Merge pull request #2 from bennyaustin/iac-add-asql

Add ASQL contrlDB
bennyaustin · Sep 6, 2024 · 53b9f5e · 53b9f5e
2 parents 7318e28 + e668184
commit 53b9f5e
Show file tree

Hide file tree

Showing 3 changed files with 178 additions and 2 deletions.
diff --git a/iac/bicep/main.bicep b/iac/bicep/main.bicep
@@ -41,6 +41,7 @@ var fabric_deployment_name = 'fabric_dataplatform_deployment_${deployment_suffix
 var purview_deployment_name = 'purview_deployment_${deployment_suffix}'
 var keyvault_deployment_name = 'keyvault_deployment_${deployment_suffix}'
 var audit_deployment_name = 'audit_deployment_${deployment_suffix}'
+var controldb_deployment_name = 'controldb_deployment_${deployment_suffix}'
 
 // Create data platform resource group
 resource fabric_rg  'Microsoft.Resources/resourceGroups@2024-03-01' = {
@@ -138,6 +139,30 @@ module fabric_capacity './modules/fabric-capacity.bicep' = {
     cost_centre_tag: cost_centre_tag
     owner_tag: owner_tag
     sme_tag: sme_tag
-    adminUsers: ['[email protected]']
+    adminUsers: kv_ref.getSecret('fabric-capacity-admin-username')
+  }
+}
+
+//Deploy SQL control DB 
+module controldb './modules/sqldb.bicep' = {
+  name: controldb_deployment_name
+  scope: fabric_rg
+  params:{
+     sqlserver_name: 'ba-sql01'
+     database_name: 'controlDB' 
+     location: fabric_rg.location
+     cost_centre_tag: cost_centre_tag
+     owner_tag: owner_tag
+     sme_tag: sme_tag
+     sql_admin_username: kv_ref.getSecret('sqlserver-admin-username')
+     sql_admin_password: kv_ref.getSecret('sqlserver-admin-password')
+     ad_admin_username:  kv_ref.getSecret('sqlserver-ad-admin-username')
+     ad_admin_sid:  kv_ref.getSecret('sqlserver-ad-admin-sid')  
+     auto_pause_duration: 60
+     database_sku_name: 'GP_S_Gen5_1' 
+     enable_purview: enable_purview
+     purview_resource: purview.outputs.purview_resource
+     audit_storage_name: audit_integration.outputs.audit_storage_uniquename
+     auditrg: audit_rg.name
   }
 }
diff --git a/iac/bicep/modules/fabric-capacity.bicep b/iac/bicep/modules/fabric-capacity.bicep
@@ -34,7 +34,8 @@ param skuName string = 'F64'
 param skuTier string = 'Fabric'
 
 @description('The list of administrators for the Fabric Capacity instance.')
-param adminUsers array
+@secure()
+param adminUsers string
 
