From 9e49f0510fc57175d0c66460ba742c849ac01123 Mon Sep 17 00:00:00 2001 From: Luba Libov <39737466+lubalibu@users.noreply.github.com> Date: Tue, 28 Apr 2020 10:28:10 +0300 Subject: [PATCH] Update Sql Auditing swager (#8897) * Update Sql Auditing swagger 1. Support auditing to storage with Vnet/Firewall rules API- supporting blob storage authentication with managed identity 2. Add List audit API * update DatabaseExtendedAuditingSettingsList examp * Update DatabaseExtendedAuditingSettingsList.json Co-authored-by: bashahee <32364196+bashahee@users.noreply.github.com> --- .../2015-05-01-preview/blobAuditing.json | 4 +- .../2017-03-01-preview/blobAuditing.json | 141 +++++++++++++++++- .../DatabaseExtendedAuditingSettingsList.json | 32 ++++ .../ServerExtendedAuditingSettingsList.json | 31 ++++ 4 files changed, 198 insertions(+), 10 deletions(-) create mode 100644 specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/DatabaseExtendedAuditingSettingsList.json create mode 100644 specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/ServerExtendedAuditingSettingsList.json diff --git a/specification/sql/resource-manager/Microsoft.Sql/preview/2015-05-01-preview/blobAuditing.json b/specification/sql/resource-manager/Microsoft.Sql/preview/2015-05-01-preview/blobAuditing.json index a54e76e1c57c..74a2e385bb4b 100644 --- a/specification/sql/resource-manager/Microsoft.Sql/preview/2015-05-01-preview/blobAuditing.json +++ b/specification/sql/resource-manager/Microsoft.Sql/preview/2015-05-01-preview/blobAuditing.json @@ -103,7 +103,7 @@ } }, "default": { - "description": "*** Error Responses: ***\n\n * 400 BlobAuditingIsNotSupportedOnResourceType - Blob Auditing is currently not supported for this resource type.\n\n * 400 InvalidDatabaseBlobAuditingPolicyCreateRequest - The create database blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingInvalidStorageAccountName - The provided storage account is not valid or does not exist.\n\n * 400 UpdateNotAllowedOnPausedDatabase - User attempted to perform an update on a paused database.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 BlobAuditingIsNotSupportedOnGeoDr - Blob auditing can be configured on primary databases only.\n\n * 400 InvalidBlobAuditActionsAndGroupsForDW - Unsupported audit actions or action groups for DW.\n\n * 400 BlobAuditingInsufficientStorageAccountPermissions - Insufficient read or write permissions on the provided storage account.\n\n * 400 BlobAuditingStorageAccountIsDisabled - The provided storage account is disabled.\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SourceDatabaseNotFound - The source database does not exist.\n\n * 404 DatabaseDoesNotExist - User has specified a database name that does not exist on this server instance.\n\n * 500 DatabaseIsUnavailable - Loading failed. Please try again later." + "description": "*** Error Responses: ***\n\n * 400 BlobAuditingIsNotSupportedOnResourceType - Blob Auditing is currently not supported for this resource type.\n\n * 400 InvalidDatabaseBlobAuditingPolicyCreateRequest - The create database blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingInvalidStorageAccountName - The provided storage account is not valid or does not exist.\n\n * 400 UpdateNotAllowedOnPausedDatabase - User attempted to perform an update on a paused database.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 BlobAuditingIsNotSupportedOnGeoDr - Blob auditing can be configured on primary databases only.\n\n * 400 BlobAuditingNoServerIdentity - The server identity is not correctly configured.\n\n * 400 InvalidBlobAuditActionsAndGroupsForDW - Unsupported audit actions or action groups for DW.\n\n * 400 BlobAuditingInsufficientStorageAccountPermissions - Insufficient read or write permissions on the provided storage account.\n\n * 400 BlobAuditingStorageAccountIsDisabled - The provided storage account is disabled.\n\n * 400 InsufficientDiskSpaceForAuditing - Insufficient disk space to save auditing metadata in the database\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SourceDatabaseNotFound - The source database does not exist.\n\n * 404 DatabaseDoesNotExist - User has specified a database name that does not exist on this server instance.\n\n * 500 DatabaseIsUnavailable - Loading failed. Please try again later." }, "201": { "description": "Successfully created the database blob auditing policy.", @@ -196,7 +196,7 @@ "type": "string" }, "storageAccountAccessKey": { - "description": "Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, storageAccountAccessKey is required.", + "description": "Specifies the identifier key of the auditing storage account. \r\nIf state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage.\r\nPrerequisites for using managed identity authentication:\r\n1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).\r\n2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity.\r\nFor more information, see [Auditing to storage using Managed Identity authentication](https://go.microsoft.com/fwlink/?linkid=2114355)", "type": "string", "x-ms-mutability": [ "create", diff --git a/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/blobAuditing.json b/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/blobAuditing.json index 78954c1818e2..90430bf3fd96 100644 --- a/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/blobAuditing.json +++ b/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/blobAuditing.json @@ -103,7 +103,7 @@ } }, "default": { - "description": "*** Error Responses: ***\n\n * 400 BlobAuditingIsNotSupportedOnResourceType - Blob Auditing is currently not supported for this resource type.\n\n * 400 BlobAuditingPredicateExpressionSyntaxError - Invalid value of parameter 'predicateExpression'.\n\n * 400 InvalidDatabaseBlobAuditingPolicyCreateRequest - The create database blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingPredicateExpressionEmpty - Invalid parameter 'predicateExpression', value can not be empty.\n\n * 400 BlobAuditingInvalidStorageAccountName - The provided storage account is not valid or does not exist.\n\n * 400 UpdateNotAllowedOnPausedDatabase - User attempted to perform an update on a paused database.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 BlobAuditingIsNotSupportedOnGeoDr - Blob auditing can be configured on primary databases only.\n\n * 400 InvalidBlobAuditActionsAndGroupsForDW - Unsupported audit actions or action groups for DW.\n\n * 400 BlobAuditingInsufficientStorageAccountPermissions - Insufficient read or write permissions on the provided storage account.\n\n * 400 BlobAuditingStorageAccountIsDisabled - The provided storage account is disabled.\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SourceDatabaseNotFound - The source database does not exist.\n\n * 404 DatabaseDoesNotExist - User has specified a database name that does not exist on this server instance.\n\n * 500 DatabaseIsUnavailable - Loading failed. Please try again later." + "description": "*** Error Responses: ***\n\n * 400 BlobAuditingIsNotSupportedOnResourceType - Blob Auditing is currently not supported for this resource type.\n\n * 400 BlobAuditingPredicateExpressionSyntaxError - Invalid value of parameter 'predicateExpression'.\n\n * 400 InvalidDatabaseBlobAuditingPolicyCreateRequest - The create database blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingPredicateExpressionEmpty - Invalid parameter 'predicateExpression', value can not be empty.\n\n * 400 BlobAuditingInvalidStorageAccountName - The provided storage account is not valid or does not exist.\n\n * 400 UpdateNotAllowedOnPausedDatabase - User attempted to perform an update on a paused database.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 BlobAuditingIsNotSupportedOnGeoDr - Blob auditing can be configured on primary databases only.\n\n * 400 BlobAuditingNoServerIdentity - The server identity is not correctly configured.\n\n * 400 InvalidBlobAuditActionsAndGroupsForDW - Unsupported audit actions or action groups for DW.\n\n * 400 BlobAuditingInsufficientStorageAccountPermissions - Insufficient read or write permissions on the provided storage account.\n\n * 400 BlobAuditingStorageAccountIsDisabled - The provided storage account is disabled.\n\n * 400 InsufficientDiskSpaceForAuditing - Insufficient disk space to save auditing metadata in the database\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SourceDatabaseNotFound - The source database does not exist.\n\n * 404 DatabaseDoesNotExist - User has specified a database name that does not exist on this server instance.\n\n * 500 DatabaseIsUnavailable - Loading failed. Please try again later." }, "201": { "description": "Successfully created the extended database blob auditing policy.", @@ -125,6 +125,51 @@ } } }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/extendedAuditingSettings": { + "get": { + "tags": [ + "BlobAuditing" + ], + "description": "Lists extended auditing settings of a database.", + "operationId": "ExtendedDatabaseBlobAuditingPolicies_ListByDatabase", + "parameters": [ + { + "$ref": "#/parameters/ResourceGroupParameter" + }, + { + "$ref": "#/parameters/ServerNameParameter" + }, + { + "$ref": "#/parameters/DatabaseNameParameter" + }, + { + "$ref": "#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "Successfully retrieved the database extended auditing settings.", + "schema": { + "$ref": "#/definitions/ExtendedDatabaseBlobAuditingPolicyListResult" + } + }, + "default": { + "description": "*** Error Responses: ***\n\n * 400 BlobAuditingIsNotSupportedOnResourceType - Blob Auditing is currently not supported for this resource type.