updated scripts locations and added headers (Azure#297)

.github/workflows/scheduled-azure-dev.yml

@@ -80,8 +80,8 @@ jobs:
 
       - name: QA - Validate Deployment
         run: |
-          chmod +x ./infra/validateDeployment.sh
-          ./infra/validateDeployment.sh -g ${{ secrets.AZURE_ENV_NAME }}scheduled-rg
+          chmod +x ./infra/deploymentScripts/validateDeployment.sh
+          ./infra/deploymentScripts/validateDeployment.sh -g ${{ secrets.AZURE_ENV_NAME }}scheduled-rg
 
   teardown:
     if: ${{ inputs.run_tear_down }}

.github/workflows/scheduled-azure-teardown.yml

@@ -48,5 +48,5 @@ jobs:
       - name: Purge App Configuration Service
         continue-on-error: true
         run: |
-          chmod +x ./infra/appConfigSvcPurge.sh
-          ./infra/appConfigSvcPurge.sh -g ${{ secrets.AZURE_ENV_NAME }}daily2-rg
+          chmod +x ./infra/deploymentScripts/appConfigSvcPurge.sh
+          ./infra/deploymentScripts/appConfigSvcPurge.sh -g ${{ secrets.AZURE_ENV_NAME }}daily2-rg

infra/azureRedisCache.bicep

@@ -130,7 +130,7 @@ resource makeRedisAccessibleForDevs 'Microsoft.Resources/deploymentScripts@2020-
     forceUpdateTag: uniqueScriptId
     azCliVersion: '2.37.0'
     retentionInterval: 'P1D'
-    scriptContent: loadTextContent('azureRedisCachePublicDevAccess.sh')
+    scriptContent: loadTextContent('./deploymentScripts/azureRedisCachePublicDevAccess.sh')
     arguments:' --subscription ${subscription().subscriptionId} --resource-group ${resourceGroup().name} --name ${redisCache.name}'
   }
 }

infra/azureSqlDatabase.bicep

@@ -51,7 +51,7 @@ resource allowSqlAdminScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
     retentionInterval: 'P1D'
     cleanupPreference: 'OnSuccess'
     arguments: '-SqlServerName \'${sqlServerName}\' -ResourceGroupName \'${resourceGroup().name}\''
-    scriptContent: loadTextContent('enableSqlAdminForServer.ps1')
+    scriptContent: loadTextContent('./deploymentScripts/enableSqlAdminForServer.ps1')
   }
 }
 
@@ -129,7 +129,7 @@ resource createSqlUserScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
     retentionInterval: 'P1D'
     cleanupPreference: 'OnSuccess'
     arguments: '-ServerName \'${sqlServer.name}\' -ResourceGroupName \'${resourceGroup().name}\' -ServerUri \'${sqlServer.properties.fullyQualifiedDomainName}\' -CatalogName \'${sqlCatalogName}\' -ApplicationId \'${managedIdentity.properties.principalId}\' -ManagedIdentityName \'${managedIdentity.name}\' -SqlAdminLogin \'${sqlAdministratorLogin}\' -SqlAdminPwd \'${sqlAdministratorPassword}\' -IsProd ${isProd ? '1' : '0'}'
-    scriptContent: loadTextContent('createSqlAcctForManagedIdentity.ps1')
+    scriptContent: loadTextContent('./deploymentScripts/createSqlAcctForManagedIdentity.ps1')
   }
   dependsOn:[
     sqlDatabase

infra/createAppRegistrations.ps1

@@ -1,19 +1,5 @@
 #Requires -Version 7.0
 
-# This script is part of the sample's workflow for configuring App Registrations
-# in Azure AD and saving the appropriate values in Key Vault, and Azure App Config Service
-# so that the application can authenticate users. Note that an app registration is
-# something you'll want to set up once, and reuse for every version of the web app
-# that you deploy. You can learn more about app registrations at
-# https://learn.microsoft.com/en-us/azure/active-directory/develop/application-model
-#
-# If you do not have permission to create App Registrations consider
-# sharing this script, or something similar, with your administrators to help them
-# set up the variables you need to integrate with Azure AD
-#
-# This code may be repurposed for your scenario as desired
-# but is not covered by the guidance in this content.
-
 <#
 .SYNOPSIS
     Creates two Azure AD app registrations for the reliable-web-app-pattern-dotnet

