}
],
"outputs": {
"sqlSvrFqdn": {
"type": "string",
"value": "[reference(concat('Microsoft.Sql/servers/', parameters('serverName'))).fullyQualifiedDomainName]"
}
}
}
transparentDataEncryption should be a resource that belongs to an SQL database. Hence I am putting it under the resources of the database template.
However, after testing this template, I get the following error message.
Code : InvalidTemplate
Message : Deployment template validation failed: 'The template resource 'Microsoft.Sql/servers/TDETest2/databases/TDETest2' cannot reference itself. Please see http://aka.ms/arm-template-expressions/#reference for usage details.'.
That means Transparent Data Encryption is not supported yet in ARM Template. I have posted a feature request. Please vote here
Thanks for #JeffBailey. I find out that I have made a mistake in my template, using serverName instead of databaseName in the dependsOn of the transparentDataEncryption. The template has been updated.

You need to add the resource:
"resources":[
{
"name": "current",
"type": "transparentDataEncryption",
"dependsOn": [
"[parameters('databaseName')]"
],
"location": null,
"apiVersion": "2014-04-01",
"properties": {
"status": "Enabled"
}
}
]
And the database version has to be version 12:
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "SqlServer"
},
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
},

Now encryption is on by default, you don't need to set it as enabled.

Related

ARM template for elastic database pool fails

I'm having issues trying to deploy an ARM with ElasticPool GeneralPurpose edition. ihave to tried this in mulitple environment but it keeps failing. I'm using the code below which referenced from the Github repository of starter templates
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The SQL Server administrator login"
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The SQL Server administrator login password."
}
},
"serverName": {
"type": "string",
"metadata": {
"description": "The SQL Server name."
}
},
"elasticPoolName": {
"type": "string",
"metadata": {
"description": "The Elastic Pool name."
}
},
"edition": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Basic",
"Standard",
"Premium",
"GP_Gen5",
"BC_Gen5"
],
"metadata": {
"description": "The Elastic Pool edition."
}
},
"capacity": {
"type": "int",
"metadata": {
"description": "The Elastic Pool DTU or nomber of vcore."
}
},
"databaseCapacityMin": {
"type": "int",
"defaultValue": 0,
"metadata": {
"description": "The Elastic Pool database capacity min."
}
},
"databaseCapacityMax": {
"type": "int",
"metadata": {
"description": "The Elastic Pool database capacity max."
}
},
"databasesNames": {
"type": "array",
"defaultValue": [
"db1",
"db2"
],
"metadata": {
"description": "The SQL Databases names."
}
},
"databaseCollation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The SQL Database collation."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"editionToSkuMap": {
"Basic": {
"family": null,
"name": "BasicPool",
"tier": "Basic"
},
"Standard": {
"family": null,
"name": "StandardPool",
"tier": "Standard"
},
"Premium": {
"family": null,
"name": "PremiumPool",
"tier": "Premium"
},
"GP_Gen5": {
"family": "Gen5",
"name": "GP_Gen5",
"tier": "GeneralPurpose"
},
"BC_Gen5": {
"family": "Gen5",
"name": "BC_Gen5",
"tier": "BusinessCritical"
}
},
"skuName": "[variables('editionToSkuMap')[parameters('edition')].name]",
"skuTier": "[variables('editionToSkuMap')[parameters('edition')].tier]",
"skuFamily": "[variables('editionToSkuMap')[parameters('edition')].family]"
},
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2020-02-02-preview",
"location": "[parameters('location')]",
"name": "[parameters('serverName')]",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
}
},
{
"type": "Microsoft.Sql/servers/elasticPools",
"apiVersion": "2020-02-02-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "[concat(parameters('serverName'), '/', parameters('elasticPoolName'))]",
"sku": {
"name": "[variables('skuName')]",
"tier": "[variables('skuTier')]",
"family": "[variables('skuFamily')]",
"capacity": "[parameters('capacity')]"
},
"properties": {
"perDatabaseSettings": {
"minCapacity": "[parameters('databaseCapacityMin')]",
"maxCapacity": "[parameters('databaseCapacityMax')]"
}
}
},
{
"type": "Microsoft.Sql/servers/databases",
"name": "[concat(parameters('serverName'), '/', parameters('databasesNames')[copyIndex()])]",
"location": "[parameters('location')]",
"apiVersion": "2020-02-02-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/', parameters('serverName'))]",
"[resourceId('Microsoft.Sql/servers/elasticpools', parameters('serverName'), parameters('elasticPoolName'))]"
],
"sku": {
"name": "ElasticPool",
"tier": "[variables('skuTier')]",
"capacity": 0
},
"properties": {
"collation": "[parameters('databaseCollation')]",
"elasticPoolId": "[resourceId('Microsoft.Sql/servers/elasticpools', parameters('serverName'), parameters('elasticPoolName'))]"
},
"copy": {
"name": "addDatabasesInElasticPool",
"count": "[length(parameters('databasesNames'))]"
}
},
{
"apiVersion": "2020-02-02-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "[concat(parameters('serverName'), '/', 'AllowAllWindowsAzureIps')]",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "Microsoft.Sql/servers/firewallrules"
}
]
}
The deployment fails with this error
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InvalidTierSkuCombination","message":"The tier 'GeneralPurpose' does not support the sku 'SQLDB_GP_Gen5'."}]}
Please what can be issue here?
I think the error message explains the cause of the deployment failure
The tier 'GeneralPurpose' does not support the sku 'SQLDB_GP_Gen5'
The mapping of tier to sku is controlled by the input parameter edition, and the editionToSkuMap variable map, which indicates to me that the variable map is not correct. You'll likely need to dig into what the valid sku values are for a tier with the az CLI
az sql elastic-pool list-editions -l -o table
and update the variable mapping, then try to deploy again. It's probably worth opening an issue on the Azure Quickstart templates repository too
Please download this template (template.json & parameters.json) from GitHub that will allow you to create an Azure SQL Database Elastic Pool - General Purpose with one database included.

