---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# azure_sql_server{% #azure_sql_server %}

## `active_directory_administrators`{% #active_directory_administrators %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `ServerAzureADAdministrator`

- `administrator_type`**Type**: `STRING`**Provider name**: `properties.administratorType`**Description**: Type of the sever administrator.
- `azure_ad_only_authentication`**Type**: `BOOLEAN`**Provider name**: `properties.azureADOnlyAuthentication`**Description**: Azure Active Directory only Authentication enabled.
- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `login`**Type**: `STRING`**Provider name**: `properties.login`**Description**: Login name of the server administrator.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.
- `sid`**Type**: `STRING`**Provider name**: `properties.sid`**Description**: SID (object ID) of the server administrator.
- `tenant_id`**Type**: `STRING`**Provider name**: `properties.tenantId`**Description**: Tenant ID of the administrator.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.

## `administrator_login`{% #administrator_login %}

**Type**: `STRING`**Provider name**: `properties.administratorLogin`**Description**: Administrator username for the server. Once created it cannot be changed.

## `administrator_login_password`{% #administrator_login_password %}

**Type**: `STRING`**Provider name**: `properties.administratorLoginPassword`**Description**: The administrator login password (required for server creation).

## `administrators`{% #administrators %}

**Type**: `STRUCT`**Provider name**: `properties.administrators`**Description**: The Azure Active Directory identity of the server.

- `administrator_type`**Type**: `STRING`**Provider name**: `administratorType`**Description**: Type of the sever administrator.
- `azure_ad_only_authentication`**Type**: `BOOLEAN`**Provider name**: `azureADOnlyAuthentication`**Description**: Azure Active Directory only Authentication enabled.
- `login`**Type**: `STRING`**Provider name**: `login`**Description**: Login name of the server administrator.
- `principal_type`**Type**: `STRING`**Provider name**: `principalType`**Description**: Principal Type of the sever administrator.
- `sid`**Type**: `STRING`**Provider name**: `sid`**Description**: SID (object ID) of the server administrator.
- `tenant_id`**Type**: `STRING`**Provider name**: `tenantId`**Description**: Tenant ID of the administrator.

## `advanced_threat_protection_setting`{% #advanced_threat_protection_setting %}

**Type**: `STRUCT`**Provider name**: `ServerAdvancedThreatProtection`

- `creation_time`**Type**: `STRING`**Provider name**: `properties.creationTime`**Description**: Specifies the UTC creation time of the policy.
- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.
- `state`**Type**: `STRING`**Provider name**: `properties.state`**Description**: Specifies the state of the Advanced Threat Protection, whether it is enabled or disabled or a state has not been applied yet on the specific database or server.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.

## `alert_policies`{% #alert_policies %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `ServerSecurityAlertPolicy`

- `creation_time`**Type**: `STRING`**Provider name**: `properties.creationTime`**Description**: Specifies the UTC creation time of the policy.
- `disabled_alerts`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `properties.disabledAlerts`**Description**: Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force
- `email_account_admins`**Type**: `BOOLEAN`**Provider name**: `properties.emailAccountAdmins`**Description**: Specifies that the alert is sent to the account administrators.
- `email_addresses`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `properties.emailAddresses`**Description**: Specifies an array of e-mail addresses to which the alert is sent.
- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.
- `state`**Type**: `STRING`**Provider name**: `properties.state`**Description**: Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.
- `storage_account_access_key`**Type**: `STRING`**Provider name**: `properties.storageAccountAccessKey`**Description**: Specifies the identifier key of the Threat Detection audit storage account.
- `storage_endpoint`**Type**: `STRING`**Provider name**: `properties.storageEndpoint`**Description**: Specifies the blob storage endpoint (e.g. [https://MyAccount.blob.core.windows.net](https://MyAccount.blob.core.windows.net)). This blob storage will hold all Threat Detection audit logs.
- `system_data`**Type**: `STRUCT`**Provider name**: `systemData`**Description**: SystemData of SecurityAlertPolicyResource.
  - `created_at`**Type**: `STRING`**Provider name**: `createdAt`**Description**: The timestamp of resource creation (UTC).
  - `created_by`**Type**: `STRING`**Provider name**: `createdBy`**Description**: The identity that created the resource.
  - `created_by_type`**Type**: `STRING`**Provider name**: `createdByType`**Description**: The type of identity that created the resource.
  - `last_modified_at`**Type**: `STRING`**Provider name**: `lastModifiedAt`**Description**: The timestamp of resource last modification (UTC)
  - `last_modified_by`**Type**: `STRING`**Provider name**: `lastModifiedBy`**Description**: The identity that last modified the resource.
  - `last_modified_by_type`**Type**: `STRING`**Provider name**: `lastModifiedByType`**Description**: The type of identity that last modified the resource.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.

