
Support enabling audit logs on MySQL Flexible Server #51

Open

epopisces opened this issue Nov 20, 2023 · 1 comment
Labels
- bicep: Items related to the Bicep IaC
- terraform: Items related to the Terraform IaC code

Milestone: Backlog
Comments

epopisces commented Nov 20, 2023

To enable audit logs to a LAW in Azure, the following MySQL configuration entries are needed:

"audit_log_enabled" = "ON",
"audit_log_events" = "ADMIN,CONNECTION,DCL,DDL"

The latter may vary depending on what logging is desired from the server.

Via Terraform these could be implemented via a pair of azurerm_mysql_flexible_server_configuration resources:

resource "azurerm_mysql_flexible_server_configuration" "audit_log_enabled" {
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = "audit_log_enabled"
  value               = "ON"
}

resource "azurerm_mysql_flexible_server_configuration" "audit_log_events" {
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = "audit_log_events"
  value               = "ADMIN,CONNECTION,DCL,DDL"
}

These could either be enabled via an option variable in the variables.tf file (e.g. enable_audit_log), or even better such a variable could add the above defined in locals as an argument to a merge() function such as suggested in #50 (preferred).

This will also require a diagnostic setting resource and a LAW to house logs. In Terraform:

resource "azurerm_monitor_diagnostic_setting" "logging" {
  # count must be a number, so map the boolean enable_audit_log variable onto 1/0
  count                      = var.enable_audit_log ? 1 : 0
  name                       = "mds-mysql-redcap"
  target_resource_id         = azurerm_mysql_flexible_server.redcap.id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  # Resource log categories for Microsoft.DBforMySQL/flexibleServers:
  # https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories#microsoftdbformysqlflexibleservers
  enabled_log {
    category = "MySQLAuditLogs"
  }

  metric {
    category = "AllMetrics"
  }
}
epopisces changed the title from "Support enabling audit logs on MySQL Flexible Server" to "Terraform: support enabling audit logs on MySQL Flexible Server" on Nov 20, 2023
epopisces changed the title from "Terraform: support enabling audit logs on MySQL Flexible Server" back to "Support enabling audit logs on MySQL Flexible Server" on Nov 20, 2023
SvenAelterman added the "terraform: Items related to the Terraform IaC code" label on Nov 25, 2023
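A fuller version of the proposal above, as an added example (not the project's code and not code from the issue author): it gates both the server parameters and the diagnostic setting behind a single enable_audit_log variable using a merge() over locals as suggested in #50, drives the parameter resources with for_each so each server parameter is its own resource instance, and adds a precondition so that enabling auditing without a workspace ID fails at plan time instead of producing a diagnostic setting with no destination. The resource names (redcap, mds-mysql-redcap), the variable names, and the require_secure_transport base parameter are assumptions taken from or added to the issue text.

```hcl
# Added example, not the project's own code. Names below are assumptions
# based on the issue text (azurerm_resource_group.redcap,
# azurerm_mysql_flexible_server.redcap, "mds-mysql-redcap").

variable "enable_audit_log" {
  description = "Enable MySQL audit logging and ship it to Log Analytics"
  type        = bool
  default     = false
}

variable "audit_log_events" {
  description = "Value for the audit_log_events server parameter"
  type        = string
  default     = "ADMIN,CONNECTION,DCL,DDL"
}

variable "log_analytics_workspace_id" {
  description = "Resource ID of the Log Analytics workspace that receives the logs"
  type        = string
  default     = null
}

locals {
  # Parameters applied regardless of auditing (assumed example entry).
  base_configurations = {
    require_secure_transport = "ON"
  }

  # Parameters that only make sense when auditing is on.
  audit_configurations = {
    audit_log_enabled = "ON"
    audit_log_events  = var.audit_log_events
  }

  # The for expression yields an empty map when enable_audit_log is false,
  # which keeps both merge() arguments the same type in every case.
  server_configurations = merge(
    local.base_configurations,
    { for k, v in local.audit_configurations : k => v if var.enable_audit_log },
  )
}

# One resource instance per server parameter, keyed by parameter name, so
# adding or removing a map entry adds or removes exactly that parameter.
resource "azurerm_mysql_flexible_server_configuration" "this" {
  for_each            = local.server_configurations
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = each.key
  value               = each.value
}

resource "azurerm_monitor_diagnostic_setting" "logging" {
  count                      = var.enable_audit_log ? 1 : 0
  name                       = "mds-mysql-redcap"
  target_resource_id         = azurerm_mysql_flexible_server.redcap.id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  # Audit events written by the server parameters above land in this category.
  enabled_log {
    category = "MySQLAuditLogs"
  }

  metric {
    category = "AllMetrics"
  }

  lifecycle {
    # Fail at plan time rather than creating a setting with nowhere to send logs.
    precondition {
      condition     = var.log_analytics_workspace_id != null
      error_message = "log_analytics_workspace_id must be set when enable_audit_log is true."
    }
  }
}
```

With enable_audit_log = false the plan contains only the base parameter and no diagnostic setting; flipping it to true adds the two audit parameters and the diagnostic setting in one apply, and a later change to audit_log_events updates only that single parameter resource.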
SvenAelterman (Contributor) commented:

From a governance perspective, I prefer that auditing is enabled via Azure Policy. I am not sure if MySQL database auditing can be enabled via Policy, in which case we'll consider that for implementation in Bicep.

SvenAelterman added this to the Backlog milestone on Dec 23, 2023
SvenAelterman added the "bicep: Items related to the Bicep IaC" label on Nov 12, 2024