[Security] az security va sql: Migrate to aaz with API 2026-04-01-preview#33482
Open
GalGoldi72 wants to merge 3 commits into
[BREAKING CHANGE] Replace hand-authored SQL Vulnerability Assessment commands with atomic aaz-generated commands.
- Single --resource-id replaces 7-arg combo (--vm-resource-id, --workspace-id, --server-name, --database-name, --vm-name, --agent-id, --vm-uuid).
- New 'security va sql {create, delete, show, update}' settings commands.
- New 'security va sql baseline {add, create, update}' (replaces 'set').
- New 'security va sql scans initiate-scan' + 'scan-operation-result show'.
- All commands tagged Preview.
Supported scopes: Azure SQL Server, Azure SQL MI, Synapse, Azure VM (SQL on VM), Arc-enabled SQL Server.
Companion aaz PR: Azure/aaz#1021
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Validation for Azure CLI Full Test Starting... Thanks for your contribution!
Validation for Breaking Change Starting... Thanks for your contribution!
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
This PR migrates az security va sql (SQL Vulnerability Assessment) from hand-authored command implementations to AAZ-generated atomic commands targeting 2026-04-01-preview, removing the legacy SDK wiring, custom argument actions, help entries, and live scenario tests.
Changes:
- Replace legacy `security va sql` commands (custom.py/commands.py/_params.py/_help.py/_client_factory.py) with AAZ-generated command implementations under `aaz/latest/security/va/sql/...`.
- Introduce a new command surface (`va sql create/show/update/delete`, `scans initiate-scan`, `scans scan-operation-result show`, and baseline `add/create/update`).
- Remove the legacy live scenario test and its recording for `test_va_sql_scenario`.
Reviewed changes
Copilot reviewed 37 out of 37 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/security/tests/latest/test_va_sql_scenario.py | Removes legacy live scenario coverage for VA SQL commands. |
| src/azure-cli/azure/cli/command_modules/security/tests/latest/recordings/test_va_sql_scenario.yaml | Removes recorded HTTP interactions for the deleted scenario. |
| src/azure-cli/azure/cli/command_modules/security/custom.py | Deletes hand-authored VA SQL command implementations and related imports. |
| src/azure-cli/azure/cli/command_modules/security/commands.py | Removes legacy VA SQL command groups and SDK command types wiring. |
| src/azure-cli/azure/cli/command_modules/security/actions.py | Removes baseline argparse actions used by legacy VA SQL baseline commands. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/scan_operation_result/_show.py | Adds AAZ command to show scan operation result by operation id. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/scan_operation_result/__init__.py | Exposes the scan-operation-result command group commands. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/scan_operation_result/__cmd_group.py | Registers the scan-operation-result command group. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/_show.py | Adds AAZ command to show a single scan record. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/_list.py | Adds AAZ command to list scan records with pagination support. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/_initiate_scan.py | Adds AAZ command to initiate a scan (LRO/no-wait). |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/__init__.py | Exposes the scans command group commands. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/__cmd_group.py | Registers the scans command group. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/_show.py | Adds AAZ command to show a single scan result. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/_list.py | Adds AAZ command to list scan results with pagination support. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/__init__.py | Exposes the results command group commands. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/__cmd_group.py | Registers the results command group. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_update.py | Adds AAZ command to update a baseline rule (generic update flow). |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_show.py | Adds AAZ command to show a baseline rule. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_list.py | Adds AAZ command to list baseline rules with pagination support. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_delete.py | Adds AAZ command to delete a baseline rule with confirmation prompt. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_create.py | Adds AAZ command to create/replace a baseline rule. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_add.py | Adds AAZ command to set/replace baseline rules collection (POST). |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/__init__.py | Exposes the baseline command group commands. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/__cmd_group.py | Registers the baseline command group. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_update.py | Adds AAZ command to update VA SQL settings (generic update flow). |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_show.py | Adds AAZ command to show VA SQL settings. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_delete.py | Adds AAZ command to delete VA SQL settings with confirmation prompt. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_create.py | Adds AAZ command to create VA SQL settings. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/__init__.py | Exposes security va sql commands. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/__cmd_group.py | Registers the security va sql command group. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/__init__.py | Exposes the security va command group. |
| src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/__cmd_group.py | Registers the security va command group. |
| src/azure-cli/azure/cli/command_modules/security/_params.py | Removes legacy VA SQL parameters/actions; relies on AAZ args schemas. |
| src/azure-cli/azure/cli/command_modules/security/_help.py | Removes legacy hand-authored help for VA SQL commands. |
| src/azure-cli/azure/cli/command_modules/security/_client_factory.py | Removes legacy VA SQL client factories. |
| src/azure-cli/HISTORY.rst | Documents the breaking changes and new AAZ-based command surface. |
Comment on lines +61 to +65
| _args_schema.scan_result_id = AAZStrArg( | ||
| options=["--scan-result-id"], | ||
| help="The rule Id of the results.", | ||
| required=True, | ||
| ) |
Comment on lines +69 to +78
| _args_schema.latest_scan = AAZBoolArg( | ||
| options=["--latest-scan"], | ||
| arg_group="Resource", | ||
| help="Take results from latest scan.", | ||
| ) | ||
| _args_schema.results = AAZListArg( | ||
| options=["--results"], | ||
| arg_group="Resource", | ||
| help="Expected results to be inserted into the baseline. Leave this field empty if latestScan == true.", | ||
| ) |
Comment on lines +14 to +19
| @register_command( | ||
| "security va sql baseline add", | ||
| is_preview=True, | ||
| ) | ||
| class Add(AAZCommand): | ||
| """Set a list of baseline rules. Will overwrite any previously existing results (for all rules). |
Comment on lines +95 to +103
| def _execute_operations(self): | ||
| self.pre_operations() | ||
| self.SqlVulnerabilityAssessmentBaselineRulesGet(ctx=self.ctx)() | ||
| self.pre_instance_update(self.ctx.vars.instance) | ||
| self.InstanceUpdateByJson(ctx=self.ctx)() | ||
| self.InstanceUpdateByGeneric(ctx=self.ctx)() | ||
| self.post_instance_update(self.ctx.vars.instance) | ||
| self.SqlVulnerabilityAssessmentBaselineRulesCreateOrUpdate(ctx=self.ctx)() | ||
| self.post_operations() |
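Review bot: this generic-update sequence PUTs back the instance returned by `SqlVulnerabilityAssessmentBaselineRulesGet` after `InstanceUpdateByJson`/`InstanceUpdateByGeneric` patch it, which only works when the service's GET and PUT shapes match; for `baselineRules` the PUT body is the flat `{ latestScan, results }` while GET returns an ARM `{ properties: { ... } }` envelope, so the PUT will carry a top-level `properties` key the service rejects. Either unwrap `properties` into the flat shape in `pre_instance_update` before `SqlVulnerabilityAssessmentBaselineRulesCreateOrUpdate`, or drop `update` in favour of `create`, which is the same PUT and already a full upsert. Separately, the leading GET makes a rule with no baseline yet a hard 404; if `update` stays, initialise an empty instance on 404 so the command behaves as an upsert.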
Comment on lines +24 to +25
| :example: Set baseline for multiple rules with explicit results on a SQL DB hosted on an Azure VM. | ||
| az security va sql baseline add --resource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vm} --database-name MyDb --results "{VA1234:[[col1,col2],[col3,col4]],VA5678:[[user1,SELECT]]}" |
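Review bot: the `--results` value in this example, `{VA1234:[[col1,col2],[col3,col4]],VA5678:[[user1,SELECT]]}`, is not valid JSON (keys and strings are unquoted), so a user who copies it gets a parse error. Quote the keys and values, e.g. `--results '{"VA1234": [["col1", "col2"], ["col3", "col4"]], "VA5678": [["user1", "SELECT"]]}'`, wrapping the whole value in single quotes so the shell passes the JSON through intact.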
Comment on lines +97 to +99
| * `az security va sql`: [BREAKING CHANGE] Replaced hand-authored SQL Vulnerability Assessment commands with atomic aaz-generated commands targeting API version `2026-04-01-preview`. A single `--resource-id` argument now identifies the assessed resource, replacing the previous combination of `--vm-resource-id`, `--workspace-id`, `--server-name`, `--database-name`, `--vm-name`, `--agent-id`, and `--vm-uuid`. Optional `--database-name` is used only for server-level scopes (e.g. `master`). Supported scopes include Azure SQL Server, Azure SQL Managed Instance, Synapse, Azure VM (SQL on VM), and Arc-enabled SQL servers. | ||
| * `az security va sql`: Add new SQL Vulnerability Assessment settings commands: `create`, `delete`, `show`, `update` for enabling/disabling SQL VA on a resource. | ||
| * `az security va sql baseline`: Add `add` (set baseline for all rules), `create` (single-rule baseline), and `update` commands. Remove `set` command (use `add` instead). |
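Review bot: the last entry says "Remove `set` command (use `add` instead)", which contradicts keeping `set` as a deprecated alias if that is the compatibility path taken; also record the `--rule-id`/`--scan-result-id` naming for `results show` and whether `baseline update` creates a baseline when none exists yet, since both are behaviours scripts will depend on and HISTORY.rst is where users look for them.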
GalGoldi72 added a commit to GalGoldi72/aaz that referenced this pull request on Jun 2, 2026
Adds `rule-id` as a primary option for the scanResultId argument on `az security va sql results show`, with `scan-result-id` kept as a secondary alias. This aligns with the `baseline` commands which use `--rule-id` for the same logical concept and matches Copilot review feedback on Azure/azure-cli#33482. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Addresses Copilot review comments on Azure#33482:
- `security va sql results show`: Accept both `--rule-id` (preferred, consistent with `baseline` commands) and `--scan-result-id` (alias). Examples updated to use `--rule-id`.
- `security va sql baseline add/create/update`: Reject mutually exclusive `--latest-scan` and `--results` arguments with a clear error message, matching the legacy behavior.
- `security va sql baseline set`: Re-added as a deprecated alias of `baseline add` for backwards compatibility with the legacy CLI.
- `security va sql baseline update`: Behaves as a true upsert -- if no baseline exists yet for the specified rule, an empty instance is initialized so the subsequent PUT creates one (instead of 404).
- `security va sql baseline add`: Fixed example to use valid JSON for the `--results` argument.
- HISTORY.rst updated to document the rule-id alias, deprecated `set` alias, and upsert behavior of `baseline update`.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The AAZ-generated `update` command uses the standard GET -> patch instance ->
PUT flow. The Microsoft.Security
`sqlVulnerabilityAssessments/default/baselineRules` service has an asymmetric
request/response shape: PUT accepts only a flat `{ latestScan, results }` body,
but GET returns the ARM-canonical `{ properties: { latestScan, results }, ... }`
shape. The generic-update flow therefore PUTs a mixed payload that the service
rejects with `400 UnsupportedProperties: 'properties'`.
Verified directly against the live API:
PUT { latestScan: true } -> 200 OK
PUT { properties: { latestScan: true } } -> 400 UnsupportedProperties
Because `baseline create` is the same PUT endpoint and is a full upsert,
removing `update` does not reduce functionality.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
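As an added example (not code from this PR, from azure-cli, or from the aaz generator), the following Python models the two problems the commits above describe: the mutually exclusive `--latest-scan`/`--results` arguments with a JSON-valued `--results`, and the asymmetric GET/PUT shape of the `baselineRules` endpoint that makes a naive GET -> patch -> PUT generic update fail with `UnsupportedProperties`. The service class, the error type and the helper names (`FakeBaselineRulesService`, `InvalidArgumentValueError`, `generic_update`, `upsert_update`) are constructed stand-ins, and the single-rule `results` shape (a JSON array of string rows) is an assumption.

```python
"""Modelling the SQL VA baselineRules GET/PUT asymmetry and --results validation.

Constructed example: the service below is a stand-in that behaves as the commit
message describes (flat PUT body accepted, a top-level 'properties' key rejected).
"""
import json
from typing import Any, Dict, Optional, Tuple


class InvalidArgumentValueError(ValueError):
    """Stand-in for the CLI's argument-error type (assumption, not azure-cli's class)."""


def build_baseline_body(latest_scan: bool, results: Optional[str]) -> Dict[str, Any]:
    """Build the flat PUT body {latestScan, results} for a single baseline rule.

    --latest-scan and --results are mutually exclusive: with latestScan the service
    fills results from the last scan, so a user-supplied list would be ambiguous.
    """
    if latest_scan and results:
        raise InvalidArgumentValueError(
            "--latest-scan and --results are mutually exclusive; pass one or the other.")
    if not latest_scan and not results:
        raise InvalidArgumentValueError("Pass either --latest-scan or --results.")
    body: Dict[str, Any] = {"latestScan": latest_scan}
    if results:
        try:
            rows = json.loads(results)
        except json.JSONDecodeError as exc:
            raise InvalidArgumentValueError(
                '--results must be valid JSON, e.g. \'[["col1", "col2"]]\': ' + str(exc)) from exc
        # Assumed single-rule shape: a list of rows, each a list of strings.
        if not isinstance(rows, list) or not all(
                isinstance(r, list) and all(isinstance(c, str) for c in r) for r in rows):
            raise InvalidArgumentValueError("--results must be a JSON array of string arrays.")
        body["results"] = rows
    return body


def unwrap_arm_properties(instance: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the ARM GET envelope {id, name, type, properties: {...}} into the flat PUT body."""
    props = instance.get("properties", {})
    return {"latestScan": props.get("latestScan", False), "results": props.get("results", [])}


class FakeBaselineRulesService:
    """Constructed stand-in for .../sqlVulnerabilityAssessments/default/baselineRules/{ruleId}."""

    def __init__(self) -> None:
        self._rules: Dict[str, Dict[str, Any]] = {}

    def get(self, rule_id: str) -> Tuple[int, Dict[str, Any]]:
        if rule_id not in self._rules:
            return 404, {"error": {"code": "NotFound"}}
        return 200, {"id": f"/sqlVulnerabilityAssessments/default/baselineRules/{rule_id}",
                     "name": rule_id,
                     "type": "Microsoft.Security/sqlVulnerabilityAssessments/baselineRules",
                     "properties": dict(self._rules[rule_id])}

    def put(self, rule_id: str, body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
        # PUT accepts only the flat shape; any other top-level key is rejected.
        unsupported = sorted(set(body) - {"latestScan", "results"})
        if unsupported:
            return 400, {"error": {"code": "UnsupportedProperties",
                                   "message": "Unsupported: " + ", ".join(unsupported)}}
        self._rules[rule_id] = {"latestScan": bool(body.get("latestScan", False)),
                                "results": list(body.get("results", []))}
        return self.get(rule_id)


def generic_update(service: FakeBaselineRulesService, rule_id: str,
                   patch: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Naive GET -> patch -> PUT: sends the ARM envelope back verbatim and gets a 400."""
    status, instance = service.get(rule_id)
    if status != 200:
        return status, instance  # a rule with no baseline yet is a hard 404 here
    instance["properties"].update(patch)
    return service.put(rule_id, instance)


def upsert_update(service: FakeBaselineRulesService, rule_id: str,
                  patch: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Corrected flow: empty instance on 404, unwrap the envelope, PUT the flat body."""
    status, instance = service.get(rule_id)
    flat = unwrap_arm_properties(instance) if status == 200 else {"latestScan": False, "results": []}
    flat.update(patch)
    return service.put(rule_id, flat)
```

The point of the two update functions is that the generic flow is only safe when the resource is symmetric; for an endpoint like this one the fix belongs in the step between GET and PUT (unwrapping and, on 404, seeding an empty instance), or in not generating `update` at all when `create` is already a full upsert of the same PUT.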
Summary

[BREAKING CHANGE] Migrates `az security va sql` from hand-authored SDK-based commands to atomic aaz-generated commands targeting Microsoft.Security 2026-04-01-preview.

Companion PRs

Breaking changes

| Before | After |
|---|---|
| `--vm-resource-id` + `--workspace-id` + `--server-name` + `--database-name` + `--vm-name` + `--agent-id` + `--vm-uuid` (mash-up of 7 args) | `--resource-id` (plus optional `--database-name` for server-level scopes) |
| `az security va sql baseline set` | `az security va sql baseline add` |

The 7-arg approach hard-coded resource-id assembly for two scopes (Azure VM and OMS-monitored on-prem). The new API natively supports 7+ scopes via a generic `--resource-id`.

New commands

- `security va sql` `create`, `delete`, `show`, `update` (manage settings)
- `security va sql baseline` `add`, `create`, `delete`, `list`, `show`, `update`
- `security va sql results` `list`, `show`
- `security va sql scans` `initiate-scan`, `list`, `show`
- `security va sql scans scan-operation-result` `show`

Scopes supported

`--database-name`)

Stage

All new commands are Preview (matching API version `2026-04-01-preview`). The parent `security va` group is also Preview since SQL VA is its only content.

Diff summary

- `security/aaz/latest/security/va/`
- `commands.py`, `custom.py`, `_help.py`, `_params.py`, `actions.py`, `_client_factory.py`
- `test_va_sql_scenario.py` + YAML

Validation

- `azdev style security`: 9.88/10 (only pre-existing line-too-long in unrelated `custom.py` automation code; score improved from baseline)
- `azdev linter security`: PASSED
- `azdev test security`: 30 passed, 1 skipped, 0 failed — zero regressions in other security commands

TODO (this PR, before merge)

- `security va sql` commands (placeholder — see PR comments for design)
- `LiveScenarioTest` against a real Azure SQL DB or recorded `ScenarioTest` with playback