\n\n * 404 SourceDatabaseNotFound - The source database does not exist.\n\n * 404 DatabaseDoesNotExist - User has specified a database name that does not exist on this server instance.\n\n * 500 DatabaseIsUnavailable - Loading failed. Please try again later." + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "List extended auditing settings of a database": { + "$ref": "./examples/DatabaseExtendedAuditingSettingsList.json" + } + } + } + }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/extendedAuditingSettings/{blobAuditingPolicyName}": { "get": { "tags": [ @@ -206,7 +251,7 @@ } }, "default": { - "description": "*** Error Responses: ***\n\n * 400 InvalidServerBlobAuditingPolicyCreateRequest - The create server blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingPredicateExpressionEmpty - Invalid parameter 'predicateExpression', value can not be empty.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SubscriptionDoesNotHaveServer - The requested server was not found\n\n * 404 ServerNotInSubscriptionResourceGroup - Specified server does not exist in the specified resource group and subscription.\n\n * 409 ServerBlobAuditingPolicyInProgress - Set server blob auditing is already in progress." + "description": "*** Error Responses: ***\n\n * 400 InvalidServerBlobAuditingPolicyCreateRequest - The create server blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingPredicateExpressionEmpty - Invalid parameter 'predicateExpression', value can not be empty.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 InsufficientDiskSpaceForAuditing - Insufficient disk space to save auditing metadata in the database\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SubscriptionDoesNotHaveServer - The requested server was not found\n\n * 404 ServerNotInSubscriptionResourceGroup - Specified server does not exist in the specified resource group and subscription.\n\n * 409 ServerBlobAuditingPolicyInProgress - Set server blob auditing is already in progress." }, "202": { "description": "Updating the extended auditing settings is in progress." @@ -223,6 +268,48 @@ } } }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/extendedAuditingSettings": { + "get": { + "tags": [ + "BlobAuditing" + ], + "description": "Lists extended auditing settings of a server.", + "operationId": "ExtendedServerBlobAuditingPolicies_ListByServer", + "parameters": [ + { + "$ref": "#/parameters/ResourceGroupParameter" + }, + { + "$ref": "#/parameters/ServerNameParameter" + }, + { + "$ref": "#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "Successfully retrieved extended server auditing settings.", + "schema": { + "$ref": "#/definitions/ExtendedServerBlobAuditingPolicyListResult" + } + }, + "default": { + "description": "*** Error Responses: ***\n\n * 404 SubscriptionDoesNotHaveServer - The requested server was not found\n\n * 404 ServerNotInSubscriptionResourceGroup - Specified server does not exist in the specified resource group and subscription." + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "List extended auditing settings of a server": { + "$ref": "./examples/ServerExtendedAuditingSettingsList.json" + } + } + } + }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/auditingSettings/{blobAuditingPolicyName}": { "get": { "tags": [ @@ -304,7 +391,7 @@ } }, "default": { - "description": "*** Error Responses: ***\n\n * 400 InvalidServerBlobAuditingPolicyCreateRequest - The create server blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SubscriptionDoesNotHaveServer - The requested server was not found\n\n * 404 ServerNotInSubscriptionResourceGroup - Specified server does not exist in the specified resource group and subscription.\n\n * 409 ServerBlobAuditingPolicyInProgress - Set server blob auditing is already in progress." + "description": "*** Error Responses: ***\n\n * 400 InvalidServerBlobAuditingPolicyCreateRequest - The create server blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 InsufficientDiskSpaceForAuditing - Insufficient disk space to save auditing metadata in the database\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SubscriptionDoesNotHaveServer - The requested server was not found\n\n * 404 ServerNotInSubscriptionResourceGroup - Specified server does not exist in the specified resource group and subscription.\n\n * 409 ServerBlobAuditingPolicyInProgress - Set server blob auditing is already in progress." }, "202": { "description": "Updating the auditing settings is in progress." @@ -450,7 +537,7 @@ } }, "default": { - "description": "*** Error Responses: ***\n\n * 400 BlobAuditingIsNotSupportedOnResourceType - Blob Auditing is currently not supported for this resource type.