How to reference an existing storage account created in Azure portal in an ARM template

`
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"InputstorageAccount": {
"defaultValue": "inputstgdev",
"type": "String"
},
"GitrepoBranch": {
"type": "string",
"defaultValue": "master",
"metadata": {
"description": "Name of the branch to use when deploying (Default = master)."
}
},
"GitrepoURL": {
"type": "string",
"defaultValue": "https://github.com/FBoucher/AzUnzipEverything.git",
"metadata": {
"description": "URL to repo (Default = master)."
}
},
"InputcontainerName": {
"type": "string",
"defaultValue": "inputcontainer",
"metadata": {
"description": "Specifies the name of the blob container."
}
},
"OutputstorageAccount": {
"defaultValue": "outputstgdev",
"type": "String"
},
"OutputcontainerName": {
"type": "string",
"defaultValue": "outputcontainer",
"metadata": {
"description": "Specifies the name of the blob container."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('InputstorageAccount'), '/default/', parameters('InputcontainerName'))]",
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('OutputstorageAccount'), '/default/', parameters('OutputcontainerName'))]",
"properties": {
"publicAccess": "None"
}
},
{
"name": "serviceplan",
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "F1",
"capacity": 1
},
"tags": {
"displayName": "serviceplan"
},
"properties": {
"name": "serviceplan"
}
},
{
"name": "functionapp",
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"location": "[resourceGroup().location]",
"kind": "functionapp",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', 'serviceplan')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('InputstorageAccount'))]"
],
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'serviceplan')]",
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsDashboard",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('InputstorageAccount'), ';AccountKey=', listKeys(parameters('InputcontainerName'),'2015-05-01-preview').key1)]"
},
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('InputstorageAccount'), ';AccountKey=', listKeys(parameters('InputcontainerName'),'2015-05-01-preview').key1)]"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('InputstorageAccount'), ';AccountKey=', listKeys(parameters('InputcontainerName'),'2015-05-01-preview').key1)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[toLower('functionapp')]"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~2"
},
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(resourceId('microsoft.insights/components/', 'applicationInsightsName'), '2015-05-01').InstrumentationKey]"
},
{
"name": "FUNCTIONS_WORKER_RUNTIME",
"value": "dotnet"
}
]
}
},
"resources":[
{
"apiVersion": "2015-08-01",
"name": "web",
"type": "sourcecontrols",
"dependsOn": [
"[resourceId('Microsoft.Web/sites/', parameters('InputstorageAccount'))]"
],
"properties": {
"RepoUrl": "[parameters('GitrepoURL')]",
"branch": "[parameters('GitrepoBranch')]",
"publishRunbook": true,
"IsManualIntegration": true
}
}
]
}
]
}
`I have a storage account called STGaccount which I created with the Azure portal and would like to use ARM template to create a container called inputcontainer in this STGaccount. Each time I try to do so I get an error message saying that the storage account STGaccount I am trying to create with the ARM template already exist in the resource group....So i guess I am writing my ARM template in a way that it still creates a new storage account with a name similar to the one I already have in the resource group. What I actually want to do is to reference the already existing storage account in my ARM template such that i do not have to create a new one.
Thanks in advance as I look forward to your response
Try this ARM template, this will help you to create a container in the existing Storage account.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"defaultValue": "STGaccount",
"type": "String"
},
"containerName": {
"type": "string",
"defaultValue": "inputcontainer",
"metadata": {
"description": "Specifies the name of the blob container."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccountName'), '/default/', parameters('containerName'))]",
"properties": {
"publicAccess": "None"
}
}
]
}

