feat: allow custom retention days for extended auditing policy (#91)

equinor · Jun 5, 2023 · 076fd59 · 076fd59
1 parent e9c0ca7
commit 076fd59
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/main.tf b/main.tf
@@ -84,6 +84,7 @@ resource "azurerm_mssql_failover_group" "this" {
 resource "azurerm_mssql_server_extended_auditing_policy" "this" {
   server_id              = azurerm_mssql_server.this.id
   log_monitoring_enabled = true
+  retention_in_days      = var.extended_auditing_policy_retention_in_days
 }
 
 # Create diagnostic setting for master database to enable server wide.
@@ -142,8 +143,8 @@ resource "azurerm_mssql_server_security_alert_policy" "this" {
   server_name          = azurerm_mssql_server.this.name
   state                = "Enabled"
   disabled_alerts      = []
-  email_addresses      = var.security_alert_policy_email_addresses
   email_account_admins = var.security_alert_policy_email_account_admins
+  email_addresses      = var.security_alert_policy_email_addresses
 }
 
 resource "azurerm_mssql_server_vulnerability_assessment" "this" {

diff --git a/variables.tf b/variables.tf
@@ -34,6 +34,12 @@ variable "storage_account_access_key" {
   sensitive   = true
 }
 
+variable "storage_container_name" {
+  description = "The name of this Storage Container."
+  type        = string
+  default     = "vulnerability-assessment"
+}
+
 variable "azuread_administrator" {
   description = "An Azure AD administrator to configure for this SQL server."
 
@@ -91,6 +97,12 @@ variable "failover_groups" {
   default = {}
 }
 
+variable "extended_auditing_policy_retention_in_days" {
+  description = "The number of days to retain logs in the Storage Account for this SQL server."
+  type        = number
+  default     = 0
+}
+
 variable "diagnostic_setting_name" {
   description = "The name of this diagnostic setting."
   type        = string
@@ -103,22 +115,16 @@ variable "diagnostic_setting_enabled_log_categories" {
   default     = ["SQLSecurityAuditEvents"]
 }
 
-variable "security_alert_policy_email_addresses" {
-  description = "A list of custom email addresses to which the alert for this SQL server is sent."
-  type        = list(string)
-  default     = []
-}
-
 variable "security_alert_policy_email_account_admins" {
   description = "Are alerts for this SQL server sent to subscription owners and administrators?"
   type        = bool
   default     = true
 }
 
-variable "storage_container_name" {
-  description = "The name of this Storage Container."
-  type        = string
-  default     = "vulnerability-assessment"
+variable "security_alert_policy_email_addresses" {
+  description = "A list of custom email addresses to which the alert for this SQL server is sent."
+  type        = list(string)
+  default     = []
 }
 
 variable "vulnerability_assessment_recurring_scans_enabled" {
@@ -138,6 +144,7 @@ variable "vulnerability_assessment_recurring_scans_emails" {
   type        = list(string)
   default     = []
 }
+
 variable "tags" {
   description = "A mapping of tags to assign to the resources."
   type        = map(string)