[SR-1585] AWS RDS for SQL Server Module

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.0.6 (TBD)
+
+### Features
+- Amazon RDS SQL Server module
+
 ## 1.0.4 (2024-07-25)
 
 ### Features

DSF_VERSION_COMPATABILITY.md

@@ -20,14 +20,6 @@ The following table lists the DSF versions that each module is tested and mainta
       <td>4.17+</td>
    </tr>
    <tr>
-      <td>onboard-aws-rds-neptune</td>
-      <td>4.17+</td>
-   </tr>
-   <tr>
-      <td>onboard-aws-rds-neptune-slow-query</td>
-      <td>4.17+</td>
-   </tr>
-      <tr>
       <td>onboard-aws-rds-aurora-mysql</td>
       <td>4.17+</td>
    </tr>
@@ -54,10 +46,22 @@ The following table lists the DSF versions that each module is tested and mainta
    <tr>
       <td>onboard-aws-rds-mysql</td>
       <td>4.16+</td>
+   </tr>
+      <tr>
+      <td>onboard-aws-rds-ms-sql-server</td>
+      <td>4.17+</td>
    </tr>
    <tr>
       <td>onboard-aws-rds-mysql-slow-query</td>
       <td>4.16+</td>
+   </tr>
+      <tr>
+      <td>onboard-aws-rds-neptune</td>
+      <td>4.17+</td>
+   </tr>
+   <tr>
+      <td>onboard-aws-rds-neptune-slow-query</td>
+      <td>4.17+</td>
    </tr>
    <tr>
       <td>onboard-aws-rds-oracle-standard</td>

examples/onboard-aws-rds-ms-sql-server/README.md

@@ -0,0 +1,64 @@
+# Onboard Amazon RDS for SQL Server example
+This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-RDS-for-SQL-Server-Onboarding-Steps_48367099.html).
+
+It creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each one can be found in the relevant provider documentation:
+- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs)
+
+## Prerequisites
+### Database Configuration
+Part of the onboarding process involves connecting to your RDS MS SQL Server instance and running SQL commands to create an audit policy. This module includes an example for how to connect to the instance from your local machine and create it. 
+
+**Note:** This example requires the ``sqlcmd`` client to be installed, as well as for the newly created RDS MS SQL Server instance to be accessible from your local machine. 
+
+### Account Asset Permissions
+An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created S3 bucket. In addition, the cloud account should be granted these additional permissions:
+
+```
+rds:DescribeOptionGroups
+s3:GetObject
+s3:ListBucket
+s3:ListAllMyBuckets
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws-default-account-asset"></a> [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a |
+| <a name="module_aws-rds-ms-sql-server-1"></a> [aws-rds-ms-sql-server-1](#module\_aws-rds-ms-sql-server-1) | ../../modules/onboard-aws-rds-ms-sql-server | n/a |
+| <a name="module_aws-rds-ms-sql-server-2"></a> [aws-rds-ms-sql-server-2](#module\_aws-rds-ms-sql-server-2) | ../../modules/onboard-aws-rds-ms-sql-server | n/a |
+| <a name="module_aws-rds-ms-sql-server-3"></a> [aws-rds-ms-sql-server-3](#module\_aws-rds-ms-sql-server-3) | ../../modules/onboard-aws-rds-ms-sql-server | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [terraform_data.configure_database-1](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
+| [terraform_data.configure_database-2](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
+| [terraform_data.configure_database-3](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dsfhub_host"></a> [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_token"></a> [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/onboard-aws-rds-ms-sql-server/configure_audit_policy.sql

