resource "azurerm_mssql_server" "azure_sql_server" {
  # Logical SQL server. Every firewall rule, policy, diagnostic setting and
  # private endpoint below is attached to this resource's id.
  name                = var.name
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  version = var.sqlversion

  # The TLS floor and public exposure are caller-supplied; the secure values
  # live in the variable defaults, so review those rather than this block.
  minimum_tls_version           = var.tlsver
  public_network_access_enabled = var.public_network_access_enabled

  # Entra ID (Azure AD) administrator. No administrator_login / password is
  # declared here, so with azuread_authentication_only = true (the intended
  # setting per the original note) the server presumably has no SQL-auth admin at all.
  azuread_administrator {
    azuread_authentication_only = var.ad_auth_only          # set to: true
    login_username              = var.sql_admin_group_name # azurerm_user_assigned_identity.uai-sql.name
    object_id                   = var.sql_admin_object_id  # azurerm_user_assigned_identity.uai-sql.principal_id
  }

  # System-assigned managed identity; presumably what the auditing and
  # vulnerability-assessment resources use to reach storage without keys — confirm
  # against module.rbac_assignments.
  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    # Tags and the portal-toggled express VA flag are managed out of band;
    # ignore drift on them so plans stay clean. Note that ignoring
    # express_vulnerability_assessment_enabled means a portal change to it
    # is never reverted by Terraform.
    ignore_changes = [
      tags,
      express_vulnerability_assessment_enabled,
    ]
  }
}
/* --------------------------------------------------------------------------------------------------
SQL Server Firewall
-------------------------------------------------------------------------------------------------- */
resource "azurerm_mssql_firewall_rule" "firewall_rule" {
  # One server-level firewall rule per entry in var.firewall_rules, keyed by
  # the map key so entries can be added/removed without reindexing.
  for_each = var.firewall_rules

  server_id        = azurerm_mssql_server.azure_sql_server.id
  name             = each.value.fw_rule_name
  # Inclusive IPv4 range. NOTE: the special range 0.0.0.0-0.0.0.0 is Azure's
  # "allow Azure services" switch, not a no-op; these rules only matter while
  # public_network_access_enabled is true on the server.
  start_ip_address = each.value.start_ip
  end_ip_address   = each.value.end_ip
}
/* --------------------------------------------------------------------------------------------------
Private Endpoint Configuration for SQL Server
-------------------------------------------------------------------------------------------------- */
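module "private_endpoint_sql_server" {
  # Private endpoint for the SQL server, created only when the caller turns it
  # on. try() yields the attribute's value and falls back to false when
  # private_endpoint_properties is null or lacks the attribute. The previous
  # can() test only checked that the attribute could be evaluated, so an
  # explicit `private_endpoint_enabled = false` still deployed the endpoint.
  count  = try(var.private_endpoint_properties.private_endpoint_enabled, false) ? 1 : 0
  source = "../private-endpoint"

  name                = "${var.name}-sql-pep"
  location            = var.location
  resource_group_name = var.private_endpoint_properties.private_endpoint_resource_group_name
  subnet_id           = var.private_endpoint_properties.private_endpoint_subnet_id
  tags                = var.tags

  # Registers the endpoint's private IP in the caller-supplied privatelink DNS zone(s).
  private_dns_zone_group = {
    name                 = "${var.name}-sql-pep-zone-group"
    private_dns_zone_ids = var.private_endpoint_properties.private_dns_zone_ids_sql
  }

  # "sqlServer" is the only sub-resource a logical SQL server exposes.
  private_service_connection = {
    name                           = "${var.name}-sql-pep-connection"
    private_connection_resource_id = azurerm_mssql_server.azure_sql_server.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = var.private_endpoint_properties.private_service_connection_is_manual
  }
}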
/* --------------------------------------------------------------------------------------------------
SQL Server Diagnostic Settings
-------------------------------------------------------------------------------------------------- */
module "diagnostic_setting_sql_server" {
  source = "../diagnostic-settings"

  # NOTE: "diagnotic" is a typo in the resource name. Correcting it renames
  # the diagnostic setting (forces replacement), so it is deliberately left as-is.
  name = "${var.name}-sql-server-diagnotic-setting"

  # Server-level logs are surfaced through the master database, hence the
  # /databases/master suffix on the server id.
  target_resource_id         = "${azurerm_mssql_server.azure_sql_server.id}/databases/master"
  log_analytics_workspace_id = var.log_analytics_workspace_id
  enabled_log                = var.monitor_diagnostic_setting_sql_server_enabled_logs
  enabled_metric             = var.monitor_diagnostic_setting_sql_server_metrics

  # master is only addressable once a user database exists on the server, so
  # wait for the default database (declared elsewhere in this module).
  depends_on = [azurerm_mssql_database.defaultdb]
}
/* --------------------------------------------------------------------------------------------------
SQL Server Extended Auditing Policy
-------------------------------------------------------------------------------------------------- */
resource "azurerm_mssql_server_extended_auditing_policy" "azure_sql_server" {
  server_id = azurerm_mssql_server.azure_sql_server.id

  # No storage_endpoint is declared, so audit events can only leave the server
  # via Log Analytics when log_monitoring_enabled is true (the diagnostic
  # setting on master presumably forwards them — confirm the enabled_log list
  # includes the audit category). retention_in_days presumably governs storage
  # retention only and has no effect without a storage endpoint — confirm.
  log_monitoring_enabled = var.log_monitoring_enabled
  retention_in_days      = var.auditing_policy_retention_in_days

  # Role assignments must be in place before auditing is switched on.
  depends_on = [
    module.rbac_assignments,
  ]
}
/* --------------------------------------------------------------------------------------------------
Security Alert Policy for SQL Server
-------------------------------------------------------------------------------------------------- */
resource "azurerm_mssql_server_security_alert_policy" "sql_server_alert_policy" {
  # Threat-detection policy for the server. This resource is addressed by
  # server name + resource group rather than by server id.
  resource_group_name = var.resource_group_name
  server_name         = azurerm_mssql_server.azure_sql_server.name

  # Both the on/off state and the retention window are caller-driven; no
  # email recipients or storage endpoint are configured in this block.
  state          = var.sql_server_alert_policy_state
  retention_days = var.security_alert_policy_retention_days
}
/* --------------------------------------------------------------------------------------------------
Vulnerability Assessment for SQL Server
-------------------------------------------------------------------------------------------------- */
resource "azurerm_mssql_server_vulnerability_assessment" "sql_server_vulnerability_assessment" {
  # Storage-backed (classic) vulnerability assessment; opt-in per deployment.
  count = var.vulnerability_assessment_enabled ? 1 : 0

  # VA hangs off the security alert policy; the policy's state presumably has
  # to be "Enabled" for Azure to accept this resource — confirm.
  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.sql_server_alert_policy.id

  # No SAS key or access key is supplied, so scan results are presumably
  # written using the server's system-assigned identity, which then needs a
  # data-plane role on the storage account (see module.rbac_assignments).
  # The variable is named as an "id" but this argument expects a blob
  # container path — verify callers pass the container URL.
  storage_container_path = var.storage_container_id

  recurring_scans {
    enabled                   = true
    email_subscription_admins = true
  }
}