feat(DO-1067): Security improvements due to tfsec findings and changi…

…ng to mssql resources due to deprecation of azure_sql resources
dodevops · May 23, 2022 · fba0365 · fba0365
1 parent a99ebe7
commit fba0365
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -34,9 +34,11 @@ No modules.
 
 The following resources are used by this module:
 
-- [azurerm_sql_database.azuresqldb](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_database) (resource)
-- [azurerm_sql_firewall_rule.azure-sql-enable-access-firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule) (resource)
-- [azurerm_sql_server.azuresqldbsrv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server) (resource)
+- [azurerm_mssql_database.azuresqldb](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database) (resource)
+- [azurerm_mssql_database_extended_auditing_policy.azuresql-audit-policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database_extended_auditing_policy) (resource)
+- [azurerm_mssql_firewall_rule.azure-sql-enable-access-firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_firewall_rule) (resource)
+- [azurerm_mssql_server.azuresqldbsrv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server) (resource)
+- [azurerm_storage_account.azuresql-audit-storage-account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) (resource)
 
 ## Required Inputs
 
@@ -90,6 +92,22 @@ Type: `string`
 
 Default: `"Standard"`
 
+### enable\_audit
+
+Description: Enable audit of database access and usage
+
+Type: `bool`
+
+Default: `true`
+
+### public\_access
+
+Description: Whether or not public network access is allowed for this server
+
+Type: `bool`
+
+Default: `false`
+
 ### sqlserver\_version
 
 Description: SQL server version to use

diff --git a/main.tf b/main.tf
@@ -1,25 +1,59 @@
-resource "azurerm_sql_server" "azuresqldbsrv" {
-  name                         = "${lower(var.project)}${lower(var.stage)}dbsrv${var.suffix}"
-  location                     = var.location
-  resource_group_name          = var.resource_group
-  version                      = var.sqlserver_version
-  administrator_login          = "${lower(var.project)}${lower(var.stage)}admusr${var.suffix}"
-  administrator_login_password = var.administrator_login_password
+resource "azurerm_mssql_server" "azuresqldbsrv" {
+  name                          = "${lower(var.project)}${lower(var.stage)}dbsrv${var.suffix}"
+  location                      = var.location
+  resource_group_name           = var.resource_group
+  version                       = var.sqlserver_version
+  administrator_login           = "${lower(var.project)}${lower(var.stage)}admusr${var.suffix}"
+  administrator_login_password  = var.administrator_login_password
+  public_network_access_enabled = var.public_access
+  minimum_tls_version           = "1.2"
 }
 
-resource "azurerm_sql_database" "azuresqldb" {
+resource "azurerm_mssql_database" "azuresqldb" {
   name                             = "${lower(var.project)}${lower(var.stage)}db${var.suffix}"
+  server_id                        = azurerm_mssql_server.azuresqldbsrv.id
   location                         = var.location
   resource_group_name              = var.resource_group
-  server_name                      = azurerm_sql_server.azuresqldbsrv.name
+  server_name                      = azurerm_mssql_server.azuresqldbsrv.name
   edition                          = var.edition
   requested_service_objective_name = var.performance_class
 }
 
-resource "azurerm_sql_firewall_rule" "azure-sql-enable-access-firewall" {
+resource "azurerm_mssql_firewall_rule" "azure-sql-enable-access-firewall" {
   name                = "${lower(var.project)}${lower(var.stage)}dbsrvaccessfromazure${var.suffix}"
+  server_id           = azurerm_mssql_server.azuresqldbsrv.id
   resource_group_name = var.resource_group
-  server_name         = azurerm_sql_server.azuresqldbsrv.name
+  server_name         = azurerm_mssql_server.azuresqldbsrv.name
   start_ip_address    = "0.0.0.0"
   end_ip_address      = "0.0.0.0"
+}
+
+resource "azurerm_storage_account" "azuresql-audit-storage-account" {
+  count = var.enable_audit ? 1 : 0
+
+  name                     = "${lower(var.project)}${lower(var.stage)}storaccdbaudit${var.suffix}"
+  resource_group_name      = var.resource_group
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  min_tls_version          = "TLS1_2"
+  queue_properties {
+    logging {
+      delete                = true
+      read                  = true
+      write                 = true
+      version               = "2.0"
+      retention_policy_days = 14
+    }
+  }
+}
+
+resource "azurerm_mssql_database_extended_auditing_policy" "azuresql-audit-policy" {
+  count = var.enable_audit ? 1 : 0
+
+  database_id                             = azurerm_mssql_database.azuresqldb.id
+  storage_endpoint                        = azurerm_storage_account.azuresql-audit-storage-account[0].primary_blob_endpoint
+  storage_account_access_key              = azurerm_storage_account.azuresql-audit-storage-account[0].primary_access_key
+  storage_account_access_key_is_secondary = false
+  retention_in_days                       = 90
 }
diff --git a/vars.tf b/vars.tf
@@ -44,4 +44,16 @@ variable "suffix" {
   type        = string
   description = "suffix for special databases"
   default     = ""
+}
+
+variable "public_access" {
+  type        = bool
+  description = "Whether or not public network access is allowed for this server"
+  default     = false
+}
+
+variable "enable_audit" {
+  type        = bool
+  description = "Enable audit of database access and usage"
+  default     = true
 }