From 316aa3ab748ff2eb2c17e92e6d2bb4c7f823ac8c Mon Sep 17 00:00:00 2001
From: Sergio Navar
Date: Wed, 2 Mar 2022 18:33:24 -0600
Subject: [PATCH] Update SQL MI

---
 .../.parameters/parameters.json | 3 ++
 .../managedInstances/deploy.bicep | 28 +++++++++++++++++--
 .../encryptionProtector/readme.md | 2 +-
 arm/Microsoft.Sql/managedInstances/readme.md | 17 +++++++++--
 .../securityAlertPolicies/readme.md | 4 +--
 .../vulnerabilityAssessments/readme.md | 6 ++--
 6 files changed, 49 insertions(+), 11 deletions(-)

diff --git a/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json b/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json
index 75f38b339e..d6eef2990f 100644
--- a/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json
+++ b/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json
@@ -42,6 +42,9 @@
 "hardwareFamily": {
 "value": "Gen5"
 },
+ "servicePrincipal": {
+ "value": "SystemAssigned"
+ },
 "dnsZonePartner": {
 "value": ""
 },
diff --git a/arm/Microsoft.Sql/managedInstances/deploy.bicep b/arm/Microsoft.Sql/managedInstances/deploy.bicep
index abb26fa29a..acdd6b818d 100644
--- a/arm/Microsoft.Sql/managedInstances/deploy.bicep
+++ b/arm/Microsoft.Sql/managedInstances/deploy.bicep
@@ -36,6 +36,16 @@ param licenseType string = 'LicenseIncluded'
 @description('Optional. If the service has different generations of hardware, for the same SKU, then that can be captured here.')
 param hardwareFamily string = 'Gen5'
 
+@description('Optional. Whether or not multi-az is enabled.')
+param zoneRedundant bool = false
+
+@description('Optional. Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal')
+@allowed([
+ 'None'
+ 'SystemAssigned'
+])
+param servicePrincipal string = 'None'
+
 @description('Optional. Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified.')
 @allowed([
 'Default'
@@ -133,6 +143,15 @@ param encryptionProtectorObj object = {}
 @description('Optional. The administrator configuration')
 param administratorsObj object = {}
 
+@description('Optional. The storage account type used to store backups for this database.')
+@allowed([
+ 'Geo'
+ 'GeoZone'
+ 'Local'
+ 'Zone'
+])
+param requestedBackupStorageRedundancy string = 'Geo'
+
 @description('Optional. The name of logs that will be streamed.')
 @allowed([
 'ResourceUsageStats'
@@ -189,6 +208,7 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2021-05-01-preview' = {
 sku: {
 name: skuName
 tier: skuTier
+ family: hardwareFamily
 }
 tags: tags
 properties: {
@@ -197,7 +217,6 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2021-05-01-preview' = {
 administratorLoginPassword: administratorLoginPassword
 subnetId: subnetId
 licenseType: licenseType
- hardwareFamily: hardwareFamily
 vCores: vCores
 storageSizeInGB: storageSizeInGB
 collation: collation
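Review bot: The description on the new `servicePrincipal` parameter tells the operator that a Global Admin must grant the service principal "Reader access to Azure AD", which reads as the Azure RBAC Reader role; what Azure AD authentication on SQL MI needs, as far as I recall, is the Azure AD Directory Readers directory role on the instance identity, and Microsoft's guidance is to grant it through a role-assignable Azure AD group so that no Global Admin is needed per instance — please verify against the current docs before changing the wording. Suggest rewording to `@description('Optional. Service principal type. Set to SystemAssigned when Azure AD authentication is used; the instance identity must then be granted the Azure AD Directory Readers role (not the Azure RBAC Reader role) before administratorsObj is applied.')`. It is also worth stating in the description how this relates to the existing `systemAssignedIdentity` parameter, since from this hunk alone it is not clear whether both have to be enabled for the Azure AD admin flow.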
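Review bot: The `requestedBackupStorageRedundancy` description copies the API text ("for this database") and does not tell the operator that the default `Geo` replicates backup data to the paired region, which is exactly the detail a data-residency or compliance review will ask about. Suggest `@description('Optional. Redundancy of the storage that holds the automated backups of this instance. Geo and GeoZone replicate backups to the paired Azure region; choose Local or Zone where backups must stay in-region.')`. Since the allowed list is hard-coded, a short note that `Zone` and `GeoZone` are only accepted in regions with availability zones would also save a failed deployment.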
@@ -209,6 +228,11 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2021-05-01-preview' = {
 timezoneId: timezoneId
 instancePoolId: instancePoolResourceId
 primaryUserAssignedIdentityId: primaryUserAssignedIdentityId
+ requestedBackupStorageRedundancy: requestedBackupStorageRedundancy
+ zoneRedundant: zoneRedundant
+ servicePrincipal: {
+ type: servicePrincipal
+ }
 }
 }
 
@@ -322,7 +346,7 @@ module managedInstance_administrator 'administrators/deploy.bicep' = if (!empty(
 params: {
 managedInstanceName: managedInstance.name
 login: administratorsObj.name
- sid: administratorsObj.name
+ sid: administratorsObj.sid
 tenantId: contains(administratorsObj, 'tenantId') ? administratorsObj.tenantId : ''
 }
 }
diff --git a/arm/Microsoft.Sql/managedInstances/encryptionProtector/readme.md b/arm/Microsoft.Sql/managedInstances/encryptionProtector/readme.md
index 75818de364..155c071480 100644
--- a/arm/Microsoft.Sql/managedInstances/encryptionProtector/readme.md
+++ b/arm/Microsoft.Sql/managedInstances/encryptionProtector/readme.md
@@ -12,7 +12,7 @@ This module deploys an encryption protector for a SQL managed instance.
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `autoRotationEnabled` | bool | | | Optional. Key auto rotation opt-in flag |
+| `autoRotationEnabled` | bool | `False` | | Optional. Key auto rotation opt-in flag |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
 | `managedInstanceName` | string | | | Required. Name of the SQL managed instance. |
 | `name` | string | `current` | | Required. The name of the encryptionProtector |
diff --git a/arm/Microsoft.Sql/managedInstances/readme.md b/arm/Microsoft.Sql/managedInstances/readme.md
index 6b005da7f9..399de9fd67 100644
--- a/arm/Microsoft.Sql/managedInstances/readme.md
+++ b/arm/Microsoft.Sql/managedInstances/readme.md
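Review bot: `zoneRedundant` and `requestedBackupStorageRedundancy` are passed through independently, but as far as I recall the service rejects a zone-redundant instance whose backup storage is not itself zone-redundant (`Zone` or `GeoZone`), so `zoneRedundant: true` together with the default `Geo` would fail at deployment time — please verify against the current API reference. If that is confirmed, a one-line note on the parameter is enough to prevent it, e.g. `@description('Optional. Whether or not multi-az is enabled. Requires requestedBackupStorageRedundancy to be Zone or GeoZone.')`. The enclosing `managedInstance` resource declaration starts outside this hunk.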
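Review bot: `administratorsObj.sid` is now read without the `contains()` guard that `tenantId` has, so an `administratorsObj` that omits `sid` fails the deployment instead of binding the Azure AD admin to the wrong principal — the right outcome for an identity binding — but nothing in the module tells the caller that `name` and `sid` are mandatory keys: the parameter description is just "The administrator configuration" and the readme's new Azure AD section only says the object "must be configured". Suggest documenting the object shape on the parameter, e.g. `@description('Optional. Azure AD administrator for the instance: an object with name (login) and sid (Azure AD object ID of the user or group), plus an optional tenantId. Leave empty to skip.')`, and mirroring it in the readme's Parameter Usage section. The `managedInstance_administrator` module declaration this hunk edits begins outside the hunk.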
@@ -21,7 +21,15 @@ This template deploys a SQL managed instance.
 
 ### Deployment prerequisites
 
-SQL Managed Instance is deployed on a virtual network. This network is required to satisfy the requirements explained [here](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-connectivity-architecture#network-requirements). In the module is a second ARM template UpdateSubnet.deploy.json, which configures a subnet to be ready for the SQL managed instance.
+#### Networking
+
+SQL Managed Instance is deployed on a virtual network to a subnet that is delagated to the SQL MI service. This network is required to satisfy the requirements explained [here](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-connectivity-architecture#network-requirements).
+
+SQL MI requires that the subnet have a Route Table and NSG assigned to it. The SQL MI service will automatically add Routes to the Route Table and Rules to the NSG once the SQL MI has been deployed. As a result, the parameter file for the Route Table and NSG will have to be updated afterwards with the created Routes & Rules, otherwise redeployment of the Route Table & NSG via Bicep/ARM will fail.
+
+#### Azure AD Authentication
+
+SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance). This requires a Service Principal to be assigned and granted Reader rights to Azure AD by an AD Admin. To do so via this module, the `servicePrincipal` parameter must be set to `SystemAssigned` and deploy the SQL MI. Afterwards an Azure AD Admin must go to the SQL MI Azure Active Directory admin page in the Azure Portal and assigned the Reader rights. Next the `administratorsObj` must be configured in the parameter file and be redeployed.
 
 ## Parameters
 
@@ -52,21 +60,24 @@ SQL Managed Instance is deployed on a virtual network. This network is required
 | `name` | string | | | Required. The name of the SQL managed instance. |
 | `primaryUserAssignedIdentityId` | string | | | Optional. Mandatory if "managedServiceIdentity" contains UserAssigned. The resource ID of a user assigned identity to be used by default. |
 | `proxyOverride` | string | `Proxy` | `[Proxy, Redirect, Default]` | Optional. Connection type used for connecting to the instance. |
-| `publicDataEndpointEnabled` | bool | | | Optional. Whether or not the public data endpoint is enabled. |
+| `publicDataEndpointEnabled` | bool | `False` | | Optional. Whether or not the public data endpoint is enabled. |
+| `requestedBackupStorageRedundancy` | string | `Geo` | `[Geo, GeoZone, Local, Zone]` | Optional. The storage account type used to store backups for this database. |
 | `restorePointInTime` | string | | | Optional. Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `securityAlertPoliciesObj` | _[securityAlertPolicies](securityAlertPolicies/readme.md)_ object | `{object}` | | Optional. The security alert policy configuration |
+| `servicePrincipal` | string | `None` | `[None, SystemAssigned]` | Optional. Service principal type. If using AD Authentication and applying Admin, must be set to `SystemAssigned`. Then Global Admin must allow Reader access to Azure AD for the Service Principal |
 | `skuName` | string | `GP_Gen5` | | Optional. The name of the SKU, typically, a letter + Number code, e.g. P3. |
 | `skuTier` | string | `GeneralPurpose` | | Optional. The tier or edition of the particular SKU, e.g. Basic, Premium. |
 | `sourceManagedInstanceId` | string | | | Optional. The resource identifier of the source managed instance associated with create operation of this instance. |
 | `storageSizeInGB` | int | `32` | | Optional. Storage size in GB. Minimum value: 32. Maximum value: 8192. Increments of 32 GB allowed only. |
 | `subnetId` | string | | | Required. The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. |
-| `systemAssignedIdentity` | bool | | | Optional. Enables system assigned managed identity on the resource. |
+| `systemAssignedIdentity` | bool | `False` | | Optional. Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Optional. Tags of the resource. |
 | `timezoneId` | string | `UTC` | | Optional. ID of the timezone. Allowed values are timezones supported by Windows. |
 | `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. |
 | `vCores` | int | `4` | | Optional. The number of vCores. Allowed values: 8, 16, 24, 32, 40, 64, 80. |
 | `vulnerabilityAssessmentsObj` | _[vulnerabilityAssessments](vulnerabilityAssessments/readme.md)_ object | `{object}` | | Optional. The vulnerability assessment configuration |
+| `zoneRedundant` | bool | `False` | | Optional. Whether or not multi-az is enabled. |
 
 ### Parameter Usage : `userAssignedIdentities`
 
diff --git a/arm/Microsoft.Sql/managedInstances/securityAlertPolicies/readme.md b/arm/Microsoft.Sql/managedInstances/securityAlertPolicies/readme.md
index c739262e8c..282e4a3fd5 100644
--- a/arm/Microsoft.Sql/managedInstances/securityAlertPolicies/readme.md
+++ b/arm/Microsoft.Sql/managedInstances/securityAlertPolicies/readme.md
@@ -13,7 +13,7 @@ This module deploys a security alert policy for a SQL managed instance.
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
-| `emailAccountAdmins` | bool | | | Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators. |
+| `emailAccountAdmins` | bool | `False` | | Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators. |
 | `managedInstanceName` | string | | | Required. Name of the SQL managed instance. |
 | `name` | string | | | Required. The name of the security alert policy |
 | `state` | string | `Disabled` | `[Enabled, Disabled]` | Optional. Enables advanced data security features, like recuring vulnerability assesment scans and ATP. If enabled, storage account must be provided. |
@@ -23,8 +23,8 @@ This module deploys a security alert policy for a SQL managed instance.
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed security alert policy |
-| `resourceId` | string | The resource ID of the deployed security alert policy |
 | `resourceGroupName` | string | The resource group of the deployed security alert policy |
+| `resourceId` | string | The resource ID of the deployed security alert policy |
 
 ## Template references
 
diff --git a/arm/Microsoft.Sql/managedInstances/vulnerabilityAssessments/readme.md b/arm/Microsoft.Sql/managedInstances/vulnerabilityAssessments/readme.md
index 153d661eb1..a349bc7853 100644
--- a/arm/Microsoft.Sql/managedInstances/vulnerabilityAssessments/readme.md
+++ b/arm/Microsoft.Sql/managedInstances/vulnerabilityAssessments/readme.md
@@ -16,8 +16,8 @@ This module deploys a vulnerability assessment for a SQL managed instance.
 | `managedInstanceName` | string | | | Required. Name of the SQL managed instance. |
 | `name` | string | | | Required. The name of the vulnerability assessment |
 | `recurringScansEmails` | array | `[]` | | Optional. Specifies an array of email addresses to which the scan notification is sent. |
-| `recurringScansEmailSubscriptionAdmins` | bool | | | Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators. |
-| `recurringScansIsEnabled` | bool | | | Optional. Recurring scans state. |
+| `recurringScansEmailSubscriptionAdmins` | bool | `False` | | Optional. Specifies that the schedule scan notification will be is sent to the subscription administrators. |
+| `recurringScansIsEnabled` | bool | `False` | | Optional. Recurring scans state. |
 | `vulnerabilityAssessmentsStorageAccountId` | string | | | Optional. A blob storage to hold the scan results. |
 
 ## Outputs
@@ -25,8 +25,8 @@ This module deploys a vulnerability assessment for a SQL managed instance.
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the deployed vulnerability assessment |
-| `resourceId` | string | The resource ID of the deployed vulnerability assessment |
 | `resourceGroupName` | string | The resource group of the deployed vulnerability assessment |
+| `resourceId` | string | The resource ID of the deployed vulnerability assessment |
 
 ## Template references
 