{ "description": "Generator information:\n- Generated from: /sql/resource-manager/Microsoft.Sql/stable/2021-11-01/BlobAuditing.json\n- ARM URI: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/auditingSettings/default", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "properties": { "auditActionsAndGroups": { "description": "AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit.\nThe recommended set of action groups to use is the following combination - this will audit all the queries and stored\nprocedures executed against the database, as well as successful and failed logins:\nBATCH_COMPLETED_GROUP,\nSUCCESSFUL_DATABASE_AUTHENTICATION_GROUP,\nFAILED_DATABASE_AUTHENTICATION_GROUP.\nThis above combination is also the set that is configured by default when enabling auditing from the Azure portal.\nThe supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using\nunnecessary groups could lead to very large quantities of audit records):\nAPPLICATION_ROLE_CHANGE_PASSWORD_GROUP\nBACKUP_RESTORE_GROUP\nDATABASE_LOGOUT_GROUP\nDATABASE_OBJECT_CHANGE_GROUP\nDATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\nDATABASE_OBJECT_PERMISSION_CHANGE_GROUP\nDATABASE_OPERATION_GROUP\nDATABASE_PERMISSION_CHANGE_GROUP\nDATABASE_PRINCIPAL_CHANGE_GROUP\nDATABASE_PRINCIPAL_IMPERSONATION_GROUP\nDATABASE_ROLE_MEMBER_CHANGE_GROUP\nFAILED_DATABASE_AUTHENTICATION_GROUP\nSCHEMA_OBJECT_ACCESS_GROUP\nSCHEMA_OBJECT_CHANGE_GROUP\nSCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP\nSCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\nSUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\nUSER_CHANGE_PASSWORD_GROUP\nBATCH_STARTED_GROUP\nBATCH_COMPLETED_GROUP\nDBCC_GROUP\nDATABASE_OWNERSHIP_CHANGE_GROUP\nDATABASE_CHANGE_GROUP\nLEDGER_OPERATION_GROUP\nThese are groups that cover all sql statements and stored procedures executed against the database, and should not be\nused in combination with other groups as this will result in duplicate audit logs.\nFor more information, see [Database-Level Audit Action\nGroups](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups).\nFor Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server\nauditing policy). The supported actions to audit are:\nSELECT\nUPDATE\nINSERT\nDELETE\nEXECUTE\nRECEIVE\nREFERENCES\nThe general form for defining an action to be audited is:\n{action} ON {object} BY {principal}\nNote that in the above format can refer to an object like a table, view, or stored procedure, or an entire\ndatabase or schema. For the latter cases, the forms DATABASE::{db_name} and SCHEMA::{schema_name} are used, respectively.\nFor example:\nSELECT on dbo.myTable by public\nSELECT on DATABASE::myDatabase by public\nSELECT on SCHEMA::mySchema by public\nFor more information, see [Database-Level Audit\nActions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-actions)", "items": { "type": "string" }, "type": "array" }, "isAzureMonitorTargetEnabled": { "description": "IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor.\nIn order to send the events to Azure Monitor, specify 'State' as 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.\nWhen using REST API to configure auditing, Diagnostic Settings with 'SQLSecurityAuditEvents' diagnostic logs category on\nthe database should be also created.\nNote that for server level audit you should use the 'master' database as {databaseName}.\nDiagnostic Settings URI format:\nPUT\nhttps://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview\nFor more information, see [Diagnostic Settings REST API](https://go.microsoft.com/fwlink/?linkid=2033207)\nor [Diagnostic Settings PowerShell](https://go.microsoft.com/fwlink/?linkid=2033043)", "type": "boolean" }, "isManagedIdentityInUse": { "description": "IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage", "type": "boolean" }, "isStorageSecondaryKeyInUse": { "description": "IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage's secondary key.", "type": "boolean" }, "operatorSpec": { "description": "OperatorSpec: The specification for configuring operator behavior. This field is interpreted by the operator and not\npassed directly to Azure", "properties": { "configMapExpressions": { "description": "ConfigMapExpressions: configures where to place operator written dynamic ConfigMaps (created with CEL expressions).", "items": { "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.", "properties": { "key": { "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.", "type": "string" }, "value": { "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" }, "secretExpressions": { "description": "SecretExpressions: configures where to place operator written dynamic secrets (created with CEL expressions).", "items": { "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.", "properties": { "key": { "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.", "type": "string" }, "value": { "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "owner": { "description": "Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also\ncontrols the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a\nreference to a sql.azure.com/ServersDatabase resource", "properties": { "armId": { "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)", "type": "string" }, "name": { "description": "This is the name of the Kubernetes resource to reference.", "type": "string" } }, "type": "object", "additionalProperties": false }, "queueDelayMs": { "description": "QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be\nprocessed.\nThe default minimum value is 1000 (1 second). The maximum is 2,147,483,647.", "type": "integer" }, "retentionDays": { "description": "RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.", "type": "integer" }, "state": { "description": "State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are\nrequired.", "enum": [ "Disabled", "Enabled" ], "type": "string" }, "storageAccountAccessKey": { "description": "StorageAccountAccessKey: Specifies the identifier key of the auditing storage account.\nIf state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server\nsystem-assigned managed identity to access the storage.\nPrerequisites for using managed identity authentication:\n1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).\n2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the\nserver identity.\nFor more information, see [Auditing to storage using Managed Identity\nauthentication](https://go.microsoft.com/fwlink/?linkid=2114355)", "properties": { "key": { "description": "Key is the key in the Kubernetes secret being referenced", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes secret being referenced.