Framework/Core/FixControl/Services/SQLDatabaseFix.ps1

using namespace Microsoft.Azure.Commands.Sql.Auditing.Model
using namespace Microsoft.Azure.Commands.Sql.ServerUpgrade.Model
using namespace Microsoft.Azure.Commands.Sql.TransparentDataEncryption.Model
using namespace Microsoft.Azure.Commands.Sql.ThreatDetection.Model

Set-StrictMode -Version Latest 

class SQLDatabaseFix: FixServicesBase
{       
    SQLDatabaseFix([string] $subscriptionId, [ResourceConfig] $resourceConfig, [string] $resourceGroupName): 
        Base($subscriptionId, $resourceConfig, $resourceGroupName) 
    { }
    
    [MessageData[]] FixADAdmin([PSObject] $parameters)
    {
        [MessageData[]] $detailedLogs = @();

        if((Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $this.ResourceGroupName -ServerName $this.ResourceName | Measure-Object).Count -le 0)
        {
            $adAdmin = $parameters.ActiveDirectoryAdminEmailId;
            $detailedLogs += [MessageData]::new("Setting up Active Directory admin [$adAdmin] for server [$($this.ResourceName)]...");
            $adAdminResult = Set-AzSqlServerActiveDirectoryAdministrator `
                                -ResourceGroupName $this.ResourceGroupName `
                                -ServerName $this.ResourceName `
                                -DisplayName $adAdmin `
                                -ErrorAction Stop

            $detailedLogs += [MessageData]::new("Active Directory admin has been set for server [$($this.ResourceName)]", $adAdminResult);
        }
        else
        {
            $detailedLogs += $this.PublishCustomMessage("Active Directory admin has already been set for server [$($this.ResourceName)]", [MessageType]::Update);
        }
        
        return $detailedLogs;
    }

    [MessageData[]] FixSqlDatabaseTDE([PSObject] $parameters)
    {
        [MessageData[]] $detailedLogs = @();        
        try
        {
            $sqlDatabases = @();
            $sqlDatabases += Get-AzSqlDatabase -ResourceGroupName $this.ResourceGroupName -ServerName $this.ResourceName -ErrorAction Stop |
                                    Where-Object { $_.DatabaseName -ne "master" }
            $sqlDatabases | ForEach-Object {
                $database = $_
                if($database.Status -eq 'Online')
                {
                    try {
                        $tdeStatus = Get-AzSqlDatabaseTransparentDataEncryption `
                                        -ResourceGroupName $this.ResourceGroupName `
                                        -ServerName $this.ResourceName `
                                        -DatabaseName $database.DatabaseName `
                                        -ErrorAction Stop

                        if($tdeStatus.State -ne [TransparentDataEncryptionStateType]::Enabled) {
                            $detailedLogs += [MessageData]::new("Enabling SQL TDE on database [$($database.DatabaseName)]...");
                            $tdeStatus = Set-AzSqlDatabaseTransparentDataEncryption `
                                            -ResourceGroupName $this.ResourceGroupName `
                                            -ServerName $this.ResourceName `
                                            -DatabaseName $database.DatabaseName `
                                            -State Enabled `
                                            -ErrorAction Stop
               
                            $detailedLogs += [MessageData]::new("SQL TDE has been enabled on database [$($database.DatabaseName)]", $tdeStatus);
                        }
                    }
                    catch {
                        $detailedLogs += [MessageData]::new("Error while fetching TDE status of database [$($database.DatabaseName)]");
                    }
                }
                else
                {
                       $detailedLogs += $this.PublishCustomMessage("The database [$($database.DatabaseName)] is offline, run the script again when resource is online", [MessageType]::Warning);
                }
            }
        }
        catch
        {
            $detailedLogs += [MessageData]::new("Error while fetching databases of SQL Server [$this.ResourceName]");
        }
        
        return $detailedLogs;
    }

    [MessageData[]] EnableServerAuditingPolicy([PSObject] $parameters)
    {
        [MessageData[]] $detailedLogs = @();
        $storageAccountName = $parameters.StorageAccountName;
        $storageAccount = Get-AzResource -Name $storageAccountName -ResourceType 'Microsoft.Storage/storageAccounts'
        if(($storageAccount|Measure-Object).Count -eq 0)
        {
            throw "Cannot find a storage account with the name '$($storageAccountName)'. It either does not exist, associated with a different subscription or you do not have the appropriate credentials to access it."
        }
        $detailedLogs += [MessageData]::new("Setting up audit policy for server [$($this.ResourceName)] with storage account [$storageAccountName]...");
        Set-AzSqlServerAudit `
                -ResourceGroupName $this.ResourceGroupName `
                -ServerName $this.ResourceName `
                -StorageAccountResourceId $storageAccount.ResourceId `
                -BlobStorageTargetState Enabled `
                -RetentionInDays 0 `
                -ErrorAction Stop
        $detailedLogs += [MessageData]::new("Audit policy has been set up for server [$($this.ResourceName)]");
        return $detailedLogs;
    }

