def _audit_policy_update_rollback(
cmd,
workspace_name,
resource_group_name,
sql_pool_name,
rollback_data):
'''
Rollback diagnostic settings change
'''
diagnostic_settings_url = _get_diagnostic_settings_url(
cmd=cmd,
resource_group_name=resource_group_name,
workspace_name=workspace_name,
sql_pool_name=sql_pool_name)
azure_monitor_client = cf_monitor(cmd.cli_ctx)
for rd in rollback_data:
rollback_diagnostic_setting = rd[1]
if rd[0] == "create" or rd[0] == "update":
create_diagnostics_settings(
client=azure_monitor_client.diagnostic_settings,
name=rollback_diagnostic_setting.name,
resource_uri=diagnostic_settings_url,
logs=rollback_diagnostic_setting.logs,
metrics=rollback_diagnostic_setting.metrics,
event_hub=rollback_diagnostic_setting.event_hub_name,
event_hub_rule=rollback_diagnostic_setting.event_hub_authorization_rule_id,
storage_account=rollback_diagnostic_setting.storage_account_id,
workspace=rollback_diagnostic_setting.workspace_id)
else: # delete
azure_monitor_client.diagnostic_settings.delete(diagnostic_settings_url, rollback_diagnostic_setting.name)
def _audit_policy_create_diagnostic_setting(
cmd,
resource_group_name,
workspace_name,
sql_pool_name=None,
category_name=None,
log_analytics_target_state=None,
log_analytics_workspace_resource_id=None,
event_hub_target_state=None,
event_hub_authorization_rule_id=None,
event_hub_name=None):
'''
Create audit diagnostic setting, i.e. containing single category - SQLSecurityAuditEvents or DevOpsOperationsAudit
'''
# Generate diagnostic settings name to be created
name = category_name
import inspect
test_methods = ["test_sql_ws_audit_policy_logentry_eventhub", "test_sql_pool_audit_policy_logentry_eventhub"]
test_mode = next((e for e in inspect.stack() if e.function in test_methods), None) is not None
# For test environment the name should be constant, i.e. match the name written in recorded yaml file
if test_mode:
name += '_LogAnalytics' if log_analytics_target_state is not None else ''
name += '_EventHub' if event_hub_target_state is not None else ''
else:
import uuid
name += '_' + str(uuid.uuid4())
diagnostic_settings_url = _get_diagnostic_settings_url(
cmd=cmd,
resource_group_name=resource_group_name,
workspace_name=workspace_name,
sql_pool_name=sql_pool_name)
azure_monitor_client = cf_monitor(cmd.cli_ctx)
LogSettings = cmd.get_models(
'LogSettings',
resource_type=ResourceType.MGMT_MONITOR,
operation_group='diagnostic_settings')
RetentionPolicy = cmd.get_models(
'RetentionPolicy',
resource_type=ResourceType.MGMT_MONITOR,
operation_group='diagnostic_settings')
return create_diagnostics_settings(
client=azure_monitor_client.diagnostic_settings,
name=name,
resource_uri=diagnostic_settings_url,
logs=[LogSettings(category=category_name, enabled=True,
retention_policy=RetentionPolicy(enabled=False, days=0))],
metrics=None,
event_hub=event_hub_name,
event_hub_rule=event_hub_authorization_rule_id,
storage_account=None,
workspace=log_analytics_workspace_resource_id)
def _get_diagnostic_settings(
cmd,
resource_group_name,
workspace_name,
sql_pool_name=None):
'''
Common code to get workspace or sqlpool diagnostic settings
'''
diagnostic_settings_url = _get_diagnostic_settings_url(
cmd=cmd, resource_group_name=resource_group_name,
workspace_name=workspace_name, sql_pool_name=sql_pool_name)
azure_monitor_client = cf_monitor(cmd.cli_ctx)
return azure_monitor_client.diagnostic_settings.list(diagnostic_settings_url)
def _audit_policy_update_diagnostic_settings(
cmd,
workspace_name,
resource_group_name,
sql_pool_name=None,
diagnostic_settings=None,
category_name=None,
log_analytics_target_state=None,
log_analytics_workspace_resource_id=None,
event_hub_target_state=None,
event_hub_authorization_rule_id=None,
event_hub_name=None):
'''
Update audit policy's diagnostic settings
'''
# Fetch all audit diagnostic settings
audit_diagnostic_settings = _fetch_all_audit_diagnostic_settings(diagnostic_settings.value, category_name)
num_of_audit_diagnostic_settings = len(audit_diagnostic_settings)
# If more than 1 audit diagnostic settings found then throw error
if num_of_audit_diagnostic_settings > 1:
raise CLIError('Multiple audit diagnostics settings are already enabled')
diagnostic_settings_url = _get_diagnostic_settings_url(
cmd=cmd,
resource_group_name=resource_group_name,
workspace_name=workspace_name,
sql_pool_name=sql_pool_name)
azure_monitor_client = cf_monitor(cmd.cli_ctx)
# If no audit diagnostic settings found then create one if azure monitor is enabled
if num_of_audit_diagnostic_settings == 0:
if _is_audit_policy_state_enabled(log_analytics_target_state) or\
_is_audit_policy_state_enabled(event_hub_target_state):
created_diagnostic_setting = _audit_policy_create_diagnostic_setting(
cmd=cmd,
resource_group_name=resource_group_name,
workspace_name=workspace_name,
sql_pool_name=sql_pool_name,