\n\n * 400 InvalidDatabaseBlobAuditingPolicyCreateRequest - The create database blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingInvalidStorageAccountName - The provided storage account is not valid or does not exist.\n\n * 400 UpdateNotAllowedOnPausedDatabase - User attempted to perform an update on a paused database.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 BlobAuditingIsNotSupportedOnGeoDr - Blob auditing can be configured on primary databases only.\n\n * 400 InvalidBlobAuditActionsAndGroupsForDW - Unsupported audit actions or action groups for DW.\n\n * 400 BlobAuditingInsufficientStorageAccountPermissions - Insufficient read or write permissions on the provided storage account.\n\n * 400 BlobAuditingStorageAccountIsDisabled - The provided storage account is disabled.\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SourceDatabaseNotFound - The source database does not exist.\n\n * 404 DatabaseDoesNotExist - User has specified a database name that does not exist on this server instance.\n\n * 500 DatabaseIsUnavailable - Loading failed. Please try again later." + "description": "*** Error Responses: ***\n\n * 400 BlobAuditingIsNotSupportedOnResourceType - Blob Auditing is currently not supported for this resource type.\n\n * 400 InvalidDatabaseBlobAuditingPolicyCreateRequest - The create database blob auditing policy request does not exist or has no properties object.\n\n * 400 InvalidBlobAuditActionsAndGroups - Invalid audit actions or action groups.\n\n * 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.\n\n * 400 BlobAuditingInvalidStorageAccountName - The provided storage account is not valid or does not exist.\n\n * 400 UpdateNotAllowedOnPausedDatabase - User attempted to perform an update on a paused database.\n\n * 400 BlobAuditingInvalidStorageAccountCredentials - The provided storage account or access key is not valid.\n\n * 400 BlobAuditingIsNotSupportedOnGeoDr - Blob auditing can be configured on primary databases only.\n\n * 400 BlobAuditingNoServerIdentity - The server identity is not correctly configured.\n\n * 400 InvalidBlobAuditActionsAndGroupsForDW - Unsupported audit actions or action groups for DW.\n\n * 400 BlobAuditingInsufficientStorageAccountPermissions - Insufficient read or write permissions on the provided storage account.\n\n * 400 BlobAuditingStorageAccountIsDisabled - The provided storage account is disabled.\n\n * 400 InsufficientDiskSpaceForAuditing - Insufficient disk space to save auditing metadata in the database\n\n * 400 InvalidBlobAuditActions - Invalid audit action\n\n * 404 SourceDatabaseNotFound - The source database does not exist.\n\n * 404 DatabaseDoesNotExist - User has specified a database name that does not exist on this server instance.\n\n * 500 DatabaseIsUnavailable - Loading failed. Please try again later." }, "201": { "description": "Successfully created the database blob auditing policy.", @@ -547,7 +634,7 @@ "type": "string" }, "storageAccountAccessKey": { - "description": "Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, storageAccountAccessKey is required.", + "description": "Specifies the identifier key of the auditing storage account. \r\nIf state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage.\r\nPrerequisites for using managed identity authentication:\r\n1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).\r\n2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity.\r\nFor more information, see [Auditing to storage using Managed Identity authentication](https://go.microsoft.com/fwlink/?linkid=2114355)", "type": "string", "x-ms-mutability": [ "create", @@ -602,6 +689,25 @@ } } }, + "ExtendedDatabaseBlobAuditingPolicyListResult": { + "description": "A list of database extended auditing settings.", + "type": "object", + "properties": { + "value": { + "description": "Array of results.", + "type": "array", + "items": { + "$ref": "#/definitions/ExtendedDatabaseBlobAuditingPolicy" + }, + "readOnly": true + }, + "nextLink": { + "description": "Link to retrieve next page of results.", + "type": "string", + "readOnly": true + } + } + }, "ExtendedServerBlobAuditingPolicyProperties": { "description": "Properties of an extended server blob auditing policy.", "required": [ @@ -630,7 +736,7 @@ "type": "string" }, "storageAccountAccessKey": { - "description": "Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, storageAccountAccessKey is required.", + "description": "Specifies the identifier key of the auditing storage account. \r\nIf state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage.