[Security] az security va sql: Migrate to aaz with API 2026-04-01-preview

[BREAKING CHANGE] Replace hand-authored SQL Vulnerability Assessment commands with atomic aaz-generated commands.

- Single --resource-id replaces 7-arg combo (--vm-resource-id, --workspace-id, --server-name, --database-name, --vm-name, --agent-id, --vm-uuid).
- New 'security va sql {create, delete, show, update}' settings commands.
- New 'security va sql baseline {add, create, update}' (replaces 'set').
- New 'security va sql scans initiate-scan' + 'scan-operation-result show'.
- All commands tagged Preview.

Supported scopes: Azure SQL Server, Azure SQL MI, Synapse, Azure VM (SQL on VM), Arc-enabled SQL Server.

Companion aaz PR: Azure/aaz#1021

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: GalGoldi72

src/azure-cli/HISTORY.rst

@@ -92,6 +92,14 @@ Release History
 * [BREAKING CHANGE] `az postgres flexible-server backup/db/firewall-rule/long-term-retention/migration/replica create`: Make consistent use of `--name` and `--server-name` across all commands (#33343)
 * [BREAKING CHANGE] `az postgres flexible-server long-term-retention`: Remove support for command group (#33345)
 
+**Security**
+
+* `az security va sql`: [BREAKING CHANGE] Replaced hand-authored SQL Vulnerability Assessment commands with atomic aaz-generated commands targeting API version `2026-04-01-preview`. A single `--resource-id` argument now identifies the assessed resource, replacing the previous combination of `--vm-resource-id`, `--workspace-id`, `--server-name`, `--database-name`, `--vm-name`, `--agent-id`, and `--vm-uuid`. Optional `--database-name` is used only for server-level scopes (e.g. `master`). Supported scopes include Azure SQL Server, Azure SQL Managed Instance, Synapse, Azure VM (SQL on VM), and Arc-enabled SQL servers.
+* `az security va sql`: Add new SQL Vulnerability Assessment settings commands: `create`, `delete`, `show`, `update` for enabling/disabling SQL VA on a resource.
+* `az security va sql baseline`: Add `add` (set baseline for all rules), `create` (single-rule baseline), and `update` commands. Remove `set` command (use `add` instead).
+* `az security va sql scans`: Add `initiate-scan` command to trigger a vulnerability assessment scan, and `scan-operation-result show` to poll the operation result.
+* `az security va sql`: All commands are tagged Preview, matching the underlying API version.
+
 **Storage**
 
 * `az storage account create/update`: Support new value `Smart` for `--access-tier` (#33423)

src/azure-cli/azure/cli/command_modules/security/_client_factory.py

@@ -63,18 +63,6 @@ def cf_security_advanced_threat_protection(cli_ctx, _):
     return _cf_security(cli_ctx).advanced_threat_protection
 
 
-def cf_sql_vulnerability_assessment_scans(cli_ctx, _):
-    return _cf_security(cli_ctx).sql_vulnerability_assessment_scans
-
-
-def cf_sql_vulnerability_assessment_results(cli_ctx, _):
-    return _cf_security(cli_ctx).sql_vulnerability_assessment_scan_results
-
-
-def cf_sql_vulnerability_assessment_baseline(cli_ctx, _):
-    return _cf_security(cli_ctx).sql_vulnerability_assessment_baseline_rules
-
-
 def cf_security_assessment(cli_ctx, _):
     return _cf_security(cli_ctx).assessments
 

src/azure-cli/azure/cli/command_modules/security/_help.py

@@ -187,151 +187,6 @@
         az security atp cosmosdb update --resource-group MyResourceGroup --cosmosdb-account MyCosmosDbAccount --is-enabled false
 """
 