category_name=category_name,
log_analytics_target_state=log_analytics_target_state,
log_analytics_workspace_resource_id=log_analytics_workspace_resource_id,
event_hub_target_state=event_hub_target_state,
event_hub_authorization_rule_id=event_hub_authorization_rule_id,
event_hub_name=event_hub_name)
# Return rollback data tuple
return [("delete", created_diagnostic_setting)]
# azure monitor is disabled - there is nothing to do
return None
# This leaves us with case when num_of_audit_diagnostic_settings is 1
audit_diagnostic_setting = audit_diagnostic_settings[0]
# Initialize actually updated azure monitor fields
if log_analytics_target_state is None:
log_analytics_workspace_resource_id = audit_diagnostic_setting.workspace_id
elif _is_audit_policy_state_disabled(log_analytics_target_state):
log_analytics_workspace_resource_id = None
if event_hub_target_state is None:
event_hub_authorization_rule_id = audit_diagnostic_setting.event_hub_authorization_rule_id
event_hub_name = audit_diagnostic_setting.event_hub_name
elif _is_audit_policy_state_disabled(event_hub_target_state):
event_hub_authorization_rule_id = None
event_hub_name = None
is_azure_monitor_target_enabled = log_analytics_workspace_resource_id is not None or\
event_hub_authorization_rule_id is not None
has_other_categories = next((log for log in audit_diagnostic_setting.logs
if log.enabled and log.category != category_name), None) is not None
# If there is no other categories except SQLSecurityAuditEvents\DevOpsOperationsAudit update or delete
# the existing single diagnostic settings
if not has_other_categories:
# If azure monitor is enabled then update existing single audit diagnostic setting
if is_azure_monitor_target_enabled:
create_diagnostics_settings(
client=azure_monitor_client.diagnostic_settings,
name=audit_diagnostic_setting.name,
resource_uri=diagnostic_settings_url,
logs=audit_diagnostic_setting.logs,
metrics=audit_diagnostic_setting.metrics,
event_hub=event_hub_name,
event_hub_rule=event_hub_authorization_rule_id,
storage_account=audit_diagnostic_setting.storage_account_id,
workspace=log_analytics_workspace_resource_id)
# Return rollback data tuple
return [("update", audit_diagnostic_setting)]
# Azure monitor is disabled, delete existing single audit diagnostic setting
azure_monitor_client.diagnostic_settings.delete(diagnostic_settings_url, audit_diagnostic_setting.name)
# Return rollback data tuple
return [("create", audit_diagnostic_setting)]
# In case there are other categories in the existing single audit diagnostic setting a "split" must be performed:
# 1. Disable SQLSecurityAuditEvents\DevOpsOperationsAudit category in found audit diagnostic setting
# 2. Create new diagnostic setting with SQLSecurityAuditEvents\DevOpsOperationsAudit category,
# i.e. audit diagnostic setting
# Build updated logs list with disabled SQLSecurityAuditEvents\DevOpsOperationsAudit category
updated_logs = []
LogSettings = cmd.get_models(
'LogSettings',
resource_type=ResourceType.MGMT_MONITOR,
operation_group='diagnostic_settings')
RetentionPolicy = cmd.get_models(
'RetentionPolicy',
resource_type=ResourceType.MGMT_MONITOR,
operation_group='diagnostic_settings')
for log in audit_diagnostic_setting.logs:
if log.category == category_name:
updated_logs.append(LogSettings(category=log.category, enabled=False,
retention_policy=RetentionPolicy(enabled=False, days=0)))
else:
updated_logs.append(log)
# Update existing diagnostic settings
create_diagnostics_settings(
client=azure_monitor_client.diagnostic_settings,
name=audit_diagnostic_setting.name,
resource_uri=diagnostic_settings_url,
logs=updated_logs,
metrics=audit_diagnostic_setting.metrics,
event_hub=audit_diagnostic_setting.event_hub_name,
event_hub_rule=audit_diagnostic_setting.event_hub_authorization_rule_id,
storage_account=audit_diagnostic_setting.storage_account_id,
workspace=audit_diagnostic_setting.workspace_id)
# Add original 'audit_diagnostic_settings' to rollback_data list
rollback_data = [("update", audit_diagnostic_setting)]
# Create new diagnostic settings with enabled SQLSecurityAuditEvents\DevOpsOperationsAudit category
# only if azure monitor is enabled
if is_azure_monitor_target_enabled:
created_diagnostic_setting = _audit_policy_create_diagnostic_setting(
cmd=cmd,
resource_group_name=resource_group_name,
workspace_name=workspace_name,
sql_pool_name=sql_pool_name,
category_name=category_name,
log_analytics_target_state=log_analytics_target_state,
log_analytics_workspace_resource_id=log_analytics_workspace_resource_id,
event_hub_target_state=event_hub_target_state,
event_hub_authorization_rule_id=event_hub_authorization_rule_id,
event_hub_name=event_hub_name)
# Add 'created_diagnostic_settings' to rollback_data list in reverse order
rollback_data.insert(0, ("delete", created_diagnostic_setting))
return rollback_data