Internal Server Error while Listing the Function App Keys in Azure Government

I am trying to deploy a Http triggered Azure Function App in Azure Government through ARM template. Initially I got the name conflict error There was a conflict. The remote name could not be resolved: 'sftestgovstorage.file.core.windows.net'. I tried to solve this error by following the link. After which I tried listing the function app keys and tried creating a new key. I am getting the error message Internal Server Error.
I even tried adding the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING setting into configuration with the storage account connection string with suffix ;EndpointSuffix=core.usgovcloudapi.net. But I am still not able to list or create new function app keys.
I am using the following code to create a new function key
HttpClient _client = new HttpClient();
_client.DefaultRequestHeaders.Add("Authorization", "Bearer " + jwtToken);
var response = await
_client.PostAsync($"https://functionAppName.azurewebsites.us/admin/host/keys/{keyName}", null);
The ARM template used is
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"coreFunctionApp_appServicePlanName": {
"type": "string",
"metadata": {
"description": "Name of the app service plan to host core function app."
},
"defaultValue": "SL360-Prod-BAM-Appsvc"
},
"coreFunctionApp_applicationInsightsName": {
"type": "string",
"metadata": {
"description": "Name of the application insights for the core function
app."
},
"defaultValue": "SL360-Prod-BAM-AppInsights"
},
"coreFunctionAppName": {
"type": "string",
"metadata": {
"description": "Name of the core function app"
},
"defaultValue": "SL360-Prod-BAM-FunApp"
},
"BAMConnectionString": {
"type": "string",
"metadata": {
"description": "BAM Connection String"
},
"defaultValue": "SL360-BAMConnectionString"
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the Storage account namespace"
},
"defaultValue": "SL360-Prod-BAM-Storage"
},
"storageContainerName": {
"type": "string",
"metadata": {
"description": "Name of the Storage account container"
},
"defaultValue": "SL360-Prod-BAM-Storage-container"
},
"storageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_RAGRS"
],
"metadata": {
"description": "Storage Account type"
}
}
},
"variables": {
"storageAccountid": "
[concat(resourceGroup().id,'/providers/','Microsoft.Storage/storageAccounts/',
parameters('storageAccountName'))]",
"serverFarmApiVersion": "2018-02-01",
"storageApiVersion": "
[providers('Microsoft.Storage','storageAccounts').apiVersions[0]]",
"sitesApiVersion": "2018-11-01",
"insightsApiVersion": "2015-05-01"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "[variables('storageApiVersion')]",
"kind": "Storage",
"location": "[resourceGroup().location]",
"name": "[parameters('storageAccountName')]",
"sku": {
"name": "[parameters('storageAccountType')]"
}
},
{
"apiVersion": "[variables('serverFarmApiVersion')]",
"dependsOn": [],
"location": "[resourceGroup().location]",
"name": "[parameters('coreFunctionApp_appServicePlanName')]",
"properties": {
"name": "[parameters('coreFunctionApp_appServicePlanName')]",
"computeMode": "Dynamic"
},
"sku": {
"name": "Y1",
"tier": "Dynamic"
},
"type": "Microsoft.Web/serverfarms"
},
{
"apiVersion": "[variables('insightsApiVersion')]",
"location": "[resourceGroup().location]",
"name": "[parameters('coreFunctionApp_applicationInsightsName')]",
"properties": {
"Application_Type": "web",
"ApplicationId": "
[parameters('coreFunctionApp_applicationInsightsName')]"
},
"tags": {
"[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', parameters('coreFunctionAppName'))]": "Resource"
},
"type": "Microsoft.Insights/components"
}, {
"apiVersion": "[variables('sitesApiVersion')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms',
parameters('coreFunctionApp_appServicePlanName'))]",
"[resourceId('Microsoft.Insights/components',
parameters('coreFunctionApp_applicationInsightsName'))]",
"[resourceId('Microsoft.Storage/storageAccounts',
parameters('storageAccountName'))]"
],
"kind": "functionapp",
"location": "[resourceGroup().location]",
"name": "[parameters('coreFunctionAppName')]",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms',
parameters('coreFunctionApp_appServicePlanName'))]",
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsDashboard",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',
parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
},
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',
parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~2"
},
{
"name": "WEBSITE_NODE_DEFAULT_VERSION",
"value": "6.5.0"
},
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(concat('microsoft.insights/components/',
parameters('coreFunctionApp_applicationInsightsName'))).InstrumentationKey]"
}
]
}
},
"type": "Microsoft.Web/sites"
},
],
"outputs":
"StorageAccessKey": {
"type": "string",
"value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts',
parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
}
}
}
Can anyone help me solve this issue?

How to add the existing virtual network into Azure SQL database using Azure ARM Template?