-helps['security va'] = """
-type: group
-short-summary: View Vulnerability Assessment.
-"""
-
-helps['security va sql'] = """
-type: group
-short-summary: View Sql Vulnerability Assessment scan results and manage baseline.
-"""
-
-helps['security va sql scans'] = """
-type: group
-short-summary: View Sql Vulnerability Assessment scan summaries.
-"""
-
-helps['security va sql scans show'] = """
-type: command
-short-summary: View Sql Vulnerability Assessment scan summaries.
-examples:
-  - name: View Sql Vulnerability Assessment scan summary on an Azure virtual machine.
-    text: >
-        az security va sql scans show --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --scan-id MyScanId
-  - name: View Sql Vulnerability Assessment scan summary on an On-Premise machine.
-    text: >
-        az security va sql scans show --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --scan-id MyScanId
-"""
-
-helps['security va sql scans list'] = """
-type: command
-short-summary: List all Sql Vulnerability Assessment scan summaries.
-examples:
-  - name: List all Sql Vulnerability Assessment scan summaries on an Azure virtual machine.
-    text: >
-        az security va sql scans list --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName
-  - name: List all Sql Vulnerability Assessment scan summaries on an On-Premise machine.
-    text: >
-        az security va sql scans list --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID
-"""
-
-helps['security va sql results'] = """
-type: group
-short-summary: View Sql Vulnerability Assessment scan results.
-"""
-
-helps['security va sql results show'] = """
-type: command
-short-summary: View Sql Vulnerability Assessment scan results.
-examples:
-  - name: View Sql Vulnerability Assessment scan results on an Azure virtual machine.
-    text: >
-        az security va sql results show --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --scan-id MyScanId --rule-id VA9999
-  - name: View Sql Vulnerability Assessment scan results on an On-Premise machine.
-    text: >
-        az security va sql results show --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --scan-id MyScanId --rule-id VA9999
-"""
-
-helps['security va sql results list'] = """
-type: command
-short-summary: View all Sql Vulnerability Assessment scan results.
-examples:
-  - name: View all Sql Vulnerability Assessment scan results on an Azure virtual machine.
-    text: >
-        az security va sql results list --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --scan-id MyScanId
-  - name: View all Sql Vulnerability Assessment scan results on an On-Premise machine.
-    text: >
-        az security va sql results list --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --scan-id MyScanId
-"""
-
-helps['security va sql baseline'] = """
-type: group
-short-summary: View and manage Sql Vulnerability Assessment baseline.
-"""
-
-helps['security va sql baseline show'] = """
-type: command
-short-summary: View Sql Vulnerability Assessment rule baseline.
-examples:
-  - name: View Sql Vulnerability Assessment rule baseline on an Azure virtual machine.
-    text: >
-        az security va sql baseline show --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --rule-id VA9999
-  - name: View Sql Vulnerability Assessment rule baseline on an On-Premise machine.
-    text: >
-        az security va sql baseline show --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --rule-id VA9999
-"""
-
-helps['security va sql baseline list'] = """
-type: command
-short-summary: View Sql Vulnerability Assessment baseline for all rules.
-examples:
-  - name: View Sql Vulnerability Assessment baseline for all rules on an Azure virtual machine.
-    text: >
-        az security va sql baseline list --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName
-  - name: View Sql Vulnerability Assessment baseline for all rules on an On-Premise machine.
-    text: >
-        az security va sql baseline list --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID
-"""
-
-helps['security va sql baseline delete'] = """
-type: command
-short-summary: Delete Sql Vulnerability Assessment rule baseline.
-examples:
-  - name: Delete Sql Vulnerability Assessment rule baseline on an Azure virtual machine.
-    text: >
-        az security va sql baseline delete --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --rule-id VA9999
-  - name: Delete Sql Vulnerability Assessment rule baseline on an On-Premise machine.
-    text: >
-        az security va sql baseline delete --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --rule-id VA9999
-"""
-
-helps['security va sql baseline update'] = """
-type: command
-short-summary: Update Sql Vulnerability Assessment rule baseline. Replaces the current rule baseline.
-examples:
-  - name: Update Sql Vulnerability Assessment rule baseline on an Azure virtual machine. Replaces the current rule baseline with latest scan results.
-    text: >
-        az security va sql baseline update --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --rule-id VA9999 --latest
-  - name: Update Sql Vulnerability Assessment rule baseline on an Azure virtual machine. Replaces the current rule baseline with provided results.
-    text: >
-        az security va sql baseline update --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --rule-id VA9999 --baseline Line1_Col1 Line1_Col2 --baseline Line2_Col1 Line2_Col2
-  - name: Update Sql Vulnerability Assessment rule baseline on an On-Premise machine. Replaces the current rule baseline with latest scan results.
-    text: >
-        az security va sql baseline update --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --rule-id VA9999 --latest
-  - name: Update Sql Vulnerability Assessment rule baseline on an On-Premise machine. Replaces the current rule baseline with provided results.
-    text: >
-        az security va sql baseline update --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --rule-id VA9999 --baseline Line1_Col1 Line1_Col2 --baseline Line2_Col1 Line2_Col2
-"""
-
-helps['security va sql baseline set'] = """
-type: command
-short-summary: Sets Sql Vulnerability Assessment baseline. Replaces the current baseline.
-examples:
-  - name: Sets Sql Vulnerability Assessment baseline on an Azure virtual machine. Replaces the current baseline with latest scan results.
-    text: >
-        az security va sql baseline set --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --latest
-  - name: Sets Sql Vulnerability Assessment baseline on an Azure virtual machine. Replaces the current baseline with provided results.
-    text: >
-        az security va sql baseline set --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.Compute/VirtualMachines/MyVmName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --baseline rule=VA9999 Line1_col1 Line1_col2 Line1_col3 --baseline rule=VA8888 Line1_col1 Line1_col2 --baseline rule=VA9999 Line2_col1 Line2_col2 Line2_col3
-  - name: Sets Sql Vulnerability Assessment baseline on an On-Premise machine. Replaces the current baseline with latest scan results.
-    text: >
-        az security va sql baseline set --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --latest
-  - name: Sets Sql Vulnerability Assessment baseline on an On-Premise machine. Replaces the current baseline with provided results.
-    text: >
-        az security va sql baseline set --vm-resource-id subscriptions/MySubscription/ResourceGroups/MyResourceGroup/Providers/Microsoft.OperationalInsights/Workspaces/MyWorkspaceName --workspace-id 00000000-0000-0000-0000-000000000000 --server-name MyServerName --database-name MyDbName --vm-name MyVmName --agent-id MyAgentId --vm-uuid MyVmUUID --baseline rule=VA9999 Line1_col1 Line1_col2 Line1_col3 --baseline rule=VA8888 Line1_col1 Line1_col2 --baseline rule=VA9999 Line2_col1 Line2_col2 Line2_col3
-"""
-
 helps['security auto-provisioning-setting'] = """
 type: group
 short-summary: View your auto provisioning settings.