[Audit policy] Support Event Hub and Log Analytics in server and database audit policy commands

src/azure-cli/azure/cli/command_modules/sql/_help.py

@@ -22,29 +22,59 @@
 short-summary: Manage a database's auditing policy.
 """
 
+helps['sql db audit-policy wait'] = """
+type: command
+short-summary: Place the CLI in a waiting state until a condition of the database's audit policy is met.
+examples:
+  - name: Place the CLI in a waiting state until it determines that database's audit policy exists
+    text: az sql db audit-policy wait -g mygroup -s myserver -n mydb --exists
+"""
+
 helps['sql db audit-policy update'] = """
 type: command
 short-summary: Update a database's auditing policy.
 long-summary: If the policy is being enabled, `--storage-account` or both `--storage-endpoint` and `--storage-key` must be specified.
 examples:
   - name: Enable by storage account name.
-    text: az sql db audit-policy update -g mygroup -s myserver -n mydb --state Enabled --storage-account mystorage
+    text: |
+        az sql db audit-policy update -g mygroup -s myserver -n mydb --state Enabled \\
+            --bsts Enabled --storage-account mystorage
   - name: Enable by storage endpoint and key.
     text: |
         az sql db audit-policy update -g mygroup -s myserver -n mydb --state Enabled \\
-            --storage-endpoint https://mystorage.blob.core.windows.net --storage-key MYKEY==
+            --bsts Enabled --storage-endpoint https://mystorage.blob.core.windows.net \\
+            --storage-key MYKEY==
   - name: Set the list of audit actions.
     text: |
         az sql db audit-policy update -g mygroup -s myserver -n mydb \\
             --actions FAILED_DATABASE_AUTHENTICATION_GROUP 'UPDATE on database::mydb by public'
-  - name: Add an audit action.
-    text: |
-        az sql db audit-policy update -g mygroup -s myserver -n mydb \\
-            --add auditActionsAndGroups FAILED_DATABASE_AUTHENTICATION_GROUP
-  - name: Remove an audit action by list index.
-    text: az sql db audit-policy update -g mygroup -s myserver -n mydb --remove auditActionsAndGroups 0
   - name: Disable an auditing policy.
     text: az sql db audit-policy update -g mygroup -s myserver -n mydb --state Disabled
+  - name: Disable a blob storage auditing policy.
+    text: az sql db audit-policy update -g mygroup -s myserver -n mydb --bsts Disabled
+  - name: Enable a log analytics auditing policy.
+    text: |
+        az sql db audit-policy update -g mygroup -s myserver -n mydb --state Enabled \\
+            --lats Enabled --lawri myworkspaceresourceid
+  - name: Disable a log analytics auditing policy.
+    text: |
+        az sql db audit-policy update -g mygroup -s myserver -n mydb
+            --lats Disabled
+  - name: Enable an event hub auditing policy.
+    text: |
+        az sql db audit-policy update -g mygroup -s myserver -n mydb --state Enabled \\
+            --event-hub-target-state Enabled \\
+            --event-hub-authorization-rule-id eventhubauthorizationruleid \\
+            --event-hub eventhubname
+  - name: Enable an event hub auditing policy for default event hub.
+    text: |
+        az sql db audit-policy update -g mygroup -s myserver -n mydb --state Enabled \\
+            --event-hub-target-state Enabled \\
+            --event-hub-authorization-rule-id eventhubauthorizationruleid
+  - name: Disable an event hub auditing policy.
+    text: |
+        az sql db audit-policy update -g mygroup -s myserver -n mydb
+            --event-hub-target-state Disabled
 """
 
 helps['sql db copy'] = """
@@ -980,29 +1010,59 @@
 short-summary: Manage a server's auditing policy.
 """
 
