private static void DetermineTargetsState(
            AuditModelType model,
            BlobAuditingPolicyState policyState)
        {
            // Derives the per-destination flags (blob storage, Event Hub, Log Analytics) on the model
            // from the overall policy state plus the storage / diagnostic-settings data already on it.
            // Note: an Enabled policy with no destination configured ends up with every target
            // Disabled — i.e. the audit is switched on but writes nowhere. Callers that care about
            // "auditing is actually being collected" must look at the target states, not just policyState.

            // A disabled policy turns every target off regardless of what else is configured.
            if (policyState == BlobAuditingPolicyState.Disabled)
            {
                model.BlobStorageTargetState  = AuditStateType.Disabled;
                model.EventHubTargetState     = AuditStateType.Disabled;
                model.LogAnalyticsTargetState = AuditStateType.Disabled;
                return;
            }

            // Blob storage is "on" exactly when a storage account resource id is present.
            // Only presence is checked here; the id is not validated for shape.
            bool hasStorageAccount = !string.IsNullOrEmpty(model.StorageAccountResourceId);
            model.BlobStorageTargetState = hasStorageAccount
                ? AuditStateType.Enabled
                : AuditStateType.Disabled;

            // The two Azure Monitor based targets need the monitor flag to be explicitly true
            // (null counts as false) and a non-null list of diagnostic settings to inspect.
            bool monitorTargetsPossible =
                model.IsAzureMonitorTargetEnabled == true &&
                model.DiagnosticsEnablingAuditCategory != null;
            if (!monitorTargetsPossible)
            {
                model.EventHubTargetState     = AuditStateType.Disabled;
                model.LogAnalyticsTargetState = AuditStateType.Disabled;
                return;
            }

            var diagnosticSettings = model.DiagnosticsEnablingAuditCategory;

            // Event Hub: the first diagnostic setting carrying an authorization rule id wins.
            // When none matches, EventHubName / EventHubAuthorizationRuleResourceId are left untouched.
            var eventHubSettings = diagnosticSettings.FirstOrDefault(
                settings => !string.IsNullOrEmpty(settings.EventHubAuthorizationRuleId));
            if (eventHubSettings is null)
            {
                model.EventHubTargetState = AuditStateType.Disabled;
            }
            else
            {
                model.EventHubTargetState                 = AuditStateType.Enabled;
                model.EventHubName                        = eventHubSettings.EventHubName;
                model.EventHubAuthorizationRuleResourceId = eventHubSettings.EventHubAuthorizationRuleId;
            }

            // Log Analytics: the first diagnostic setting carrying a workspace id wins.
            // When none matches, WorkspaceResourceId is left untouched.
            var logAnalyticsSettings = diagnosticSettings.FirstOrDefault(
                settings => !string.IsNullOrEmpty(settings.WorkspaceId));
            if (logAnalyticsSettings is null)
            {
                model.LogAnalyticsTargetState = AuditStateType.Disabled;
            }
            else
            {
                model.LogAnalyticsTargetState = AuditStateType.Enabled;
                model.WorkspaceResourceId     = logAnalyticsSettings.WorkspaceId;
            }
        }
 /// <summary>
 /// Initializes a new instance of the ServerDevOpsAuditingSettings
 /// class.
 /// </summary>
 /// <param name="state">Specifies the state of the audit. If state is
 /// Enabled, storageEndpoint or isAzureMonitorTargetEnabled is
 /// required. Possible values include: 'Enabled', 'Disabled'</param>
 /// <param name="id">Resource ID.</param>
 /// <param name="name">Resource name.</param>
 /// <param name="type">Resource type.</param>
 /// <param name="systemData">SystemData of
 /// ServerDevOpsAuditSettingsResource.</param>
 /// <param name="isAzureMonitorTargetEnabled">Specifies whether DevOps
 /// audit events are sent to Azure Monitor.
 /// In order to send the events to Azure Monitor, specify 'State' as
 /// 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.
 ///
 /// When using REST API to configure DevOps audit, Diagnostic Settings
 /// with 'DevOpsOperationsAudit' diagnostic logs category on the master
 /// database should be also created.
 ///
 /// Diagnostic Settings URI format:
 /// PUT
 /// https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/master/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview
 ///
 /// For more information, see [Diagnostic Settings REST
 /// API](https://go.microsoft.com/fwlink/?linkid=2033207)
 /// or [Diagnostic Settings
 /// PowerShell](https://go.microsoft.com/fwlink/?linkid=2033043)
 /// </param>
 /// <param name="storageEndpoint">Specifies the blob storage endpoint
 /// (e.g. https://MyAccount.blob.core.windows.net). If state is
 /// Enabled, storageEndpoint or isAzureMonitorTargetEnabled is
 /// required.</param>
 /// <param name="storageAccountAccessKey">Specifies the identifier key
 /// of the auditing storage account.
 /// If state is Enabled and storageEndpoint is specified, not
 /// specifying the storageAccountAccessKey will use SQL server
 /// system-assigned managed identity to access the storage.
 /// Prerequisites for using managed identity authentication:
 /// 1. Assign SQL Server a system-assigned managed identity in Azure
 /// Active Directory (AAD).
 /// 2. Grant SQL Server identity access to the storage account by
 /// adding 'Storage Blob Data Contributor' RBAC role to the server
 /// identity.
 /// For more information, see [Auditing to storage using Managed
 /// Identity
 /// authentication](https://go.microsoft.com/fwlink/?linkid=2114355)</param>
 /// <param name="storageAccountSubscriptionId">Specifies the blob
 /// storage subscription Id.</param>
 public ServerDevOpsAuditingSettings(BlobAuditingPolicyState state, string id = default(string), string name = default(string), string type = default(string), SystemData systemData = default(SystemData), bool? isAzureMonitorTargetEnabled = default(bool?), string storageEndpoint = default(string), string storageAccountAccessKey = default(string), System.Guid? storageAccountSubscriptionId = default(System.Guid?))
     : base(id, name, type)
 {
     // Resource identity (id / name / type) goes to the base class; the rest is the DevOps-audit
     // payload, stored verbatim. The documented rule "storageEndpoint or isAzureMonitorTargetEnabled
     // is required when state is Enabled" is NOT enforced here — it is left to the service.
     State                       = state;
     IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;