## `audit_setting`{% #audit_setting %}

**Type**: `STRUCT`**Provider name**: `ServerBlobAuditingPolicy`

- `audit_actions_and_groups`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `properties.auditActionsAndGroups`**Description**: Specifies the Actions-Groups and Actions to audit.The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins:BATCH_COMPLETED_GROUP,SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP,FAILED_DATABASE_AUTHENTICATION_GROUP.This above combination is also the set that is configured by default when enabling auditing from the Azure portal.The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records):APPLICATION_ROLE_CHANGE_PASSWORD_GROUPBACKUP_RESTORE_GROUPDATABASE_LOGOUT_GROUPDATABASE_OBJECT_CHANGE_GROUPDATABASE_OBJECT_OWNERSHIP_CHANGE_GROUPDATABASE_OBJECT_PERMISSION_CHANGE_GROUPDATABASE_OPERATION_GROUPDATABASE_PERMISSION_CHANGE_GROUPDATABASE_PRINCIPAL_CHANGE_GROUPDATABASE_PRINCIPAL_IMPERSONATION_GROUPDATABASE_ROLE_MEMBER_CHANGE_GROUPFAILED_DATABASE_AUTHENTICATION_GROUPSCHEMA_OBJECT_ACCESS_GROUPSCHEMA_OBJECT_CHANGE_GROUPSCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUPSCHEMA_OBJECT_PERMISSION_CHANGE_GROUPSUCCESSFUL_DATABASE_AUTHENTICATION_GROUPUSER_CHANGE_PASSWORD_GROUPBATCH_STARTED_GROUPBATCH_COMPLETED_GROUPDBCC_GROUPDATABASE_OWNERSHIP_CHANGE_GROUPDATABASE_CHANGE_GROUPThese are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs.For more information, see [Database-Level Audit Action Groups](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups).For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are:SELECTUPDATEINSERTDELETEEXECUTERECEIVEREFERENCESThe general form for defining an action to be audited is:{action} ON {object} BY {principal}Note that in the above format can refer to an object like a table, view, or stored procedure, or an entire database or schema. For the latter cases, the forms DATABASE::{db_name} and SCHEMA::{schema_name} are used, respectively.For example:SELECT on dbo.myTable by publicSELECT on DATABASE::myDatabase by publicSELECT on SCHEMA::mySchema by publicFor more information, see [Database-Level Audit Actions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-actions)
- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `is_azure_monitor_target_enabled`**Type**: `BOOLEAN`**Provider name**: `properties.isAzureMonitorTargetEnabled`**Description**: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify 'state' as 'Enabled' and 'isAzureMonitorTargetEnabled' as true.When using REST API to configure auditing, Diagnostic Settings with 'SQLSecurityAuditEvents' diagnostic logs category on the database should be also created.Note that for server level audit you should use the 'master' database as {databaseName}.Diagnostic Settings URI format:PUT [https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-previewFor](https://management.azure.com/subscriptions/%7bsubscriptionId%7d/resourceGroups/%7bresourceGroup%7d/providers/Microsoft.Sql/servers/%7bserverName%7d/databases/%7bdatabaseName%7d/providers/microsoft.insights/diagnosticSettings/%7bsettingsName%7d?api-version=2017-05-01-previewFor) more information, see [Diagnostic Settings REST API](https://go.microsoft.com/fwlink/?linkid=2033207)or [Diagnostic Settings PowerShell](https://go.microsoft.com/fwlink/?linkid=2033043)
- `is_storage_secondary_key_in_use`**Type**: `BOOLEAN`**Provider name**: `properties.isStorageSecondaryKeyInUse`**Description**: Specifies whether storageAccountAccessKey value is the storage's secondary key.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.
- `queue_delay_ms`**Type**: `INT32`**Provider name**: `properties.queueDelayMs`**Description**: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed.The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.
- `retention_days`**Type**: `INT64`**Provider name**: `properties.retentionDays`**Description**: Specifies the number of days to keep in the audit logs in the storage account.
- `state`**Type**: `STRING`**Provider name**: `properties.state`**Description**: Specifies the state of the policy. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
- `storage_account_access_key`**Type**: `STRING`**Provider name**: `properties.storageAccountAccessKey`**Description**: Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage.Prerequisites for using managed identity authentication:1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity.For more information, see [Auditing to storage using Managed Identity authentication](https://go.microsoft.com/fwlink/?linkid=2114355)
- `storage_account_subscription_id`**Type**: `STRING`**Provider name**: `properties.storageAccountSubscriptionId`**Description**: Specifies the blob storage subscription Id.
- `storage_endpoint`**Type**: `STRING`**Provider name**: `properties.storageEndpoint`**Description**: Specifies the blob storage endpoint (e.g. [https://MyAccount.blob.core.windows.net](https://MyAccount.blob.core.windows.net)). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.

