通过 ARM 模板在 Azure SQL 服务器上启用漏洞评估

Vulnerability assessment enablement on Azure SQL server through ARM template

我已经通过 ARM 模板创建了我的 Azure SQL 服务器。要启用漏洞评估,我需要启用高级数据安全。 我在 SQL 服务器资源的资源括号内的 ARM 模板中使用以下代码来启用此功能。

 {
                    "name": "vulnerabilityAssessments",
                    "type": "vulnerabilityAssessments",
                    "apiVersion": "2018-06-01-preview",
                    "dependsOn": [
                        "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]"
                    ],
                    "properties": {
                        "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/vulnerability-assessment/')]",
                        "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
                        "recurringScans": {
                            "isEnabled": true,
                            "emailSubscriptionAdmins": false,
                            "emails": "[parameters('emailaddresses')]"
                        }
                    }
                },

如您所见,我将我的存储帐户设置为漏洞评估,但是当我部署它时出现以下错误:

VulnerabilityAssessmentADSIsDisabled", "message": "Advanced Data Security should be enabled in order to use Vulnerability Assessment."

当我查看 SQL 服务器的高级数据安全性 blade 时,我看到已设置:

如果我手动设置存储帐户。漏洞评估已启用.... 我尝试更改数据库级别的漏洞评估括号并尝试调试属性中的存储帐户引用,但似乎看不出我做错了什么或我一直忘记了什么? 有没有人已经尝试这样做了?

PS:就像您在图像中看到的那样,定期重复扫描已关闭,而我在漏洞评估的重复扫描数组中启用了它。

我已通过将漏洞评估拆分到不同的资源块来解决此问题。而不是将它放在 SQL 资源块中。新资源块如下所示:

{
        "name": "[concat(parameters('sqlServerName'), '/vulnerabilityAssessments')]",
        "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
        "apiVersion": "2018-06-01-preview",
        "location": "[parameters('location')]",
        "dependsOn": [
            "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]",
            "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'), '/databases/',  parameters('databaseName'))]"
        ],
        "properties": {
            "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/vulnerability-assessment/')]",
            "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
            "recurringScans": {
                "isEnabled": true,
                "emailSubscriptionAdmins": false,
                "emails": "[parameters('emailaddresses')]"
            }
        }
    },

您遇到的问题是由于部署了带有漏洞评估的 ARM 模板,但没有首先启用高级数据安全引起的。

您必须在 ARM 模板中部署 Advanced Data Security,并在 Vulnerability Assessment 块中添加依赖项,因此只有在部署 Advanced Data Security 后才会部署。

例如:

{
  "apiVersion": "2017-03-01-preview",
  "type": "Microsoft.Sql/servers/securityAlertPolicies",
  "name": "[concat(parameters('serverName'), '/Default')]",
  "properties": {
    "state": "Enabled",
    "disabledAlerts": [],
    "emailAddresses": [],
    "emailAccountAdmins": true
  }
},
{
  "apiVersion": "2018-06-01-preview",
  "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
  "name": "[concat(parameters('serverName'), '/Default')]",
  "properties": {
        "storageContainerPath": "[if(parameters('enableADS'), concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-07-01').primaryEndpoints.blob, 'vulnerability-assessment'), '')]",
        "storageAccountAccessKey": "[if(parameters('enableADS'), listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-02-01').keys[0].value, '')]",
    "recurringScans": {
      "isEnabled": true,
      "emailSubscriptionAdmins": true,
      "emails": []
    }
  },
  "dependsOn": [
      "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
      "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"

  ]
}

请注意,在此示例中,我假设您使用的是现有存储。 如果您要在同一个 ARM 模板 中部署存储 ,您也必须为此添加一个依赖项(在 "dependsOn" 下):

"[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]"