\nThe secret must be in the same namespace as the resource", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false }, "storageAccountSubscriptionId": { "description": "StorageAccountSubscriptionId: Specifies the blob storage subscription Id.", "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", "type": "string" }, "storageEndpoint": { "description": "StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is\nEnabled, storageEndpoint or isAzureMonitorTargetEnabled is required.", "type": "string" } }, "required": [ "owner", "state" ], "type": "object", "additionalProperties": false }, "status": { "properties": { "auditActionsAndGroups": { "description": "AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit.\nThe recommended set of action groups to use is the following combination - this will audit all the queries and stored\nprocedures executed against the database, as well as successful and failed logins:\nBATCH_COMPLETED_GROUP,\nSUCCESSFUL_DATABASE_AUTHENTICATION_GROUP,\nFAILED_DATABASE_AUTHENTICATION_GROUP.\nThis above combination is also the set that is configured by default when enabling auditing from the Azure portal.\nThe supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using\nunnecessary groups could lead to very large quantities of audit records):\nAPPLICATION_ROLE_CHANGE_PASSWORD_GROUP\nBACKUP_RESTORE_GROUP\nDATABASE_LOGOUT_GROUP\nDATABASE_OBJECT_CHANGE_GROUP\nDATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\nDATABASE_OBJECT_PERMISSION_CHANGE_GROUP\nDATABASE_OPERATION_GROUP\nDATABASE_PERMISSION_CHANGE_GROUP\nDATABASE_PRINCIPAL_CHANGE_GROUP\nDATABASE_PRINCIPAL_IMPERSONATION_GROUP\nDATABASE_ROLE_MEMBER_CHANGE_GROUP\nFAILED_DATABASE_AUTHENTICATION_GROUP\nSCHEMA_OBJECT_ACCESS_GROUP\nSCHEMA_OBJECT_CHANGE_GROUP\nSCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP\nSCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\nSUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\nUSER_CHANGE_PASSWORD_GROUP\nBATCH_STARTED_GROUP\nBATCH_COMPLETED_GROUP\nDBCC_GROUP\nDATABASE_OWNERSHIP_CHANGE_GROUP\nDATABASE_CHANGE_GROUP\nLEDGER_OPERATION_GROUP\nThese are groups that cover all sql statements and stored procedures executed against the database, and should not be\nused in combination with other groups as this will result in duplicate audit logs.\nFor more information, see [Database-Level Audit Action\nGroups](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups).\nFor Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server\nauditing policy). The supported actions to audit are:\nSELECT\nUPDATE\nINSERT\nDELETE\nEXECUTE\nRECEIVE\nREFERENCES\nThe general form for defining an action to be audited is:\n{action} ON {object} BY {principal}\nNote that in the above format can refer to an object like a table, view, or stored procedure, or an entire\ndatabase or schema. For the latter cases, the forms DATABASE::{db_name} and SCHEMA::{schema_name} are used, respectively.\nFor example:\nSELECT on dbo.myTable by public\nSELECT on DATABASE::myDatabase by public\nSELECT on SCHEMA::mySchema by public\nFor more information, see [Database-Level Audit\nActions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-actions)", "items": { "type": "string" }, "type": "array" }, "conditions": { "description": "Conditions: The observed state of the resource", "items": { "description": "Condition defines an extension to status (an observation) of a resource", "properties": { "lastTransitionTime": { "description": "LastTransitionTime is the last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "Message is a human readable message indicating details about the transition. This field may be empty.", "type": "string" }, "observedGeneration": { "description": "ObservedGeneration is the .metadata.generation that the condition was set based upon. For instance, if\n.metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "type": "integer" }, "reason": { "description": "Reason for the condition's last transition.\nReasons are upper CamelCase (PascalCase) with no spaces. A reason is always provided, this field will not be empty.", "type": "string" }, "severity": { "description": "Severity with which to treat failures of this type of condition.\nFor conditions which have positive polarity (Status == True is their normal/healthy state), this will be omitted when Status == True\nFor conditions which have negative polarity (Status == False is their normal/healthy state), this will be omitted when Status == False.\nThis is omitted in all cases when Status == Unknown", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, or Unknown.", "type": "string" }, "type": { "description": "Type of condition.", "type": "string" } }, "required": [ "lastTransitionTime", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "id": { "description": "Id: Resource ID.", "type": "string" }, "isAzureMonitorTargetEnabled": { "description": "IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor.\nIn order to send the events to Azure Monitor, specify 'State' as 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.\nWhen using REST API to configure auditing, Diagnostic Settings with 'SQLSecurityAuditEvents' diagnostic logs category on\nthe database should be also created.\nNote that for server level audit you should use the 'master' database as {databaseName}.\nDiagnostic Settings URI format:\nPUT\nhttps://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview\nFor more information, see [Diagnostic Settings REST API](https://go.microsoft.com/fwlink/?linkid=2033207)\nor [Diagnostic Settings PowerShell](https://go.microsoft.com/fwlink/?linkid=2033043)", "type": "boolean" }, "isManagedIdentityInUse": { "description": "IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage", "type": "boolean" }, "isStorageSecondaryKeyInUse": { "description": "IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage's secondary key.", "type": "boolean" }, "kind": { "description": "Kind: Resource kind.", "type": "string" }, "name": { "description": "Name: Resource name.", "type": "string" }, "queueDelayMs": { "description": "QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be\nprocessed.\nThe default minimum value is 1000 (1 second). The maximum is 2,147,483,647.", "type": "integer" }, "retentionDays": { "description": "RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.", "type": "integer" }, "state": { "description": "State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are\nrequired.", "type": "string" }, "storageAccountSubscriptionId": { "description": "StorageAccountSubscriptionId: Specifies the blob storage subscription Id.", "type": "string" }, "storageEndpoint": { "description": "StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is\nEnabled, storageEndpoint or isAzureMonitorTargetEnabled is required.", "type": "string" }, "type": { "description": "Type: Resource type.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }