From 592685ce99a7cfb24fb18fdb60f265d1f8c7a87f Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Thu, 1 Dec 2022 11:12:45 +0100 Subject: [PATCH 01/28] sqlserver_key_01 --- modules/Microsoft.Sql/servers/deploy.bicep | 16 ++++- .../Microsoft.Sql/servers/keys/deploy.bicep | 58 +++++++++++++++++++ 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 modules/Microsoft.Sql/servers/keys/deploy.bicep diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep index b066c97777..6b48386bcf 100644 --- a/modules/Microsoft.Sql/servers/deploy.bicep +++ b/modules/Microsoft.Sql/servers/deploy.bicep @@ -49,6 +49,9 @@ param virtualNetworkRules array = [] @description('Optional. The security alert policies to create in the server.') param securityAlertPolicies array = [] +@description('Optional. The keys to configure.') +param keys array = [] + @description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.') param administrators object = {} @@ -95,7 +98,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource server 'Microsoft.Sql/servers@2022-02-01-preview' = { +resource server 'Microsoft.Sql/servers@2022-05-01-preview' = { location: location name: name tags: tags @@ -275,6 +278,17 @@ module server_vulnerabilityAssessment 'vulnerabilityAssessments/deploy.bicep' = ] } +module server_keys 'keys/deploy.bicep' = [for (key, index) in keys: { + name: '${uniqueString(deployment().name, location)}-SqlMi-Key-${index}' + params: { + name: key.name + serverName: server.name + serverKeyType: contains(key, 'serverKeyType') ? key.serverKeyType : 'ServiceManaged' + uri: contains(key, 'uri') ? key.uri : '' + enableDefaultTelemetry: enableReferencedModulesTelemetry + } +}] + @description('The name of the deployed SQL server.') output name string = server.name 
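Review bot: In the `server_keys` loop the child's `name` is passed as `key.name` unconditionally, so a caller that leaves `name` out of a key object fails at deployment time and the child module's fallback to a name derived from the key URI is only reachable when the caller passes an empty string on purpose; `name: contains(key, 'name') ? key.name : ''` would handle it the same way `serverKeyType` and `uri` are handled two lines below. Registering an `AzureKeyVault` key with the server is not the same as making it the TDE protector, which this module does not configure; one sentence on that in the `keys` parameter description (`Optional. The keys to configure. Registering a key does not change the server's encryption protector.`) would spare callers a wrong assumption about what is encrypted after deployment.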
diff --git a/modules/Microsoft.Sql/servers/keys/deploy.bicep b/modules/Microsoft.Sql/servers/keys/deploy.bicep new file mode 100644 index 0000000000..3d3ccb33a8 --- /dev/null +++ b/modules/Microsoft.Sql/servers/keys/deploy.bicep 
@@ -0,0 +1,58 @@
+@description('Required. The name of the key. Must follow the [__] pattern.')
+param name string
+
+@description('Conditional. The name of the parent SQL server.')
+param serverName string
+
+@description('Optional. The encryption protector type like "ServiceManaged", "AzureKeyVault".')
+@allowed([
+ 'AzureKeyVault'
+ 'ServiceManaged'
+])
+param serverKeyType string = 'ServiceManaged'
+
+@description('Optional. The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required.')
+param uri string = ''
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+var splittedKeyUri = split(uri, '/')
+
+// if serverManaged, use serverManaged, if uri provided use concated uri value
+// MUST match the pattern '__'
+var serverKeyName = empty(uri) ? 'ServiceManaged' : '${split(splittedKeyUri[2], '.')[0]}_${splittedKeyUri[4]}_${splittedKeyUri[5]}'
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource server 'Microsoft.Sql/servers@2022-05-01-preview' existing = {
+ name: serverName
+}
+
+resource key 'Microsoft.Sql/servers/keys@2022-05-01-preview' = {
+ name: !empty(name) ? name : serverKeyName
+ parent: server
+ properties: {
+ serverKeyType: serverKeyType
+ uri: uri
+ }
+}
+
+@description('The name of the deployed server key.')
+output name string = key.name
+
+@description('The resource ID of the deployed server key.')
+output resourceId string = key.id
+
+@description('The resource group of the deployed server key.')
+output resourceGroupName string = resourceGroup().name
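Review bot: `serverKeyName` indexes `splittedKeyUri[5]`, so any non-empty `uri` that lacks the version segment fails the deployment with an index error before the key resource is submitted; either guard the derivation (`length(splittedKeyUri) >= 6`) or state in the `uri` description that a versioned key identifier is required. The `name` parameter is documented as `Required`, yet the resource uses `!empty(name) ? name : serverKeyName`, and that fallback evaluates to `'ServiceManaged'` whenever `uri` is empty even when `serverKeyType` is `AzureKeyVault`; the description and the fallback should agree, e.g. `Optional. The name of the key. Defaults to a name derived from the key URI.` The combination the `uri` description calls invalid, `AzureKeyVault` with an empty `uri`, is not rejected anywhere in this file and reaches the resource provider as-is.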
From 8d31f54120b722c661c9bcaef340a3321f109519 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Thu, 1 Dec 2022 11:12:59 +0100 Subject: [PATCH 02/28] sqlserver_key_01 --- .../servers/.test/common/dependencies.bicep | 47 +++++++++++++++++ .../servers/.test/common/deploy.test.bicep | 8 +++ modules/Microsoft.Sql/servers/keys/readme.md | 51 +++++++++++++++++++ .../Microsoft.Sql/servers/keys/version.json | 4 ++ 4 files changed, 110 insertions(+) create mode 100644 modules/Microsoft.Sql/servers/keys/readme.md create mode 100644 modules/Microsoft.Sql/servers/keys/version.json diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep index 0a65dc7910..5815de33dd 100644 --- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep @@ -7,6 +7,9 @@ param virtualNetworkName string @description('Optional. The location to deploy resources to.') param location string = resourceGroup().location +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { name: managedIdentityName location: location 
@@ -56,6 +59,41 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { } } +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + @description('The principal ID of the created managed identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId @@ -70,3 +108,12 @@ output serviceEndpointSubnetResourceId string = virtualNetwork.properties.subnet @description('The resource ID of the created Private DNS Zone.') output privateDNSResourceId string = privateDNSZone.id + +@description('The URL of the created Key Vault Encryption Key.') +output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion + +@description('The name of the created Key Vault Encryption Key.') +output keyVaultKeyName string = keyVault::key.name + +@description('The name of the created Key Vault.') +output keyVaultName string = keyVault.name diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep index 213e5f34cc..bb1ac1e6f3 100644 
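Review bot: The vault created here leaves `enablePurgeProtection: null` and sets no `enableSoftDelete`, while to my knowledge Azure SQL only accepts a customer-managed TDE key from a vault with soft delete and purge protection turned on, so the key registered by the test may be rejected at deployment; `enableSoftDelete: true` and `enablePurgeProtection: true` would match that requirement (purge protection cannot be disabled afterwards, so test vault names need to stay unique per run). `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` are unrelated to a SQL server key and widen which Azure services may read the vault, and nothing in `keyPermissions` below needs them, which only grants the managed identity `Key Vault Crypto Service Encryption User` on `keyEncryptionKey`. `enableRbacAuthorization: true` together with `accessPolicies: []` is the right pairing for the role assignment that follows.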
--- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep @@ -35,6 +35,7 @@ module resourceGroupResources 'dependencies.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, location)}-nestedDependencies' params: { + keyVaultName: 'dep-<>-kv-${serviceShort}' managedIdentityName: 'dep-<>-msi-${serviceShort}' virtualNetworkName: 'dep-<>-vnet-${serviceShort}' location: location @@ -129,6 +130,13 @@ module testDeployment '../../deploy.bicep' = { emailAccountAdmins: true } ] + keys: [ + { + name: '${resourceGroupResources.outputs.keyVaultName}_${resourceGroupResources.outputs.keyVaultKeyName}_${last(split(resourceGroupResources.outputs.keyVaultEncryptionKeyUrl, '/'))}' + serverKeyType: 'AzureKeyVault' + uri: resourceGroupResources.outputs.keyVaultEncryptionKeyUrl + } + ] systemAssignedIdentity: true userAssignedIdentities: { '${resourceGroupResources.outputs.managedIdentitResourceId}': {} diff --git a/modules/Microsoft.Sql/servers/keys/readme.md b/modules/Microsoft.Sql/servers/keys/readme.md new file mode 100644 index 0000000000..399e34aaef --- /dev/null +++ b/modules/Microsoft.Sql/servers/keys/readme.md 
@@ -0,0 +1,51 @@ +# SQL Managed Instance Keys `[Microsoft.Sql/managedInstances/keys]` + +This module deploys a key for a SQL managed instance. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Sql/managedInstances/keys` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/keys) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the key. Must follow the [__] pattern. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type like "ServiceManaged", "AzureKeyVault". | +| `uri` | string | `''` | | The URI of the key. If the ServerKeyType is AzureKeyVault, then either the URI or the keyVaultName/keyName combination is required. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed managed instance key. | +| `resourceGroupName` | string | The resource group of the deployed managed instance key. | +| `resourceId` | string | The resource ID of the deployed managed instance key. | + +## Cross-referenced modules + +_None_ 
diff --git a/modules/Microsoft.Sql/servers/keys/version.json b/modules/Microsoft.Sql/servers/keys/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/modules/Microsoft.Sql/servers/keys/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.4" +} From f26fbfa55db69add33a7b36799e27cb72a25b958 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Thu, 1 Dec 2022 11:28:49 +0100 Subject: [PATCH 03/28] updated_readme --- modules/Microsoft.Sql/servers/readme.md | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md index 83f138292a..797df2e7c9 100644 --- a/modules/Microsoft.Sql/servers/readme.md +++ b/modules/Microsoft.Sql/servers/readme.md 
@@ -19,10 +19,11 @@ This module deploys a SQL server. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2022-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2022-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-05-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Sql/servers` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers) | +| `Microsoft.Sql/servers` | [2022-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers) | | `Microsoft.Sql/servers/databases` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/databases) | | `Microsoft.Sql/servers/elasticPools` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/elasticPools) | | `Microsoft.Sql/servers/firewallRules` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/firewallRules) | +| `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) | | `Microsoft.Sql/servers/securityAlertPolicies` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/securityAlertPolicies) | | `Microsoft.Sql/servers/virtualNetworkRules` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/virtualNetworkRules) | | `Microsoft.Sql/servers/vulnerabilityAssessments` | 
[2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/vulnerabilityAssessments) | @@ -51,6 +52,7 @@ This module deploys a SQL server. | `elasticPools` | _[elasticPools](elasticPools/readme.md)_ array | `[]` | | The Elastic Pools to create in the server. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | The firewall rules to create in the server. | +| `keys` | _[keys](keys/readme.md)_ array | `[]` | | The keys to configure. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `minimalTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Minimal TLS version allowed. | @@ -415,9 +417,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { module servers './Microsoft.Sql/servers/deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-sqlscom' params: { - // Required parameters name: '<>-sqlscom' - // Non-required parameters administratorLogin: 'adminUserName' administratorLoginPassword: '' databases: [ @@ -454,6 +454,13 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { startIpAddress: '0.0.0.0' } ] + keys: [ + { + name: '' + serverKeyType: 'AzureKeyVault' + uri: '' + } + ] location: '' lock: 'CanNotDelete' privateEndpoints: [ @@ -520,11 +527,9 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - // Required parameters "name": { "value": "<>-sqlscom" }, - // Non-required parameters "administratorLogin": { "value": "adminUserName" }, 
@@ -573,6 +578,15 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { } ] }, + "keys": { + "value": [ + { + "name": "", + "serverKeyType": "AzureKeyVault", + "uri": "" + } + ] + }, "location": { "value": "" }, From d30ce6b8fc9e2d6d25b4dfe1162f1e555fe323ca Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 5 Dec 2022 17:50:54 +0100 Subject: [PATCH 04/28] updated readme file --- modules/Microsoft.Sql/servers/deploy.bicep | 2 +- modules/Microsoft.Sql/servers/keys/readme.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep index 6b48386bcf..9aaaa596ea 100644 --- a/modules/Microsoft.Sql/servers/deploy.bicep +++ b/modules/Microsoft.Sql/servers/deploy.bicep @@ -279,7 +279,7 @@ module server_vulnerabilityAssessment 'vulnerabilityAssessments/deploy.bicep' = } module server_keys 'keys/deploy.bicep' = [for (key, index) in keys: { - name: '${uniqueString(deployment().name, location)}-SqlMi-Key-${index}' + name: '${uniqueString(deployment().name, location)}-Sql-Key-${index}' params: { name: key.name serverName: server.name diff --git a/modules/Microsoft.Sql/servers/keys/readme.md b/modules/Microsoft.Sql/servers/keys/readme.md index 399e34aaef..51ceccafb2 100644 --- a/modules/Microsoft.Sql/servers/keys/readme.md +++ b/modules/Microsoft.Sql/servers/keys/readme.md @@ -1,4 +1,4 @@ -# SQL Managed Instance Keys `[Microsoft.Sql/managedInstances/keys]` +# SQL Servers Keys `[Microsoft.Sql/servers/keys]` This module deploys a key for a SQL managed instance. 
@@ -13,7 +13,7 @@ This module deploys a key for a SQL managed instance. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Sql/managedInstances/keys` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/managedInstances/keys) | +| `Microsoft.Sql/servers/keys` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/keys) | ## Parameters From ec502e616b3c9db0aa8203d03be593e86ea137d9 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 5 Dec 2022 18:03:28 +0100 Subject: [PATCH 05/28] readme keys --- modules/Microsoft.Sql/servers/keys/readme.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/Microsoft.Sql/servers/keys/readme.md b/modules/Microsoft.Sql/servers/keys/readme.md index 51ceccafb2..8700f68188 100644 --- a/modules/Microsoft.Sql/servers/keys/readme.md +++ b/modules/Microsoft.Sql/servers/keys/readme.md @@ -13,7 +13,7 @@ This module deploys a key for a SQL managed instance. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Sql/servers/keys` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/keys) | +| `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) | ## Parameters @@ -27,7 +27,7 @@ This module deploys a key for a SQL managed instance. | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `managedInstanceName` | string | The name of the parent SQL managed instance. Required if the template is used in a standalone deployment. | +| `serverName` | string | The name of the parent SQL server. | **Optional parameters** 
@@ -42,9 +42,9 @@ This module deploys a key for a SQL managed instance. | Output Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the deployed managed instance key. | -| `resourceGroupName` | string | The resource group of the deployed managed instance key. | -| `resourceId` | string | The resource ID of the deployed managed instance key. | +| `name` | string | The name of the deployed server key. | +| `resourceGroupName` | string | The resource group of the deployed server key. | +| `resourceId` | string | The resource ID of the deployed server key. | ## Cross-referenced modules From a2351b61a20150e7a7e88e5cd192e139384f2031 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 5 Dec 2022 18:37:11 +0100 Subject: [PATCH 06/28] updates --- modules/Microsoft.Sql/servers/keys/deploy.bicep | 2 +- modules/Microsoft.Sql/servers/keys/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Sql/servers/keys/deploy.bicep b/modules/Microsoft.Sql/servers/keys/deploy.bicep index 3d3ccb33a8..afa7bfce79 100644 --- a/modules/Microsoft.Sql/servers/keys/deploy.bicep +++ b/modules/Microsoft.Sql/servers/keys/deploy.bicep @@ -1,7 +1,7 @@ @description('Required. The name of the key. Must follow the [__] pattern.') param name string -@description('Conditional. The name of the parent SQL server.') +@description('Conditional. The name of the parent SQL server. Required if the template is used in a standalone deployment.') param serverName string @description('Optional. The encryption protector type like "ServiceManaged", "AzureKeyVault".') diff --git a/modules/Microsoft.Sql/servers/keys/readme.md b/modules/Microsoft.Sql/servers/keys/readme.md index 8700f68188..c14e6f7ba5 100644 --- a/modules/Microsoft.Sql/servers/keys/readme.md +++ b/modules/Microsoft.Sql/servers/keys/readme.md 
@@ -27,7 +27,7 @@ This module deploys a key for a SQL managed instance. | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `serverName` | string | The name of the parent SQL server. | +| `serverName` | string | The name of the parent SQL server. Required if the template is used in a standalone deployment. | **Optional parameters** From 954bd7614cda8fa9e91212a0619691a719990fe8 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 6 Dec 2022 17:41:06 +0100 Subject: [PATCH 07/28] 'pippo_carml_sqlserver' --- modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep index bb1ac1e6f3..84558899cd 100644 --- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep @@ -36,7 +36,7 @@ module resourceGroupResources 'dependencies.bicep' = { name: '${uniqueString(deployment().name, location)}-nestedDependencies' params: { keyVaultName: 'dep-<>-kv-${serviceShort}' - managedIdentityName: 'dep-<>-msi-${serviceShort}' + managedIdentityName: 'pippo_carml_sqlserver' //'dep-<>-msi-${serviceShort}' virtualNetworkName: 'dep-<>-vnet-${serviceShort}' location: location } From dd125e3c6bb3aba26873b11dcfff443eaf20d7b8 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 6 Dec 2022 17:56:48 +0100 Subject: [PATCH 08/28] fabmas permissions --- modules/Microsoft.Sql/servers/.test/common/dependencies.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep index 5815de33dd..5a42455e64 100644 --- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep 
@@ -88,7 +88,7 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') scope: keyVault::key properties: { - principalId: managedIdentity.properties.principalId + principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2' //FABMAS managedIdentity.properties.principalId roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User principalType: 'ServicePrincipal' } From 4a8cdb6a702c75608068e3e9c3d9f724c2e189ca Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 6 Dec 2022 18:29:57 +0100 Subject: [PATCH 09/28] principalType --- modules/Microsoft.Sql/servers/.test/common/dependencies.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep index 5a42455e64..a69ae4a193 100644 --- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep @@ -90,7 +90,7 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { properties: { principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2' //FABMAS managedIdentity.properties.principalId roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User - principalType: 'ServicePrincipal' + principalType: 'User' //'ServicePrincipal' } } From fd740e99c9118302b19410817d6a13eb1f1be120 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 6 Dec 2022 18:44:42 +0100 Subject: [PATCH 10/28] doppie permissions --- .../servers/.test/common/dependencies.bicep | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep index a69ae4a193..4dacfb7361 100644 --- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep @@ -94,6 +94,17 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { } } +resource keyPermissions2 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId //PIPPO + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + + @description('The principal ID of the created managed identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId From 7930de4938b507068117ba075f1c0298eac7de47 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 6 Dec 2022 19:06:55 +0100 Subject: [PATCH 11/28] y --- .../servers/.test/common/dependencies.bicep | 14 ++------------ .../servers/.test/common/deploy.test.bicep | 2 +- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep index 4dacfb7361..5ac8ffb105 100644 --- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep 
@@ -88,17 +88,7 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') scope: keyVault::key properties: { - principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2' //FABMAS managedIdentity.properties.principalId - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User - principalType: 'User' //'ServicePrincipal' - } -} - -resource keyPermissions2 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') - scope: keyVault::key - properties: { - principalId: managedIdentity.properties.principalId //PIPPO + principalId: managedIdentity.properties.principalId roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User principalType: 'ServicePrincipal' } @@ -109,7 +99,7 @@ resource keyPermissions2 'Microsoft.Authorization/roleAssignments@2022-04-01' = output managedIdentityPrincipalId string = managedIdentity.properties.principalId @description('The resource ID of the created managed identity.') -output managedIdentitResourceId string = managedIdentity.id +output managedIdentityResourceId string = managedIdentity.id @description('The resource ID of the created virtual network subnet for a Private Endpoint.') output privateEndpointSubnetResourceId string = virtualNetwork.properties.subnets[0].id diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep index 84558899cd..5cf619eff4 100644 --- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep 
@@ -139,7 +139,7 @@ module testDeployment '../../deploy.bicep' = { ] systemAssignedIdentity: true userAssignedIdentities: { - '${resourceGroupResources.outputs.managedIdentitResourceId}': {} + '${resourceGroupResources.outputs.managedIdentityResourceId}': {} } privateEndpoints: [ { From bf93cc0eb77b64ef665db5ee9da1bdd26efee685 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 6 Dec 2022 19:13:42 +0100 Subject: [PATCH 12/28] readme --- modules/Microsoft.Sql/servers/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md index 26b60259ca..4aa2e662ff 100644 --- a/modules/Microsoft.Sql/servers/readme.md +++ b/modules/Microsoft.Sql/servers/readme.md @@ -492,7 +492,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { ] systemAssignedIdentity: true userAssignedIdentities: { - '': {} + '': {} } virtualNetworkRules: [ { @@ -631,7 +631,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { }, "userAssignedIdentities": { "value": { - "": {} + "": {} } }, "virtualNetworkRules": { From 2cd40ce1f3321c81a9dacd050ef75e1482a9753f Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Fri, 9 Dec 2022 21:16:07 +0100 Subject: [PATCH 13/28] rimosso pippo --- modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep index 5cf619eff4..29a2448d6b 100644 --- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep 
@@ -36,7 +36,7 @@ module resourceGroupResources 'dependencies.bicep' = { name: '${uniqueString(deployment().name, location)}-nestedDependencies' params: { keyVaultName: 'dep-<>-kv-${serviceShort}' - managedIdentityName: 'pippo_carml_sqlserver' //'dep-<>-msi-${serviceShort}' + managedIdentityName: 'dep-<>-msi-${serviceShort}' virtualNetworkName: 'dep-<>-vnet-${serviceShort}' location: location } From fad39240bb2bd760f1de87e4bce4740a0d32e76d Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Fri, 9 Dec 2022 21:28:16 +0100 Subject: [PATCH 14/28] update --- modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep index 29a2448d6b..7f4bc5868f 100644 --- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep @@ -161,3 +161,4 @@ module testDeployment '../../deploy.bicep' = { ] } } + From 313c3522b6056552473d979d7a7a10a9bf5272a7 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Fri, 9 Dec 2022 21:59:30 +0100 Subject: [PATCH 15/28] update --- modules/Microsoft.Sql/servers/keys/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Sql/servers/keys/readme.md b/modules/Microsoft.Sql/servers/keys/readme.md index c14e6f7ba5..6e60ef00e8 100644 --- a/modules/Microsoft.Sql/servers/keys/readme.md +++ b/modules/Microsoft.Sql/servers/keys/readme.md @@ -1,6 +1,6 @@ # SQL Servers Keys `[Microsoft.Sql/servers/keys]` -This module deploys a key for a SQL managed instance. +This module deploys a key for a SQL server. ## Navigation From 6f8b2d0f58c88b3bbf7e36024b0cfad3db69b5c9 Mon Sep 17 00:00:00 2001 
From: Fabio Masciotra Date: Fri, 9 Dec 2022 22:11:49 +0100 Subject: [PATCH 16/28] dependency scope keyvault --- modules/Microsoft.Sql/servers/.test/common/dependencies.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep index 5ac8ffb105..9fbd82e511 100644 --- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep @@ -86,7 +86,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') - scope: keyVault::key + scope: keyVault // keyVault::key properties: { principalId: managedIdentity.properties.principalId roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User From b7a254216008538961e0627de9c6a69d8b6cfb83 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Fri, 9 Dec 2022 23:14:09 +0100 Subject: [PATCH 17/28] added FabioPermissions --- .../servers/.test/common/dependencies.bicep | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep index 9fbd82e511..394fab86ec 100644 --- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep 
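Review bot: Widening `scope` from `keyVault::key` to `keyVault` grants the managed identity `Key Vault Crypto Service Encryption User` over every key in the vault rather than only `keyEncryptionKey`, while the assignment `name` still hashes `keyVault::key.id` and the trailing `// keyVault::key` reads as a leftover rather than a decision. If a key-scoped assignment did not work in this setup, say so in the comment (`// vault scope: key-level assignment failed with <reason>`) so the broader grant is not copied into production templates; otherwise the key scope is the least-privilege choice for a test dependency.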
@@ -94,7 +94,15 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 }
 }
-
+resource FabioPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
+ scope: keyVault // keyVault::key
+ properties: {
+ principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2' //managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
+ principalType: 'User' //'ServicePrincipal'
+ }
+}
 @description('The principal ID of the created managed identity.')
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
From 2e0e8aab59bdf8482c5cfeb0a059cad1dce0545a Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Fri, 9 Dec 2022 23:16:11 +0100
Subject: [PATCH 18/28] guid
---
modules/Microsoft.Sql/servers/.test/common/dependencies.bicep | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
index 394fab86ec..da8b77c146 100644
--- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
@@ -95,7 +95,7 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 }
 resource FabioPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
+ name: guid('msi-${keyVault::key.id}-${location}-FabioMasciotra001-Key-Crypto-Service-Encryption-RoleAssignment')
 scope: keyVault // keyVault::key
 properties: {
 principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2' //managedIdentity.properties.principalId
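Review bot: `principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2'` with `principalType: 'User'` hard-codes one person's directory object ID into a committed test dependency, so every pipeline run grants that personal account a crypto role on the test vault and the template silently depends on that account existing in whichever tenant runs it; a debugging aid like this should stay in a local, uncommitted change. The new resource's `name: guid(...)` is also byte-identical to the seed `keyPermissions` uses above (`msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment`), so both role assignments resolve to the same resource name and the deployment cannot create both. The PATCH 18/28 hunk on this same line changes the seed rather than dropping the resource; PATCH 26/28 finally removes it, which is the right end state. The `FabioPermissions` body runs past the end of the PATCH 18 hunk.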
From 23b258870802244b228c33cf8c0a68702f83b4bf Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Fri, 9 Dec 2022 23:46:02 +0100
Subject: [PATCH 19/28] owner
---
modules/Microsoft.Sql/servers/.test/common/dependencies.bicep | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
index da8b77c146..5d459a3839 100644
--- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
@@ -95,11 +95,11 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 }
 resource FabioPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-FabioMasciotra001-Key-Crypto-Service-Encryption-RoleAssignment')
+ name: guid('msi-${keyVault::key.id}-${location}-FabioMasciotra002-Key-Crypto-Service-Encryption-RoleAssignment')
 scope: keyVault // keyVault::key
 properties: {
 principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2' //managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') // Key Vault Crypto Service Encryption User
 principalType: 'User' //'ServicePrincipal'
 }
 }
From db720b0ef7c74d248cf1080a3de1d9f05aab4872 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 10 Dec 2022 00:17:29 +0100
Subject: [PATCH 20/28] managedidentity carml-scom
---
modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
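Review bot: The `// Key Vault Crypto Service Encryption User` comment kept on the changed `roleDefinitionId` line no longer describes the value: the commit subject is "owner" and `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` is the built-in Owner role, so the hard-coded user now gets full control of the test vault, including the right to rewrite its RBAC, rather than wrap/unwrap on one key. If a broader role is genuinely needed to diagnose the TDE failure, the line should say so, e.g. `// Owner - temporary, debugging only`, so nobody copies it as the documented minimum. Bumping the seed from `FabioMasciotra001` to `FabioMasciotra002` also creates a second assignment under a new name, and in an incremental deployment the previous one is not removed by the template, so it has to be cleaned up by hand. PATCH 26/28 deletes the whole resource, which resolves all of this.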
diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
index 7f4bc5868f..0e3e9a95db 100644
--- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
@@ -36,7 +36,7 @@ module resourceGroupResources 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 keyVaultName: 'dep-<>-kv-${serviceShort}'
- managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ managedIdentityName: '<>-${serviceShort}' //'dep-<>-msi-${serviceShort}'
 virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
 location: location
 }
From 6081fddefde36dc190c92147e21ad39824c5c77c Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 10 Dec 2022 00:31:34 +0100
Subject: [PATCH 21/28] systemmanagedidentity
---
.../Microsoft.Sql/servers/.test/common/dependencies.bicep | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
index 5d459a3839..451547d9d9 100644
--- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
@@ -10,9 +10,13 @@ param location string = resourceGroup().location
 @description('Required. The name of the Key Vault to create.')
 param keyVaultName string
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+// resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+// name: managedIdentityName
+// location: location
+// }
+
+resource managedIdentity 'Microsoft.ManagedIdentity/identities@2022-01-31-preview' existing = {
 name: managedIdentityName
- location: location
 }
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
From 94c9c3f2fb7953c61056773e102ddfd05fd07be5 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 10 Dec 2022 00:51:40 +0100
Subject: [PATCH 22/28] systemidentity=false
---
.../Microsoft.Sql/servers/.test/common/dependencies.bicep | 8 ++------
.../Microsoft.Sql/servers/.test/common/deploy.test.bicep | 4 ++--
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
index 451547d9d9..5d459a3839 100644
--- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
@@ -10,13 +10,9 @@ param location string = resourceGroup().location
 @description('Required. The name of the Key Vault to create.')
 param keyVaultName string
-// resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
-// name: managedIdentityName
-// location: location
-// }
-
-resource managedIdentity 'Microsoft.ManagedIdentity/identities@2022-01-31-preview' existing = {
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
 name: managedIdentityName
+ location: location
 }
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
index 0e3e9a95db..083988b199 100644
--- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
@@ -36,7 +36,7 @@ module resourceGroupResources 'dependencies.bicep' = {
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
 keyVaultName: 'dep-<>-kv-${serviceShort}'
- managedIdentityName: '<>-${serviceShort}' //'dep-<>-msi-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
 virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
 location: location
 }
@@ -137,7 +137,7 @@ module testDeployment '../../deploy.bicep' = {
 uri: resourceGroupResources.outputs.keyVaultEncryptionKeyUrl
 }
 ]
- systemAssignedIdentity: true
+ systemAssignedIdentity: false
 userAssignedIdentities: {
 '${resourceGroupResources.outputs.managedIdentityResourceId}': {}
 }
From 53024818f05fdf2fb50be3a62604864f62bc9c20 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 10 Dec 2022 00:59:53 +0100
Subject: [PATCH 23/28] readme
---
modules/Microsoft.Sql/servers/readme.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
index 4aa2e662ff..16175d8a3c 100644
--- a/modules/Microsoft.Sql/servers/readme.md
+++ b/modules/Microsoft.Sql/servers/readme.md
@@ -490,7 +490,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 state: 'Enabled'
 }
 ]
- systemAssignedIdentity: true
+ systemAssignedIdentity: false
 userAssignedIdentities: {
 '': {}
 }
@@ -627,7 +627,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 ]
 },
 "systemAssignedIdentity": {
- "value": true
+ "value": false
 },
 "userAssignedIdentities": {
 "value": {
From 98684ce545c88ca54f207c38a32d31c9a483d893 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 10 Dec 2022 01:26:55 +0100
Subject: [PATCH 24/28] systemidentity true
---
modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep | 2 +-
modules/Microsoft.Sql/servers/readme.md | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
index 083988b199..7f4bc5868f 100644
--- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
@@ -137,7 +137,7 @@ module testDeployment '../../deploy.bicep' = {
 uri: resourceGroupResources.outputs.keyVaultEncryptionKeyUrl
 }
 ]
- systemAssignedIdentity: false
+ systemAssignedIdentity: true
 userAssignedIdentities: {
 '${resourceGroupResources.outputs.managedIdentityResourceId}': {}
 }
diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
index 16175d8a3c..4aa2e662ff 100644
--- a/modules/Microsoft.Sql/servers/readme.md
+++ b/modules/Microsoft.Sql/servers/readme.md
@@ -490,7 +490,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 state: 'Enabled'
 }
 ]
- systemAssignedIdentity: false
+ systemAssignedIdentity: true
 userAssignedIdentities: {
 '': {}
 }
@@ -627,7 +627,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 ]
 },
 "systemAssignedIdentity": {
- "value": false
+ "value": true
 },
 "userAssignedIdentities": {
 "value": {
From 72aa186aa1fa570d93506c5d58e539d4e667df69 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 10 Dec 2022 02:07:25 +0100
Subject: [PATCH 25/28] primaryUserAssignedIdentity
---
modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep | 1 +
modules/Microsoft.Sql/servers/deploy.bicep | 4 ++++
modules/Microsoft.Sql/servers/readme.md | 5 +++++
3 files changed, 10 insertions(+)
diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
index 7f4bc5868f..87c83e02e5 100644
--- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
@@ -67,6 +67,7 @@ module testDeployment '../../deploy.bicep' = {
 enableDefaultTelemetry: enableDefaultTelemetry
 name: '<>-${serviceShort}'
 lock: 'CanNotDelete'
+ primaryUserAssignedIdentityId: resourceGroupResources.outputs.managedIdentityResourceId
 administratorLogin: 'adminUserName'
 administratorLoginPassword: password
 location: location
diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep
index 544bcc2718..735bd32b4c 100644
--- a/modules/Microsoft.Sql/servers/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/deploy.bicep
@@ -17,6 +17,9 @@ param systemAssignedIdentity bool = false
 @description('Optional. The ID(s) to assign to the resource.')
 param userAssignedIdentities object = {}
+@description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.')
+param primaryUserAssignedIdentityId string = ''
+
 @allowed([
 ''
 'CanNotDelete'
@@ -116,6 +119,7 @@ resource server 'Microsoft.Sql/servers@2022-05-01-preview' = {
 } : null
 version: '12.0'
 minimalTlsVersion: minimalTlsVersion
+ primaryUserAssignedIdentityId: !empty(primaryUserAssignedIdentityId) ? primaryUserAssignedIdentityId : null
 publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(firewallRules) && empty(virtualNetworkRules) ? 'Disabled' : null)
 }
 }
diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
index 4aa2e662ff..8d376a76ae 100644
--- a/modules/Microsoft.Sql/servers/readme.md
+++ b/modules/Microsoft.Sql/servers/readme.md
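Review bot: The new `primaryUserAssignedIdentityId` parameter documents a contract (`Required if "userAssignedIdentities" is not empty`) that nothing in the template enforces, and the description leaves out the two constraints that matter when it is combined with the `keys` parameter introduced earlier in this series: the ID presumably has to be one of the entries of `userAssignedIdentities`, and it is the identity Azure SQL uses to reach a customer-managed key, so that identity needs its key permissions in place before the server is deployed. Suggest extending the `@description` to state both, and using backticks around `userAssignedIdentities` as the neighbouring descriptions do for parameter names. The `server` resource touched by the second hunk starts and ends outside it.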
@@ -43,6 +43,7 @@ This module deploys a SQL server.
 | `administratorLogin` | string | `''` | The administrator username for the server. Required if no `administrators` object for AAD authentication is provided. |
 | `administratorLoginPassword` | secureString | `''` | The administrator login password. Required if no `administrators` object for AAD authentication is provided. |
 | `administrators` | object | `{object}` | The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. |
+| `primaryUserAssignedIdentityId` | string | `''` | The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty. |
 **Optional parameters**
@@ -463,6 +464,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 ]
 location: ''
 lock: 'CanNotDelete'
+ primaryUserAssignedIdentityId: ''
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
@@ -593,6 +595,9 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 "lock": {
 "value": "CanNotDelete"
 },
+ "primaryUserAssignedIdentityId": {
+ "value": ""
+ },
 "privateEndpoints": {
 "value": [
 {
From 87d7c96fc92c7fd412131d84515bfb86ec0d3351 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 10 Dec 2022 02:25:11 +0100
Subject: [PATCH 26/28] rimosso FabioPermissions
---
.../servers/.test/common/dependencies.bicep | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
index 5d459a3839..3acb32a759 100644
--- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
@@ -94,15 +94,6 @@ resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 }
 }
-resource FabioPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-FabioMasciotra002-Key-Crypto-Service-Encryption-RoleAssignment')
- scope: keyVault // keyVault::key
- properties: {
- principalId: '0664bbad-f57c-4c87-bee4-74cec8b677d2' //managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') // Key Vault Crypto Service Encryption User
- principalType: 'User' //'ServicePrincipal'
- }
-}
 @description('The principal ID of the created managed identity.')
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
From 3c95d0770fcd23f91febde387eeaa80471b4ed25 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Wed, 14 Dec 2022 08:48:02 +0100
Subject: [PATCH 27/28] Update modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
modules/Microsoft.Sql/servers/.test/common/dependencies.bicep | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
index 3acb32a759..5825c17fb0 100644
--- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
@@ -85,7 +85,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 }
 resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
+ name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Vault-Crypto-Service-Encryption-User-RoleAssignment')
 scope: keyVault // keyVault::key
 properties: {
 principalId: managedIdentity.properties.principalId
From 515e3e3e5c7b1efca022525734c84875520e45db Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Wed, 14 Dec 2022 08:50:46 +0100
Subject: [PATCH 28/28] KeyPermissions applied to Key
---
modules/Microsoft.Sql/servers/.test/common/dependencies.bicep | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
index 5825c17fb0..da6583678c 100644
--- a/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/dependencies.bicep
@@ -86,7 +86,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Vault-Crypto-Service-Encryption-User-RoleAssignment')
- scope: keyVault // keyVault::key
+ scope: keyVault::key
 properties: {
 principalId: managedIdentity.properties.principalId
 roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User