@@ -0,0 +1,101 @@
+DECLARE  
+  @server_audit AS VARCHAR(50) = '$(server_audit)',
+  @server_audit_spec_name AS VARCHAR(50) = '$(audit_spec_name)',
+  @server_audit_spec AS VARCHAR(3000),
+  @server_audit_status INT,
+  @sql_command AS VARCHAR(3000)
+
+USE master;
+
+-- Create server audit
+IF (EXISTS (SELECT * FROM sys.dm_server_audit_status where name = @server_audit))
+  BEGIN 
+    PRINT 'Server audit "' + @server_audit + '" already exists.';
+  END
+ELSE 
+  BEGIN 
+    PRINT 'Creating server audit "' + @server_audit + '"';
+
+    SET @sql_command = 'CREATE SERVER AUDIT ' + @server_audit + ' TO FILE (FILEPATH = ''D:\rdsdbdata\SQLAudit\'', MAXSIZE = 2 MB) WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)';
+    EXECUTE(@sql_command);
+  END;
+
+-- Enable server audit
+select @server_audit_status = status FROM sys.dm_server_audit_status where name = @server_audit;
+
+IF (@server_audit_status = 1)
+  BEGIN
+    PRINT 'Server audit "' + @server_audit + '" is already enabled.';
+  END;
+ELSE 
+  BEGIN 
+    PRINT 'Enabling server audit "' + @server_audit + '"';
+
+    SET @sql_command = 'ALTER SERVER AUDIT ' + @server_audit + ' WITH (STATE = ON)';
+    EXECUTE(@sql_command);
+  END;
+
+
+-- Create server audit specification
+IF (EXISTS (SELECT * FROM sys.server_audit_specifications where name = @server_audit_spec_name))
+  BEGIN
+    PRINT 'Server audit specification "' + @server_audit_spec_name + '" already exists.';
+  END;
+ELSE 
+  BEGIN 
+    PRINT 'Creating server audit specification "' + @server_audit_spec_name + '"';
+
+    -- This creates a server audit specification that captures all server-level and database-level events.
+    -- Modify or add additional groups as needed.
+    -- For all action groups available, see https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver15
+    SET @server_audit_spec = 'ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),
+ADD (AUDIT_CHANGE_GROUP),
+ADD (BACKUP_RESTORE_GROUP),
+ADD (BATCH_COMPLETED_GROUP),
+ADD (BATCH_STARTED_GROUP),
+ADD (BROKER_LOGIN_GROUP),
+ADD (DATABASE_CHANGE_GROUP),
+ADD (DATABASE_LOGOUT_GROUP),
+ADD (DATABASE_MIRRORING_LOGIN_GROUP),
+ADD (DATABASE_OBJECT_ACCESS_GROUP),
+ADD (DATABASE_OBJECT_CHANGE_GROUP),
+ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
+ADD (DATABASE_OPERATION_GROUP),
+ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
+ADD (DATABASE_PERMISSION_CHANGE_GROUP),
+ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
+ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP),
+ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
+ADD (DBCC_GROUP),
+ADD (FAILED_DATABASE_AUTHENTICATION_GROUP),
+ADD (FAILED_LOGIN_GROUP),
+ADD (FULLTEXT_GROUP),
+ADD (LOGIN_CHANGE_PASSWORD_GROUP),
+ADD (LOGOUT_GROUP),
+ADD (SCHEMA_OBJECT_ACCESS_GROUP),
+ADD (SCHEMA_OBJECT_CHANGE_GROUP),
+ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
+ADD (SERVER_OBJECT_CHANGE_GROUP),
+ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP),
+ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
+ADD (SERVER_OPERATION_GROUP),
+ADD (SERVER_PERMISSION_CHANGE_GROUP),
+ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
+ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
+ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
+ADD (SERVER_STATE_CHANGE_GROUP),
+ADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP),
+ADD (SUCCESSFUL_LOGIN_GROUP),
+ADD (TRACE_CHANGE_GROUP),
+ADD (TRANSACTION_GROUP),
+ADD (USER_CHANGE_PASSWORD_GROUP),
+ADD (USER_DEFINED_AUDIT_GROUP)
+WITH (STATE = ON)';
+
+    SET @sql_command = 'CREATE SERVER AUDIT SPECIFICATION ' + @server_audit_spec_name + ' FOR SERVER AUDIT ' + @server_audit + ' ' + @server_audit_spec;
+    EXECUTE(@sql_command);
+  END;
+
+GO

examples/onboard-aws-rds-ms-sql-server/configure_database.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Creates an audit policy on an SQL Server instance using the 'sqlcmd' client
+
+# Settings
+current_directory=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
+policy_sql_file="${current_directory}/configure_audit_policy.sql"
+
+# Functions
+function is_pkg_installed {
+  local pkg="$1"
+  if ! command -v "${pkg}" &> /dev/null
+  then
+    echo "Package '${pkg}' is not installed."
+    echo "Please see https://learn.microsoft.com/en-us/sql/tools/sqlcmd/sqlcmd-utility for installation instructions for your OS."
+    echo "Exiting..."
+    exit 1
+  else 
+    return 0
+  fi 
+}
+
+is_pkg_installed "sqlcmd"
+
+# Create server audit with server audit specification
+if [ ! -r "${policy_sql_file}" ]; then 
+  echo "Unable to read ${policy_sql_file}"
+  echo "Exiting..."
+  exit 1
+else 
+  sqlcmd -S tcp:${ENDPOINT} -U ${ADMIN_USER} -P ${ADMIN_PASSWORD} -v server_audit=${SERVER_AUDIT_NAME} -v audit_spec_name=${SERVER_AUDIT_SPEC_NAME} -C < ${policy_sql_file}
+fi