Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SQL Azure - add support for AD admin #1047

Merged
merged 5 commits into from
Jul 12, 2023
Merged

SQL Azure - add support for AD admin #1047

merged 5 commits into from
Jul 12, 2023

Conversation

gursharan001
Copy link
Contributor

@gursharan001 gursharan001 commented Jun 27, 2023
edited
Loading

This PR closes Azure/bicep#1036

The changes in this PR are as follows:

  • introduce new type ActiveDirectoryAdminSettings
  • change to apply these settings to handle
    • sql admin with no AD admin (existing capability)
    • sql admin with AD admin (new)
    • AD admin only (new)

I have read the contributing guidelines and have completed the following:

  • Tested my code end-to-end against a live Azure subscription.
  • Updated the documentation in the docs folder for the affected changes.
  • Written unit tests against the modified code that I have made.
  • Updated the release notes with a new entry for this PR.
  • Checked the coding standards outlined in the contributions guide and ensured my code adheres to them.

Below is a minimal example configuration that includes the new features, which can be used to deploy to Azure:

let activeDirectoryAdmin: ActiveDirectoryAdminSettings =
  {
    Login = "admingroup"
    Sid = "F9D49C34-01BA-4897-B7E2-3694BF3DE2CF"
    PrincipalType = ActiveDirectoryPrincipalType.Group
    AdOnlyAuth = false
  }

sqlServer {
     name "adtestserver"
     active_directory_admin (Some(activeDirectoryAdmin))
     admin_username "sqladminuser"
}

Issues

I have found that ARM templates need modification to switch SQL server configuration among following -

  1. sql admin with no AD admin
  2. sql admin with AD admin
  3. AD admin only

Please refer this blog post - https://www.codez.one/azure-sql-with-managed-identities-part-2/

One possible way forward is to make AdOnlyAuth member optional and let the user write correct farmer template by detecting existence of SQL server out of band (using AZ cli or powershell etc)

@ninjarobot ninjarobot added this to the 1.7.25 milestone Jul 5, 2023
ninjarobot
ninjarobot requested changes Jul 5, 2023
View reviewed changes
Copy link
Collaborator

@ninjarobot ninjarobot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again for your continued work on this. I made some recommendations to try to reduce the code complexity a bit. The compiler can deal with it, but it's getting a bit difficult to follow some of the logic for building the various auth settings records.

RELEASE_NOTES.md Outdated
@@ -1,5 +1,8 @@
Release Notes
=============
## 1.7.26
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be in the next release - 1.7.25

src/Farmer/Arm/Sql.fs Outdated
| Some Tls12 -> "1.2"
| None -> null
|}
let props =
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the logic here has grown in complexity beyond just building a record - now the record is built then copies are modified a couple of times. This is too much to do in the implementation of the properties field, so if this level of complexity is needed, please move it to a separate function or a private member method.

src/Farmer/Builders/Builders.Sql.fs Outdated
Password = this.AdministratorCredentials.Password
|}
match this.ActiveDirectoryAdmin with
| Some (x) when x.AdOnlyAuth -> Unchecked.defaultof<_>
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This particular check is in here many times so it would clarify the code to make this an active pattern. For example,

let (|ActiveDirAuth|AdOnlyAuth|StandardAuth|) activeDirAdmin =
    match activeDirAdmin with 
    | Some x when x.AdOnlyAuth -> AdOnlyAuth
    | Some x -> ActiveDirAuth
    | None -> StandardAuth

and then the code expresses the intent without having to read through the options and boolean logic:

match this.ActiveDirectoryAdmin with
| ActiveDirAuth -> // whatever happens for AD auth
| AdOnlyAuth -> // whatever happens when it's AD only
| StandardAuth -> // whatever happens when not using AD auth (not sure if it's called standard, this was just an example)

src/Tests/Tests.fsproj Show resolved Hide resolved
@gursharan001
Copy link
Contributor Author

@ninjarobot I have made further changes to hopefully simplify the code. Please do let me know if it can be made better. Thanks again.

ninjarobot
ninjarobot approved these changes Jul 12, 2023
View reviewed changes
Copy link
Collaborator

@ninjarobot ninjarobot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks for simplifying the code a bit!

@ninjarobot ninjarobot merged commit 2c00e36 into CompositionalIT:master Jul 12, 2023
3 checks passed
github-actions bot pushed a commit that referenced this pull request Jul 12, 2023
@ninjarobot
Merge pull request #1047 from gursharan001/sql-adauth 2c00e36
597b1d0
@martin-bmc
Copy link

Maybe the wrong place to add this but I just tested this feature and found an issue when changing from an existing Azure AD admin to a new one. It seems like this is not supported in ARM/Bicep:
Azure/bicep-types-az#2320

@ninjarobot
Copy link
Collaborator

Does it work in json, just not in bicep? Or is this impacted by the bug regardless?

@martin-bmc
Copy link

As far as I understand the comments on the issue, the Microsoft SQL team allows the value to be set but not changed via the ARM template that is generated in this PR:

The initial (deployment) template has to have AAD admin set as a property of "Microsoft.Sql/servers" resource. The "update" template would have to have "Microsoft.Sql/servers/administrators" resource.

Azure/bicep-types-az#2320

It might be to complex for Farmer to handle this case but perhaps it should be mentioned in the documentation?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ninjarobot ninjarobot ninjarobot approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.7.25
Development

Successfully merging this pull request may close these issues.
3 participants
@gursharan001 @martin-bmc @ninjarobot