+helps['sql server audit-policy wait'] = """
+type: command
+short-summary: Place the CLI in a waiting state until a condition of the server's audit policy is met.
+examples:
+  - name: Place the CLI in a waiting state until it determines that server's audit policy exists
+    text: az sql server audit-policy wait -g mygroup -n myserver --exists
+"""
+
 helps['sql server audit-policy update'] = """
 type: command
 short-summary: Update a server's auditing policy.
 long-summary: If the policy is being enabled, `--storage-account` or both `--storage-endpoint` and `--storage-key` must be specified.
 examples:
   - name: Enable by storage account name.
-    text: az sql server audit-policy update -g mygroup -n myserver --state Enabled --storage-account mystorage
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver --state Enabled \\
+            --bsts Enabled --storage-account mystorage
   - name: Enable by storage endpoint and key.
     text: |
         az sql server audit-policy update -g mygroup -n myserver --state Enabled \\
-            --storage-endpoint https://mystorage.blob.core.windows.net --storage-key MYKEY==
+            --bsts Enabled --storage-endpoint https://mystorage.blob.core.windows.net \\
+            --storage-key MYKEY==
   - name: Set the list of audit actions.
     text: |
         az sql server audit-policy update -g mygroup -n myserver \\
             --actions FAILED_DATABASE_AUTHENTICATION_GROUP 'UPDATE on server::myserver by public'
-  - name: Add an audit action.
-    text: |
-        az sql server audit-policy update -g mygroup -n myserver \\
-            --add auditActionsAndGroups FAILED_DATABASE_AUTHENTICATION_GROUP
-  - name: Remove an audit action by list index.
-    text: az sql server audit-policy update -g mygroup -n myserver --remove auditActionsAndGroups 0
   - name: Disable an auditing policy.
     text: az sql server audit-policy update -g mygroup -n myserver --state Disabled
+  - name: Disable a blob storage auditing policy.
+    text: az sql server audit-policy update -g mygroup -n myserver --bsts Disabled
+  - name: Enable a log analytics auditing policy.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver --state Enabled \\
+            --lats Enabled --lawri myworkspaceresourceid
+  - name: Disable a log analytics auditing policy.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver
+            --lats Disabled
+  - name: Enable an event hub auditing policy.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver --state Enabled \\
+            --event-hub-target-state Enabled \\
+            --event-hub-authorization-rule-id eventhubauthorizationruleid \\
+            --event-hub eventhubname
+  - name: Enable an event hub auditing policy for default event hub.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver --state Enabled \\
+            --event-hub-target-state Enabled \\
+            --event-hub-authorization-rule-id eventhubauthorizationruleid
+  - name: Disable an event hub auditing policy.
+    text: |
+        az sql server audit-policy update -g mygroup -n myserver
+            --event-hub-target-state Disabled
 """
 
 helps['sql server conn-policy'] = """

src/azure-cli/azure/cli/command_modules/sql/_params.py

@@ -127,6 +127,10 @@ def get_internal_backup_storage_redundancy(self):
 
 time_format_help = 'Time should be in following format: "YYYY-MM-DDTHH:MM:SS".'
 
+storage_arg_group = "Storage"
+log_analytics_arg_group = "Log Analytics"
+event_hub_arg_group = "Event Hub"
+
 
 def get_location_type_with_default_from_resource_group(cli_ctx):
     return CLIArgumentType(
@@ -257,6 +261,47 @@ def get_location_type_with_default_from_resource_group(cli_ctx):
     help='The number of readonly replicas to provision for the database. '
     'Only settable for Hyperscale edition.')
 
+blob_storage_target_state_param_type = CLIArgumentType(
+    arg_group=storage_arg_group,
+    options_list=['--blob-storage-target-state', '--bsts'],
+    configured_default='sql-server',
+    help='Indicate whether blob storage is a destination for audit records.',
+    arg_type=get_enum_type(BlobAuditingPolicyState))
+
+log_analytics_target_state_param_type = CLIArgumentType(
+    arg_group=log_analytics_arg_group,
+    options_list=['--log-analytics-target-state', '--lats'],
+    configured_default='sql-server',
+    help='Indicate whether log analytics is a destination for audit records.',
+    arg_type=get_enum_type(BlobAuditingPolicyState))
+
+log_analytics_workspace_resource_id_param_type = CLIArgumentType(
+    arg_group=log_analytics_arg_group,
+    options_list=['--log-analytics-workspace-resource-id', '--lawri'],
+    configured_default='sql-server',
+    help='The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace '
+         'to which you would like to send Audit Logs.')
+
+event_hub_target_state_param_type = CLIArgumentType(
+    arg_group=event_hub_arg_group,
+    options_list=['--event-hub-target-state', '--ehts'],
+    configured_default='sql-server',
+    help='Indicate whether event hub is a destination for audit records.',
+    arg_type=get_enum_type(BlobAuditingPolicyState))
+
+event_hub_authorization_rule_id_param_type = CLIArgumentType(
+    arg_group=event_hub_arg_group,
+    options_list=['--event-hub-authorization-rule-id', '--ehari'],
+    configured_default='sql-server',
+    help='The resource Id for the event hub authorization rule.')
+
+event_hub_param_type = CLIArgumentType(
+    arg_group=event_hub_arg_group,
+    options_list=['--event-hub', '--eh'],
+    configured_default='sql-server',
+    help='The name of the event hub. If none is specified '
+         'when providing event_hub_authorization_rule_id, the default event hub will be selected.')
+
 db_service_objective_examples = 'Basic, S0, P1, GP_Gen4_1, GP_Gen5_S_8, BC_Gen5_2, HS_Gen5_32.'
 dw_service_objective_examples = 'DW100, DW1000c'
 