     // Storage target. StorageAccountAccessKey is a storage-account credential: keep it out of
     // logs, ToString output and diagnostics.
     StorageEndpoint              = storageEndpoint;
     StorageAccountAccessKey      = storageAccountAccessKey;
     StorageAccountSubscriptionId = storageAccountSubscriptionId;

     SystemData = systemData;

     // Hook whose body lives elsewhere (presumably the partial-class customisation point of
     // the generated model) — confirm before relying on any side effect.
     CustomInit();
 }
        internal static string ToSerializedValue(this BlobAuditingPolicyState value)
        {
            // Maps the policy-state enum to its wire string. Anything other than the two known
            // members (e.g. an out-of-range cast) serializes as null instead of throwing.
            return value switch
            {
                BlobAuditingPolicyState.Enabled  => "Enabled",
                BlobAuditingPolicyState.Disabled => "Disabled",
                _                                => null,
            };
        }
        internal void ModelizeAuditPolicy(AuditModelType model,
                                          BlobAuditingPolicyState state,
                                          string storageEndpoint,
                                          bool? isSecondary,
                                          Guid? storageAccountSubscriptionId,
                                          bool? isAzureMonitorTargetEnabled,
                                          int? retentionDays)
        {
            // Fills the audit model from raw policy values in three steps: copy the Azure Monitor
            // flag, fill in storage details, then derive the per-target enabled/disabled states.
            bool auditEnabled = IsAuditEnabled(state);

            model.IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;
            ModelizeStorageInfo(model, storageEndpoint, isSecondary, storageAccountSubscriptionId, auditEnabled, retentionDays);