Currently I am working on to deploy the Azure SQL Database into exisiting virtual network using Azure ARM templates.
azuredeploy.json
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sqlServerName": {
"type": "string",
"metadata": {
"description": "The SQL Servername."
}
},
"databaseName": {
"type": "string",
"metadata": {
"description": "The SQL Database."
}
},
"collation": {
"type": "string",
"metadata": {
"description": "The Collation of SQL Database and SQL Server."
}
},
"edition": {
"type": "string",
"metadata": {
"description": "The edition of SQL Database."
}
},
"maxSizeBytes": {
"type": "string",
"metadata": {
"description": "The maxsize of SQL Database."
}
},
"sqlAdministratorLogin": {
"type": "string",
"metadata": {
"description": "The administrator username of the SQL Server."
}
},
"sqlAdministratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The administrator password of the SQL Server."
}
},
"transparentDataEncryption": {
"type": "string",
"allowedValues": [
"Enabled",
"Disabled"
],
"defaultValue": "Enabled",
"metadata": {
"description": "Enable or disable Transparent Data Encryption (TDE) for the database."
}
},
"zoneRedundant": {
"type": "bool",
"defaultValue": false
},
"startIpAddress": {
"type": "string",
"metadata": {
"description": "The start IpAddress"
}
},
"endIpAddress": {
"type": "string",
"metadata": {
"description": "The end IpAddress."
}
},
"sampleName": {
"type": "string",
"metadata": {
"description": "The sampleName."
}
},
"existingVnetName": {
"type": "string",
"metadata": {
"description": "The name of the existing virtual netwok."
}
},
"vnetRuleName": {
"type": "string",
"metadata": {
"description": "The name of the virtual netwrok rule."
}
},
"existingVirtualNetworkResourceGroup": {
"type": "string",
"metadata": {
"description": "The name of the exisitng VNET resource group."
}
},
"subscriptionID": {
"type": "string",
"metadata": {
"description": "The ID of the exisitng azure subscription."
}
}
},
"variables": {
"sqlServerName": "[parameters('sqlServerName')]",
"databaseName": "[parameters('databaseName')]",
"databaseEdition": "[parameters('edition')]",
"databaseCollation": "[parameters('collation')]",
"databaseServiceObjectiveName": "Basic",
"vnetID": "[concat('/subscriptions/', parameters('subscriptionID'), '/resourceGroups/',parameters('existingVirtualNetworkResourceGroup'),'/','Microsoft.Network/virtualNetworks', parameters('existingVnetName'))]",
//"vnetID": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/virtualNetworks', parameters('existingVnetName'))]"
},
"resources": [
{
"name": "[variables('sqlServerName')]",
"type": "Microsoft.Sql/servers",
"apiVersion": "2014-04-01-preview",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "SqlServer"
},
"properties": {
"administratorLogin": "[parameters('sqlAdministratorLogin')]",
"administratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"name": "[variables('databaseName')]",
"type": "databases",
"apiVersion": "2015-01-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "Database"
},
"properties": {