@@ -804,8 +849,6 @@ def load_arguments(self, _):
     #####
     def _configure_security_policy_storage_params(arg_ctx):
 
-        storage_arg_group = 'Storage'
-
         arg_ctx.argument('storage_account',
                          options_list=['--storage-account'],
                          arg_group=storage_arg_group,
@@ -840,6 +883,23 @@ def _configure_security_policy_storage_params(arg_ctx):
                    arg_group=policy_arg_group,
                    help='The number of days to retain audit logs.')
 
+        c.argument('blob_storage_target_state',
+                   blob_storage_target_state_param_type)
+
+        c.argument('log_analytics_target_state',
+                   log_analytics_target_state_param_type)
+
+        c.argument('log_analytics_workspace_resource_id',
+                   log_analytics_workspace_resource_id_param_type)
+
+        c.argument('event_hub_target_state',
+                   event_hub_target_state_param_type)
+
+        c.argument('event_hub_authorization_rule_id',
+                   event_hub_authorization_rule_id_param_type)
+
+        c.argument('event_hub', event_hub_param_type)
+
     with self.argument_context('sql db threat-policy update') as c:
         _configure_security_policy_storage_params(c)
 
@@ -1322,8 +1382,6 @@ def _configure_security_policy_storage_params(arg_ctx):
     #           sql server audit-policy
     ######
     with self.argument_context('sql server audit-policy update') as c:
-        storage_arg_group = 'Storage'
-
         c.argument('storage_account',
                    options_list=['--storage-account'],
                    arg_group=storage_arg_group,
@@ -1356,6 +1414,23 @@ def _configure_security_policy_storage_params(arg_ctx):
                    arg_group=policy_arg_group,
                    help='The number of days to retain audit logs.')
 
+        c.argument('blob_storage_target_state',
+                   blob_storage_target_state_param_type)
+
+        c.argument('log_analytics_target_state',
+                   log_analytics_target_state_param_type)
+
+        c.argument('log_analytics_workspace_resource_id',
+                   log_analytics_workspace_resource_id_param_type)
+
+        c.argument('event_hub_target_state',
+                   event_hub_target_state_param_type)
+
+        c.argument('event_hub_authorization_rule_id',
+                   event_hub_authorization_rule_id_param_type)
+
+        c.argument('event_hub', event_hub_param_type)
+
     #####
     #           sql server conn-policy
     #####

src/azure-cli/azure/cli/command_modules/sql/commands.py

@@ -260,9 +260,9 @@ def load_command_table(self, _):
                             database_blob_auditing_policies_operations,
                             client_factory=get_sql_database_blob_auditing_policies_operations) as g:
 
-        g.show_command('show', 'get')
-        g.generic_update_command('update',
-                                 custom_func_name='db_audit_policy_update')
+        g.custom_show_command('show', 'db_audit_policy_show')
+        g.generic_update_command('update', custom_func_name='db_audit_policy_update')
+        g.wait_command('wait')
 
     server_blob_auditing_policies_operations = CliCommandType(
         operations_tmpl='azure.mgmt.sql.operations#ServerBlobAuditingPoliciesOperations.{}',
@@ -272,9 +272,9 @@ def load_command_table(self, _):
                             server_blob_auditing_policies_operations,
                             client_factory=get_sql_server_blob_auditing_policies_operations) as g:
 
-        g.show_command('show', 'get')
-        g.generic_update_command('update',
-                                 custom_func_name='server_audit_policy_update')
+        g.custom_show_command('show', 'server_audit_policy_show')
+        g.generic_update_command('update', custom_func_name='server_audit_policy_update', supports_no_wait=True)
+        g.wait_command('wait')
 
     database_long_term_retention_policies_operations = CliCommandType(
         operations_tmpl='azure.mgmt.sql.operations#BackupLongTermRetentionPoliciesOperations.{}',