            // Keep this last: DetermineTargetsState reads model fields (IsAzureMonitorTargetEnabled,
            // and presumably StorageAccountResourceId set by ModelizeStorageInfo — TODO confirm)
            // that the two statements above populate.
            DetermineTargetsState(model, state);
        }
 /// <summary>
 /// Initializes a new instance of the ServerBlobAuditingPolicyInner
 /// class.
 /// </summary>
 /// <param name="state">Specifies the state of the policy. If state is
 /// Enabled, storageEndpoint or isAzureMonitorTargetEnabled is
 /// required. Possible values include: 'Enabled', 'Disabled'</param>
 /// <param name="storageEndpoint">Specifies the blob storage endpoint
 /// (e.g. https://MyAccount.blob.core.windows.net). If state is
 /// Enabled, storageEndpoint is required.</param>
 /// <param name="storageAccountAccessKey">Specifies the identifier key
 /// of the auditing storage account. If state is Enabled and
 /// storageEndpoint is specified, storageAccountAccessKey is
 /// required.</param>
 /// <param name="retentionDays">Specifies the number of days to keep in
 /// the audit logs in the storage account.</param>
 /// <param name="auditActionsAndGroups">Specifies the Actions-Groups
 /// and Actions to audit.
 ///
 /// The recommended set of action groups to use is the following
 /// combination - this will audit all the queries and stored procedures
 /// executed against the database, as well as successful and failed
 /// logins:
 ///
 /// BATCH_COMPLETED_GROUP,
 /// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP,
 /// FAILED_DATABASE_AUTHENTICATION_GROUP.
 ///
 /// The above combination is also the set that is configured by
 /// default when enabling auditing from the Azure portal.
 ///
 /// The supported action groups to audit are (note: choose only
 /// specific groups that cover your auditing needs. Using unnecessary
 /// groups could lead to very large quantities of audit records):
 ///
 /// APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
 /// BACKUP_RESTORE_GROUP
 /// DATABASE_LOGOUT_GROUP
 /// DATABASE_OBJECT_CHANGE_GROUP
 /// DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
 /// DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
 /// DATABASE_OPERATION_GROUP
 /// DATABASE_PERMISSION_CHANGE_GROUP
 /// DATABASE_PRINCIPAL_CHANGE_GROUP
 /// DATABASE_PRINCIPAL_IMPERSONATION_GROUP
 /// DATABASE_ROLE_MEMBER_CHANGE_GROUP
 /// FAILED_DATABASE_AUTHENTICATION_GROUP
 /// SCHEMA_OBJECT_ACCESS_GROUP
 /// SCHEMA_OBJECT_CHANGE_GROUP
 /// SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
 /// SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
 /// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP
 /// USER_CHANGE_PASSWORD_GROUP
 /// BATCH_STARTED_GROUP
 /// BATCH_COMPLETED_GROUP
 ///
 /// These are groups that cover all sql statements and stored
 /// procedures executed against the database, and should not be used in
 /// combination with other groups as this will result in duplicate
 /// audit logs.
 ///
 /// For more information, see [Database-Level Audit Action
 /// Groups](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups).
 ///
 /// For Database auditing policy, specific Actions can also be
 /// specified (note that Actions cannot be specified for Server
 /// auditing policy). The supported actions to audit are:
 /// SELECT
 /// UPDATE
 /// INSERT
 /// DELETE
 /// EXECUTE
 /// RECEIVE
 /// REFERENCES
 ///
 /// The general form for defining an action to be audited is:
 /// {action} ON {object} BY {principal}
 ///
 /// Note that &lt;object&gt; in the above format can refer to an object
 /// like a table, view, or stored procedure, or an entire database or
 /// schema. For the latter cases, the forms DATABASE::{db_name} and
 /// SCHEMA::{schema_name} are used, respectively.
 ///
 /// For example:
 /// SELECT on dbo.myTable by public
 /// SELECT on DATABASE::myDatabase by public
 /// SELECT on SCHEMA::mySchema by public
 ///
 /// For more information, see [Database-Level Audit
 /// Actions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-actions)</param>
 /// <param name="storageAccountSubscriptionId">Specifies the blob
 /// storage subscription Id.</param>
 /// <param name="isStorageSecondaryKeyInUse">Specifies whether
 /// storageAccountAccessKey value is the storage's secondary
 /// key.</param>
 /// <param name="isAzureMonitorTargetEnabled">Specifies whether audit
 /// events are sent to Azure Monitor.
 /// In order to send the events to Azure Monitor, specify 'State' as
 /// 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.
 ///
 /// When using REST API to configure auditing, Diagnostic Settings with
 /// 'SQLSecurityAuditEvents' diagnostic logs category on the database
 /// should be also created.
 /// Note that for server level audit you should use the 'master'
 /// database as {databaseName}.
 ///
 /// Diagnostic Settings URI format:
 /// PUT
 /// https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview
 ///
 /// For more information, see [Diagnostic Settings REST
 /// API](https://go.microsoft.com/fwlink/?linkid=2033207)
 /// or [Diagnostic Settings
 /// PowerShell](https://go.microsoft.com/fwlink/?linkid=2033043)
 /// </param>
 public ServerBlobAuditingPolicyInner(BlobAuditingPolicyState state, string id = default(string), string name = default(string), string type = default(string), string storageEndpoint = default(string), string storageAccountAccessKey = default(string), int? retentionDays = default(int?), IList<string> auditActionsAndGroups = default(IList<string>), System.Guid? storageAccountSubscriptionId = default(System.Guid?), bool? isStorageSecondaryKeyInUse = default(bool?), bool? isAzureMonitorTargetEnabled = default(bool?))
     : base(id, name, type)
 {
     // Overall switch plus the Azure Monitor flag. No argument validation happens here; the
     // "storageEndpoint required when Enabled" rule from the docs is enforced by the service.
     State                       = state;
     IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;

