Azure SQL server not configured with Active Directory admin authentication
Description
Azure AD authentication is a way of connecting to Azure SQL Database using identities held in Azure AD (since renamed Microsoft Entra ID; the Terraform arguments keep the `azuread_` prefix). With Azure AD authentication, the identities of database users and other Microsoft services are managed in one central location, and Azure AD features such as Multi-Factor Authentication, identity protection, and seamless domain join apply to database logins.
This policy ensures that Azure AD authentication is enabled for Azure SQL (MSSQL) by checking that the `azurerm_mssql_server` resource contains an `azuread_administrator` block and that the `login_username` attribute inside that block has a value that is not empty or whitespace-only. Note what the check does not verify: it does not confirm that `object_id` and `tenant_id` refer to a real principal, and it does not require `azuread_authentication_only = true` in the same block, which is the setting that disables SQL (password) logins entirely. A server can therefore pass this rule and still accept SQL authentication.
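The rule logic above, re-implemented as an added stand-alone example (this is not Checkov's own code). It assumes the `azurerm_mssql_server` resource body has already been parsed into a plain Python dict; some HCL parsers (python-hcl2, for instance) wrap nested blocks, and in older versions attribute values, in single-element lists, so both shapes are accepted. The `require_aad_only` switch and the sample resources are assumptions added for illustration: the switch shows the stricter check that also demands `azuread_authentication_only = true`, and the samples are constructed, not taken from a real environment.

```python
# Added example: stand-alone re-implementation of rule CKV2_AZURE_27's logic.
# Not Checkov's code. Assumes the resource body is already a dict (as produced
# by an HCL parser); list-wrapped blocks/values are unwrapped before checking.
from typing import Any, Mapping


def _unwrap(value: Any) -> Any:
    """Some HCL parsers wrap blocks and attribute values in single-element lists."""
    while isinstance(value, list):
        if not value:
            return None
        value = value[0]
    return value


def azuread_admin_configured(resource: Mapping[str, Any], require_aad_only: bool = False) -> bool:
    """Return True when the resource passes the rule.

    The page's rule passes when an `azuread_administrator` block exists and its
    `login_username` is a non-blank string. require_aad_only=True is a stricter
    variant (an assumption, not part of the rule): it also demands
    `azuread_authentication_only = true`, which disables SQL password logins.
    """
    block = _unwrap(resource.get("azuread_administrator"))
    if not isinstance(block, Mapping):
        return False
    username = _unwrap(block.get("login_username"))
    if not isinstance(username, str) or not username.strip():
        return False
    if require_aad_only and _unwrap(block.get("azuread_authentication_only")) is not True:
        return False
    return True


def evaluate(resources: Mapping[str, Mapping[str, Any]], require_aad_only: bool = False) -> dict[str, str]:
    """Map each resource name to PASSED/FAILED, mirroring a scanner's per-resource verdict."""
    return {
        name: "PASSED" if azuread_admin_configured(cfg, require_aad_only) else "FAILED"
        for name, cfg in resources.items()
    }


# Constructed sample resources (not from a real environment).
SAMPLE_RESOURCES = {
    # Compliant: block present, non-blank username (list-wrapped parser shape).
    "compliant": {
        "name": "example-mssqlserver",
        "azuread_administrator": [{
            "login_username": ["example_admin"],
            "object_id": ["00000000-0000-0000-0000-000000000000"],
            "tenant_id": ["00000000-0000-0000-0000-000000000000"],
        }],
    },
    # Compliant and also AAD-only (plain dict shape).
    "aad_only": {
        "name": "strict-mssqlserver",
        "azuread_administrator": {
            "login_username": "example_admin",
            "object_id": "00000000-0000-0000-0000-000000000000",
            "tenant_id": "00000000-0000-0000-0000-000000000000",
            "azuread_authentication_only": True,
        },
    },
    # Non-compliant: no azuread_administrator block at all.
    "missing_block": {"name": "legacy-mssqlserver"},
    # Non-compliant: block present but login_username is only whitespace.
    "blank_username": {
        "name": "blank-mssqlserver",
        "azuread_administrator": [{"login_username": ["   "]}],
    },
}

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_RESOURCES).items():
        print(f"{name}: {verdict}")
```

Running the block prints PASSED for the first two samples and FAILED for the last two; with `require_aad_only=True` only `aad_only` passes, which is the gap between "has an Azure AD admin" and "accepts Azure AD logins only".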
Code Example
```terraform
resource "azurerm_mssql_server" "example" {
  name                = "example-mssqlserver"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  # ... other configurations ...
+ azuread_administrator {
+   login_username = "example_admin"                       # Azure AD user or group to make server admin
+   object_id      = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # object ID of that user or group
+   tenant_id      = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # tenant that holds the principal
+ }
}
```
Remediation
Terraform
Resource:
- azurerm_mssql_server
Arguments:
- azuread_administrator
- azuread_administrator.login_username
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0784 |
| Severity | INFO |
| IaC Type | arm |
| Frameworks | Terraform |
| Checkov ID | CKV2_AZURE_27 |