"edition": "[variables('databaseEdition')]",
"collation": "[variables('databaseCollation')]",
"requestedServiceObjectiveName": "[variables('databaseServiceObjectiveName')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"sampleName": "[parameters('sampleName')]",
"zoneRedundant": "[parameters('zoneRedundant')]"
},
"dependsOn": [
"[variables('sqlServerName')]"
],
"resources": [
{
"comments": "Transparent Data Encryption",
"name": "current",
"type": "transparentDataEncryption",
"apiVersion": "2014-04-01-preview",
"properties": {
"status": "[parameters('transparentDataEncryption')]"
},
"dependsOn": [
"[variables('databaseName')]"
]
}
]
},
{
"name": "AllowAllMicrosoftAzureIps",
"type": "firewallrules",
"apiVersion": "2014-04-01",
"location": "[resourceGroup().location]",
"properties": {
"startIpAddress": "[parameters('startIpAddress')]",
"endIpAddress": "[parameters('endIpAddress')]"
},
"dependsOn": [
"[variables('sqlServerName')]"
]
},
{
"comments": "Adding existing VNET to the SQL Server",
"type": "Microsoft.Sql/servers/virtualNetworkRules",
"name": "[concat(parameters('sqlServerName'), '/', parameters('vnetRuleName'))]",
"apiVersion": "2015-05-01-preview",
"scale": null,
"properties": {
"virtualNetworkSubnetId": "[variables('vnetID')]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
]
}
]
}
],
"outputs": {
"sqlServerFqdn": {
"type": "string",
"value": "[reference(concat('Microsoft.Sql/servers/', variables('sqlServerName'))).fullyQualifiedDomainName]"
},
"databaseName": {
"type": "string",
"value": "[variables('databaseName')]"
}
}
}
Before I added this Microsoft.Sql/servers/virtualNetworkRules section into azuredeploy.json file at that time I am able to create the new SQL database into azure.
{
"comments": "Adding existing VNET to the SQL Server",
"type": "Microsoft.Sql/servers/virtualNetworkRules",
"name": "[concat(parameters('sqlServerName'), '/', parameters('vnetRuleName'))]",
"apiVersion": "2015-05-01-preview",
"scale": null,
"properties": {
"virtualNetworkSubnetId": "[variables('vnetID')]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
]
}
But whenever I added this Microsoft.Sql/servers/virtualNetworkRules section into azuredeploy.json file at that time I am not able to create database into existing virtual network and also it doesn’t give any response.
Can anyone please tell me where I did the mistake in the above azuredeploy.json file?
Finally I resolved the above issue by replacing this section of code with Microsoft.Sql/servers/virtualNetworkRules the below lines of code:
{
"comments": "Adding existing VNET to the SQL Server",
"type": "Microsoft.Sql/servers/virtualNetworkRules",
"name": "[concat(parameters('sqlServerName'), '/', parameters('vnetRuleName'))]",
"apiVersion": "2015-05-01-preview",
"scale": null,
"properties": {
"virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVnetName'), parameters('subnets_default_name'))]",
"ignoreMissingVnetServiceEndpoint": "[parameters('ignoreMissingVnetServiceEndpoint')]"
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
]
}

