Deal with partial upgrades and docs updated

helderpinto · Sep 13, 2024 · c3984e5 · c3984e5
1 parent 93125b6
commit c3984e5
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 15 deletions.
diff --git a/docs/_optimize/optimization-engine/README.md b/docs/_optimize/optimization-engine/README.md
@@ -104,7 +104,7 @@ Once deployed and after all the initial ingestion and recommendations generation
 ## 📋 Requirements
 
 * A supported Azure subscription (see the [FAQ](./faq.md))
-* A user account with Owner permissions over the chosen subscription, so that the Automation Managed Identity is granted the required privileges over the subscription (Reader) and deployment resource group (Contributor)
+* A user account with Owner permissions over the chosen subscription, so that the Automation Managed Identity is granted the required privileges over the subscription (Reader) and deployment resource group (Storage Blob Data Contributor)
 * Azure Powershell 9.0.0+
 * (Optional, for Identity and RBAC governance) Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement PowerShell modules (version 2.4.0+)
 * (Optional, for Identity and RBAC governance) A user account with at least Privileged Role Administrator permissions over the Microsoft Entra tenant, so that the Managed Identity is granted the required privileges over Microsoft Entra ID (Global Reader)

diff --git a/docs/_resources/changelog.md b/docs/_resources/changelog.md
@@ -76,6 +76,14 @@ Legend:
 >
 > 1. Cost Management export modules for subscriptions and resource groups.
 
+🔍 Optimization engine
+{: .fs-5 .fw-500 .mt-4 mb-0 }
+
+> ✏️ Changed:
+>
+> 1. Improved Storage Account access security, replacing key-based authentication by Entra ID authentication.
+>
+
 <br><a name="latest"></a>
 
 ## 🪛 v0.5 Update 1

diff --git a/src/optimization-engine/Deploy-AzureOptimizationEngine.ps1 b/src/optimization-engine/Deploy-AzureOptimizationEngine.ps1
@@ -1113,6 +1113,18 @@ if ("Y", "y" -contains $continueInput) {
         Write-Host "Enabling Entra ID-only authentication in SQL Database..." -ForegroundColor Green
         Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName $sqlServerName -ResourceGroupName $resourceGroupName | Out-Null
     }
+
+    # Ensuring the Automation Account identity has the necessary permissions to access the Storage Account (needed for partial upgrades)
+    $sa = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
+    $auto = Get-AzAutomationAccount -Name $automationAccountName -ResourceGroupName $resourceGroupName
+    $spnId = $auto.Identity.PrincipalId
+    $storageBlobContributorRoleId = "ba92f5b4-2d11-453d-a403-e96b0029c9fe" # Storage Blob Data Contributor role
+    $roleAssignment = Get-AzRoleAssignment -ObjectId $spnId -Scope $sa.Id -ErrorAction SilentlyContinue
+    if (-not($roleAssignment) -or -not($roleAssignment.RoleDefinitionId -contains $storageBlobContributorRoleId))
+    {
+        Write-Host "Granting Storage Blob Data Contributor role to the Automation Account identity..." -ForegroundColor Green
+        New-AzRoleAssignment -ObjectId $spnId -RoleDefinitionId $storageBlobContributorRoleId -Scope $sa.Id | Out-Null
+    }
 
     #region Open SQL Server firewall rule
     if (-not($sqlServerName -like "*.database.*"))
@@ -1153,10 +1165,10 @@ if ("Y", "y" -contains $continueInput) {
         try {
 
             $azureSqlDomain = $cloudDetails.SqlDatabaseDnsSuffix.Substring(1)
-            $dbToken = Get-AzAccessToken -ResourceUrl "https://$azureSqlDomain/"
+            $dbToken = (Get-AzAccessToken -ResourceUrl "https://$azureSqlDomain/" -AsSecureString).Token | ConvertFrom-SecureString -AsPlainText
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $createTableQuery = Get-Content -Path "./model/loganalyticsingestcontrol-table.sql"
@@ -1168,7 +1180,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $initTableQuery = Get-Content -Path "./model/loganalyticsingestcontrol-initialize.sql"
@@ -1180,7 +1192,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $upgradeTableQuery = Get-Content -Path "./model/loganalyticsingestcontrol-upgrade.sql"
@@ -1192,7 +1204,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $createTableQuery = Get-Content -Path "./model/sqlserveringestcontrol-table.sql"
@@ -1204,7 +1216,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $initTableQuery = Get-Content -Path "./model/sqlserveringestcontrol-initialize.sql"
@@ -1216,7 +1228,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $createTableQuery = Get-Content -Path "./model/recommendations-table.sql"
@@ -1228,7 +1240,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $createTableQuery = Get-Content -Path "./model/recommendations-sp.sql"
@@ -1240,7 +1252,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $createTableQuery = Get-Content -Path "./model/filters-table.sql"
@@ -1252,7 +1264,7 @@ if ("Y", "y" -contains $continueInput) {
             $Conn.Close()
 
             $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$sqlServerEndpoint,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-            $Conn.AccessToken = $dbToken.Token
+            $Conn.AccessToken = $dbToken
             $Conn.Open() 
 
             $createUserQuery = (Get-Content -Path "./model/automation-user.sql").Replace("<automation-account-name>", $automationAccountName)

diff --git a/src/optimization-engine/Suppress-Recommendation.ps1 b/src/optimization-engine/Suppress-Recommendation.ps1
@@ -114,9 +114,9 @@ $connectionSuccess = $false
 do {
     $tries++
     try {
-        $dbToken = Get-AzAccessToken -ResourceUrl "https://$azureSqlDomain/"
+        $dbToken = Get-AzAccessToken -ResourceUrl "https://$azureSqlDomain/" -AsSecureString
         $Conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$databaseServer,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-        $Conn.AccessToken = $dbToken.Token
+        $Conn.AccessToken = $dbToken.Token | ConvertFrom-SecureString -AsPlainText
         $Conn.Open() 
         $Cmd=new-object system.Data.SqlClient.SqlCommand
         $Cmd.Connection = $Conn
@@ -261,9 +261,9 @@ if ("Y", "y" -contains $continueInput)
 
     $sqlStatement = "INSERT INTO [$suppressionsTable] VALUES (NEWID(), '$($controlRows.RecommendationSubTypeId)', '$suppressionType', $scope, GETDATE(), $endDate, '$author', '$notes', 1)"
 
-    $dbToken = Get-AzAccessToken -ResourceUrl "https://$azureSqlDomain/"
+    $dbToken = Get-AzAccessToken -ResourceUrl "https://$azureSqlDomain/" -AsSecureString
     $Conn2 = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$databaseServer,1433;Database=$databaseName;Encrypt=True;Connection Timeout=$SqlTimeout;") 
-    $Conn2.AccessToken = $dbToken.Token
+    $Conn2.AccessToken = $dbToken.Token | ConvertFrom-SecureString -AsPlainText
     $Conn2.Open() 
 
     $Cmd=new-object system.Data.SqlClient.SqlCommand