 
 // Variables

diff --git a/iac/bicep/modules/sqldb.bicep b/iac/bicep/modules/sqldb.bicep
@@ -0,0 +1,150 @@
+@description('Name of SQL Server')
+param sqlserver_name string
+
+@description('Name of Database')
+param database_name string
+
+@description('Azure Location SQL Server')
+param location string = resourceGroup().location
+
+@description('Cost Centre tag that will be applied to all resources in this deployment')
+param cost_centre_tag string
+
+@description('System Owner tag that will be applied to all resources in this deployment')
+param owner_tag string
+
+@description('Subject Matter Expert (SME) tag that will be applied to all resources in this deployment')
+param sme_tag string
+
+@description('SQL Server admin user name')
+@secure()
+param sql_admin_username string
+
+@description('SQL Server admin user name')
+@secure()
+param sql_admin_password string
+
+@description('AD server admin user name')
+@secure()
+param ad_admin_username string
+
+@description('SID (object ID) of the server administrator')
+@secure()
+param ad_admin_sid string
+
+@description('Database SKU name, e.g P3. For valid values, run this CLI az sql db list-editions -l australiaeast -o table')
+param database_sku_name string ='GP_S_Gen5_1'
+
+@description('Time in minutes after which database is automatically paused')
+param auto_pause_duration int =60
+
+@description('Flag to indicate whether to enable integration of data platform resources with either an existing or new Purview resource')
+param enable_purview bool
+
+@description('Resource Name of new or existing Purview Account. Specify a resource name if create_purview=true or enable_purview=true')
+param purview_resource object
+
+@description('Resource name of audit storage account.')
+param audit_storage_name string
+
+@description('Resource group of audit storage account is deployed')
+param auditrg string
+
+// Variables
+var suffix = uniqueString(resourceGroup().id)
+var sqlserver_unique_name = '${sqlserver_name}-${suffix}'
+
+// Deploy SQL Server
+resource sqlserver 'Microsoft.Sql/servers@2023-08-01-preview' ={
+  name: sqlserver_unique_name
+  location: location
+  tags: {
+    CostCentre: cost_centre_tag
+    Owner: owner_tag
+    SME: sme_tag
+    }
+  identity:{ type: 'SystemAssigned'}
+  properties: {
+    administratorLogin: sql_admin_username
+    administratorLoginPassword: sql_admin_password
+    administrators:{
+      administratorType: 'ActiveDirectory'
+      azureADOnlyAuthentication: false
+      login: ad_admin_username
+      sid: ad_admin_sid
+      principalType: 'User'
+      tenantId: subscription().tenantId
+    }
+    minimalTlsVersion: '1.2'
+
+  }
+}
+
+// Create firewall rule to Allow Azure services and resources to access this SQL Server
+resource allowAzure_Firewall 'Microsoft.Sql/servers/firewallRules@2021-11-01' ={
+  name: 'AllowAllWindowsAzureIps'
+  parent: sqlserver
+  properties:{
+    startIpAddress:'0.0.0.0'
+    endIpAddress: '0.0.0.0'
+  }
+}
+// Deploy database
+resource database 'Microsoft.Sql/servers/databases@2021-11-01' ={
+  name: database_name
+  location: location
+  tags: {
+    CostCentre: cost_centre_tag
+    Owner: owner_tag
+    SME: sme_tag
+    }
+  sku:{name: database_sku_name}
+  parent: sqlserver
+  properties: {
+    autoPauseDelay:auto_pause_duration
+  }
+}
+
+//Get Reference to audit storage account
+resource audit_storage_account 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
+  name: audit_storage_name
+  scope: resourceGroup(auditrg)
+}
+
+// Deploy audit diagnostics Azure SQL Server to storage account
+resource sqlserver_audit 'Microsoft.Sql/servers/auditingSettings@2023-08-01-preview' = {
+  name: 'default'
+  parent: sqlserver
+  properties: {
+    auditActionsAndGroups: ['BATCH_COMPLETED_GROUP','SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP','FAILED_DATABASE_AUTHENTICATION_GROUP']
+    isAzureMonitorTargetEnabled: true
+    isDevopsAuditEnabled: true
+    isManagedIdentityInUse: false
+    isStorageSecondaryKeyInUse: false
+    retentionDays: 90
+    state: 'Enabled'
+    storageAccountSubscriptionId: subscription().subscriptionId
+    storageEndpoint: audit_storage_account.properties.primaryEndpoints.blob
+    storageAccountAccessKey: audit_storage_account.listKeys().keys[0].value
+  }
+}
+//Role Assignment
+@description('This is the built-in Reader role. See https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor')
+resource readerRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
+  scope: subscription()
+  name: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+}
+
+
+resource grant_purview_reader_role 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (enable_purview){
+  name: guid(subscription().subscriptionId, sqlserver.name, readerRoleDefinition.id)
+  scope: sqlserver
+  properties: {
+    principalType: 'ServicePrincipal'
+    principalId: purview_resource.identity.principalId
+    roleDefinitionId: readerRoleDefinition.id
+  }
+}
+
+output sqlserver_uniquename string = sqlserver.name
+output database_name string = database.name