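import * as pulumi from "@pulumi/pulumi";

// NOTE(review): the generic type arguments on `pulumi.Input` / `pulumi.Output` below were
// reconstructed from the property documentation and Pulumi SDK conventions (optional
// properties surface as `T | undefined` on outputs). Confirm against the published typings.

/**
 * Manages a Security Alert Policy for an MS SQL Managed Instance.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * // Read the administrator password from encrypted stack configuration rather than
 * // committing a literal to source control (set with `pulumi config set --secret`).
 * const config = new pulumi.Config();
 * const administratorLoginPassword = config.requireSecret("administratorLoginPassword");
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "database-rg",
 *     location: "West Europe",
 * });
 * const exampleNetworkSecurityGroup = new azure.network.NetworkSecurityGroup("example", {
 *     name: "mi-security-group",
 *     location: example.location,
 *     resourceGroupName: example.name,
 * });
 * // NOTE: source `*` admits any address on these management ports; narrow
 * // `sourceAddressPrefix` where your deployment allows it.
 * const allowManagementInbound = new azure.network.NetworkSecurityRule("allow_management_inbound", {
 *     name: "allow_management_inbound",
 *     priority: 106,
 *     direction: "Inbound",
 *     access: "Allow",
 *     protocol: "Tcp",
 *     sourcePortRange: "*",
 *     destinationPortRanges: [
 *         "9000",
 *         "9003",
 *         "1438",
 *         "1440",
 *         "1452",
 *     ],
 *     sourceAddressPrefix: "*",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const allowMisubnetInbound = new azure.network.NetworkSecurityRule("allow_misubnet_inbound", {
 *     name: "allow_misubnet_inbound",
 *     priority: 200,
 *     direction: "Inbound",
 *     access: "Allow",
 *     protocol: "*",
 *     sourcePortRange: "*",
 *     destinationPortRange: "*",
 *     sourceAddressPrefix: "10.0.0.0/24",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const allowHealthProbeInbound = new azure.network.NetworkSecurityRule("allow_health_probe_inbound", {
 *     name: "allow_health_probe_inbound",
 *     priority: 300,
 *     direction: "Inbound",
 *     access: "Allow",
 *     protocol: "*",
 *     sourcePortRange: "*",
 *     destinationPortRange: "*",
 *     sourceAddressPrefix: "AzureLoadBalancer",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const allowTdsInbound = new azure.network.NetworkSecurityRule("allow_tds_inbound", {
 *     name: "allow_tds_inbound",
 *     priority: 1000,
 *     direction: "Inbound",
 *     access: "Allow",
 *     protocol: "Tcp",
 *     sourcePortRange: "*",
 *     destinationPortRange: "1433",
 *     sourceAddressPrefix: "VirtualNetwork",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const denyAllInbound = new azure.network.NetworkSecurityRule("deny_all_inbound", {
 *     name: "deny_all_inbound",
 *     priority: 4096,
 *     direction: "Inbound",
 *     access: "Deny",
 *     protocol: "*",
 *     sourcePortRange: "*",
 *     destinationPortRange: "*",
 *     sourceAddressPrefix: "*",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const allowManagementOutbound = new azure.network.NetworkSecurityRule("allow_management_outbound", {
 *     name: "allow_management_outbound",
 *     priority: 102,
 *     direction: "Outbound",
 *     access: "Allow",
 *     protocol: "Tcp",
 *     sourcePortRange: "*",
 *     destinationPortRanges: [
 *         "80",
 *         "443",
 *         "12000",
 *     ],
 *     sourceAddressPrefix: "*",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const allowMisubnetOutbound = new azure.network.NetworkSecurityRule("allow_misubnet_outbound", {
 *     name: "allow_misubnet_outbound",
 *     priority: 200,
 *     direction: "Outbound",
 *     access: "Allow",
 *     protocol: "*",
 *     sourcePortRange: "*",
 *     destinationPortRange: "*",
 *     sourceAddressPrefix: "10.0.0.0/24",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const denyAllOutbound = new azure.network.NetworkSecurityRule("deny_all_outbound", {
 *     name: "deny_all_outbound",
 *     priority: 4096,
 *     direction: "Outbound",
 *     access: "Deny",
 *     protocol: "*",
 *     sourcePortRange: "*",
 *     destinationPortRange: "*",
 *     sourceAddressPrefix: "*",
 *     destinationAddressPrefix: "*",
 *     resourceGroupName: example.name,
 *     networkSecurityGroupName: exampleNetworkSecurityGroup.name,
 * });
 * const exampleVirtualNetwork = new azure.network.VirtualNetwork("example", {
 *     name: "vnet-mi",
 *     resourceGroupName: example.name,
 *     addressSpaces: ["10.0.0.0/16"],
 *     location: example.location,
 * });
 * const exampleSubnet = new azure.network.Subnet("example", {
 *     name: "subnet-mi",
 *     resourceGroupName: example.name,
 *     virtualNetworkName: exampleVirtualNetwork.name,
 *     addressPrefixes: ["10.0.0.0/24"],
 *     delegations: [{
 *         name: "managedinstancedelegation",
 *         serviceDelegation: {
 *             name: "Microsoft.Sql/managedInstances",
 *             actions: [
 *                 "Microsoft.Network/virtualNetworks/subnets/join/action",
 *                 "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
 *                 "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
 *             ],
 *         },
 *     }],
 * });
 * const exampleSubnetNetworkSecurityGroupAssociation = new azure.network.SubnetNetworkSecurityGroupAssociation("example", {
 *     subnetId: exampleSubnet.id,
 *     networkSecurityGroupId: exampleNetworkSecurityGroup.id,
 * });
 * const exampleRouteTable = new azure.network.RouteTable("example", {
 *     name: "routetable-mi",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     disableBgpRoutePropagation: false,
 * }, {
 *     dependsOn: [exampleSubnet],
 * });
 * const exampleSubnetRouteTableAssociation = new azure.network.SubnetRouteTableAssociation("example", {
 *     subnetId: exampleSubnet.id,
 *     routeTableId: exampleRouteTable.id,
 * });
 * const exampleManagedInstance = new azure.mssql.ManagedInstance("example", {
 *     name: "managedsqlinstance",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     licenseType: "BasePrice",
 *     skuName: "GP_Gen5",
 *     storageSizeInGb: 32,
 *     subnetId: exampleSubnet.id,
 *     vcores: 4,
 *     administratorLogin: "mradministrator",
 *     administratorLoginPassword: administratorLoginPassword,
 * }, {
 *     dependsOn: [
 *         exampleSubnetNetworkSecurityGroupAssociation,
 *         exampleSubnetRouteTableAssociation,
 *     ],
 * });
 * // `exampleAzurermStorageAccount` is not declared in this snippet; it stands for an
 * // `azure.storage.Account` defined elsewhere in the program.
 * const exampleManagedInstanceSecurityAlertPolicy = new azure.mssql.ManagedInstanceSecurityAlertPolicy("example", {
 *     resourceGroupName: example.name,
 *     managedInstanceName: exampleManagedInstance.name,
 *     enabled: true,
 *     storageEndpoint: exampleAzurermStorageAccount.primaryBlobEndpoint,
 *     storageAccountAccessKey: exampleAzurermStorageAccount.primaryAccessKey,
 *     // Illustration only: every entry listed here switches that detection off.
 *     // Leave `disabledAlerts` unset unless a specific alert type is a known source of noise.
 *     disabledAlerts: [
 *         "Sql_Injection",
 *         "Data_Exfiltration",
 *     ],
 *     retentionDays: 20,
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Sql` - 2023-08-01-preview
 *
 * ## Import
 *
 * MS SQL Managed Instance Security Alert Policy can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:mssql/managedInstanceSecurityAlertPolicy:ManagedInstanceSecurityAlertPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acceptanceTestResourceGroup1/providers/Microsoft.Sql/managedInstances/instance1/securityAlertPolicies/Default
 * ```
 */
export declare class ManagedInstanceSecurityAlertPolicy extends pulumi.CustomResource {
    /**
     * Get an existing ManagedInstanceSecurityAlertPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ManagedInstanceSecurityAlertPolicyState, opts?: pulumi.CustomResourceOptions): ManagedInstanceSecurityAlertPolicy;
    /**
     * Returns true if the given object is an instance of ManagedInstanceSecurityAlertPolicy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is ManagedInstanceSecurityAlertPolicy;
    /**
     * Specifies an array of alerts that are disabled. Possible values are `Sql_Injection`, `Sql_Injection_Vulnerability`, `Access_Anomaly`, `Data_Exfiltration`, `Unsafe_Action` and `Brute_Force`.
     *
     * Each value listed suppresses that alert type, so a non-empty list reduces detection coverage and is worth reviewing in code review.
     */
    readonly disabledAlerts: pulumi.Output<string[] | undefined>;
    /**
     * Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to `false`.
     *
     * With the default `false` and no `emailAddresses`, this policy configures no e-mail recipients.
     */
    readonly emailAccountAdminsEnabled: pulumi.Output<boolean | undefined>;
    /**
     * Specifies an array of email addresses to which the alert is sent.
     */
    readonly emailAddresses: pulumi.Output<string[] | undefined>;
    /**
     * Specifies the state of the Security Alert Policy, whether it is enabled or disabled. Possible values are `true`, `false`.
     */
    readonly enabled: pulumi.Output<boolean | undefined>;
    /**
     * Specifies the name of the MS SQL Managed Instance. Changing this forces a new resource to be created.
     */
    readonly managedInstanceName: pulumi.Output<string>;
    /**
     * The name of the resource group that contains the MS SQL Managed Instance. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output<string>;
    /**
     * Specifies the number of days to keep in the Threat Detection audit logs. Defaults to `0`.
     *
     * NOTE(review): the meaning of `0` is not stated here; confirm it against the Azure API before relying on the default to meet a log-retention requirement.
     */
    readonly retentionDays: pulumi.Output<number | undefined>;
    /**
     * Specifies the identifier key of the Threat Detection audit storage account. This is mandatory when you use `storageEndpoint` to specify a storage account blob endpoint.
     *
     * This value is a storage account credential: pass it from another resource's output or from secret configuration, never as a literal.
     *
     * > **Note:** Please note that storage accounts configured with `sharedAccessKeyEnabled = false` cannot be used to configure `azure.mssql.ManagedInstanceSecurityAlertPolicy` with `storageEndpoint` for now.
     */
    readonly storageAccountAccessKey: pulumi.Output<string | undefined>;
    /**
     * Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
     */
    readonly storageEndpoint: pulumi.Output<string | undefined>;
    /**
     * Create a ManagedInstanceSecurityAlertPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ManagedInstanceSecurityAlertPolicyArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering ManagedInstanceSecurityAlertPolicy resources.
 */
export interface ManagedInstanceSecurityAlertPolicyState {
    /**
     * Specifies an array of alerts that are disabled. Possible values are `Sql_Injection`, `Sql_Injection_Vulnerability`, `Access_Anomaly`, `Data_Exfiltration`, `Unsafe_Action` and `Brute_Force`.
     *
     * Each value listed suppresses that alert type, so a non-empty list reduces detection coverage.
     */
    disabledAlerts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to `false`.
     */
    emailAccountAdminsEnabled?: pulumi.Input<boolean>;
    /**
     * Specifies an array of email addresses to which the alert is sent.
     */
    emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the state of the Security Alert Policy, whether it is enabled or disabled. Possible values are `true`, `false`.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * Specifies the name of the MS SQL Managed Instance. Changing this forces a new resource to be created.
     */
    managedInstanceName?: pulumi.Input<string>;
    /**
     * The name of the resource group that contains the MS SQL Managed Instance. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input<string>;
    /**
     * Specifies the number of days to keep in the Threat Detection audit logs. Defaults to `0`.
     */
    retentionDays?: pulumi.Input<number>;
    /**
     * Specifies the identifier key of the Threat Detection audit storage account. This is mandatory when you use `storageEndpoint` to specify a storage account blob endpoint.
     *
     * This value is a storage account credential: pass it from another resource's output or from secret configuration, never as a literal.
     *
     * > **Note:** Please note that storage accounts configured with `sharedAccessKeyEnabled = false` cannot be used to configure `azure.mssql.ManagedInstanceSecurityAlertPolicy` with `storageEndpoint` for now.
     */
    storageAccountAccessKey?: pulumi.Input<string>;
    /**
     * Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
     */
    storageEndpoint?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a ManagedInstanceSecurityAlertPolicy resource.
 */
export interface ManagedInstanceSecurityAlertPolicyArgs {
    /**
     * Specifies an array of alerts that are disabled. Possible values are `Sql_Injection`, `Sql_Injection_Vulnerability`, `Access_Anomaly`, `Data_Exfiltration`, `Unsafe_Action` and `Brute_Force`.
     *
     * Each value listed suppresses that alert type, so a non-empty list reduces detection coverage.
     */
    disabledAlerts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to `false`.
     *
     * With the default `false` and no `emailAddresses`, this policy configures no e-mail recipients.
     */
    emailAccountAdminsEnabled?: pulumi.Input<boolean>;
    /**
     * Specifies an array of email addresses to which the alert is sent.
     */
    emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Specifies the state of the Security Alert Policy, whether it is enabled or disabled. Possible values are `true`, `false`.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * Specifies the name of the MS SQL Managed Instance. Changing this forces a new resource to be created.
     */
    managedInstanceName: pulumi.Input<string>;
    /**
     * The name of the resource group that contains the MS SQL Managed Instance. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input<string>;
    /**
     * Specifies the number of days to keep in the Threat Detection audit logs. Defaults to `0`.
     *
     * NOTE(review): the meaning of `0` is not stated here; confirm it against the Azure API before relying on the default to meet a log-retention requirement.
     */
    retentionDays?: pulumi.Input<number>;
    /**
     * Specifies the identifier key of the Threat Detection audit storage account. This is mandatory when you use `storageEndpoint` to specify a storage account blob endpoint.
     *
     * This value is a storage account credential: pass it from another resource's output or from secret configuration, never as a literal.
     *
     * > **Note:** Please note that storage accounts configured with `sharedAccessKeyEnabled = false` cannot be used to configure `azure.mssql.ManagedInstanceSecurityAlertPolicy` with `storageEndpoint` for now.
     */
    storageAccountAccessKey?: pulumi.Input<string>;
    /**
     * Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
     */
    storageEndpoint?: pulumi.Input<string>;
}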