diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep index 70a98d3117..1a227850db 100644 --- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep @@ -116,6 +116,10 @@ module testDeployment '../../deploy.bicep' = { diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/<>-${serviceShort}/elasticPools/<>-${serviceShort}-ep-001' + encryptionProtectorObj: { + serverKeyType: 'AzureKeyVault' + serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}' + } backupShortTermRetentionPolicy: { retentionDays: 14 } diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep index 9245761204..57f0c79b3e 100644 --- a/modules/Microsoft.Sql/servers/deploy.bicep +++ b/modules/Microsoft.Sql/servers/deploy.bicep @@ -94,6 +94,9 @@ var identity = identityType != 'None' ? { var enableReferencedModulesTelemetry = false +@description('Optional. The encryption protection configuration.') +param encryptionProtectorObj object = {} + @description('Optional. The vulnerability assessment configuration.') param vulnerabilityAssessmentsObj object = {} 
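Review bot: The `serverKeyName` added under `encryptionProtectorObj` hand-builds the `<vault>_<key>_<version>` server-key name by splitting the key URL, which pins the protector to the exact key version present when the test runs. If the same key is also registered through the `keys` parameter elsewhere in this test (outside the hunk), both expressions have to stay identical or the protector will reference a key the server does not know; hoisting it into one `var encryptionProtectorKeyName = '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'` used in both places avoids that drift. The testDeployment module body starts and ends outside the hunk.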
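Review bot: `encryptionProtectorObj` is an untyped `object`, and its description gives a caller no idea which keys the wrapper will read, so the expected shape should be spelled out here rather than left to be discovered from the module block further down: `@description('Optional. The encryption protection configuration. Object with serverKeyName (required when the object is given), serverKeyType (AzureKeyVault or ServiceManaged) and autoRotationEnabled.')`. Which of those keys is required versus defaulted is decided where the object is consumed, so the description and that code should be reviewed together.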
@@ -312,6 +315,20 @@ module server_keys 'keys/deploy.bicep' = [for (key, index) in keys: { } }] +module server_encryptionProtector 'encryptionProtector/deploy.bicep' = if (!empty(encryptionProtectorObj)) { + name: '${uniqueString(deployment().name, location)}-Sql-EncryProtector' + params: { + sqlServerName: server.name + serverKeyName: encryptionProtectorObj.serverKeyName + serverKeyType: contains(encryptionProtectorObj, 'serverKeyType') ? encryptionProtectorObj.serverKeyType : 'ServiceManaged' + autoRotationEnabled: contains(encryptionProtectorObj, 'autoRotationEnabled') ? encryptionProtectorObj.autoRotationEnabled : true + enableDefaultTelemetry: enableReferencedModulesTelemetry + } + dependsOn: [ + server_keys + ] +} + @description('The name of the deployed SQL server.') output name string = server.name diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep new file mode 100644 index 0000000000..ba21cc86c4 --- /dev/null +++ b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep 
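Review bot: `serverKeyName: encryptionProtectorObj.serverKeyName` is read unconditionally, so any non-empty object that omits it — including a plain `{ serverKeyType: 'ServiceManaged' }`, which the `contains` fallback on the very next line suggests is meant to work — fails the deployment with a missing-property error instead of falling back. Either guard it like the other two properties, `serverKeyName: contains(encryptionProtectorObj, 'serverKeyName') ? encryptionProtectorObj.serverKeyName : 'ServiceManaged'` (as far as I recall the service-managed protector's key is itself named `ServiceManaged` — verify against the API before relying on it), or state in the parameter description that `serverKeyName` is mandatory whenever the object is supplied. Separately, the `autoRotationEnabled` fallback here is `true`, while the new child module in the encryptionProtector/deploy.bicep hunk and its readme default it to `false`; for an AzureKeyVault protector this flag decides whether TDE follows key rotation, so the wrapper and the child should agree on one default and a caller reading the child readme should not be surprised by the parent.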
@@ -0,0 +1,53 @@
+@description('Conditional. The name of the sql server. Required if the template is used in a standalone deployment.')
+param sqlServerName string
+
+@description('Required. The name of the server key.')
+param serverKeyName string
+
+@description('Optional. Key auto rotation opt-in.')
+param autoRotationEnabled bool = false
+
+@description('Optional. The encryption protector type.')
+@allowed([
+ 'AzureKeyVault'
+ 'ServiceManaged'
+])
+param serverKeyType string = 'ServiceManaged'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource sqlServer 'Microsoft.Sql/servers@2022-08-01-preview' existing = {
+ name: sqlServerName
+}
+
+resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2022-08-01-preview' = {
+ name: 'current'
+ parent: sqlServer
+ properties: {
+ serverKeyType: serverKeyType
+ autoRotationEnabled: autoRotationEnabled
+ serverKeyName: serverKeyName
+ }
+}
+
+@description('The name of the deployed encryption protector.')
+output name string = encryptionProtector.name
+
+@description('The resource ID of the encryption protector.')
+output resourceId string = encryptionProtector.id
+
+@description('The resource group of the deployed encryption protector.')
+output resourceGroupName string = resourceGroup().name
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/readme.md b/modules/Microsoft.Sql/servers/encryptionProtector/readme.md
new file mode 100644
index 0000000000..f1799ac1ea
--- /dev/null
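Review bot: The `sqlServer` and `encryptionProtector` resources are declared with API version `2022-08-01-preview`, while the readme added in this same commit (and the parent readme's resource-type table) lists `2021-11-01` for `Microsoft.Sql/servers/encryptionProtector`, so the documented and deployed versions disagree. For a shared library module the GA version the readme already cites is the safer pin, e.g. `resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2021-11-01' = {`; if the preview version is needed for a property used here, the readme should be regenerated to match it instead. The `@description` of `serverKeyType` could also say what the two values mean for the protector, since nothing in the file explains that `AzureKeyVault` selects a customer-managed key registered on the server and `ServiceManaged` the platform-managed one.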
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/readme.md
@@ -0,0 +1,51 @@
+# Sql Servers EncryptionProtector `[Microsoft.Sql/servers/encryptionProtector]`
+
+This module deploys an Sql Servers Encryption Protector.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Sql/servers/encryptionProtector` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/encryptionProtector) |
+
+## Parameters
+
+**Required parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `serverKeyName` | string | The name of the server key. |
+
+**Conditional parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `sqlServerName` | string | The name of the sql server. |
+
+**Optional parameters**
+
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `autoRotationEnabled` | bool | `False` | | Key auto rotation opt-in. |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type like "ServiceManaged", "AzureKeyVault". |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed encryption protector. |
+| `resourceGroupName` | string | The resource group of the deployed encryption protector. |
+| `resourceId` | string | The resource ID of the encryption protector. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/version.json b/modules/Microsoft.Sql/servers/encryptionProtector/version.json
new file mode 100644
index 0000000000..badc0a2285
--- /dev/null
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.5"
+}
diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
index c4a561d06f..a7629ffe4d 100644
--- a/modules/Microsoft.Sql/servers/readme.md
+++ b/modules/Microsoft.Sql/servers/readme.md
@@ -24,6 +24,7 @@ This module deploys a SQL server.
 | `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) |
 | `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) |
 | `Microsoft.Sql/servers/elasticPools` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/elasticPools) |
+| `Microsoft.Sql/servers/encryptionProtector` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/encryptionProtector) |
 | `Microsoft.Sql/servers/firewallRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/firewallRules) |
 | `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) |
 | `Microsoft.Sql/servers/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/securityAlertPolicies) |
@@ -54,6 +55,7 @@ This module deploys a SQL server.
 | `databases` | _[databases](databases/readme.md)_ array | `[]` | | The databases to create in the server. |
 | `elasticPools` | _[elasticPools](elasticPools/readme.md)_ array | `[]` | | The Elastic Pools to create in the server. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `encryptionProtectorObj` | _[encryptionProtector](encryptionProtector/readme.md)_ object | `{object}` | | The encryption protection configuration. |
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | The firewall rules to create in the server. |
 | `keys` | _[keys](keys/readme.md)_ array | `[]` | | The keys to configure. |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
@@ -459,6 +461,10 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
 elasticPoolId: ''
+ encryptionProtectorObj: {
+ serverKeyName: ''
+ serverKeyType: 'AzureKeyVault'
+ }
 licenseType: 'LicenseIncluded'
 maxSizeBytes: 34359738368
 name: '<>-sqlscomdb-001'
@@ -592,6 +598,10 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 "diagnosticStorageAccountId": "",
 "diagnosticWorkspaceId": "",
 "elasticPoolId": "",
+ "encryptionProtectorObj": {
+ "serverKeyName": "",
+ "serverKeyType": "AzureKeyVault"
+ },
 "licenseType": "LicenseIncluded",
 "maxSizeBytes": 34359738368,
 "name": "<>-sqlscomdb-001",