0 Votes
RyanCole-6309 asked

How do I specify multiple rows in an Azure Vulnerability Assessment baseline definition in my ARM (JSON) template?

I'm trying to add some Azure Vulnerability Assessment baseline definitions to my ARM templates. I use JSON for my ARM templates. I cannot find any documentation on how to specify certain VA baseline definitions, though, namely ones that need to have multiple rows in the baselines.

Specifically, I'm trying to add a baseline definition for VA2109. I can locate the documentation for how to define a baseline VA entry in a general sense, which is here...

https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/vulnerabilityassessments/rules/baselines?tabs=json

And then I can locate the description of VA2109 in here ...

https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules#authentication-and-authorization

But neither of those tells me how to include more than one user-role mapping. For example, below is what I currently have, which works and lets me specify that a user should have data writer role. But, I also want to specify that the user should have data reader and ddl admin roles.

 {
   "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
   "apiVersion": "2021-02-01-preview",
   "name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
   "dependsOn": [
     "[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
   ],
   "properties": {
     "baselineResults": [
       {
         "result": ["wibuser", "db_datawriter"]
       }
     ]
   }
 }

I was able to find an example of what I want using PowerShell. In PowerShell, you can just provide an array of arrays. The PowerShell example can be found here ...

https://docs.microsoft.com/en-us/powershell/module/sqlserver/new-sqlvulnerabilityassessmentbaseline?view=sqlserver-ps#example-2--create-a-new-security-check-baseline-manually

So I adjusted my ARM to do the same thing, but it throws an error saying invalid ARM template. The adjusted ARM I tried looks like below ...

 {
   "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
   "apiVersion": "2021-02-01-preview",
   "name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
   "dependsOn": [
     "[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
   ],
   "properties": {
     "baselineResults": [
       {
         "result": [
           ["wibuser", "db_datawriter"],
           ["wibuser", "db_datareader"]
         ]
       }
     ]
   }
 }

Does anybody know how to specify multiple rows in a VA baseline resource when using ARM JSON? Or perhaps know where to find documentation for all of these VA definitions?

azure-sql-database azure-security-center

1 Answer

0 Votes
AnuragSharma-MSFT answered

Hi @RyanCole-6309, welcome to Microsoft Q&A forum.

As I understand it, you want to add multiple baseline rules for user-role mapping using an ARM template.

Please try the template below:

 {
   "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
   "apiVersion": "2021-02-01-preview",
   "name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
   "properties": {
     "baselineResults": [
       {
         "result": ["wibuser", "db_datawriter"]
       },
       {
         "result": ["wibuser", "db_datareader"]
       }
     ]
   }
 }

Here we need to pass multiple rows in separate result json values.

Please let us know if this helps or else we can discuss further on the same.


Hi @RyanCole-6309, just wanted to check if you were able to look into this.

1 Vote 1 ·
RyanCole-6309 AnuragSharma-MSFT ·

Yup, it worked! Thank you. I had been trying to figure that out for a few days.

0 Votes 0 ·
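
Added example, not part of the original thread and not Microsoft's code: a Python helper that builds the baseline resource with one `result` entry per expected row, as the answer describes, plus a check that flags the array-of-arrays shape from the question before a deployment is attempted. The function names and the `db_ddladmin` row are assumptions made for this example.

```python
import json

BASELINE_TYPE = "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines"
# Resource name expression copied from the thread's template.
NAME = "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]"

def baseline_resource(name, rows, api_version="2021-02-01-preview"):
    """Build the baseline resource: one baselineResults entry per expected row."""
    results = []
    for row in rows:
        flat = isinstance(row, (list, tuple)) and all(isinstance(c, str) for c in row)
        if not row or not flat:
            raise ValueError(f"row must be a flat, non-empty list of strings: {row!r}")
        results.append({"result": list(row)})
    return {"type": BASELINE_TYPE, "apiVersion": api_version, "name": name,
            "properties": {"baselineResults": results}}

def nested_result_errors(template):
    """Flag baseline entries whose 'result' contains arrays instead of strings."""
    errors = []
    for res in template.get("resources", []):
        if res.get("type") != BASELINE_TYPE:
            continue
        entries = res.get("properties", {}).get("baselineResults", [])
        for i, entry in enumerate(entries):
            if any(not isinstance(cell, str) for cell in entry.get("result", [])):
                errors.append(f"{res.get('name')}: baselineResults[{i}].result "
                              "is not a flat array of strings")
    return errors

# Constructed sample rows: the three role memberships the question asks for.
ROWS = [("wibuser", "db_datawriter"), ("wibuser", "db_datareader"),
        ("wibuser", "db_ddladmin")]
GOOD = {"resources": [baseline_resource(NAME, ROWS)]}
# The array-of-arrays shape from the question, which was rejected as invalid.
BAD = {"resources": [{"type": BASELINE_TYPE, "name": NAME, "properties": {
    "baselineResults": [{"result": [["wibuser", "db_datawriter"],
                                    ["wibuser", "db_datareader"]]}]}}]}

if __name__ == "__main__":
    print(json.dumps(GOOD["resources"][0], indent=2))  # paste into "resources"
    print(nested_result_errors(BAD))
```

The generated resource has no `dependsOn`; add the one from the question's template when the database is deployed in the same template.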