\r\nPrerequisites for using managed identity authentication:\r\n1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).\r\n2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity.\r\nFor more information, see [Auditing to storage using Managed Identity authentication](https://go.microsoft.com/fwlink/?linkid=2114355)", "type": "string", "x-ms-mutability": [ "create", @@ -685,6 +791,25 @@ } } }, + "ExtendedServerBlobAuditingPolicyListResult": { + "description": "A list of server extended auditing settings.", + "type": "object", + "properties": { + "value": { + "description": "Array of results.", + "type": "array", + "items": { + "$ref": "#/definitions/ExtendedServerBlobAuditingPolicy" + }, + "readOnly": true + }, + "nextLink": { + "description": "Link to retrieve next page of results.", + "type": "string", + "readOnly": true + } + } + }, "ServerBlobAuditingPolicyProperties": { "description": "Properties of a server blob auditing policy.", "required": [ @@ -709,7 +834,7 @@ "type": "string" }, "storageAccountAccessKey": { - "description": "Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, storageAccountAccessKey is required.", + "description": "Specifies the identifier key of the auditing storage account. \r\nIf state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage.\r\nPrerequisites for using managed identity authentication:\r\n1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).\r\n2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity.\r\nFor more information, see [Auditing to storage using Managed Identity authentication](https://go.microsoft.com/fwlink/?linkid=2114355)", "type": "string", "x-ms-mutability": [ "create", @@ -807,7 +932,7 @@ "type": "string" }, "storageAccountAccessKey": { - "description": "Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, storageAccountAccessKey is required.", + "description": "Specifies the identifier key of the auditing storage account. \r\nIf state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage.\r\nPrerequisites for using managed identity authentication:\r\n1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).\r\n2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity.\r\nFor more information, see [Auditing to storage using Managed Identity authentication](https://go.microsoft.com/fwlink/?linkid=2114355)", "type": "string", "x-ms-mutability": [ "create", diff --git a/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/DatabaseExtendedAuditingSettingsList.json b/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/DatabaseExtendedAuditingSettingsList.json new file mode 100644 index 000000000000..d4b99bed098a --- /dev/null +++ b/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/DatabaseExtendedAuditingSettingsList.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "subscriptionId": "00000000-1111-2222-3333-444444444444", + "resourceGroupName": "blobauditingtest-6852", + "serverName": "blobauditingtest-2080", + "databaseName": "testdb", + "api-version": "2017-03-01-preview" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-6852/providers/Microsoft.Sql/servers/blobauditingtest-2080/databases/testdb/extendedAuditingSettings/default", + "name": "default", + "type": "Microsoft.Sql/servers/databases/extendedAuditingSettings", + "properties": { + "state": "Disabled", + "storageEndpoint": "", + "retentionDays": 0, + "auditActionsAndGroups": [], + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "isStorageSecondaryKeyInUse": false, + "predicateExpression": "statement = 'select 1'", + "isAzureMonitorTargetEnabled": false + } + } + ] + } + } + } +} diff --git a/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/ServerExtendedAuditingSettingsList.json b/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/ServerExtendedAuditingSettingsList.json new file mode 100644 index 000000000000..e5570eb1c9d5 --- /dev/null +++ b/specification/sql/resource-manager/Microsoft.Sql/preview/2017-03-01-preview/examples/ServerExtendedAuditingSettingsList.json @@ -0,0 +1,31 @@ +{ + "parameters": { + "subscriptionId": "00000000-1111-2222-3333-444444444444", + "resourceGroupName": "blobauditingtest-4799", + "serverName": "blobauditingtest-6440", + "api-version": "2017-03-01-preview" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-6852/providers/Microsoft.Sql/servers/blobauditingtest-2080/extendedAuditingSettings/default", + "name": "default", + "type": "Microsoft.Sql/servers/extendedAuditingSettings", + "properties": { + "state": "Disabled", + "storageEndpoint": "", + "retentionDays": 0, + "auditActionsAndGroups": [], + "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000", + "isStorageSecondaryKeyInUse": false, + "predicateExpression": "object_name = 'SensitiveData'", + "isAzureMonitorTargetEnabled": false + } + } + ] + } + } + } +}