As per MS Azure recommendation we have got the vulnerability assessment enable via express configuration ( we were using the classic configuration earlier) . With express configuration we do not use azurerm_mssql_server_vulnerability_assessment resource anymore. We do setup the baseline rules using resource azurerm_mssql_database_vulnerability_assessment_rule_baseline. There seems to be required attribute server_vulnerability_assessment_id on this resource. The assessment id is same as what was being set earlier ( I guess) . When we apply the following terraform resource , we get error back

Error: storage container path not set in Server Vulnerability Assessment Settings

resource “azurerm_mssql_database_vulnerability_assessment_rule_baseline” “example_VA2065” {

server_vulnerability_assessment_id = “${azurerm_mssql_server.example.id}/vulnerabilityAssessments/Default”

database_name = “master”
rule_id = “VA2065”
baseline_name = “master”
baseline_result {
result = [
“AllowAllWindowsAzureIps”, # This is to enable the All Azure Resources feature on the SQL Server firewall so Azure and Azure DevOps resources can connect.
“0.0.0.0”,
“0.0.0.0”
]
}
}

We have tried to use the rest api directly to setup the baseline rule and it worked without providing the assessment id. Not sure if the resource azurerm_mssql_database_vulnerability_assessment_rule_baseline reflects the changes in the api? OR am I missing something?

az rest --method Put --uri /subscriptions/XXXXX/resourceGroups/database-rg/providers/Microsoft.Sql/servers/test-mssqlserver/sqlVulnerabilityAssessments/default/baselines/default/rules/VA2065?api-version=2022-02-01-preview --uri-parameters systemDatabaseName=master --body ‘{ "properties": { "latestScan": false, "results": [ [ "AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0" ] ] }}’