Update sql server password to MI (#3946)
This changes the ARM deployment to use Managed Identity exclusively instead of a SQL admin login and password. This affects new deployments only. Users of the new ARM deployment will not be able to connect to an existing SQL server that was configured to use passwords; they would have to create a new SQL Server.
aponakampalli authored Jul 12, 2024
1 parent bba5937 commit 7d45e4b
Showing 7 changed files with 65 additions and 94 deletions.
19 changes: 0 additions & 19 deletions build/ci-deploy.yml
Expand Up @@ -62,17 +62,6 @@ stages:
steps:
- template: ./jobs/add-aad-test-environment.yml

- stage: UpdateRandom
displayName: 'Determine Random String'
dependsOn: []
jobs:
- job: Password
pool:
name: '$(DefaultLinuxPool)'
vmImage: '$(LinuxVmImage)'
steps:
- template: ./jobs/update-sqlAdminPassword.yml

- stage: deployStu3
displayName: 'Deploy STU3 CosmosDB Site'
dependsOn:
Expand All @@ -96,7 +85,6 @@ stages:
dependsOn:
- aadTestEnvironment
- DockerBuild
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -110,7 +98,6 @@ stages:
testEnvironmentUrl: $(TestApplicationResource)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
reindexEnabled: true

Expand All @@ -137,7 +124,6 @@ stages:
dependsOn:
- aadTestEnvironment
- DockerBuild
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -151,7 +137,6 @@ stages:
testEnvironmentUrl: $(TestApplicationResource)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
reindexEnabled: true

Expand All @@ -178,7 +163,6 @@ stages:
dependsOn:
- aadTestEnvironment
- DockerBuild
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -190,7 +174,6 @@ stages:
subscription: $(ConnectedServiceName)
resourceGroup: $(DeploymentEnvironmentName)
testEnvironmentUrl: $(TestApplicationResource)
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
Expand Down Expand Up @@ -218,7 +201,6 @@ stages:
dependsOn:
- aadTestEnvironment
- DockerBuild
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -232,6 +214,5 @@ stages:
testEnvironmentUrl: $(TestApplicationResource)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
reindexEnabled: true
4 changes: 0 additions & 4 deletions build/jobs/provision-deploy.yml
Expand Up @@ -22,9 +22,6 @@ parameters:
- name: schemaAutomaticUpdatesEnabled
type: string
default: 'tool'
- name: sqlServerAdminPassword
type: string
default: ''
- name: sqlServerName
type: string
default: ''
Expand Down Expand Up @@ -90,7 +87,6 @@ jobs:
if("${{ parameters.sql }}" -eq "true"){
# Set SQL Variables
$templateParameters["solutionType"] = "FhirServerSqlServer"
$templateParameters["sqlAdminPassword"] = "${{parameters.sqlServerAdminPassword}}"
$templateParameters["sqlServerName"] = "${{parameters.sqlServerName}}".ToLower()
$templateParameters["sqlServerNewOrExisting"] = "existing"
$templateParameters["sqlSchemaAutomaticUpdatesEnabled"] = "${{parameters.schemaAutomaticUpdatesEnabled}}"
5 changes: 2 additions & 3 deletions build/jobs/provision-sqlServer.yml
Expand Up @@ -7,9 +7,8 @@ parameters:
- name: schemaAutomaticUpdatesEnabled
type: string
default: 'auto'
- name: sqlServerAdminPassword
- name: userAssignedManagedIdentityName
type: string
default: ''

jobs:
- job: provisionEnvironment
Expand All @@ -33,7 +32,7 @@ jobs:
Add-Type -AssemblyName System.Web
$templateParameters = @{
sqlAdminPassword = "${{parameters.sqlServerAdminPassword}}"
userAssignedManagedIdentityName = "${{parameters.userAssignedManagedIdentityName}}"
sqlServerName = "${{parameters.sqlServerName}}".ToLower()
sqlSchemaAutomaticUpdatesEnabled = "${{parameters.schemaAutomaticUpdatesEnabled}}"
}
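Review bot: The new `userAssignedManagedIdentityName` parameter is declared without a `default`, unlike the neighbouring `schemaAutomaticUpdatesEnabled`, so the template now fails unless every caller supplies it; if that is intended, say so at the declaration, e.g. `# required (no default): name of the user-assigned identity handed to the SQL server template`. `Add-Type -AssemblyName System.Web` in the provisioning script appears to have been needed only for the password generation this commit removes; if nothing else in the script uses it, it can go. The script's body begins and ends outside the hunk, so I cannot confirm there is no other use.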
18 changes: 0 additions & 18 deletions build/jobs/update-sqlAdminPassword.yml

This file was deleted.

22 changes: 1 addition & 21 deletions build/pr-pipeline.yml
Expand Up @@ -26,17 +26,6 @@ stages:
Write-Host "Updated build number to '$buildNumber"
name: SetBuildVersion
- stage: UpdateRandom
displayName: 'Determine Random String'
dependsOn: []
jobs:
- job: Password
pool:
name: '$(DefaultLinuxPool)'
vmImage: '$(LinuxVmImage)'
steps:
- template: ./jobs/update-sqlAdminPassword.yml

- stage: BuildUnitTests
displayName: 'Build and run unit tests'
dependsOn:
Expand Down Expand Up @@ -160,14 +149,13 @@ stages:
displayName: 'Deploy SQLServer'
dependsOn:
- setupEnvironment
- UpdateRandom
jobs:
- template: ./jobs/provision-sqlServer.yml
parameters:
resourceGroup: $(ResourceGroupName)
sqlServerName: $(DeploymentEnvironmentName)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
userAssignedManagedIdentityName: "$(DeploymentEnvironmentName)-uami"

- stage: deployStu3
displayName: 'Deploy STU3 CosmosDB Site'
Expand All @@ -193,7 +181,6 @@ stages:
- DockerBuild
- setupEnvironment
- deploySqlServer
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -207,7 +194,6 @@ stages:
testEnvironmentUrl: $(TestApplicationResource)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
reindexEnabled: true

Expand Down Expand Up @@ -235,7 +221,6 @@ stages:
- DockerBuild
- setupEnvironment
- deploySqlServer
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -249,7 +234,6 @@ stages:
testEnvironmentUrl: $(TestApplicationResource)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
reindexEnabled: true

Expand Down Expand Up @@ -277,7 +261,6 @@ stages:
- DockerBuild
- setupEnvironment
- deploySqlServer
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -291,7 +274,6 @@ stages:
testEnvironmentUrl: $(TestApplicationResource)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
reindexEnabled: true

Expand Down Expand Up @@ -319,7 +301,6 @@ stages:
- DockerBuild
- setupEnvironment
- deploySqlServer
- UpdateRandom
jobs:
- template: ./jobs/provision-deploy.yml
parameters:
Expand All @@ -333,7 +314,6 @@ stages:
testEnvironmentUrl: $(TestApplicationResource)
imageTag: $(ImageTag)
schemaAutomaticUpdatesEnabled: 'auto'
sqlServerAdminPassword: $[stageDependencies.UpdateRandom.Password.outputs['SetVariablesFromRandomString.password']]
sqlServerName: $(DeploymentEnvironmentName)
reindexEnabled: true

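Review bot: The `-uami` suffix in `userAssignedManagedIdentityName: "$(DeploymentEnvironmentName)-uami"` is an implicit contract with `variables('managedIdentityName')` in samples/templates/default-azuredeploy-docker.json, which derives the same name from `sqlServerName`; the later deploy stages pass `sqlServerName: $(DeploymentEnvironmentName)` with the server treated as existing, so the app site only binds to the identity while both sides use the identical suffix. Worth pinning with a comment on that line: `# must equal concat(sqlServerName, '-uami') as computed by variables('managedIdentityName') in default-azuredeploy-docker.json`. If the suffix is ever changed in only one place, the site's userAssignedIdentities reference would presumably fail at deploy time rather than at review.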
51 changes: 34 additions & 17 deletions samples/templates/default-azuredeploy-docker.json
Expand Up @@ -146,13 +146,6 @@
"description": "Determines whether or not a new SqlServer should be provisioned."
}
},
"sqlAdminPassword": {
"type": "securestring",
"defaultValue": "",
"metadata": {
"description": "The password for the sql admin user if using SQL server."
}
},
"sqlLocation": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
Expand Down Expand Up @@ -286,6 +279,7 @@
},
"combinedFhirServerConfigProperties": "[union(variables('staticFhirServerConfigProperties'), parameters('additionalFhirServerConfigProperties'))]",
"sqlServerDerivedName": "[if(empty(parameters('sqlServerName')),variables('serviceName'),parameters('sqlServerName'))]",
"managedIdentityName": "[concat(if(empty(parameters('sqlServerName')), variables('serviceName'), parameters('sqlServerName')), '-uami')]",
"sqlDatabaseName": "[concat('FHIR', parameters('fhirVersion'))]",
"computedSqlServerReference": "[concat('Microsoft.Sql/servers/', variables('sqlServerDerivedName'))]",
"storageAccountName": "[concat(substring(replace(variables('serviceName'), '-', ''), 0, min(11, length(replace(variables('serviceName'), '-', '')))), uniquestring(resourceGroup().id, variables('serviceName')))]",
Expand Down Expand Up @@ -319,6 +313,13 @@
"reserved": true
}
},
{
"condition": "[or(equals(parameters('solutionType'), 'FhirServerCosmosDB'), and(equals(parameters('solutionType'), 'FhirServerSqlServer'), equals(parameters('sqlServerNewOrExisting'), 'new')))]",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"name": "[variables('managedIdentityName')]",
"location": "[resourceGroup().location]"
},
{
"apiVersion": "2018-11-01",
"type": "Microsoft.Web/sites",
Expand All @@ -328,7 +329,10 @@
},
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
"type": "SystemAssigned, UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]": {}
}
},
"properties": {
"name": "[parameters('serviceName')]",
Expand Down Expand Up @@ -359,7 +363,8 @@
"httpsOnly": true
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]"
],
"resources": [
{
Expand Down Expand Up @@ -460,16 +465,26 @@
"condition": "[and(equals(parameters('solutionType'),'FhirServerSqlServer'),equals(parameters('sqlServerNewOrExisting'), 'new'))]",
"name": "[variables('sqlServerDerivedName')]",
"type": "Microsoft.Sql/servers",
"apiVersion": "2015-05-01-preview",
"apiVersion": "2020-11-01-preview",
"location": "[parameters('sqlLocation')]",
"tags": {
"FhirServerSolution": "[parameters('solutionType')]"
},
"properties": {
"administratorLogin": "fhirAdmin",
"administratorLoginPassword": "[parameters('sqlAdminPassword')]",
"version": "12.0"
"version": "12.0",
"primaryUserAssignedIdentityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]",
"administrators": {
"administratorType": "ActiveDirectory",
"azureADOnlyAuthentication": true,
"principalType": "User",
"login": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')), '2018-11-30').principalId]",
"sid": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')), '2018-11-30').principalId]",
"tenantId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')), '2018-11-30').tenantId]"
}
},
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName'))]"
],
"resources": [
{
"condition": "[equals(parameters('solutionType'),'FhirServerSqlServer')]",
Expand Down Expand Up @@ -602,7 +617,7 @@
"principalId": "[reference(variables('appServiceResourceId'), '2015-08-01', 'Full').Identity.principalId]"
}
},
{
{
"type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('serviceName'), '/Microsoft.Authorization/', guid(uniqueString('Reader', parameters('fhirVersion'), variables('serviceName'))))]",
Expand Down Expand Up @@ -649,7 +664,7 @@
"apiVersion": "2015-06-01",
"properties": {
"contentType": "text/plain",
"value": "[concat('Server=tcp:', if(equals(parameters('solutionType'),'FhirServerSqlServer'), reference(variables('computedSqlServerReference'), '2015-05-01-preview').fullyQualifiedDomainName, ''),',1433;Initial Catalog=',variables('sqlDatabaseName'),';Persist Security Info=False;User ID=', if(equals(parameters('solutionType'),'FhirServerSqlServer'), reference(variables('computedSqlServerReference'), '2015-05-01-preview').administratorLogin, ''),';Password=',parameters('sqlAdminPassword'),';MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;')]"
"value": "[concat('Server=tcp:', if(equals(parameters('solutionType'),'FhirServerSqlServer'), reference(variables('computedSqlServerReference'), '2015-05-01-preview').fullyQualifiedDomainName, ''),',1433;Initial Catalog=',variables('sqlDatabaseName'),';Persist Security Info=False;Authentication=ActiveDirectoryMsi;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;User Id=', reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')), '2018-11-30').clientId, ';')]"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('serviceName'))]",
Expand All @@ -662,8 +677,10 @@
"apiVersion": "2019-06-01",
"location": "[resourceGroup().location]",
"properties": {
"supportsHttpsTrafficOnly": true
},
"supportsHttpsTrafficOnly": true,
"allowBlobPublicAccess": false,
"allowSharedKeyAccess": false
},
"condition": "[variables('enableIntegrationStore')]",
"dependsOn": [],
"sku": {
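Review bot: In the Microsoft.Sql/servers `administrators` block, `"principalType": "User"` is set for a user-assigned managed identity; managed identities are service principals, for which this property is normally `Application`, so confirm on a deployed server that Entra-only login succeeds with `User`, and otherwise change the line to `"principalType": "Application"`. `login` is also set to the principalId GUID, and since it is only the display name, `variables('managedIdentityName')` would be more readable in the portal. Separately, the storage account hunk adds `allowSharedKeyAccess` under apiVersion 2019-06-01; that property was introduced in a later Microsoft.Storage API version, so check that the deployment neither rejects nor silently drops it, and that whatever reads the integration store is granted a data-plane role now that shared keys are disabled.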