     // Blob storage target. StorageAccountAccessKey is an account credential — never surface it in
     // logs or diagnostics; IsStorageSecondaryKeyInUse only records which of the two keys it is.
     StorageEndpoint              = storageEndpoint;
     StorageAccountAccessKey      = storageAccountAccessKey;
     StorageAccountSubscriptionId = storageAccountSubscriptionId;
     IsStorageSecondaryKeyInUse   = isStorageSecondaryKeyInUse;

     // What gets audited and for how long it is kept. The list reference is stored as-is
     // (assuming an auto-property), so later caller mutation shows through AuditActionsAndGroups.
     RetentionDays         = retentionDays;
     AuditActionsAndGroups = auditActionsAndGroups;

     // Hook implemented elsewhere (partial class); its body is not visible here.
     CustomInit();
 }
 /// <summary>
 /// Initializes a new instance of the
 /// ExtendedDatabaseBlobAuditingPolicy class.
 /// </summary>
 /// <param name="state">Specifies the state of the audit. If state is
 /// Enabled, storageEndpoint or isAzureMonitorTargetEnabled is
 /// required. Possible values include: 'Enabled', 'Disabled'</param>
 /// <param name="id">Resource ID.</param>
 /// <param name="name">Resource name.</param>
 /// <param name="type">Resource type.</param>
 /// <param name="predicateExpression">Specifies condition of where
 /// clause when creating an audit.</param>
 /// <param name="retentionDays">Specifies the number of days to keep in
 /// the audit logs in the storage account.</param>
 /// <param name="auditActionsAndGroups">Specifies the Actions-Groups
 /// and Actions to audit.
 ///
 /// The recommended set of action groups to use is the following
 /// combination - this will audit all the queries and stored procedures
 /// executed against the database, as well as successful and failed
 /// logins:
 ///
 /// BATCH_COMPLETED_GROUP,
 /// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP,
 /// FAILED_DATABASE_AUTHENTICATION_GROUP.
 ///
 /// The above combination is also the set that is configured by
 /// default when enabling auditing from the Azure portal.
 ///
 /// The supported action groups to audit are (note: choose only
 /// specific groups that cover your auditing needs. Using unnecessary
 /// groups could lead to very large quantities of audit records):
 ///
 /// APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
 /// BACKUP_RESTORE_GROUP
 /// DATABASE_LOGOUT_GROUP
 /// DATABASE_OBJECT_CHANGE_GROUP
 /// DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
 /// DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
 /// DATABASE_OPERATION_GROUP
 /// DATABASE_PERMISSION_CHANGE_GROUP
 /// DATABASE_PRINCIPAL_CHANGE_GROUP
 /// DATABASE_PRINCIPAL_IMPERSONATION_GROUP
 /// DATABASE_ROLE_MEMBER_CHANGE_GROUP
 /// FAILED_DATABASE_AUTHENTICATION_GROUP
 /// SCHEMA_OBJECT_ACCESS_GROUP
 /// SCHEMA_OBJECT_CHANGE_GROUP
 /// SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
 /// SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
 /// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP
 /// USER_CHANGE_PASSWORD_GROUP
 /// BATCH_STARTED_GROUP
 /// BATCH_COMPLETED_GROUP
 ///
 /// These are groups that cover all sql statements and stored
 /// procedures executed against the database, and should not be used in
 /// combination with other groups as this will result in duplicate
 /// audit logs.
 ///
 /// For more information, see [Database-Level Audit Action
 /// Groups](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups).
 ///
 /// For Database auditing policy, specific Actions can also be
 /// specified (note that Actions cannot be specified for Server
 /// auditing policy). The supported actions to audit are:
 /// SELECT
 /// UPDATE
 /// INSERT
 /// DELETE
 /// EXECUTE
 /// RECEIVE
 /// REFERENCES
 ///
 /// The general form for defining an action to be audited is:
 /// {action} ON {object} BY {principal}
 ///
 /// Note that &lt;object&gt; in the above format can refer to an object
 /// like a table, view, or stored procedure, or an entire database or
 /// schema. For the latter cases, the forms DATABASE::{db_name} and
 /// SCHEMA::{schema_name} are used, respectively.
 ///
 /// For example:
 /// SELECT on dbo.myTable by public
 /// SELECT on DATABASE::myDatabase by public
 /// SELECT on SCHEMA::mySchema by public
 ///
 /// For more information, see [Database-Level Audit
 /// Actions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-actions)</param>
 /// <param name="isStorageSecondaryKeyInUse">Specifies whether
 /// storageAccountAccessKey value is the storage's secondary
 /// key.</param>
 /// <param name="isAzureMonitorTargetEnabled">Specifies whether audit
 /// events are sent to Azure Monitor.
 /// In order to send the events to Azure Monitor, specify 'State' as
 /// 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.
 ///
 /// When using REST API to configure auditing, Diagnostic Settings with
 /// 'SQLSecurityAuditEvents' diagnostic logs category on the database
 /// should be also created.
 /// Note that for server level audit you should use the 'master'
 /// database as {databaseName}.
 ///
 /// Diagnostic Settings URI format:
 /// PUT
 /// https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview
 ///
 /// For more information, see [Diagnostic Settings REST
 /// API](https://go.microsoft.com/fwlink/?linkid=2033207)
 /// or [Diagnostic Settings
 /// PowerShell](https://go.microsoft.com/fwlink/?linkid=2033043)
 /// </param>
 /// <param name="queueDelayMs">Specifies the amount of time in
 /// milliseconds that can elapse before audit actions are forced to be
 /// processed.
 /// The default minimum value is 1000 (1 second). The maximum is
 /// 2,147,483,647.</param>
 /// <param name="storageEndpoint">Specifies the blob storage endpoint
 /// (e.g. https://MyAccount.blob.core.windows.net). If state is
 /// Enabled, storageEndpoint or isAzureMonitorTargetEnabled is
 /// required.</param>
 /// <param name="storageAccountAccessKey">Specifies the identifier key
 /// of the auditing storage account.
 /// If state is Enabled and storageEndpoint is specified, not
 /// specifying the storageAccountAccessKey will use SQL server
 /// system-assigned managed identity to access the storage.
 /// Prerequisites for using managed identity authentication:
 /// 1. Assign SQL Server a system-assigned managed identity in Azure
 /// Active Directory (AAD).
 /// 2. Grant SQL Server identity access to the storage account by
 /// adding 'Storage Blob Data Contributor' RBAC role to the server
 /// identity.
 /// For more information, see [Auditing to storage using Managed
 /// Identity
 /// authentication](https://go.microsoft.com/fwlink/?linkid=2114355)</param>
 /// <param name="storageAccountSubscriptionId">Specifies the blob
 /// storage subscription Id.</param>
 public ExtendedDatabaseBlobAuditingPolicy(BlobAuditingPolicyState state, string id = default(string), string name = default(string), string type = default(string), string predicateExpression = default(string), int? retentionDays = default(int?), IList<string> auditActionsAndGroups = default(IList<string>), bool? isStorageSecondaryKeyInUse = default(bool?), bool? isAzureMonitorTargetEnabled = default(bool?), int? queueDelayMs = default(int?), string storageEndpoint = default(string), string storageAccountAccessKey = default(string), System.Guid? storageAccountSubscriptionId = default(System.Guid?))
     : base(id, name, type)
 {
     // Overall switch plus the Azure Monitor flag. Nothing is validated in the constructor;
     // the documented "storageEndpoint or isAzureMonitorTargetEnabled required when Enabled"
     // rule and the queueDelayMs bounds are checked by the service, not here.
     State                       = state;
     IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;

