Merge pull request #4 from helderpinto/helderpinto/dev/aoe-sqlauth
Entra ID-based SQL authentication
helderpinto authored Jul 30, 2024
2 parents 6f5dafc + d206f8e commit d406130
Showing 43 changed files with 493 additions and 305 deletions.
2 changes: 2 additions & 0 deletions .all-contributorsrc
Expand Up @@ -159,6 +159,8 @@
"avatar_url": "https://avatars.githubusercontent.com/u/10661605?v=4",
"profile": "https://aka.ms/helderpinto",
"contributions": [
"code",
"review",
"doc",
"bug"
]
6 changes: 1 addition & 5 deletions .github/workflows/aoe-cd-dev.yml
Expand Up @@ -16,8 +16,6 @@ jobs:
runs-on: ubuntu-latest
env:
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AOE_SQL_ADMIN: ${{ secrets.AOE_SQL_ADMIN }}
AOE_SQL_PASSWD: ${{ secrets.AOE_SQL_PASSWD }}
AOE_LOCATION: ${{ secrets.AOE_LOCATION }}
AOE_NAMEPREFIX: ${{ secrets.AOE_NAMEPREFIX }}
steps:
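Review bot: The `AOE_SQL_ADMIN` and `AOE_SQL_PASSWD` entries dropped from `env:` leave two stored secrets that this workflow no longer reads. Suggest noting in the PR that both should be deleted from the repository or environment secrets once the three workflows are merged, and that the SQL password they held should be rotated or retired, so that a credential nothing uses any more does not stay stored.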
Expand Down Expand Up @@ -49,14 +47,12 @@ jobs:
"NamePrefix": "'"$AOE_NAMEPREFIX"'",
"WorkspaceReuse": "n",
"DeployWorkbooks": "y",
"SqlAdmin": "'"$AOE_SQL_ADMIN"'",
"SqlPass": "'"$AOE_SQL_PASSWD"'",
"TargetLocation": "'"$AOE_LOCATION"'",
"DeployBenefitsUsageDependencies": "n"
}' > ./src/optimization-engine/deploymentSettings.json
- name: Testing PowerShell script call
shell: pwsh
run: |
Set-Location ./src/optimization-engine
./Deploy-AzureOptimizationEngine.ps1 -SilentDeploymentSettingsPath ./deploymentSettings.json -TemplateUri "https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/src/optimization-engine/azuredeploy.bicep"
./Deploy-AzureOptimizationEngine.ps1 -SilentDeploymentSettingsPath ./deploymentSettings.json -TemplateUri "https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/src/optimization-engine/azuredeploy.bicep" -SqlAdminPrincipalType "Group" -SqlAdminPrincipalName ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_NAME }} -SqlAdminPrincipalObjectId ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_ID }}
- run: echo "🍏 This job's status is ${{ job.status }}."
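Review bot: In the new `Deploy-AzureOptimizationEngine.ps1` call, `-SqlAdminPrincipalName ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_NAME }}` and `-SqlAdminPrincipalObjectId ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_ID }}` are expanded into the pwsh script text unquoted. A group name containing a space would be split into two arguments, and any PowerShell metacharacters in the value would be parsed as script. Suggest mapping both secrets in the job's `env:` block, as the other `AOE_*` values are, and passing them quoted, for instance `-SqlAdminPrincipalName "$env:AOE_SQL_ADMIN_PRINCIPAL_NAME"`.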
6 changes: 1 addition & 5 deletions .github/workflows/aoe-cd-prod.yml
Expand Up @@ -16,8 +16,6 @@ jobs:
runs-on: ubuntu-latest
env:
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AOE_SQL_ADMIN: ${{ secrets.AOE_SQL_ADMIN }}
AOE_SQL_PASSWD: ${{ secrets.AOE_SQL_PASSWD }}
AOE_LOCATION: ${{ secrets.AOE_LOCATION }}
AOE_NAMEPREFIX: ${{ secrets.AOE_NAMEPREFIX }}
steps:
Expand Down Expand Up @@ -49,14 +47,12 @@ jobs:
"NamePrefix": "'"$AOE_NAMEPREFIX"'",
"WorkspaceReuse": "n",
"DeployWorkbooks": "y",
"SqlAdmin": "'"$AOE_SQL_ADMIN"'",
"SqlPass": "'"$AOE_SQL_PASSWD"'",
"TargetLocation": "'"$AOE_LOCATION"'",
"DeployBenefitsUsageDependencies": "n"
}' > ./src/optimization-engine/deploymentSettings.json
- name: Testing PowerShell script call
shell: pwsh
run: |
Set-Location ./src/optimization-engine
./Deploy-AzureOptimizationEngine.ps1 -SilentDeploymentSettingsPath ./deploymentSettings.json -TemplateUri "https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/src/optimization-engine/azuredeploy.bicep"
./Deploy-AzureOptimizationEngine.ps1 -SilentDeploymentSettingsPath ./deploymentSettings.json -TemplateUri "https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/src/optimization-engine/azuredeploy.bicep" -SqlAdminPrincipalType "Group" -SqlAdminPrincipalName ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_NAME }} -SqlAdminPrincipalObjectId ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_ID }}
- run: echo "🍏 This job's status is ${{ job.status }}."
6 changes: 1 addition & 5 deletions .github/workflows/aoe-cd-test.yml
Expand Up @@ -16,8 +16,6 @@ jobs:
runs-on: ubuntu-latest
env:
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AOE_SQL_ADMIN: ${{ secrets.AOE_SQL_ADMIN }}
AOE_SQL_PASSWD: ${{ secrets.AOE_SQL_PASSWD }}
AOE_LOCATION: ${{ secrets.AOE_LOCATION }}
AOE_NAMEPREFIX: ${{ secrets.AOE_NAMEPREFIX }}
steps:
Expand Down Expand Up @@ -49,14 +47,12 @@ jobs:
"NamePrefix": "'"$AOE_NAMEPREFIX"'",
"WorkspaceReuse": "n",
"DeployWorkbooks": "y",
"SqlAdmin": "'"$AOE_SQL_ADMIN"'",
"SqlPass": "'"$AOE_SQL_PASSWD"'",
"TargetLocation": "'"$AOE_LOCATION"'",
"DeployBenefitsUsageDependencies": "n"
}' > ./src/optimization-engine/deploymentSettings.json
- name: Testing PowerShell script call
shell: pwsh
run: |
Set-Location ./src/optimization-engine
./Deploy-AzureOptimizationEngine.ps1 -SilentDeploymentSettingsPath ./deploymentSettings.json -TemplateUri "https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/src/optimization-engine/azuredeploy.bicep"
./Deploy-AzureOptimizationEngine.ps1 -SilentDeploymentSettingsPath ./deploymentSettings.json -TemplateUri "https://raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/src/optimization-engine/azuredeploy.bicep" -SqlAdminPrincipalType "Group" -SqlAdminPrincipalName ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_NAME }} -SqlAdminPrincipalObjectId ${{ secrets.AOE_SQL_ADMIN_PRINCIPAL_ID }}
- run: echo "🍏 This job's status is ${{ job.status }}."
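Review bot: The script call at the end of this hunk duplicates, character for character, the ones in `aoe-cd-dev.yml` and `aoe-cd-prod.yml`, including the hard-coded `-SqlAdminPrincipalType "Group"`, so any later parameter change has to be made in three places. Suggest moving the deployment steps into one reusable workflow that the dev, test and prod workflows call with their own secrets.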
4 changes: 2 additions & 2 deletions docs/_optimize/optimization-engine/README.md
@@ -1,6 +1,6 @@
---
layout: default
title: Optimization Engine
title: Optimization engine
has_children: true
nav_order: 40
description: 'The Azure Optimization Engine (AOE) is an extensible solution designed to generate optimization recommendations for your Azure environment.'
Expand Down Expand Up @@ -105,7 +105,7 @@ Once deployed and after all the initial ingestion and recommendations generation

* A supported Azure subscription (see the [FAQ](./faq.md))
* A user account with Owner permissions over the chosen subscription, so that the Automation Managed Identity is granted the required privileges over the subscription (Reader) and deployment resource group (Contributor)
* Azure Powershell 6.6.0+
* Azure Powershell 9.0.0+
* (Optional, for Identity and RBAC governance) Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement PowerShell modules (version 2.4.0+)
* (Optional, for Identity and RBAC governance) A user account with at least Privileged Role Administrator permissions over the Microsoft Entra tenant, so that the Managed Identity is granted the required privileges over Microsoft Entra ID (Global Reader)
* (Optional, for Azure commitments insights) A user account with administrative privileges over the Enterprise Agreement (Enterprise Enrollment Administrator) or the Microsoft Customer Agreement (Billing Profile Owner), so that the Managed Identity is granted the required privileges over your consumption agreement
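Review bot: The prerequisite bump from `Azure Powershell 6.6.0+` to `9.0.0+` is given without a reason, and nothing in this hunk tells someone upgrading an existing deployment that their Az module may now be too old. Suggest a short note on what requires 9.0.0 (presumably the Entra ID SQL authentication change in this PR) and a mention of the new minimum in the upgrade instructions. While touching the line, the product name is spelled `Azure PowerShell`.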
@@ -1,6 +1,6 @@
---
layout: default
parent: Optimization Engine
parent: Optimization engine
title: Configuring workspaces
nav_order: 30
description: 'Include the VM performance logs available in your Log Analytics workspaces to get deeper insights and more accurate results.'
2 changes: 1 addition & 1 deletion docs/_optimize/optimization-engine/customize.md
@@ -1,6 +1,6 @@
---
layout: default
parent: Optimization Engine
parent: Optimization engine
title: Customizations
nav_order: 20
description: 'Customize the Azure Optimization Engine settings according to your organization requirements.'
2 changes: 1 addition & 1 deletion docs/_optimize/optimization-engine/faq.md
@@ -1,6 +1,6 @@
---
layout: default
parent: Optimization Engine
parent: Optimization engine
title: FAQ
nav_order: 60
description: 'All the frequently asked questions about AOE in one place.'
2 changes: 1 addition & 1 deletion docs/_optimize/optimization-engine/reports.md
@@ -1,6 +1,6 @@
---
layout: default
parent: Optimization Engine
parent: Optimization engine
title: Reports
nav_order: 10
description: 'Visualize the Azure Optimization Engine rich recommendations and insights.'
14 changes: 9 additions & 5 deletions docs/_optimize/optimization-engine/setup-options.md
@@ -1,6 +1,6 @@
---
layout: default
parent: Optimization Engine
parent: Optimization engine
title: Setup options
nav_order: 50
description: 'Advanced scenarios for setting up or upgrading AOE.'
Expand Down Expand Up @@ -57,16 +57,20 @@ An example of the content of such silent deployment file is:
"WorkspaceName": "<<ExistingName>>", // mandatory if WorkspaceReuse is set to 'n'
"WorkspaceResourceGroupName": "<<ExistingName>>", // mandatory if workspaceReuse is set to 'n'
"DeployWorkbooks": "y", // y = deploy the workbooks, n = don't deploy the workbooks
"SqlAdmin": "<<sqlaAdmin>>",
"SqlPass": "<<sqlPass>>",
"TargetLocation": "westeurope",
"DeployBenefitsUsageDependencies": "y", // deploy the dependencies for the Azure commitments workbooks (EA/MCA customers only + agreement administrator role required)
"CustomerType": "MCA", // mandatory if DeployBenefitsUsageDependencies is set to 'y', MCA/EA
"BillingAccountId": "<guid>:<guid>_YYYY-MM-DD", // mandatory if DeployBenefitsUsageDependencies is set to 'y', MCA or EA Billing Account ID
"BillingProfileId": "ABCD-DEF-GHI-JKL", // mandatory if CustomerType is set to 'MCA"
"CurrencyCode": "EUR" // mandatory if DeployBenefitsUsageDependencies is set to 'y'
}

}
```

When silently deploying AOE, which typically happens in automated continuous deployment workflows, you might want to leverage SQL Entra ID authentication
parameters, for example to grant the SQL administrator role to an Entra ID group having the workflow automation service principal as member. For example:

```powershell
.\Deploy-AzureOptimizationEngine.ps1 -SilentDeploymentSettingsPath "<path to deployment settings file>" -SqlAdminPrincipalType Group -SqlAdminPrincipalName "<Group Name>" -SqlAdminPrincipalObjectId "<Group Object GUID>"
```

## 🤝 Enabling Azure commitments workbooks
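Review bot: The added paragraph introduces `-SqlAdminPrincipalType`, `-SqlAdminPrincipalName` and `-SqlAdminPrincipalObjectId` through a single example and leaves their contract undocumented. It does not list the accepted values of `-SqlAdminPrincipalType` other than `Group`, or say which principal becomes SQL administrator when the three parameters are omitted in a silent deployment. Since `SqlAdmin` and `SqlPass` are removed from the sample settings file in the same hunk, it would also help to say whether those keys are ignored or rejected when an existing file still contains them. Minor: the sentence has a hard line break between "authentication" and "parameters", and "for example" appears twice in a row.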
@@ -1,6 +1,6 @@
---
layout: default
parent: Optimization Engine
parent: Optimization engine
title: Suppressing recommendations
nav_order: 40
description: 'Adjust the recommendations results to your environment characteristics.'