I have created my Azure SQL server through ARM templates. To enable the vulnerability assessment I need to enable Advanced data security. I use the following code in my ARM template inside the resource bracket of the SQL server resource to enable this.
{
    "name": "vulnerabilityAssessments",
    "type": "vulnerabilityAssessments",
    "apiVersion": "2018-06-01-preview",
    "dependsOn": [
        "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]"
    ],
    "properties": {
        "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/vulnerability-assessment/')]",
        "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
        "recurringScans": {
            "isEnabled": true,
            "emailSubscriptionAdmins": false,
            "emails": "[parameters('emailaddresses')]"
        }
    }
},
As you can see, I set my storage account on the vulnerability assessment, but when I deploy this I get the following error:
VulnerabilityAssessmentADSIsDisabled", "message": "Advanced Data Security should be enabled in order to use Vulnerability Assessment."
And when I look into the Advanced Data Security blade of the SQL server I see this has been set:
If I set the storage account manually, the vulnerability assessment is enabled. I tried to change the vulnerability assessment brackets on the database level and tried to debug the storage account reference in the properties, but I can't seem to see what I do wrong or what I keep forgetting. Is there anyone who has tried to do this already?
PS: As you can see in the image, periodic recurring scans is off, whilst I have enabled this inside the recurring scans array of the vulnerability assessment.
The issue you are having is caused by deploying an ARM template with Vulnerability Assessment, but without enabling Advanced Data Security first.
You will have to deploy Advanced Data Security in the ARM template and add a dependency in the Vulnerability Assessment block, so it will only be deployed after Advanced Data Security is deployed.
For example:
{
    "apiVersion": "2017-03-01-preview",
    "type": "Microsoft.Sql/servers/securityAlertPolicies",
    "name": "[concat(parameters('serverName'), '/Default')]",
    "properties": {
        "state": "Enabled",
        "disabledAlerts": [],
        "emailAddresses": [],
        "emailAccountAdmins": true
    }
},
{
    "apiVersion": "2018-06-01-preview",
    "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
    "name": "[concat(parameters('serverName'), '/Default')]",
    "properties": {
        "storageContainerPath": "[if(parameters('enableADS'), concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-07-01').primaryEndpoints.blob, 'vulnerability-assessment'), '')]",
        "storageAccountAccessKey": "[if(parameters('enableADS'), listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-02-01').keys[0].value, '')]",
        "recurringScans": {
            "isEnabled": true,
            "emailSubscriptionAdmins": true,
            "emails": []
        }
    },
    "dependsOn": [
        "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
        "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
    ]
}
Note that in this example I'm assuming that you are using an existing storage account. If you're deploying a storage account within the same ARM template, you will have to add a dependency for that too (under "dependsOn"):
"[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]"
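A small pre-deployment check for the ordering problem described in this answer, added here as an example and not code from the original post. It walks a parsed ARM template (including child resources nested under a server) and reports a vulnerabilityAssessments resource that has no enabled securityAlertPolicies resource, no dependsOn on it, or no dependsOn on a storage account deployed in the same template; the two template fragments are constructed to mirror the question and the answer.

```python
# Constructed ARM template fragments for this example, not the original post's files.
# FAILING mirrors the question: a nested vulnerabilityAssessments child with no
# securityAlertPolicies resource in the template and no dependency on one.
FAILING = {"resources": [{
    "type": "Microsoft.Sql/servers", "name": "[parameters('sqlServerName')]",
    "resources": [{
        "type": "vulnerabilityAssessments", "name": "Default",
        "dependsOn": ["[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]"]}]}]}
# FIXED mirrors the answer: ADS enabled through securityAlertPolicies, and the
# vulnerabilityAssessments resource depends on it explicitly.
FIXED = {"resources": [
    {"type": "Microsoft.Sql/servers", "name": "[parameters('serverName')]"},
    {"type": "Microsoft.Sql/servers/securityAlertPolicies",
     "name": "[concat(parameters('serverName'), '/Default')]",
     "properties": {"state": "Enabled"}},
    {"type": "Microsoft.Sql/servers/vulnerabilityAssessments",
     "name": "[concat(parameters('serverName'), '/Default')]",
     "dependsOn": [
         "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
         "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"]}]}

def iter_resources(resources):
    """Yield every resource, descending into children nested under 'resources'."""
    for res in resources:
        yield res
        yield from iter_resources(res.get("resources", []))

def kind(res):
    # Nested children may use the short type ("vulnerabilityAssessments"), top-level
    # resources the full one ("Microsoft.Sql/servers/..."); compare the last segment.
    return res.get("type", "").split("/")[-1]

def check_va_ordering(template):
    """Return the ordering problems found; an empty list means the template is safe."""
    problems = []
    everything = list(iter_resources(template.get("resources", [])))
    ads_enabled = any(kind(r) == "securityAlertPolicies" and
                      r.get("properties", {}).get("state") == "Enabled" for r in everything)
    deploys_storage = any(kind(r) == "storageAccounts" for r in everything)
    for res in everything:
        if kind(res) != "vulnerabilityAssessments":
            continue
        deps = " ".join(res.get("dependsOn", []))  # heuristic substring match on ARM expressions
        if not ads_enabled:
            problems.append("no securityAlertPolicies resource with state Enabled: ADS stays off")
        elif "securityAlertPolicies" not in deps:
            problems.append("vulnerabilityAssessments lacks a dependsOn on securityAlertPolicies")
        if deploys_storage and "storageAccounts" not in deps:
            problems.append("vulnerabilityAssessments lacks a dependsOn on the storage account")
    return problems
```

Run it against the template loaded with `json.load` before `az deployment` to catch the ADS ordering mistake without waiting for the VulnerabilityAssessmentADSIsDisabled error.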