    [MessageData[]] EnableDatabaseAuditingPolicy([PSObject] $parameters, [string] $databaseName)
    {
        [MessageData[]] $detailedLogs = @();
        $storageAccountName = $parameters.StorageAccountName;
        $storageAccount = Get-AzResource -Name $storageAccountName -ResourceType 'Microsoft.Storage/storageAccounts'
        if(($storageAccount|Measure-Object).Count -eq 0)
        {
            throw "Cannot find a storage account with the name '$($storageAccountName)'. It either does not exist, associated with a different subscription or you do not have the appropriate credentials to access it."
        }
        $detailedLogs += [MessageData]::new("Setting up audit policy for database [$databaseName] with storage account [$storageAccountName]...");
    
        Set-AzSqlDatabaseAudit `
                -ResourceGroupName $this.ResourceGroupName `
                -ServerName $this.ResourceName `
                -DatabaseName $databaseName `
                -StorageAccountResourceId $storageAccount.ResourceId `
                -BlobStorageTargetState Enabled `
                -RetentionInDays 0 `
                -ErrorAction Stop

        $detailedLogs += [MessageData]::new("Audit policy has been set up for database [$databaseName]");
        return $detailedLogs;
    }

    [MessageData[]] EnableServerThreatDetection([PSObject] $parameters)
    {
        [MessageData[]] $detailedLogs = @();
        $storageAccountName = $parameters.StorageAccountName;
        $securityContactEmails = $parameters.SecurityContactEmails;
        $detailedLogs += [MessageData]::new("Setting up threat detection for server [$($this.ResourceName)] with storage account [$storageAccountName]...");

        # Check if audit is not enabled
        if(-not $this.IsServerAuditEnabled())
        {
            $detailedLogs += $this.EnableServerAuditingPolicy($parameters)
        }

        # TODO: We are temporarily suppressing the alias deprecation warning message given by the below Az.SQL cmdlet.
        Update-AzSqlServerAdvancedThreatProtectionSettings `
                -ResourceGroupName $this.ResourceGroupName `
                -ServerName $this.ResourceName `
                -StorageAccountName $storageAccountName `
                -EmailAdmins $true `
                -NotificationRecipientsEmails $securityContactEmails `
                -RetentionInDays 0 `
                -ErrorAction Stop `
                -WarningAction SilentlyContinue

        $detailedLogs += [MessageData]::new("Threat detection has been set up for server [$($this.ResourceName)]");
        return $detailedLogs;
    }

    # TODO: This function is not being called. We should delete it if not used.
    [MessageData[]] EnableDatabaseThreatDetection([PSObject] $parameters, [string] $databaseName)
    {
        [MessageData[]] $detailedLogs = @();
        $storageAccountName = $parameters.StorageAccountName;
        $securityContactEmails = $parameters.SecurityContactEmails;
        $detailedLogs += [MessageData]::new("Setting up threat detection for database [$databaseName] with storage account [$storageAccountName]...");
        
        # Check if audit is not enabled
        if(-not $this.IsDatabaseAuditEnabled($databaseName))
        {
            $detailedLogs += $this.EnableDatabaseAuditingPolicy($parameters, $databaseName);
        }

        # TODO: We are temporarily suppressing the alias deprecation warning message given by the below Az.SQL cmdlet.
        Update-AzSqlDatabaseAdvancedThreatProtectionSettings `
                -ResourceGroupName $this.ResourceGroupName `
                -ServerName $this.ResourceName `
                -DatabaseName $databaseName `
                -StorageAccountName $storageAccountName `
                -EmailAdmins $true `
                -NotificationRecipientsEmails $securityContactEmails `
                -RetentionInDays 0 `
                -ErrorAction Stop -WarningAction SilentlyContinue
        
        $detailedLogs += [MessageData]::new("Threat detection has been set up for database [$databaseName]");
        return $detailedLogs;
    }

    hidden [bool] IsServerAuditEnabled()
    {
        $result = $false;
        $serverAudit = Get-AzSqlServerAudit -ResourceGroupName $this.ResourceGroupName -ServerName $this.ResourceName
        $result = ($serverAudit -and $serverAudit.BlobStorageTargetState -eq [AuditStateType]::Enabled)
        return $result
    }

    hidden [bool] IsDatabaseAuditEnabled([string] $databaseName)
    {
        $result = $false;
        $dbAudit = Get-AzSqlDatabaseAudit -ResourceGroupName $this.ResourceGroupName -ServerName $this.ResourceName -DatabaseName $databaseName; 
        $result = ($dbAudit -and $dbAudit.BlobStorageTargetState -eq [AuditStateType]::Enabled)
        return $result
    }
}