51 commits
867658f
dep only
eriqua Oct 17, 2022
0c7630a
disable pester
eriqua Oct 17, 2022
49a83da
remove param
eriqua Oct 17, 2022
07f4937
subnet boundary
eriqua Oct 17, 2022
af56ce7
min resource
eriqua Oct 17, 2022
b57e5f8
min and common dep
eriqua Oct 17, 2022
c47d96d
clean up param
eriqua Oct 17, 2022
3a45f34
disable min resource
eriqua Oct 17, 2022
112d13a
enable com resource
eriqua Oct 17, 2022
840ffb9
min resource readme and cleanup
eriqua Oct 17, 2022
2cdd3a6
enable pester
eriqua Oct 17, 2022
30e3939
sqlmi removal
eriqua Oct 18, 2022
7afc9f9
Update deploy.test.bicep
eriqua Oct 18, 2022
589d74c
Update dependencies.bicep
eriqua Oct 18, 2022
76d2724
Update dependencies.bicep
eriqua Oct 18, 2022
6a7413c
Merge branch 'main' into users/erikag/1964-sqlmi-newdep
eriqua Oct 19, 2022
812c038
readme
eriqua Oct 19, 2022
a750580
no main resource
eriqua Oct 19, 2022
dc1128f
formatting
eriqua Oct 19, 2022
577c626
temp serviceshort
eriqua Oct 19, 2022
cda396e
serviceshort
eriqua Oct 19, 2022
8ef7ec0
test main resource
eriqua Oct 22, 2022
f136df5
no encr prot and key
eriqua Oct 24, 2022
719c33a
test dep name
eriqua Oct 24, 2022
082bc4e
enc obj with kv crypto user
eriqua Oct 24, 2022
abcc73b
Key Vault Crypto Service Encryption User
eriqua Oct 25, 2022
604b7b7
update sqlmi dep
eriqua Nov 4, 2022
b18010d
update sqlmi dep no token
eriqua Nov 4, 2022
97976e6
merge latest
eriqua Nov 4, 2022
c756c98
serverKeyName
eriqua Nov 9, 2022
f9efc32
Merge branch 'main' into users/erikag/1964-sqlmi-newdep
eriqua Nov 9, 2022
96fe685
readme
eriqua Nov 9, 2022
03ff53e
keys
eriqua Nov 10, 2022
01f2639
Merge branch 'main' into users/erikag/1964-sqlmi-newdep
eriqua Nov 10, 2022
50c19e1
test nsg dep
eriqua Nov 10, 2022
4c5b888
disable min
eriqua Nov 10, 2022
d1d73e1
rt and vnet
eriqua Nov 10, 2022
04db8a1
change rg
eriqua Nov 10, 2022
7d8583b
rt set
eriqua Nov 10, 2022
b993d0b
change rg
eriqua Nov 10, 2022
857c955
enable all resources
eriqua Nov 10, 2022
72f0e08
encr obj
eriqua Nov 11, 2022
c9a7002
min
eriqua Nov 11, 2022
4f77050
min dep update
eriqua Nov 11, 2022
2625836
Merge branch 'main' into users/erikag/1964-sqlmi-newdep
eriqua Nov 11, 2022
d6640a2
encr obj depending on keys
eriqua Nov 11, 2022
3a246fc
pester back
eriqua Nov 11, 2022
6794f9e
readme
eriqua Nov 11, 2022
01f96a6
common dep cleanup
eriqua Nov 11, 2022
a95faf6
key rbac
eriqua Nov 11, 2022
5a5f90c
cleanup
eriqua Nov 12, 2022
3 changes: 1 addition & 2 deletions .github/workflows/ms.sql.managedinstances.yml
Expand Up @@ -106,8 +106,7 @@ jobs:
- name: 'Using test file [${{ matrix.moduleTestFilePaths }}]'
uses: ./.github/actions/templates/validateModuleDeployment
with:
templateFilePath: '${{ env.modulePath }}/deploy.bicep'
parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
location: '${{ env.location }}'
resourceGroupName: '${{ env.resourceGroupName }}'
subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
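Review bot: The new `templateFilePath` line feeds `matrix.moduleTestFilePaths` straight into the template input, so every matrix entry must now be a deployable `.bicep` test file rather than a parameter file, but nothing in the hunk records that contract; a comment above `with:` such as `# matrix.moduleTestFilePaths holds the path of a deployable .test.bicep file, not a parameter file` would make it visible. The `parameterFilePath` input is no longer supplied, so if the composite action `./.github/actions/templates/validateModuleDeployment` (outside this diff) still declares it as required, this step fails at runtime — worth confirming in the action definition. The enclosing `jobs:` map starts outside the hunk.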
@@ -0,0 +1,350 @@
@description('Required. The name of the Virtual Network to create.')
param virtualNetworkName string

@description('Required. The name of the Network Security Group to create.')
param networkSecurityGroupName string

@description('Required. The name of the Route Table to create.')
param routeTableName string

@description('Required. The name of the Managed Identity to create.')
param managedIdentityName string

@description('Required. The name of the Key Vault to create.')
param keyVaultName string

@description('Optional. The location to deploy resources to.')
param location string = resourceGroup().location

var sqlMiVnetAddressPrefix = '10.0.0.0/16'
var sqlMiSubnetAddressPrefix = '10.0.0.0/24'
var sqlMiSubnetAddressPrefixString = replace(replace(sqlMiSubnetAddressPrefix, '.', '-'), '/', '-')

resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
name: networkSecurityGroupName
location: location
properties: {
securityRules: [
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${sqlMiSubnetAddressPrefixString}-v10'
properties: {
description: 'Allow MI provisioning Control Plane Deployment and Authentication Service'
protocol: 'Tcp'
sourcePortRange: '*'
sourceAddressPrefix: 'SqlManagement'
destinationAddressPrefix: sqlMiSubnetAddressPrefix
access: 'Allow'
priority: 100
direction: 'Inbound'
destinationPortRanges: [
'9000'
'9003'
'1438'
'1440'
'1452'
]
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${sqlMiSubnetAddressPrefixString}-v10'
properties: {
description: 'Allow MI Supportability'
protocol: 'Tcp'
sourcePortRange: '*'
sourceAddressPrefix: 'CorpNetSaw'
destinationAddressPrefix: sqlMiSubnetAddressPrefix
access: 'Allow'
priority: 101
direction: 'Inbound'
destinationPortRanges: [
'9000'
'9003'
'1440'
]
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${sqlMiSubnetAddressPrefixString}-v10'
properties: {
description: 'Allow MI Supportability through Corpnet ranges'
protocol: 'Tcp'
sourcePortRange: '*'
sourceAddressPrefix: 'CorpNetPublic'
destinationAddressPrefix: sqlMiSubnetAddressPrefix
access: 'Allow'
priority: 102
direction: 'Inbound'
destinationPortRanges: [
'9000'
'9003'
]
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${sqlMiSubnetAddressPrefixString}-v10'
properties: {
description: 'Allow Azure Load Balancer inbound traffic'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: 'AzureLoadBalancer'
destinationAddressPrefix: sqlMiSubnetAddressPrefix
access: 'Allow'
priority: 103
direction: 'Inbound'
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${sqlMiSubnetAddressPrefixString}-v10'
properties: {
description: 'Allow MI internal inbound traffic'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: sqlMiSubnetAddressPrefix
destinationAddressPrefix: sqlMiSubnetAddressPrefix
access: 'Allow'
priority: 104
direction: 'Inbound'
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${sqlMiSubnetAddressPrefixString}-v10'
properties: {
description: 'Allow MI services outbound traffic over https'
protocol: 'Tcp'
sourcePortRange: '*'
sourceAddressPrefix: sqlMiSubnetAddressPrefix
destinationAddressPrefix: 'AzureCloud'
access: 'Allow'
priority: 100
direction: 'Outbound'
destinationPortRanges: [
'443'
'12000'
]
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${sqlMiSubnetAddressPrefixString}-v10'
properties: {
description: 'Allow MI internal outbound traffic'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: sqlMiSubnetAddressPrefix
destinationAddressPrefix: sqlMiSubnetAddressPrefix
access: 'Allow'
priority: 101
direction: 'Outbound'
}
}
]
}
}

resource routeTable 'Microsoft.Network/routeTables@2021-08-01' = {
name: routeTableName
location: location
properties: {
disableBgpRoutePropagation: false
routes: [
{
name: 'Microsoft.Sql-managedInstances_UseOnly_subnet-${sqlMiSubnetAddressPrefixString}-to-vnetlocal'
properties: {
addressPrefix: sqlMiSubnetAddressPrefix
nextHopType: 'VnetLocal'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage'
properties: {
addressPrefix: 'Storage'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement'
properties: {
addressPrefix: 'SqlManagement'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor'
properties: {
addressPrefix: 'AzureMonitor'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw'
properties: {
addressPrefix: 'CorpNetSaw'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic'
properties: {
addressPrefix: 'CorpNetPublic'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory'
properties: {
addressPrefix: 'AzureActiveDirectory'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope'
properties: {
addressPrefix: 'AzureCloud.westeurope'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope'
properties: {
addressPrefix: 'AzureCloud.northeurope'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope'
properties: {
addressPrefix: 'Storage.westeurope'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope'
properties: {
addressPrefix: 'Storage.northeurope'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope'
properties: {
addressPrefix: 'EventHub.westeurope'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
{
name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope'
properties: {
addressPrefix: 'EventHub.northeurope'
nextHopType: 'Internet'
hasBgpOverride: false
}
}
]
}
}

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
name: virtualNetworkName
location: location
properties: {
addressSpace: {
addressPrefixes: [
sqlMiVnetAddressPrefix
]
}
subnets: [
{
name: 'ManagedInstance'
properties: {
addressPrefix: sqlMiSubnetAddressPrefix
routeTable: {
id: routeTable.id
}
networkSecurityGroup: {
id: networkSecurityGroup.id
}
delegations: [
{
name: 'managedInstanceDelegation'
properties: {
serviceName: 'Microsoft.Sql/managedInstances'
}
}
]
}
}
]
}
}

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
name: managedIdentityName
location: location
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
name: keyVaultName
location: location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenant().tenantId
enablePurgeProtection: null
enabledForTemplateDeployment: true
enabledForDiskEncryption: true
enabledForDeployment: true
enableRbacAuthorization: true
accessPolicies: []
}

resource key 'keys@2022-07-01' = {
name: 'keyEncryptionKey'
properties: {
kty: 'RSA'
}
}
}

resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
scope: keyVault::key
properties: {
principalId: managedIdentity.properties.principalId
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
principalType: 'ServicePrincipal'
}
}

@description('The resource ID of the created Virtual Network Subnet.')
output subnetResourceId string = virtualNetwork.properties.subnets[0].id

@description('The principal ID of the created Managed Identity.')
output managedIdentityPrincipalId string = managedIdentity.properties.principalId

@description('The resource ID of the created Managed Identity.')
output managedIdentityResourceId string = managedIdentity.id

@description('The URL of the created Key Vault Encryption Key.')
output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion

@description('The name of the created Key Vault Encryption Key.')
output keyVaultKeyName string = keyVault::key.name

@description('The name of the created Key Vault.')
output keyVaultName string = keyVault.name
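Review bot: `enablePurgeProtection: null` on the `keyVault` resource leaves purge protection off (and `enableSoftDelete` is not set either) for a vault whose `keyEncryptionKey` is, judging by the commit titles, meant to act as a SQL Managed Instance encryption protector; as far as I recall, customer-managed TDE requires the key vault to have soft-delete and purge protection enabled, so the test deployment may fail unless the consuming module enables them elsewhere. If the null is deliberate so the test vault can be torn down, state that on the line, e.g. `enablePurgeProtection: null // intentionally unset so the test vault can be deleted; CMK-protected SQL MI needs soft-delete + purge protection in real deployments`. The `keyPermissions` assignment's guid seed ends in `Key-Reader-RoleAssignment` while the role granted is Key Vault Crypto Service Encryption User, which misleads anyone auditing the assignment name; rename the suffix, e.g. `-Key-Vault-Crypto-Service-Encryption-User-RoleAssignment`. The three `enabledFor*` flags and the missing `networkAcls` widen the vault beyond what a CMK test needs, and the `routeTable` hard-codes `westeurope`/`northeurope` service tags although `location` is a parameter — both acceptable for a disposable dependency, but each deserves a one-line comment saying so.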