How to turn on Auditing & Threat Detection for Azure SQL Database in ARM Template?

Azure SQL Database Threat Detection feature has been in General Preview since November 2015.
https://azure.microsoft.com/en-us/blog/threat-detection-public-preview/
However, I could not find out how can one turn on this feature and its dependency (Azure SQL Database Auditing) in the ARM template, neither in the Azure Quickstart Templates nor Azure Resource Manager Schema GitHubs links.
azure-quickstart-templates
azure-resource-manager-schemas
Appreciate if anyone who knows can answer on this.
Thanks very much.
Here are 2 sample templates:
First one, enable Auditing and Threat Detection for the whole SQL server.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"type": "string",
"metadata": {
"description": "The name of the new database server to create."
}
},
"serverLocation": {
"type": "string",
"metadata": {
"description": "The location of the database server."
}
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The account name to use for the database server administrator."
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password to use for the database server administrator."
}
},
"databaseName": {
"type": "string",
"metadata": {
"description": "The name of the new database to create."
}
},
"collation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The database collation for governing the proper use of characters."
}
},
"edition": {
"type": "string",
"defaultValue": "Standard",
"metadata": {
"description": "The type of database to create. The available options are: Web, Business, Basic, Standard, and Premium."
}
},
"maxSizeBytes": {
"type": "string",
"defaultValue": "1073741824",
"metadata": {
"description": "The maximum size, in bytes, for the database"
}
},
"requestedServiceObjectiveName": {
"type": "string",
"defaultValue": "S0",
"metadata": {
"description": "The name corresponding to the performance level for edition. The available options are: Shared, Basic, S0, S1, S2, S3, P1, P2, and P3."
}
},
"eventTypesToAudit": {
"type": "string",
"defaultValue":"All",
"metadata": {
"description": "The event type to audit."
}
}
},
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"name": "[parameters('databaseName')]",
"type": "databases",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"properties": {
"edition": "[parameters('edition')]",
"collation": "[parameters('collation')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]"
}
},
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('serverLocation')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "firewallrules"
},
{
"apiVersion": "2014-04-01-preview",
"type": "auditingPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]"
],
"properties": {
"auditingState": "Enabled",
"storageAccountName": "<your-storage-account-name>",
"storageAccountKey": "<your-storage-account-key>",
"storageAccountResourceGroupName": "<your-storage-account-resource-group-name>",
"storageAccountSubscriptionId": "<your-storage-account-subscriptionid>",
"eventTypesToAudit": "parameters('eventTypesToAudit')"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "securityAlertPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/auditingPolicies/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "abcd#efgh.com",
"emailAccountAdmins": "true"
}
}
]
}
]
}
Second one, enable Auditing and Threat Detection only for a specific database.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"type": "string",
"metadata": {
"description": "The name of the new database server to create."
}
},
"serverLocation": {
"type": "string",
"metadata": {
"description": "The location of the database server."
}
},
"administratorLogin": {
"type": "string",
"metadata": {
"description": "The account name to use for the database server administrator."
}
},
"administratorLoginPassword": {
"type": "securestring",
"metadata": {
"description": "The password to use for the database server administrator."
}
},
"databaseName": {
"type": "string",
"metadata": {
"description": "The name of the new database to create."
}
},
"collation": {
"type": "string",
"defaultValue": "SQL_Latin1_General_CP1_CI_AS",
"metadata": {
"description": "The database collation for governing the proper use of characters."
}
},
"edition": {
"type": "string",
"defaultValue": "Standard",
"metadata": {
