Vulnerability assessment enablement on Azure SQL server through ARM template
I have created my Azure SQL server through ARM templates. To enable the vulnerability assessment I need to enable Advanced data security. I use the following code in my ARM template inside the resource bracket of the SQL server resource to enable this.

{
  "name": "vulnerabilityAssessments",
  "type": "vulnerabilityAssessments",
  "apiVersion": "2018-06-01-preview",
  "dependsOn": [
    "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]"
  ],
  "properties": {
    "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/vulnerability-assessment/')]",
    "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
    "recurringScans": {
      "isEnabled": true,
      "emailSubscriptionAdmins": false,
      "emails": "[parameters('emailaddresses')]"
    }
  }
},

As you can see, I set my storage account for the vulnerability assessment, but when I deploy this I get the following error:

VulnerabilityAssessmentADSIsDisabled", "message": "Advanced Data Security should be enabled in order to use Vulnerability Assessment."

And when I look into the Advanced Data Security blade of the SQL server I see this has been set (screenshot omitted):

If I set the storage account manually, the vulnerability assessment is enabled. I tried to change the vulnerability assessment brackets on the database level and tried to debug the storage account reference in the properties, but I can't seem to see what I do wrong or what I keep forgetting. Is there anyone who has tried to do this already?

PS: As you can see in the image, periodic recurring scans is off, whilst I have enabled this inside the recurring scans array of the vulnerability assessment.

Hesperidium asked 16/7, 2019 at 11:59
The issue you are having is caused by deploying an ARM template with Vulnerability Assessment, but without enabling Advanced Data Security first.

You will have to deploy Advanced Data Security in the ARM template and add a dependency in the Vulnerability Assessment block, so it will only be deployed after Advanced Data Security is deployed.

For example:

{
  "apiVersion": "2017-03-01-preview",
  "type": "Microsoft.Sql/servers/securityAlertPolicies",
  "name": "[concat(parameters('serverName'), '/Default')]",
  "properties": {
    "state": "Enabled",
    "disabledAlerts": [],
    "emailAddresses": [],
    "emailAccountAdmins": true
  }
},
{
  "apiVersion": "2018-06-01-preview",
  "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
  "name": "[concat(parameters('serverName'), '/Default')]",
  "properties": {
    "storageContainerPath": "[if(parameters('enableADS'), concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-07-01').primaryEndpoints.blob, 'vulnerability-assessment'), '')]",
    "storageAccountAccessKey": "[if(parameters('enableADS'), listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-02-01').keys[0].value, '')]",
    "recurringScans": {
      "isEnabled": true,
      "emailSubscriptionAdmins": true,
      "emails": []
    }
  },
  "dependsOn": [
    "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
    "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
  ]
}

Note that in this example I'm assuming that you are using an existing storage account. If you're deploying a storage account within the same ARM template, you will have to add a dependency for that too (under "dependsOn"):

"[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]"
Northerner answered 8/8, 2019 at 8:19

Comment: Thanks, after many deployments I figured the same thing out, but because my solution of splitting the vulnerability assessment into another resource did the trick, I stopped searching for the root cause. (Hesperidium)
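To catch the ordering mistake described in this answer (and the nested child-resource layout from the question) before running a deployment, here is a small added lint script; it is not code from the answer or from Microsoft's tooling. It assumes the template is plain JSON using the `type`, `dependsOn`, nested `resources` and `properties.state` fields shown above, and the two sample templates embedded in it are constructed.

```python
"""Constructed pre-deployment lint: does vulnerabilityAssessments depend on an Enabled ADS policy?"""
import json

ADS_TYPE = "Microsoft.Sql/servers/securityAlertPolicies"
VA_TYPE = "Microsoft.Sql/servers/vulnerabilityAssessments"
STORAGE_TYPE = "Microsoft.Storage/storageAccounts"


def flatten(resources, parent_type=None):
    """Yield (full_type, resource) for every resource, expanding nested children.

    A child nested inside a parent may give only the short type (e.g. "vulnerabilityAssessments"),
    so it is prefixed with the parent's type to get the full resource type.
    """
    for res in resources:
        rtype = res.get("type", "")
        if parent_type and "/" not in rtype:
            rtype = f"{parent_type}/{rtype}"
        yield rtype, res
        yield from flatten(res.get("resources", []), rtype)


def lint_vulnerability_assessment(template):
    """Return a list of findings; an empty list means the ordering looks right."""
    flat = list(flatten(template.get("resources", [])))
    types = {t for t, _ in flat}
    ads_enabled = any(t == ADS_TYPE and r.get("properties", {}).get("state") == "Enabled" for t, r in flat)
    findings = []
    for rtype, res in flat:
        if rtype != VA_TYPE:
            continue
        deps = " ".join(res.get("dependsOn", []))  # dependsOn entries are ARM expressions or ids
        if not ads_enabled:
            findings.append("no securityAlertPolicies resource with state Enabled (ADS) in template")
        if "/securityAlertPolicies/" not in deps:
            findings.append("vulnerabilityAssessments does not dependOn securityAlertPolicies")
        if STORAGE_TYPE in types and STORAGE_TYPE not in deps:
            findings.append("storage account is deployed in this template but is not in dependsOn")
    return findings


def lint_file(path):
    """Lint an ARM template file on disk (constructed helper for command-line use)."""
    with open(path, encoding="utf-8") as fh:
        return lint_vulnerability_assessment(json.load(fh))


# Constructed minimal templates: BAD mirrors the question's nested child without ADS, GOOD the answer.
BAD = {"resources": [{"type": "Microsoft.Sql/servers", "name": "sql", "resources": [
    {"type": "vulnerabilityAssessments", "name": "Default", "dependsOn": ["Microsoft.Sql/servers/sql"]}]}]}
GOOD = {"resources": [
    {"type": ADS_TYPE, "name": "sql/Default", "properties": {"state": "Enabled"}},
    {"type": VA_TYPE, "name": "sql/Default",
     "dependsOn": ["Microsoft.Sql/servers/sql", "Microsoft.Sql/servers/sql/securityAlertPolicies/Default"]}]}
```

Run it against `BAD` and `GOOD` to see both failure reasons reported for the first and none for the second; point `lint_file` at a real template to check it the same way.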
I have fixed this issue by splitting the vulnerability assessment into a different resource block, and not putting it inside the SQL resource block. The new resource block looks like this:

{
  "name": "[concat(parameters('sqlServerName'), '/vulnerabilityAssessments')]",
  "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
  "apiVersion": "2018-06-01-preview",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]",
    "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'), '/databases/', parameters('databaseName'))]"
  ],
  "properties": {
    "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/vulnerability-assessment/')]",
    "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
    "recurringScans": {
      "isEnabled": true,
      "emailSubscriptionAdmins": false,
      "emails": "[parameters('emailaddresses')]"
    }
  }
},
Hesperidium answered 22/7, 2019 at 7:32