Azure · Juliehzl · Aug 20, 2020 · Aug 5, 2020 · Aug 9, 2020 · Aug 10, 2020
@@ -913,6 +913,36 @@
 short-summary: Update an existing server Active Directory administrator.
 """
 
+helps['sql server audit-policy'] = """
+type: group
+short-summary: Manage a server's auditing policy.
+"""
+
+helps['sql server audit-policy update'] = """
+type: command
+short-summary: Update a server's auditing policy.
+long-summary: If the policy is being enabled, `--storage-account` or both `--storage-endpoint` and `--storage-key` must be specified.
+examples:
+  - name: Enable by storage account name.
+    text: az sql server audit-policy update -g mygroup -n myserver --state Enabled --storage-account mystorage
+  - name: Enable by storage endpoint and key.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver --state Enabled \\
+            --storage-endpoint https://mystorage.blob.core.windows.net --storage-key MYKEY==
+  - name: Set the list of audit actions.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver \\
+            --actions FAILED_DATABASE_AUTHENTICATION_GROUP 'UPDATE on server::myserver by public'
+  - name: Add an audit action.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver \\
+            --add auditActionsAndGroups FAILED_DATABASE_AUTHENTICATION_GROUP
+  - name: Remove an audit action by list index.
+    text: az sql server audit-policy update -g mygroup -n myserver --remove auditActionsAndGroups 0
+  - name: Disable an auditing policy.
+    text: az sql server audit-policy update -g mygroup -n myserver --state Disabled
+"""
+
 helps['sql server conn-policy'] = """
 type: group
 short-summary: Manage a server's connection policy.

@@ -1275,6 +1275,44 @@ def _configure_security_policy_storage_params(arg_ctx):
                 'sid',
             ])
 
+    #####
+    #           sql server audit-policy
+    ######
+    with self.argument_context('sql server audit-policy update') as c:
+        storage_arg_group = 'Storage'
+
+        c.argument('storage_account',
+                   options_list=['--storage-account'],
+                   arg_group=storage_arg_group,
+                   help='Name of the storage account.')
+
+        c.argument('storage_account_access_key',
+                   options_list=['--storage-key'],
+                   arg_group=storage_arg_group,
+                   help='Access key for the storage account.')
+
+        c.argument('storage_endpoint',
+                   arg_group=storage_arg_group,
+                   help='The storage account endpoint.')
+        _configure_security_policy_storage_params(c)
+
+        policy_arg_group = 'Policy'
+
+        c.argument('state',
+                   arg_group=policy_arg_group,
+                   help='Auditing policy state',
+                   arg_type=get_enum_type(BlobAuditingPolicyState))
+
+        c.argument('audit_actions_and_groups',
+                   options_list=['--actions'],
+                   arg_group=policy_arg_group,
+                   help='List of actions and action groups to audit.',
+                   nargs='+')
+
+        c.argument('retention_days',
+                   arg_group=policy_arg_group,
+                   help='The number of days to retain audit logs.')
+
     #####
     #           sql server conn-policy
     #####

@@ -40,6 +40,10 @@ def get_sql_database_blob_auditing_policies_operations(cli_ctx, _):
     return get_sql_management_client(cli_ctx).database_blob_auditing_policies
 
 
+def get_sql_server_blob_auditing_policies_operations(cli_ctx, _):
+    return get_sql_management_client(cli_ctx).server_blob_auditing_policies
+
+
 def get_sql_database_sensitivity_labels_operations(cli_ctx, _):
     return get_sql_management_client(cli_ctx).sensitivity_labels
 

@@ -26,6 +26,7 @@
     get_sql_capabilities_operations,
     get_sql_databases_operations,
     get_sql_database_blob_auditing_policies_operations,
+    get_sql_server_blob_auditing_policies_operations,
     get_sql_database_long_term_retention_backups_operations,
     get_sql_database_long_term_retention_policies_operations,
     get_sql_database_sensitivity_labels_operations,
@@ -251,6 +252,19 @@ def load_command_table(self, _):
         g.generic_update_command('update',
                                  custom_func_name='db_audit_policy_update')
 
+    server_blob_auditing_policies_operations = CliCommandType(
+        operations_tmpl='azure.mgmt.sql.operations#ServerBlobAuditingPoliciesOperations.{}',
+        client_factory=get_sql_server_blob_auditing_policies_operations)
+
+    with self.command_group('sql server audit-policy',
+                            server_blob_auditing_policies_operations,
+                            client_factory=get_sql_server_blob_auditing_policies_operations,
+                            is_preview=True) as g:
+
+        g.show_command('show', 'get')
+        g.generic_update_command('update',
+                                 custom_func_name='server_audit_policy_update')
+
     database_long_term_retention_policies_operations = CliCommandType(
         operations_tmpl='azure.mgmt.sql.operations#BackupLongTermRetentionPoliciesOperations.{}',
         client_factory=get_sql_database_long_term_retention_policies_operations)

@@ -1497,6 +1497,54 @@ def db_audit_policy_update(
     # Apply state
     if state:
         instance.state = BlobAuditingPolicyState[state.lower()]
+
+    enabled = instance.state.value.lower() == BlobAuditingPolicyState.enabled.value.lower()  # pylint: disable=no-member
+
+    # Set storage-related properties
+    _db_security_policy_update(
+        cmd.cli_ctx,
+        instance,
+        enabled,
+        storage_account,
+        storage_endpoint,
+        storage_account_access_key,
+        instance.is_storage_secondary_key_in_use)
+
+    # Set other properties
+    if audit_actions_and_groups:
+        instance.audit_actions_and_groups = audit_actions_and_groups
+
+    # If auditing is enabled, make sure that the actions and groups are set to default
+    # value in case they were removed previously (When disabling auditing)
+    if enabled and (not instance.audit_actions_and_groups or instance.audit_actions_and_groups == []):
+        instance.audit_actions_and_groups = [
+            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
+            "FAILED_DATABASE_AUTHENTICATION_GROUP",
+            "BATCH_COMPLETED_GROUP"]
+
+    if retention_days:
+        instance.retention_days = retention_days
+
+    return instance
+
+
+def server_audit_policy_update(
+        cmd,
+        instance,
+        state=None,
+        storage_account=None,
+        storage_endpoint=None,
+        storage_account_access_key=None,
+        audit_actions_and_groups=None,
+        retention_days=None):
+    '''
+    Updates an audit policy. Custom update function to apply parameters to instance.
+    '''
+
+    # Apply state
+    if state:
+        instance.state = BlobAuditingPolicyState[state.lower()]
+
     enabled = instance.state.value.lower() == BlobAuditingPolicyState.enabled.value.lower()  # pylint: disable=no-member
 
     # Set storage-related properties