## `encryption_protector`{% #encryption_protector %}

**Type**: `STRUCT`**Provider name**: `EncryptionProtector`

- `auto_rotation_enabled`**Type**: `BOOLEAN`**Provider name**: `properties.autoRotationEnabled`**Description**: Key auto rotation opt-in flag. Either true or false.
- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `kind`**Type**: `STRING`**Provider name**: `kind`**Description**: Kind of encryption protector. This is metadata used for the Azure portal experience.
- `location`**Type**: `STRING`**Provider name**: `location`**Description**: Resource location.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.
- `server_key_name`**Type**: `STRING`**Provider name**: `properties.serverKeyName`**Description**: The name of the server key.
- `server_key_type`**Type**: `STRING`**Provider name**: `properties.serverKeyType`**Description**: The encryption protector type like 'ServiceManaged', 'AzureKeyVault'.
- `subregion`**Type**: `STRING`**Provider name**: `properties.subregion`**Description**: Subregion of the encryption protector.
- `thumbprint`**Type**: `STRING`**Provider name**: `properties.thumbprint`**Description**: Thumbprint of the server key.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.
- `uri`**Type**: `STRING`**Provider name**: `properties.uri`**Description**: The URI of the server key.

## `firewall_rules`{% #firewall_rules %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `FirewallRule`

- `end_ip_address`**Type**: `STRING`**Provider name**: `properties.endIpAddress`**Description**: The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value '0.0.0.0' for all Azure-internal IP addresses.
- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.
- `start_ip_address`**Type**: `STRING`**Provider name**: `properties.startIpAddress`**Description**: The start IP address of the firewall rule. Must be IPv4 format. Use value '0.0.0.0' for all Azure-internal IP addresses.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.

## `fully_qualified_domain_name`{% #fully_qualified_domain_name %}

**Type**: `STRING`**Provider name**: `properties.fullyQualifiedDomainName`**Description**: The fully qualified domain name of the server.

## `id`{% #id %}

**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.

## `identity`{% #identity %}

**Type**: `STRUCT`**Provider name**: `identity`**Description**: The Azure Active Directory identity of the server.

- `principal_id`**Type**: `STRING`**Provider name**: `principalId`**Description**: The Azure Active Directory principal id.
- `tenant_id`**Type**: `STRING`**Provider name**: `tenantId`**Description**: The Azure Active Directory tenant id.
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: The identity type. Set this to 'SystemAssigned' in order to automatically create and assign an Azure Active Directory principal for the resource.

## `key_id`{% #key_id %}

**Type**: `STRING`**Provider name**: `properties.keyId`**Description**: A CMK URI of the key to use for encryption.

## `kind`{% #kind %}

**Type**: `STRING`**Provider name**: `kind`**Description**: Kind of sql server. This is metadata used for the Azure portal experience.