"description": "The type of database to create. The available options are: Web, Business, Basic, Standard, and Premium."
}
},
"maxSizeBytes": {
"type": "string",
"defaultValue": "1073741824",
"metadata": {
"description": "The maximum size, in bytes, for the database"
}
},
"requestedServiceObjectiveName": {
"type": "string",
"defaultValue": "S0",
"metadata": {
"description": "The name corresponding to the performance level for edition. The available options are: Shared, Basic, S0, S1, S2, S3, P1, P2, and P3."
}
},
"eventTypesToAudit": {
"type": "string",
"defaultValue":"All",
"metadata": {
"description": "The event type to audit."
}
}
},
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"name": "[parameters('databaseName')]",
"type": "databases",
"location": "[parameters('serverLocation')]",
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"properties": {
"edition": "[parameters('edition')]",
"collation": "[parameters('collation')]",
"maxSizeBytes": "[parameters('maxSizeBytes')]",
"requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]"
},
"resources":[
{
"apiVersion": "2014-04-01-preview",
"type": "auditingPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]"
],
"properties": {
"auditingState": "Enabled",
"storageAccountName": "<your-storage-account-name>",
"storageAccountKey": "<your-storage-account-key>",
"storageAccountResourceGroupName": "<your-storage-account-resource-group-name>",
"storageAccountSubscriptionId": "<your-storage-account-subscriptionid>",
"eventTypesToAudit": "parameters('eventTypesToAudit')"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "securityAlertPolicies",
"name": "Default",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'))]",
"[concat('Microsoft.Sql/servers/', parameters('serverName'), '/databases/',parameters('databaseName'), '/auditingPolicies/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "abcd#efgh.com",
"emailAccountAdmins": "true"
}
}
]
},
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('serverLocation')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "firewallrules"
}
]
}
]
}
Note: Please don't forget to replace the information for the storage account.
Actually, Yoav Rubin has already answered your question in comment of the blog. And, I have tested the answer, and have done some refinement.
There was a change in the last week which requires 2 more parameters to the securityAlertPolicies section:
"storageEndpoint": "https://<storage account name>.blob.core.windows.net/",
"storageAccountAccessKey": "<storage account key>"
This is so the service can write the alerts generated to your storage account as well.
The answer from Jack Zeng was close, but (at this point in time) you need auditingSettings to point to blob storage, since security alerting doesn't work with table storage. So add the following auditingSettings and securityAlertPolicies as child resources of the Microsoft.Sql/servers resource.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[parameters('sqlserverName')]",
"type": "Microsoft.Sql/servers",
"location": "[resourceGroup().location]",
"apiVersion": "2014-04-01-preview",
"properties": {},
"resources": [
{
"apiVersion": "2015-05-01-preview",
"type": "auditingSettings",
"name": "Default",
"dependsOn": [
"[parameters('sqlserverName')]",
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
],
"properties": {
"State": "Enabled",
"storageEndpoint": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"eventTypesToAudit": "All"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "securityAlertPolicies",
"name": "DefaultSecurityAlert",
"dependsOn": [
"[parameters('sqlserverName')]",
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
"[concat('Microsoft.Sql/servers/', parameters('sqlserverName'), '/auditingSettings/Default')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "[parameters('securityAlertPolicyEmails')]",
"emailAccountAdmins": "Enabled",
"retentionDays": "10",
"storageEndpoint": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
}
}
]
}
]
}
Sources:
The blob storage auditing config is from here: https://blogs.msdn.microsoft.com/azuresqldbsupport/2017/01/11/arm-template-turning-on-blob-auditing/
The threat detection resource config is from here (note that the storage auditing config from this example didn't work for me): https://blogs.msdn.microsoft.com/azuresqldbsupport/2017/01/11/arm-template-to-deploy-server-with-auditing-and-threat-detection-turned-on/

Resources