From bb48d39e42cd14116ca60f9db8cdcc3d4cd6e0e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 20 Mar 2023 09:56:31 +0100
Subject: [PATCH 01/11] added module
---
 .../servers/encryptionProtector/deploy.bicep | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
new file mode 100644
index 0000000000..d941fc4887
--- /dev/null
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
@@ -0,0 +1,38 @@
+@description('Conditional. The name of the sql server.')
+param sqlServerName string
+
+@description('Required. The name of the server key.')
+param serverKeyName string
+
+@description('Optional. Key auto rotation opt-in.')
+param autoRotationEnabled bool = false
+
+@description('Optional. The encryption protector type like "ServiceManaged", "AzureKeyVault".')
+@allowed([
+ 'AzureKeyVault'
+ 'ServiceManaged'
+])
+param serverKeyType string = 'ServiceManaged'
+
+resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
+ name: sqlServerName
+}
+
+resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2021-11-01' = {
+ name: 'current'
+ parent: sqlServer
+ properties: {
+ serverKeyType: serverKeyType
+ autoRotationEnabled: autoRotationEnabled
+ serverKeyName: serverKeyName
+ }
+}
+
+@description('The name of the deployed encryption protector.')
+output name string = encryptionProtector.name
+
+@description('The resource ID of the encryption protector.')
+output resourceId string = encryptionProtector.id
+
+@description('The resource group of the deployed encryption protector.')
+output resourceGroupName string = resourceGroup().name
From d8afb46d257f34cc272b38329b30e73723827eb5 Mon Sep 17 00:00:00 2001
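Review bot: `autoRotationEnabled` defaults to `false` and its description, `Key auto rotation opt-in.`, does not tell a caller what opting out means for an `AzureKeyVault` protector; as far as I read the service semantics, leaving it off keeps TDE bound to the key version named in `serverKeyName` when the Key Vault key is rotated. A description such as `@description('Optional. Key auto rotation opt-in. When false the protector is not updated when the referenced Key Vault key receives a new version.')` would make the trade-off visible where the decision is made. The module also only references the server key: nothing here creates a `Microsoft.Sql/servers/keys` resource, so standalone users must deploy that key first, and the `serverKeyName` description could say so, e.g. `Required. The name of an existing server key of the SQL server (see the keys module).`. The hunk is the whole new file.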
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 20 Mar 2023 10:16:51 +0100
Subject: [PATCH 02/11] Added sql protector
---
 modules/Microsoft.Sql/servers/deploy.bicep | 17 ++++++
 .../servers/encryptionProtector/deploy.bicep | 15 ++++++
 .../servers/encryptionProtector/readme.md | 53 +++++++++++++++++++
 modules/Microsoft.Sql/servers/readme.md | 2 +
 4 files changed, 87 insertions(+)
 create mode 100644 modules/Microsoft.Sql/servers/encryptionProtector/readme.md
diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep
index 9245761204..1ac4785959 100644
--- a/modules/Microsoft.Sql/servers/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/deploy.bicep
@@ -94,6 +94,9 @@ var identity = identityType != 'None' ? {
 var enableReferencedModulesTelemetry = false
+@description('Optional. The encryption protection configuration.')
+param encryptionProtectorObj object = {}
+
 @description('Optional. The vulnerability assessment configuration.')
 param vulnerabilityAssessmentsObj object = {}
@@ -301,6 +304,20 @@ module server_vulnerabilityAssessment 'vulnerabilityAssessments/deploy.bicep' =
 ]
 }
+module server_encryptionProtector 'encryptionProtector/deploy.bicep' = if (!empty(encryptionProtectorObj)) {
+ name: '${uniqueString(deployment().name, location)}-SqlMi-EncryProtector'
+ params: {
+ sqlServerName: server.name
+ serverKeyName: encryptionProtectorObj.serverKeyName
+ serverKeyType: contains(encryptionProtectorObj, 'serverKeyType') ? encryptionProtectorObj.serverKeyType : 'ServiceManaged'
+ autoRotationEnabled: contains(encryptionProtectorObj, 'autoRotationEnabled') ? encryptionProtectorObj.autoRotationEnabled : true
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+ dependsOn: [
+ server_keys
+ ]
+}
+
 module server_keys 'keys/deploy.bicep' = [for (key, index) in keys: {
 name: '${uniqueString(deployment().name, location)}-Sql-Key-${index}'
 params: {
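Review bot: In the `server_encryptionProtector` call the fallback `autoRotationEnabled: contains(encryptionProtectorObj, 'autoRotationEnabled') ? encryptionProtectorObj.autoRotationEnabled : true` disagrees with the child module's own `param autoRotationEnabled bool = false` and its readme, so the same omitted key yields opposite rotation behaviour depending on whether the protector is deployed through this module or standalone. Pick one default and apply it in both places: either change the fallback here to `false`, or make the child default `true` and regenerate its readme. `encryptionProtectorObj.serverKeyName` is read unconditionally, so an object that only sets `serverKeyType: 'ServiceManaged'` fails at deploy time on the missing property; `serverKeyName: contains(encryptionProtectorObj, 'serverKeyName') ? encryptionProtectorObj.serverKeyName : ''`, or documenting the key as mandatory in the parent readme, would make the contract explicit. `dependsOn: [ server_keys ]` only orders the deployments; nothing checks that the named key is among `keys`, so an `AzureKeyVault` protector with an empty `keys` array will presumably fail with a not-found error at deploy time rather than at validation.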
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
index d941fc4887..0827696e7e 100644
--- a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
@@ -14,6 +14,21 @@ param autoRotationEnabled bool = false
 ])
 param serverKeyType string = 'ServiceManaged'
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
 resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
 name: sqlServerName
 }
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/readme.md b/modules/Microsoft.Sql/servers/encryptionProtector/readme.md
new file mode 100644
index 0000000000..f43587b82b
--- /dev/null
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/readme.md
@@ -0,0 +1,53 @@
+# Sql Servers EncryptionProtector `[Microsoft.Sql/servers/encryptionProtector]`
+
+This module deploys Sql Servers EncryptionProtector.
+
+## Navigation
+
+- [Sql Servers EncryptionProtector `[Microsoft.Sql/servers/encryptionProtector]`](#sql-servers-encryptionprotector-microsoftsqlserversencryptionprotector)
+ - [Navigation](#navigation)
+ - [Resource Types](#resource-types)
+ - [Parameters](#parameters)
+ - [Outputs](#outputs)
+ - [Cross-referenced modules](#cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Sql/servers/encryptionProtector` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/encryptionProtector) |
+
+## Parameters
+
+**Required parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `serverKeyName` | string | The name of the server key. |
+
+**Conditional parameters**
+
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `sqlServerName` | string | The name of the sql server. |
+
+**Optional parameters**
+
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `autoRotationEnabled` | bool | `False` | | Key auto rotation opt-in. |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `serverKeyType` | string | `'ServiceManaged'` | `[AzureKeyVault, ServiceManaged]` | The encryption protector type like "ServiceManaged", "AzureKeyVault". |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed encryption protector. |
+| `resourceGroupName` | string | The resource group of the deployed encryption protector. |
+| `resourceId` | string | The resource ID of the encryption protector. |
+
+## Cross-referenced modules
+
+_None_
diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
index c4a561d06f..05f0b90e15 100644
--- a/modules/Microsoft.Sql/servers/readme.md
+++ b/modules/Microsoft.Sql/servers/readme.md
@@ -24,6 +24,7 @@ This module deploys a SQL server.
 | `Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupLongTermRetentionPolicies) |
 | `Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/databases/backupShortTermRetentionPolicies) |
 | `Microsoft.Sql/servers/elasticPools` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/elasticPools) |
+| `Microsoft.Sql/servers/encryptionProtector` | [2021-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-11-01/servers/encryptionProtector) |
 | `Microsoft.Sql/servers/firewallRules` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/firewallRules) |
 | `Microsoft.Sql/servers/keys` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-05-01-preview/servers/keys) |
 | `Microsoft.Sql/servers/securityAlertPolicies` | [2022-02-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/securityAlertPolicies) |
@@ -54,6 +55,7 @@ This module deploys a SQL server.
 | `databases` | _[databases](databases/readme.md)_ array | `[]` | | The databases to create in the server. |
 | `elasticPools` | _[elasticPools](elasticPools/readme.md)_ array | `[]` | | The Elastic Pools to create in the server. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `encryptionProtectorObj` | _[encryptionProtector](encryptionProtector/readme.md)_ object | `{object}` | | The encryption protection configuration. |
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | The firewall rules to create in the server. |
 | `keys` | _[keys](keys/readme.md)_ array | `[]` | | The keys to configure. |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
From 2d6241818868be9772293ccb3e80173c9806b5e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 20 Mar 2023 15:14:56 +0100
Subject: [PATCH 03/11] Added version file
---
 .../Microsoft.Sql/servers/encryptionProtector/version.json | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 modules/Microsoft.Sql/servers/encryptionProtector/version.json
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/version.json b/modules/Microsoft.Sql/servers/encryptionProtector/version.json
new file mode 100644
index 0000000000..badc0a2285
--- /dev/null
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.5"
+}
From 722f1498df2700eeacb3699415bbf405c689441e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 20 Mar 2023 15:15:03 +0100
Subject: [PATCH 04/11] updated readme
---
 .../servers/encryptionProtector/readme.md | 12 +++++-------
 modules/Microsoft.Sql/servers/readme.md | 8 ++++++++
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/readme.md b/modules/Microsoft.Sql/servers/encryptionProtector/readme.md
index f43587b82b..f1799ac1ea 100644
--- a/modules/Microsoft.Sql/servers/encryptionProtector/readme.md
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/readme.md
@@ -1,15 +1,13 @@
 # Sql Servers EncryptionProtector `[Microsoft.Sql/servers/encryptionProtector]`
-This module deploys Sql Servers EncryptionProtector.
+This module deploys an Sql Servers Encryption Protector.
 ## Navigation
-- [Sql Servers EncryptionProtector `[Microsoft.Sql/servers/encryptionProtector]`](#sql-servers-encryptionprotector-microsoftsqlserversencryptionprotector)
- - [Navigation](#navigation)
- - [Resource Types](#resource-types)
- - [Parameters](#parameters)
- - [Outputs](#outputs)
- - [Cross-referenced modules](#cross-referenced-modules)
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
 ## Resource Types
diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
index 05f0b90e15..a7629ffe4d 100644
--- a/modules/Microsoft.Sql/servers/readme.md
+++ b/modules/Microsoft.Sql/servers/readme.md
@@ -461,6 +461,10 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
 elasticPoolId: ''
+ encryptionProtectorObj: {
+ serverKeyName: ''
+ serverKeyType: 'AzureKeyVault'
+ }
 licenseType: 'LicenseIncluded'
 maxSizeBytes: 34359738368
 name: '<>-sqlscomdb-001'
@@ -594,6 +598,10 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 "diagnosticStorageAccountId": "",
 "diagnosticWorkspaceId": "",
 "elasticPoolId": "",
+ "encryptionProtectorObj": {
+ "serverKeyName": "",
+ "serverKeyType": "AzureKeyVault"
+ },
 "licenseType": "LicenseIncluded",
 "maxSizeBytes": 34359738368,
 "name": "<>-sqlscomdb-001",
From 5f0820ec3ffb76e3fe795ed3639999abaf022753 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 20 Mar 2023 15:15:14 +0100
Subject: [PATCH 05/11] Moved module
---
 modules/Microsoft.Sql/servers/deploy.bicep | 24 +++++++++++-----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep
index 1ac4785959..57f0c79b3e 100644
--- a/modules/Microsoft.Sql/servers/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/deploy.bicep
@@ -304,8 +304,19 @@ module server_vulnerabilityAssessment 'vulnerabilityAssessments/deploy.bicep' =
 ]
 }
+module server_keys 'keys/deploy.bicep' = [for (key, index) in keys: {
+ name: '${uniqueString(deployment().name, location)}-Sql-Key-${index}'
+ params: {
+ name: key.name
+ serverName: server.name
+ serverKeyType: contains(key, 'serverKeyType') ? key.serverKeyType : 'ServiceManaged'
+ uri: contains(key, 'uri') ? key.uri : ''
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
 module server_encryptionProtector 'encryptionProtector/deploy.bicep' = if (!empty(encryptionProtectorObj)) {
- name: '${uniqueString(deployment().name, location)}-SqlMi-EncryProtector'
+ name: '${uniqueString(deployment().name, location)}-Sql-EncryProtector'
 params: {
 sqlServerName: server.name
 serverKeyName: encryptionProtectorObj.serverKeyName
@@ -318,17 +329,6 @@ module server_encryptionProtector 'encryptionProtector/deploy.bicep' = if (!empt
 ]
 }
-module server_keys 'keys/deploy.bicep' = [for (key, index) in keys: {
- name: '${uniqueString(deployment().name, location)}-Sql-Key-${index}'
- params: {
- name: key.name
- serverName: server.name
- serverKeyType: contains(key, 'serverKeyType') ? key.serverKeyType : 'ServiceManaged'
- uri: contains(key, 'uri') ? key.uri : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- }
-}]
-
 @description('The name of the deployed SQL server.')
 output name string = server.name
From b38f9d30a0ef31424a74b5869f945f1d2cf4d30c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 20 Mar 2023 15:15:23 +0100
Subject: [PATCH 06/11] added encryption to test
---
 modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
index 70a98d3117..1a227850db 100644
--- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep
@@ -116,6 +116,10 @@ module testDeployment '../../deploy.bicep' = {
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
 elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/<>-${serviceShort}/elasticPools/<>-${serviceShort}-ep-001'
+ encryptionProtectorObj: {
+ serverKeyType: 'AzureKeyVault'
+ serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}'
+ }
 backupShortTermRetentionPolicy: {
 retentionDays: 14
 }
From 936fe0459520f0a1e08bd69d45842ecb5c954303 Mon Sep 17 00:00:00 2001
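Review bot: The test's `serverKeyName` is assembled as `<vaultName>_<keyName>_<last URL segment>`, which only yields the `vault_key_version` server-key name if `keyVaultEncryptionKeyUrl` is a versioned key identifier; with a versionless URL `last(split(..., '/'))` returns the key name again and the protector would reference a server key that does not exist. Worth stating where the output is consumed, e.g. `// keyVaultEncryptionKeyUrl must be the versioned key id: the server key is named <vault>_<key>_<version>`, and ideally pinning it in the dependency template. The hunk shows no matching entry in `keys`, and the protector module does not create the server key itself, so unless the same key is registered elsewhere in this `testDeployment` the deployment will presumably fail; the `testDeployment` module call starts and ends outside the hunk.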
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Tue, 21 Mar 2023 14:50:52 +0100
Subject: [PATCH 07/11] Updated API Version
---
 .../Microsoft.Sql/servers/encryptionProtector/deploy.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
index 0827696e7e..2fc040b0a8 100644
--- a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
@@ -29,11 +29,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
+resource sqlServer 'Microsoft.Sql/servers@2022-08-01-preview' existing = {
 name: sqlServerName
 }
-resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2021-11-01' = {
+resource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2022-08-01-preview' = {
 name: 'current'
 parent: sqlServer
 properties: {
From 5f8be866917d03a7cc29cf037c1a5981970f6885 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Tue, 21 Mar 2023 15:01:41 +0100
Subject: [PATCH 08/11] Added required description to parameter
---
 modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
index 2fc040b0a8..07a7f3a381 100644
--- a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
@@ -1,4 +1,4 @@
-@description('Conditional. The name of the sql server.')
+@description('Conditional. The name of the sql server. Required if the template is used in a standalone deployment.')
 param sqlServerName string
 @description('Required. The name of the server key.')
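Review bot: The move of `sqlServer` and `encryptionProtector` to `@2022-08-01-preview` is not reflected in the documentation added earlier in this series: both `modules/Microsoft.Sql/servers/encryptionProtector/readme.md` and the resource-type table in `modules/Microsoft.Sql/servers/readme.md` still list `2021-11-01` for `Microsoft.Sql/servers/encryptionProtector` (patches 02 and 04). Regenerate the readmes so the documented API version matches the template. Since the module was first written against the GA `2021-11-01` API with the same three properties (`serverKeyType`, `autoRotationEnabled`, `serverKeyName`), the commit message should also say which feature required a preview API, otherwise a later maintainer has no way to judge whether it can be pinned back to a GA version.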
From 595eacb7fa6b2e90983c7df2eb9b59c3cd2ec7e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 27 Mar 2023 10:37:00 +0200
Subject: [PATCH 09/11] Update settings.yml
---
 settings.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/settings.yml b/settings.yml
index 6ed96e59e8..e315e62a02 100644
--- a/settings.yml
+++ b/settings.yml
@@ -68,7 +68,7 @@ variables:
 # ------------------------------- #
 bicepRegistryDoPublish: true # Set to true, if you would like to publish module templates to a bicep registry
-bicepRegistryName: adpsxxazacrx001 # The name of the bicep registry (ACR) to publish to. If it does not exist, it will be created.
+bicepRegistryName: adpabxazacrx001 # The name of the bicep registry (ACR) to publish to. If it does not exist, it will be created.
 bicepRegistryRGName: 'artifacts-rg' # The resource group that hosts the private bicep registry (ACR)
 bicepRegistryRgLocation: 'West Europe' # The location of the resource group to publish to
From 5f8e0312e457e1b2d1d8d13d04f3f2197cdec5fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Mon, 27 Mar 2023 11:46:28 +0200
Subject: [PATCH 10/11] Update modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
Co-authored-by: Alexander Sehr
---
 modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
index 07a7f3a381..ba21cc86c4 100644
--- a/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/encryptionProtector/deploy.bicep
@@ -7,7 +7,7 @@ param serverKeyName string
 @description('Optional. Key auto rotation opt-in.')
 param autoRotationEnabled bool = false
-@description('Optional. The encryption protector type like "ServiceManaged", "AzureKeyVault".')
+@description('Optional. The encryption protector type.')
 @allowed([
 'AzureKeyVault'
 'ServiceManaged'
From 668b84fdbd3184609ea1d16703088fef3c4fa8ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20H=C3=BCppauff?=
Date: Thu, 30 Mar 2023 09:01:34 +0200
Subject: [PATCH 11/11] Update settings.yml
Co-authored-by: Alexander Sehr
---
 settings.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/settings.yml b/settings.yml
index e315e62a02..6ed96e59e8 100644
--- a/settings.yml
+++ b/settings.yml
@@ -68,7 +68,7 @@ variables:
 # ------------------------------- #
 bicepRegistryDoPublish: true # Set to true, if you would like to publish module templates to a bicep registry
-bicepRegistryName: adpabxazacrx001 # The name of the bicep registry (ACR) to publish to. If it does not exist, it will be created.
+bicepRegistryName: adpsxxazacrx001 # The name of the bicep registry (ACR) to publish to. If it does not exist, it will be created.
 bicepRegistryRGName: 'artifacts-rg' # The resource group that hosts the private bicep registry (ACR)
 bicepRegistryRgLocation: 'West Europe' # The location of the resource group to publish to