     // Filtering / buffering of audit events. PredicateExpression is a WHERE-clause style filter;
     // it is stored verbatim and not parsed or sanitised here.
     PredicateExpression = predicateExpression;
     QueueDelayMs        = queueDelayMs;

     // What gets audited and for how long it is kept. The list reference is stored as-is
     // (assuming an auto-property), so later caller mutation shows through AuditActionsAndGroups.
     RetentionDays         = retentionDays;
     AuditActionsAndGroups = auditActionsAndGroups;

     // Blob storage target. StorageAccountAccessKey is an account credential — keep it out of
     // logs and diagnostics; IsStorageSecondaryKeyInUse only records which of the two keys it is.
     StorageEndpoint              = storageEndpoint;
     StorageAccountAccessKey      = storageAccountAccessKey;
     StorageAccountSubscriptionId = storageAccountSubscriptionId;
     IsStorageSecondaryKeyInUse   = isStorageSecondaryKeyInUse;

     // Hook implemented elsewhere (partial class); its body is not visible here.
     CustomInit();
 }
 /// <summary>
 /// True only for the explicit <c>Enabled</c> member; <c>Disabled</c> and any
 /// unexpected enum value are both treated as "audit off".
 /// </summary>
 private bool IsAuditEnabled(BlobAuditingPolicyState state) => state == BlobAuditingPolicyState.Enabled;
 public static string ToSerialString(this BlobAuditingPolicyState value) => value switch
 {