Skip to content

feat(azure): upgrade azure-mgmt-sql to v3.0.1 and migrate to database_security_alert_policies API #2154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AdriiiPRodri wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat(azure): upgrade azure-mgmt-sql to v3.0.1 and migrate to database_security_alert_policies API #2154

AdriiiPRodri wants to merge 2 commits into from
+20 −28

Conversation

@AdriiiPRodri
Copy link

@AdriiiPRodri AdriiiPRodri commented Dec 17, 2025
edited
Loading

Summary

Upgrade azure-mgmt-sql from <=1.0.0 to >=3.0.1 and migrate from database_threat_detection_policies to database_security_alert_policies API.

Why is this change necessary?

  1. API Retirement: Microsoft will retire ALL 2014-04-01 REST APIs on June 30, 2026. The current database_threat_detection_policies operation uses api-version=2014-04-01. If we don't migrate, Cartography's Azure SQL sync will stop working.

    Source: Microsoft API Retirement Notice

  2. Ecosystem Compatibility: The constraint azure-mgmt-sql<=1.0.0 conflicts with projects using modern Azure SDK versions (released in the last 4 years), blocking Cartography adoption in the cloud security ecosystem.

  3. New Data Available: The modern API provides creation_time field useful for auditing and compliance.

Changes:

File Change
pyproject.toml azure-mgmt-sql<=1.0.0>=3.0.1,<4
cartography/intel/azure/sql.py database_threat_detection_policies.get()database_security_alert_policies.get()
cartography/models/azure/sql/databasethreatdetectionpolicy.py Remove location, kind, useserverdefault (no longer in Azure API); Add creationtime
tests/data/azure/sql.py Update mock data to match new API response format
docs/root/modules/azure/schema.md Update schema documentation
uv.lock Auto-generated lockfile update

Note on version constraint: We use >=3.0.1,<4 because azure-mgmt-sql v4 is still in pre-release. The v3.x line will have long-term support, and pinning the upper bound prevents unexpected breaking changes when v4 is eventually released.

Note on uv.lock changes: The typing-extensions marker (python_full_version < '3.11') is automatically added by the azure-mgmt-sql package dependencies—not a manual change.

Note on removed fields: The fields location, kind, and useserverdefault were removed by Microsoft from the Azure SQL API in 2021. Existing nodes in Neo4j will retain their old values, only new nodes will lack these fields.

Related issues or links

Checklist

Provide proof that this works (this makes reviews move faster). Please perform one or more of the following:

  • Update/add unit or integration tests.
  • Include a screenshot showing what the graph looked like before and after your changes.
  • Include console log trace showing what happened before and after your changes.

Live Azure Test (azure-mgmt-sql 3.0.1):

$ uv run python -c "import azure.mgmt.sql; print(f'azure-mgmt-sql=={azure.mgmt.sql.VERSION}')"
azure-mgmt-sql==3.0.1

INFO:cartography.intel.azure.sql:Syncing Azure SQL for subscription 'b0d944f1-bb40-434a-a2da-8fed62716d3c'.
INFO:cartography.graph.statement:Completed AzureSQLServer statement #1
INFO:cartography.graph.statement:Completed AzureSQLServer statement #2
INFO:cartography.graph.job:Finished job AzureSQLServer
...
INFO:cartography.graph.statement:Completed AzureDatabaseThreatDetectionPolicy statement #1
INFO:cartography.graph.statement:Completed AzureDatabaseThreatDetectionPolicy statement #2
INFO:cartography.graph.statement:Completed AzureDatabaseThreatDetectionPolicy statement #3
INFO:cartography.graph.job:Finished job AzureDatabaseThreatDetectionPolicy

Neo4j query result:

MATCH (db:AzureSQLDatabase)-[:CONTAINS]->(p:AzureDatabaseThreatDetectionPolicy)
RETURN db.name, p.state, p.creationtime, p.emailadmins, p.retentiondays
database state creationtime emailadmins retentiondays
master Disabled 0001-01-01T00:00:00.000Z false 0
testdb Enabled 2025-12-17T16:57:58.277Z false 0

If you are changing a node or relationship:

If you are implementing a new intel module:

  • Use the NodeSchema data model.
  • Confirm that the linter actually passes (submitting a PR where the linter fails shows reviewers that you did not test your code and will delay your review).
make test_lint  ✅ Passed
make test_unit  ✅ 354 passed in 14.03s

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 17, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

@AdriiiPRodri
feat(azure): upgrade azure-mgmt-sql to v3.0.1 and migrate to database…
07089a2 
…_security_alert_policies API

Signed-off-by: Adrián Jesús Peña Rodríguez <[email protected]>
@jfagoagas jfagoagas mentioned this pull request Dec 19, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AdriiiPRodri