

[Modules] Configure privateDnsZoneGroups on sqlServer (#1900)
* publicNetworkAccess

* privateDNSResourceIds

* readme

* vnet rules

* readme

* version

* pe login

* readme

* newVnetRule1

* virtualNetworkSubnetId
eriqua authored Sep 5, 2022
1 parent faf82dd commit 36c9e7f
Showing 8 changed files with 284 additions and 2 deletions.
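--- a/modules/Microsoft.Sql/servers/.test/parameters.json
+++ b/modules/Microsoft.Sql/servers/.test/parameters.json
@@ -75,6 +75,15 @@
 }
 ]
 },
+"virtualNetworkRules": {
+"value": [
+{
+"name": "newVnetRule1",
+"ignoreMissingVnetServiceEndpoint": true,
+"virtualNetworkSubnetId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-001"
+}
+]
+},
 "securityAlertPolicies": {
 "value": [
 {
@@ -96,7 +105,12 @@
 "value": [
 {
 "subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints",
-"service": "sqlServer"
+"service": "sqlServer",
+"privateDnsZoneGroup": {
+"privateDNSResourceIds": [
+"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
+]
+}
 }
 ]
 }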
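Review bot: With `virtualNetworkRules` now set in the same test file as `privateEndpoints` (first hunk), this main test no longer exercises the module's new implicit `Disabled` default for `publicNetworkAccess` — the derived value becomes `null`, i.e. whatever the resource provider defaults to, and that branch is covered only by the new `pe.parameters.json`. Since this file also doubles as the readme example, I would make the posture explicit instead of leaning on the derived default, e.g. add `"publicNetworkAccess": { "value": "Enabled" }` next to the new rules block, so a reader sees that public access is deliberately left open here (presumably because the vnet rule depends on the public endpoint). The enclosing `parameters` object starts and ends outside both hunks.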
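--- a/modules/Microsoft.Sql/servers/.test/pe.parameters.json
+++ b/modules/Microsoft.Sql/servers/.test/pe.parameters.json
@@ -0,0 +1,33 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"name": {
+"value": "<<namePrefix>>-az-sqlsrv-pe-001"
+},
+"administratorLogin": {
+"value": "adminUserName"
+},
+"administratorLoginPassword": {
+"reference": {
+"keyVault": {
+"id": "/subscriptions/<<subscriptionId>>/resourceGroups/<<resourceGroupName>>/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
+},
+"secretName": "administratorLoginPassword"
+}
+},
+"privateEndpoints": {
+"value": [
+{
+"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints",
+"service": "sqlServer",
+"privateDnsZoneGroup": {
+"privateDNSResourceIds": [
+"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
+]
+}
+}
+]
+}
+}
+}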
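--- a/modules/Microsoft.Sql/servers/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/deploy.bicep
@@ -40,6 +40,9 @@ param databases array = []
 @description('Optional. The firewall rules to create in the server.')
 param firewallRules array = []
 
+@description('Optional. The virtual network rules to create in the server.')
+param virtualNetworkRules array = []
+
 @description('Optional. The security alert policies to create in the server.')
 param securityAlertPolicies array = []
 
@@ -57,6 +60,14 @@ param minimalTlsVersion string = '1.2'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
 
+@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set.')
+@allowed([
+''
+'Enabled'
+'Disabled'
+])
+param publicNetworkAccess string = ''
+
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 
 var identity = identityType != 'None' ? {
@@ -99,6 +110,7 @@ resource server 'Microsoft.Sql/servers@2022-02-01-preview' = {
 } : null
 version: '12.0'
 minimalTlsVersion: minimalTlsVersion
+publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(firewallRules) && empty(virtualNetworkRules) ? 'Disabled' : null)
 }
 }
 
@@ -190,6 +202,17 @@ module server_firewallRules 'firewallRules/deploy.bicep' = [for (firewallRule, i
 }
 }]
 
+module server_virtualNetworkRules 'virtualNetworkRules/deploy.bicep' = [for (virtualNetworkRule, index) in virtualNetworkRules: {
+name: '${uniqueString(deployment().name, location)}-Sql-VirtualNetworkRules-${index}'
+params: {
+name: virtualNetworkRule.name
+serverName: server.name
+ignoreMissingVnetServiceEndpoint: contains(virtualNetworkRule, 'ignoreMissingVnetServiceEndpoint') ? virtualNetworkRule.ignoreMissingVnetServiceEndpoint : false
+virtualNetworkSubnetId: virtualNetworkRule.virtualNetworkSubnetId
+enableDefaultTelemetry: enableReferencedModulesTelemetry
+}
+}]
+
 module server_securityAlertPolicies 'securityAlertPolicies/deploy.bicep' = [for (securityAlertPolicy, index) in securityAlertPolicies: {
 name: '${uniqueString(deployment().name, location)}-Sql-SecAlertPolicy-${index}'
 params: {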
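Review bot: The new `publicNetworkAccess` line in the `server` resource (third hunk) falls back to `null` whenever firewall or virtual network rules are present, which leaves the property at the resource provider's default rather than pinning it, and the reader has to reconstruct why from the parameter description alone. As I understand it, firewall and virtual network rules only govern traffic arriving at the public endpoint, so keeping public access open in that case looks intentional, but that reasoning belongs next to the code rather than in a parameter description several screens away. I would hoist the ternary into a named variable beside the other `var` lines with a comment such as `// Pin public access to Disabled only when private endpoints are the sole ingress; firewall and vnet rules need the public endpoint, so the RP default is kept otherwise.` and write `publicNetworkAccess: publicNetworkAccessValue` in the resource. The `server` resource body begins and ends outside the hunk.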
112 changes: 112 additions & 0 deletions modules/Microsoft.Sql/servers/readme.md
Expand Up @@ -23,6 +23,7 @@ This module deploys a SQL server.
| `Microsoft.Sql/servers/databases` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/databases) |
| `Microsoft.Sql/servers/firewallRules` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/firewallRules) |
| `Microsoft.Sql/servers/securityAlertPolicies` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/securityAlertPolicies) |
| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/virtualNetworkRules) |
| `Microsoft.Sql/servers/vulnerabilityAssessments` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/vulnerabilityAssessments) |

## Parameters
Expand All @@ -49,11 +50,13 @@ This module deploys a SQL server.
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
| `minimalTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Minimal TLS version allowed. |
| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
| `securityAlertPolicies` | _[securityAlertPolicies](securityAlertPolicies/readme.md)_ array | `[]` | | The security alert policies to create in the server. |
| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
| `tags` | object | `{object}` | | Tags of the resource. |
| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
| `virtualNetworkRules` | _[virtualNetworkRules](virtualNetworkRules/readme.md)_ array | `[]` | | The virtual network rules to create in the server. |
| `vulnerabilityAssessmentsObj` | _[vulnerabilityAssessments](vulnerabilityAssessments/readme.md)_ object | `{object}` | | The vulnerability assessment configuration. |


Expand Down Expand Up @@ -441,6 +444,11 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
minimalTlsVersion: '1.2'
privateEndpoints: [
{
privateDnsZoneGroup: {
privateDNSResourceIds: [
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net'
]
}
service: 'sqlServer'
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints'
}
Expand All @@ -464,6 +472,13 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
userAssignedIdentities: {
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001': {}
}
virtualNetworkRules: [
{
ignoreMissingVnetServiceEndpoint: true
name: 'newVnetRule1'
virtualNetworkSubnetId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-001'
}
]
vulnerabilityAssessmentsObj: {
emailSubscriptionAdmins: true
name: 'default'
Expand Down Expand Up @@ -546,6 +561,11 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
"privateEndpoints": {
"value": [
{
"privateDnsZoneGroup": {
"privateDNSResourceIds": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
]
},
"service": "sqlServer",
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints"
}
Expand Down Expand Up @@ -578,6 +598,15 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001": {}
}
},
"virtualNetworkRules": {
"value": [
{
"ignoreMissingVnetServiceEndpoint": true,
"name": "newVnetRule1",
"virtualNetworkSubnetId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-001"
}
]
},
"vulnerabilityAssessmentsObj": {
"value": {
"emailSubscriptionAdmins": true,
Expand All @@ -596,3 +625,86 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {

</details>
<p>

<h3>Example 3: Pe</h3>

<details>

<summary>via Bicep module</summary>

```bicep
resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name: 'adp-<<namePrefix>>-az-kv-x-001'
scope: resourceGroup('<<subscriptionId>>','<<resourceGroupName>>')
}
module servers './Microsoft.Sql/servers/deploy.bicep' = {
name: '${uniqueString(deployment().name)}-Servers'
params: {
// Required parameters
name: '<<namePrefix>>-az-sqlsrv-pe-001'
// Non-required parameters
administratorLogin: 'adminUserName'
administratorLoginPassword: kv1.getSecret('administratorLoginPassword')
privateEndpoints: [
{
privateDnsZoneGroup: {
privateDNSResourceIds: [
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net'
]
}
service: 'sqlServer'
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints'
}
]
}
}
```

</details>
<p>

<details>

<summary>via JSON Parameter file</summary>

```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "<<namePrefix>>-az-sqlsrv-pe-001"
},
// Non-required parameters
"administratorLogin": {
"value": "adminUserName"
},
"administratorLoginPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/<<resourceGroupName>>/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
},
"secretName": "administratorLoginPassword"
}
},
"privateEndpoints": {
"value": [
{
"privateDnsZoneGroup": {
"privateDNSResourceIds": [
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.database.windows.net"
]
},
"service": "sqlServer",
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints"
}
]
}
}
}
```

</details>
<p>
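--- a/modules/Microsoft.Sql/servers/version.json
+++ b/modules/Microsoft.Sql/servers/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
-"version": "0.4"
+"version": "0.5"
 }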
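--- a/modules/Microsoft.Sql/servers/virtualNetworkRules/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/virtualNetworkRules/deploy.bicep
@@ -0,0 +1,48 @@
+@description('Required. The name of the Server Virtual Network Rule.')
+param name string
+
+@description('Optional. Allow creating a firewall rule before the virtual network has vnet service endpoint enabled.')
+param ignoreMissingVnetServiceEndpoint bool = false
+
+@description('Required. The resource ID of the virtual network subnet.')
+param virtualNetworkSubnetId string
+
+@description('Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment.')
+param serverName string
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+properties: {
+mode: 'Incremental'
+template: {
+'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+contentVersion: '1.0.0.0'
+resources: []
+}
+}
+}
+
+resource server 'Microsoft.Sql/servers@2022-02-01-preview' existing = {
+name: serverName
+}
+
+resource virtualNetworkRule 'Microsoft.Sql/servers/virtualNetworkRules@2022-02-01-preview' = {
+name: name
+parent: server
+properties: {
+ignoreMissingVnetServiceEndpoint: ignoreMissingVnetServiceEndpoint
+virtualNetworkSubnetId: virtualNetworkSubnetId
+}
+}
+
+@description('The name of the deployed virtual network rule.')
+output name string = virtualNetworkRule.name
+
+@description('The resource ID of the deployed virtual network rule.')
+output resourceId string = virtualNetworkRule.id
+
+@description('The resource group of the deployed virtual network rule.')
+output resourceGroupName string = resourceGroup().name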
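Review bot: The `@description` on `ignoreMissingVnetServiceEndpoint` speaks of creating a firewall rule, but this module creates a `Microsoft.Sql/servers/virtualNetworkRules` resource, so the generated readme inherits the wrong noun and a reader may conflate it with the sibling `firewallRules` module. I would reword it to `@description('Optional. Allow creating the virtual network rule before the subnet has the vnet service endpoint enabled.')` and, once confirmed against the provider behaviour, note that the rule does not admit traffic from that subnet until the endpoint exists — the test parameters set this flag to `true`, which otherwise reads as if access were already granted. The `serverName` description calls the parameter conditional, yet it has no default, so every caller must supply it; if that wording is a repo-wide convention for child modules, fine, otherwise drop the conditional phrasing.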
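--- a/modules/Microsoft.Sql/servers/virtualNetworkRules/readme.md
+++ b/modules/Microsoft.Sql/servers/virtualNetworkRules/readme.md
@@ -0,0 +1,48 @@
+# Sql Servers VirtualNetworkRules `[Microsoft.Sql/servers/virtualNetworkRules]`
+
+This module deploys a Sql Server Virtual Network Rule.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+- [Cross-referenced modules](#Cross-referenced-modules)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Sql/servers/virtualNetworkRules` | [2022-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2022-02-01-preview/servers/virtualNetworkRules) |
+
+## Parameters
+
+**Required parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the Server Virtual Network Rule. |
+| `virtualNetworkSubnetId` | string | The resource ID of the virtual network subnet. |
+
+**Conditional parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `serverName` | string | The name of the parent SQL Server. Required if the template is used in a standalone deployment. |
+
+**Optional parameters**
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| `ignoreMissingVnetServiceEndpoint` | bool | `False` | Allow creating a firewall rule before the virtual network has vnet service endpoint enabled. |
+
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed virtual network rule. |
+| `resourceGroupName` | string | The resource group of the deployed virtual network rule. |
+| `resourceId` | string | The resource ID of the deployed virtual network rule. |
+
+## Cross-referenced modules
+
+_None_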
@@ -0,0 +1,4 @@
{
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
"version": "0.1"
}
