feat: Add the creation of Microsoft.KeyVault/vaults/secrets in Sql Server Module - avm/res/sql/server #2859

Merged
merged 8 commits into from
Oct 12, 2024
Expand Up @@ -62,7 +62,9 @@ runs:
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ env.AZURE_CREDENTIALS }}
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true

# [Set Deployment Location] task(s)
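Review bot: Dropping `creds: ${{ env.AZURE_CREDENTIALS }}` in favour of `client-id`/`tenant-id`/`subscription-id` switches `azure/login@v2` to OIDC federated login, which removes the long-lived service principal secret from the repository, but that login path only works when the calling job grants `permissions: id-token: write`; that permission is not in this hunk, so confirm it is set on the job that uses this action. This is also a pipeline-wide authentication change that is unrelated to the PR's stated feature (Key Vault secret export in the SQL server module); consider moving it to its own PR so it can be reviewed and reverted independently.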
5 changes: 4 additions & 1 deletion .github/workflows/avm.template.module.yml
Expand Up @@ -25,7 +25,10 @@ env:
ARM_MGMTGROUP_ID: "${{ secrets.ARM_MGMTGROUP_ID }}"
ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}"
TOKEN_NAMEPREFIX: "${{ secrets.TOKEN_NAMEPREFIX }}"

AZURE_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
AZURE_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
AZURE_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"

jobs:
#########################
# Static validation #
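Review bot: `AZURE_TENANT_ID` now duplicates `ARM_TENANT_ID`, which is kept two lines above, so two repository secrets must be held in sync for the same value; either reuse `ARM_TENANT_ID` in the login step or remove the old variable once nothing else reads it. Tenant, client and subscription IDs are identifiers rather than credentials, so keeping them as secrets is harmless but not what protects the login; with OIDC the trust is the federated credential on the app registration, which this hunk cannot show and which should be documented alongside this change.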
149 changes: 141 additions & 8 deletions avm/res/sql/server/README.md
Expand Up @@ -24,6 +24,7 @@ This module deploys an Azure SQL Server.
| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
| `Microsoft.KeyVault/vaults/secrets` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/secrets) |
| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
| `Microsoft.Sql/servers` | [2023-08-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Sql/servers) |
Expand All @@ -50,10 +51,11 @@ The following section provides usage examples for the module, which were used to
- [With an administrator](#example-1-with-an-administrator)
- [With audit settings](#example-2-with-audit-settings)
- [Using only defaults](#example-3-using-only-defaults)
- [Using large parameter set](#example-4-using-large-parameter-set)
- [With a secondary database](#example-5-with-a-secondary-database)
- [With vulnerability assessment](#example-6-with-vulnerability-assessment)
- [WAF-aligned](#example-7-waf-aligned)
- [Deploying with a key vault reference to save secrets](#example-4-deploying-with-a-key-vault-reference-to-save-secrets)
- [Using large parameter set](#example-5-using-large-parameter-set)
- [With a secondary database](#example-6-with-a-secondary-database)
- [With vulnerability assessment](#example-7-with-vulnerability-assessment)
- [WAF-aligned](#example-8-waf-aligned)

### Example 1: _With an administrator_

Expand Down Expand Up @@ -249,7 +251,87 @@ module server 'br/public:avm/res/sql/server:<version>' = {
</details>
<p>

### Example 4: _Using large parameter set_
### Example 4: _Deploying with a key vault reference to save secrets_

This instance deploys the module saving all its secrets in a key vault.


<details>

<summary>via Bicep module</summary>

```bicep
module server 'br/public:avm/res/sql/server:<version>' = {
name: 'serverDeployment'
params: {
// Required parameters
name: 'sqlkvs001'
// Non-required parameters
administratorLogin: 'adminUserName'
administratorLoginPassword: '<administratorLoginPassword>'
databases: [
{
name: 'myDatabase'
}
]
location: '<location>'
secretsExportConfiguration: {
keyVaultResourceId: '<keyVaultResourceId>'
sqlAdminPasswordSecretName: 'adminLoginPasswordKey'
sqlAzureConnectionStringSercretName: 'sqlConnectionStringKey'
}
}
}
```

</details>
<p>

<details>

<summary>via JSON Parameter file</summary>

```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "sqlkvs001"
},
// Non-required parameters
"administratorLogin": {
"value": "adminUserName"
},
"administratorLoginPassword": {
"value": "<administratorLoginPassword>"
},
"databases": {
"value": [
{
"name": "myDatabase"
}
]
},
"location": {
"value": "<location>"
},
"secretsExportConfiguration": {
"value": {
"keyVaultResourceId": "<keyVaultResourceId>",
"sqlAdminPasswordSecretName": "adminLoginPasswordKey",
"sqlAzureConnectionStringSercretName": "sqlConnectionStringKey"
}
}
}
}
```

</details>
<p>

### Example 5: _Using large parameter set_

This instance deploys the module with most of its features enabled.

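Review bot: The parameter name `sqlAzureConnectionStringSercretName`, used in both the Bicep and the JSON parameter examples, misspells "Secret"; this README is generated from `main.bicep`, so fix the name at the source before merge, because renaming a published module parameter afterwards is a breaking change for callers. The example also writes the administrator password and a connection string that embeds that same password as two separate Key Vault secrets; the example text should state that the connection string secret contains the password in clear text, so that consumers scope read access to that vault accordingly rather than treating it as a less sensitive secret.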
Expand Down Expand Up @@ -593,7 +675,7 @@ module server 'br/public:avm/res/sql/server:<version>' = {
</details>
<p>

### Example 5: _With a secondary database_
### Example 6: _With a secondary database_

This instance deploys the module with a secondary database.

Expand Down Expand Up @@ -683,7 +765,7 @@ module server 'br/public:avm/res/sql/server:<version>' = {
</details>
<p>

### Example 6: _With vulnerability assessment_
### Example 7: _With vulnerability assessment_

This instance deploys the module with a vulnerability assessment.

Expand Down Expand Up @@ -811,7 +893,7 @@ module server 'br/public:avm/res/sql/server:<version>' = {
</details>
<p>

### Example 7: _WAF-aligned_
### Example 8: _WAF-aligned_

This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.

Expand Down Expand Up @@ -1126,6 +1208,7 @@ module server 'br/public:avm/res/sql/server:<version>' = {
| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| [`restrictOutboundNetworkAccess`](#parameter-restrictoutboundnetworkaccess) | string | Whether or not to restrict outbound network access for this server. |
| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
| [`secretsExportConfiguration`](#parameter-secretsexportconfiguration) | object | Key vault reference and secret settings for the module's secrets export. |
| [`securityAlertPolicies`](#parameter-securityalertpolicies) | array | The security alert policies to create in the server. |
| [`tags`](#parameter-tags) | object | Tags of the resource. |
| [`virtualNetworkRules`](#parameter-virtualnetworkrules) | array | The virtual network rules to create in the server. |
Expand Down Expand Up @@ -1874,6 +1957,55 @@ The principal type of the assigned principal ID.
]
```

### Parameter: `secretsExportConfiguration`

Key vault reference and secret settings for the module's secrets export.

- Required: No
- Type: object

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`keyVaultResourceId`](#parameter-secretsexportconfigurationkeyvaultresourceid) | string | The resource ID of the key vault where to store the secrets of this module. |

**Optional parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`resourceGroupName`](#parameter-secretsexportconfigurationresourcegroupname) | string | Default to the resource group where this account is. The resource group name where the key vault is. |
| [`sqlAdminPasswordSecretName`](#parameter-secretsexportconfigurationsqladminpasswordsecretname) | string | The name of sql admin login password for secret to create. |
| [`sqlAzureConnectionStringSercretName`](#parameter-secretsexportconfigurationsqlazureconnectionstringsercretname) | string | The name of sql server connection string for secret to create. |

### Parameter: `secretsExportConfiguration.keyVaultResourceId`

The resource ID of the key vault where to store the secrets of this module.

- Required: Yes
- Type: string

### Parameter: `secretsExportConfiguration.resourceGroupName`

Default to the resource group where this account is. The resource group name where the key vault is.

- Required: No
- Type: string

### Parameter: `secretsExportConfiguration.sqlAdminPasswordSecretName`

The name of sql admin login password for secret to create.

- Required: No
- Type: string

### Parameter: `secretsExportConfiguration.sqlAzureConnectionStringSercretName`

The name of sql server connection string for secret to create.

- Required: No
- Type: string

### Parameter: `securityAlertPolicies`

The security alert policies to create in the server.
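Review bot: The `resourceGroupName` description ("Default to the resource group where this account is.") refers to an "account", which reads as copied from the storage account module; it should say "server". The two secret-name descriptions are also hard to parse ("The name of sql admin login password for secret to create."); suggest "The name of the Key Vault secret to create for the SQL administrator password." and the equivalent wording for the connection string. These strings come from the `@description` decorators in `main.bicep`, so edit them there and regenerate the README rather than patching this file by hand.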
Expand Down Expand Up @@ -1914,6 +2046,7 @@ The vulnerability assessment configuration.
| `name` | string | The name of the deployed SQL server. |
| `resourceGroupName` | string | The resource group of the deployed SQL server. |
| `resourceId` | string | The resource ID of the deployed SQL server. |
| `secretResourceIds` | array | The resource ID of the secrets. |
| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |

## Cross-referenced modules
51 changes: 51 additions & 0 deletions avm/res/sql/server/main.bicep
Expand Up @@ -147,6 +147,9 @@ var builtInRoleNames = {
)
}

@description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
param secretsExportConfiguration secretsExportConfigurationType?

#disable-next-line no-deployments-resources
resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
name: '46d3xbcp.res.sql-server.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
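Review bot: `secretsExportConfigurationType` is already declared nullable (its definition further down this file ends in `}?`), so the trailing `?` on `param secretsExportConfiguration secretsExportConfigurationType?` adds nothing; keep the nullability in one place so the type and the parameter do not drift apart.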
Expand Down Expand Up @@ -485,6 +488,35 @@ module server_audit_settings 'audit-settings/main.bicep' = if (!empty(auditSetti
}
}

module server_secrets_export 'modules/key-vault-export.bicep' = if (!empty(secretsExportConfiguration)) {
name: '${uniqueString(deployment().name, location)}-secrets-kv'
scope: resourceGroup(secretsExportConfiguration.?resourceGroupName ?? resourceGroup().name)
params: {
keyVaultName: !empty(secretsExportConfiguration!.keyVaultResourceId)
? last(split(secretsExportConfiguration!.keyVaultResourceId, '/'))
: ''
secrets: union(
[],
contains(secretsExportConfiguration!, 'sqlAdminPasswordSecretName')
? [
{
name: secretsExportConfiguration.?sqlAdminPasswordSecretName
value: administratorLoginPassword
}
]
: [],
contains(secretsExportConfiguration!, 'sqlAzureConnectionStringSercretName')
? [
{
name: secretsExportConfiguration.?sqlAzureConnectionStringSercretName
value: 'Server=${server.properties.fullyQualifiedDomainName}; Database=${!empty(databases) ? databases[0].name : ''}; User=${administratorLogin}; Password=${administratorLoginPassword}'
}
]
: []
)
}
}

@description('The name of the deployed SQL server.')
output name string = server.name

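Review bot: `keyVaultName` is derived from `keyVaultResourceId`, but the module scope is not: `scope: resourceGroup(secretsExportConfiguration.?resourceGroupName ?? resourceGroup().name)` assumes the vault lives in the current subscription and, when `resourceGroupName` is omitted, in the server's own resource group, so a vault in another resource group or subscription makes the deployment fail. Since the full resource ID is already required, derive both from it, e.g. `scope: resourceGroup(split(secretsExportConfiguration!.keyVaultResourceId, '/')[2], split(secretsExportConfiguration!.keyVaultResourceId, '/')[4])`, and drop `resourceGroupName` entirely. Because `keyVaultResourceId` is a required string, the `!empty(...) ? last(split(...)) : ''` guard is dead code and `last(split(secretsExportConfiguration!.keyVaultResourceId, '/'))` suffices; the leading `[]` in `union([], ...)` is likewise unnecessary. The connection string interpolates `administratorLoginPassword` into a plain string that is passed to the `secrets` parameter of `modules/key-vault-export.bicep`; confirm that parameter is declared `@secure()`, otherwise the password is recorded in the nested deployment's input parameters. Finally, the connection string references only `databases[0]` and sets no `Encrypt=True`, both of which should be documented since callers may deploy several databases and rely on the driver default for TLS.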
Expand All @@ -500,6 +532,11 @@ output systemAssignedMIPrincipalId string = server.?identity.?principalId ?? ''
@description('The location the resource was deployed into.')
output location string = server.location

@description('The resource ID of the secrets.')
output secretResourceIds string[] = !empty(secretsExportConfiguration)
? server_secrets_export.outputs.secretResourceIds
: []

// =============== //
// Definitions //
// =============== //
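Review bot: The description on `output secretResourceIds string[]` ("The resource ID of the secrets.") should be plural, and it is worth saying explicitly that these are the resource IDs of the `Microsoft.KeyVault/vaults/secrets` resources, not secret values, so that readers of the generated README do not mistake this output for sensitive data; suggest "The resource IDs of the Key Vault secrets created by this module."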
Expand Down Expand Up @@ -652,3 +689,17 @@ type auditSettingsType = {
@description('Optional. Specifies the identifier key of the auditing storage account.')
storageAccountResourceId: string?
}

type secretsExportConfigurationType = {
@description('Required. The resource ID of the key vault where to store the secrets of this module.')
keyVaultResourceId: string

@description('Optional. Default to the resource group where this account is. The resource group name where the key vault is.')
resourceGroupName: string?

@description('Optional. The name of sql admin login password for secret to create.')
sqlAdminPasswordSecretName: string?

@description('Optional. The name of sql server connection string for secret to create.')
sqlAzureConnectionStringSercretName: string?
}?
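Review bot: `sqlAzureConnectionStringSercretName: string?` is where the misspelling of "Secret" originates; the README, the usage examples and the `contains(...)` checks in `server_secrets_export` all inherit it, so rename it to `sqlAzureConnectionStringSecretName` in this PR rather than after the module version ships. The `@description` texts in this type feed the generated README, so this is also the place to replace "this account" with "this server" and to reword the two secret-name descriptions. Note that the type ends in `}?` and is therefore nullable on its own; the `param secretsExportConfiguration secretsExportConfigurationType?` declaration above adds a second `?`, and one of the two should go.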