## `location`{% #location %}

**Type**: `STRING`**Provider name**: `location`**Description**: Resource location.

## `minimal_tls_version`{% #minimal_tls_version %}

**Type**: `STRING`**Provider name**: `properties.minimalTlsVersion`**Description**: Minimal TLS version. Allowed values: '1.0', '1.1', '1.2'

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.

## `primary_user_assigned_identity_id`{% #primary_user_assigned_identity_id %}

**Type**: `STRING`**Provider name**: `properties.primaryUserAssignedIdentityId`**Description**: The resource id of a user assigned identity to be used by default.

## `private_endpoint_connections`{% #private_endpoint_connections %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `properties.privateEndpointConnections`**Description**: List of private endpoint connections on a server

- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `private_endpoint`**Type**: `STRUCT`**Provider name**: `properties.privateEndpoint`**Description**: Private endpoint which the connection belongs to.
  - `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource id of the private endpoint.
- `private_link_service_connection_state`**Type**: `STRUCT`**Provider name**: `properties.privateLinkServiceConnectionState`**Description**: Connection state of the private endpoint connection.
  - `actions_required`**Type**: `STRING`**Provider name**: `actionsRequired`**Description**: The actions required for private link service connection.
  - `description`**Type**: `STRING`**Provider name**: `description`**Description**: The private link service connection description.
  - `status`**Type**: `STRING`**Provider name**: `status`**Description**: The private link service connection status.
- `provisioning_state`**Type**: `STRING`**Provider name**: `properties.provisioningState`**Description**: State of the private endpoint connection.

## `public_network_access`{% #public_network_access %}

**Type**: `STRING`**Provider name**: `properties.publicNetworkAccess`**Description**: Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be 'Enabled' or 'Disabled'

## `resource_group`{% #resource_group %}

**Type**: `STRING`

## `state`{% #state %}

**Type**: `STRING`**Provider name**: `properties.state`**Description**: The state of the server.

## `subscription_id`{% #subscription_id %}

**Type**: `STRING`

## `subscription_name`{% #subscription_name %}

**Type**: `STRING`

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `type`{% #type %}

**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.

## `version`{% #version %}

**Type**: `STRING`**Provider name**: `properties.version`**Description**: The version of the server.

## `vulnerability_assessments`{% #vulnerability_assessments %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `ServerVulnerabilityAssessment`

- `id`**Type**: `STRING`**Provider name**: `id`**Description**: Resource ID.
- `name`**Type**: `STRING`**Provider name**: `name`**Description**: Resource name.
- `recurring_scans`**Type**: `STRUCT`**Provider name**: `properties.recurringScans`**Description**: The recurring scans settings
  - `email_subscription_admins`**Type**: `BOOLEAN`**Provider name**: `emailSubscriptionAdmins`**Description**: Specifies that the schedule scan notification will be is sent to the subscription administrators.
  - `emails`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `emails`**Description**: Specifies an array of e-mail addresses to which the scan notification is sent.
  - `is_enabled`**Type**: `BOOLEAN`**Provider name**: `isEnabled`**Description**: Recurring scans state.
- `storage_account_access_key`**Type**: `STRING`**Provider name**: `properties.storageAccountAccessKey`**Description**: Specifies the identifier key of the storage account for vulnerability assessment scan results. If 'StorageContainerSasKey' isn't specified, storageAccountAccessKey is required. Applies only if the storage account is not behind a Vnet or a firewall
- `storage_container_path`**Type**: `STRING`**Provider name**: `properties.storageContainerPath`**Description**: A blob storage container path to hold the scan results (e.g. [https://myStorage.blob.core.windows.net/VaScans/)](https://myStorage.blob.core.windows.net/VaScans/%29).
- `storage_container_sas_key`**Type**: `STRING`**Provider name**: `properties.storageContainerSasKey`**Description**: A shared access signature (SAS Key) that has write access to the blob container specified in 'storageContainerPath' parameter. If 'storageAccountAccessKey' isn't specified, StorageContainerSasKey is required. Applies only if the storage account is not behind a Vnet or a firewall
- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Resource type.

## `workspace_feature`{% #workspace_feature %}

**Type**: `STRING`**Provider name**: `properties.workspaceFeature`**Description**: Whether or not existing server has a workspace created and if it allows connection from workspace