For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-azure-sql-server-predictable-active-directory-admin-account-name.md. A documentation index is available at /llms.txt.

SQL server predictable Active Directory admin account name

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-azure-sql-server-predictable-active-directory-admin-account-name

Provider: Azure

Platform: Terraform

Severity: Low

Category: Best Practices

Learn More

Description

Azure SQL Servers should not use predictable Active Directory Administrator account names, such as Admin, for the login attribute, as this increases the risk of brute-force or dictionary attacks. Using easily guessed usernames, such as login = "Admin", increases the risk of unauthorized access by making accounts more susceptible to targeted attacks. To enhance security, use a unique and hard-to-guess login name, such as:

login = "NotEasyToPredictAdmin"

This helps reduce the likelihood of successful account compromise.

Compliant Code Examples

#this code is a correct code for which the query should not find any result
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "negative1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "negative2" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

resource "azurerm_sql_active_directory_administrator" "negative3" {
  server_name         = azurerm_sql_server.example.name
  resource_group_name = azurerm_resource_group.example.name
  login               = "NotEasyToPredictAdmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}

Non-Compliant Code Examples

#this is a problematic code where the query should report a result(s)
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "positive1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "positive2" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

resource "azurerm_sql_active_directory_administrator" "positive3" {
  server_name         = azurerm_sql_server.example.name
  resource_group_name = azurerm_resource_group.example.name
  login               = ""
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}

resource "azurerm_sql_active_directory_administrator" "positive4" {
  server_name         = azurerm_sql_server.example.name
  resource_group_name = azurerm_resource_group.example.name
  login               = "Admin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}