How do I specify multiple rows in an Azure Vulnerability Assessment baseline definition in my ARM (J

Time:03-08

I'm trying to add some Azure Vulnerability Assessment baseline definitions to my ARM templates. I use JSON for my ARM templates. I cannot find any documentation on how to specify certain VA baseline definitions, though, namely ones that need to have multiple rows in the baselines.

Specifically, I'm trying to add a baseline definition for VA2109. I can locate the documentation for how to define a baseline VA entry in a general sense, which is here...

https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/vulnerabilityassessments/rules/baselines?tabs=json

And then I can locate the description of VA2109 in here ...

https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules#authentication-and-authorization

But neither of those tell me how to include more than one user-role mapping. For example, below is what I currently have, which works and lets me specify that a user should have data writer role. But, I also want to specify that the user should have data reader and ddl admin roles.

{
  "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
  "apiVersion": "2021-02-01-preview",
  "name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
  ],
  "properties": {
    "baselineResults": [
      {
        "result": ["wibuser", "db_datawriter"]
      }
    ]
  }
}

I was able to find an example of what I want using PowerShell. In PowerShell, you can just provide an array of arrays. The PowerShell example can be found here ...

https://docs.microsoft.com/en-us/powershell/module/sqlserver/new-sqlvulnerabilityassessmentbaseline?view=sqlserver-ps#example-2--create-a-new-security-check-baseline-manually

So I adjusted my ARM to do the same thing, but it throws an error saying invalid ARM template. The adjusted ARM I tried looks like below ...

{
  "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
  "apiVersion": "2021-02-01-preview",
  "name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
  ],
  "properties": {
    "baselineResults": [
      {
        "result": [
          ["wibuser", "db_datawriter"],
          ["wibuser", "db_datareader"]
        ]
      }
    ]
  }
}

Does anybody know how to specify multiple rows in a VA baseline resource when using ARM JSON? Or perhaps know where to find documentation for all of these VA definitions?

CodePudding user response:

Note that baselineResults is an array of rows.
You will need to add each row as a JSON object to that array.

Also, note that each result row should include all columns so you should also include "Principal Type" and "Authentication Type" rows.

It should look something like this:

{
  "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
  "apiVersion": "2021-02-01-preview",
  "name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
  ],
  "properties": {
    "baselineResults": [
      {
        "result":  ["wibuser", "db_datawriter", "SQL_USER", "NONE"]
      },
      {
        "result":  ["wibuser", "db_datareader", "SQL_USER", "NONE"]
      }
    ]
  }
}

I added dummy values for the "Principal Type" and "Authentication Type" rows; fill in your own.
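The shape the answer describes (one `{"result": [...]}` object per row, each a flat array of strings with every column present) is easy to get wrong by hand when a baseline has many rows. The following is an added example, not code from the question, the answer or Microsoft: a small Python helper that builds the VA2109 baseline resource from a flat list of rows and validates the shape before emitting it, rejecting both mistakes from the question (nested arrays inside one "result", and rows with missing columns). The four-column layout and the placeholder values "SQL_USER"/"NONE" are taken from the answer above; the variable names sqlServerName/databaseName mirror the question's template; the sample rows are constructed for illustration.

```python
"""
Added example (not from the original question or answer): build and validate
a Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines
resource for VA2109 from a flat list of rows.

Assumptions (not stated on the page): the four columns follow the answer above
(principal name, database role, principal type, authentication type); the
variables sqlServerName/databaseName mirror the question's template.
"""
import json

API_VERSION = "2021-02-01-preview"
# Column count per row for VA2109, per the answer above (assumption).
VA2109_COLUMNS = 4


def va2109_row(principal, role, principal_type="SQL_USER", auth_type="NONE"):
    """One baseline row: a flat list of strings, one per column.

    The defaults are the dummy values used in the answer; replace them with
    the real principal/authentication types from your VA scan results.
    """
    return [principal, role, principal_type, auth_type]


def validate_baseline_results(baseline_results, columns=VA2109_COLUMNS):
    """Return a list of problems; an empty list means the shape is what ARM expects.

    Catches the two mistakes from the question: nested arrays inside a single
    "result" (rows must be separate objects) and rows missing columns.
    """
    problems = []
    if not isinstance(baseline_results, list):
        return ["baselineResults must be an array of row objects"]
    for i, row in enumerate(baseline_results):
        if not isinstance(row, dict) or set(row) != {"result"}:
            problems.append(f"row {i}: expected an object with a single 'result' key")
            continue
        result = row["result"]
        if not isinstance(result, list):
            problems.append(f"row {i}: 'result' must be an array")
            continue
        if any(not isinstance(v, str) for v in result):
            problems.append(f"row {i}: 'result' must be a flat array of strings (no nested arrays)")
            continue
        if len(result) != columns:
            problems.append(f"row {i}: expected {columns} columns, got {len(result)}")
    return problems


def baseline_resource(rule_id, rows):
    """ARM resource (as a dict) for one VA rule baseline: one object per row."""
    baseline_results = [{"result": list(r)} for r in rows]
    problems = validate_baseline_results(baseline_results)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
        "apiVersion": API_VERSION,
        "name": f"[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/{rule_id}/Default')]",
        "dependsOn": [
            "[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
        ],
        "properties": {"baselineResults": baseline_results},
    }


if __name__ == "__main__":
    # Constructed sample: one user in three roles becomes three rows, not one nested row.
    rows = [va2109_row("wibuser", r) for r in ("db_datawriter", "db_datareader", "db_ddladmin")]
    print(json.dumps(baseline_resource("VA2109", rows), indent=2))
```

Paste the printed object into the template's resources array. Because baselines approve whatever rows they contain, running the validator (or diffing the generated rows against the latest scan) before deployment also guards against silently baselining a role membership you did not intend to accept.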