infra/deploymentScripts/createSqlAcctForManagedIdentity.ps1

@@ -0,0 +1,86 @@
+#Requires -Version 7.0
+
+<#
+.SYNOPSIS
+    Used to create Sql Account for Managed Identity
+.DESCRIPTION
+    Creates a new Sql Account for the Managed Identity service principal and grants account db_owner role
+
+    Also configures the Sql Database for AAD authentication only
+
+    NOTE: This script is not intended to be run from a local environment.
+    This script is run by azd during devOps deployment.
+    For the local environment version of this script, please see makeSqlUserAccount.ps1
+
+    This script provides a workflow to automatically configure the deployed Azure resources and make it easier to get
+    started. It is not intended as part of a recommended best practice as we do not recommend deploying Azure SQL
+    with network configurations that would allow a deployment script such as this to connect.
+
+    We recommend handling this one-time process as part of your SQL data migration process
+    More details can be found in our docs for Azure SQL server
+    https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cef%2Cdotnet
+
+    Assumes the service principal that will connect to SQL has been set as the Azure AD Admin
+    This was handled by the bicep templates
+    see https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#azure-portal
+.PARAMETER ServerName
+    A required parameter for the name of target Azure SQL Server.
+.PARAMETER ResourceGroupName
+    A required parameter for the name of resource group that contains the environment that was
+    created by the azd command.
+.PARAMETER ServerUri
+    A required parameter for the Uri of target Azure SQL Server.
+.PARAMETER CatalogName
+    A required parameter for the name the Azure SQL Database name used.
+.PARAMETER ApplicationId
+    A required parameter for the Managed Identity's Application ID used to generate its SID 
+    used for creating a user in SQL.
+.PARAMETER ManagedIdentityName
+    A required parameter for the name of Managed Identity that will be used.
+.PARAMETER SqlAdminLogin
+    A required parameter for the SQL Administrator Login used.
+.PARAMETER SqlAdminPwd
+    A required parameter for the SQL Administrator Password used.
+.PARAMETER IsProd
+    A required parameter indicating Production environment is being used.
+#>
+
+Param(
+  [Parameter(Mandatory = $true)][string]$ServerName,
+  [Parameter(Mandatory = $true)][string]$ResourceGroupName,
+  [Parameter(Mandatory = $true)][string]$ServerUri,
+  [Parameter(Mandatory = $true)][string]$CatalogName,
+  [Parameter(Mandatory = $true)][string]$ApplicationId,
+  [Parameter(Mandatory = $true)][string]$ManagedIdentityName,
+  [Parameter(Mandatory = $true)][string]$SqlAdminLogin,
+  [Parameter(Mandatory = $true)][string]$SqlAdminPwd,
+  [Parameter(Mandatory = $true)][bool]$IsProd
+)
+
+# Make Invoke-Sqlcmd available
+Install-Module -Name SqlServer -Force
+Import-Module -Name SqlServer
+
+# translate applicationId into SID
+[guid]$guid = [System.Guid]::Parse($ApplicationId)
+
+foreach ($byte in $guid.ToByteArray()) {
+  $byteGuid += [System.String]::Format("{0:X2}", $byte)
+}
+$Sid = "0x" + $byteGuid
+
+# Prepare SQL cmd to CREATE USER
+$CreateUserSQL = "IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'$ManagedIdentityName') create user [$ManagedIdentityName] with sid = $Sid, type = E;"
+
+# Connect as SQL Admin acct and execute SQL cmd
+Invoke-Sqlcmd -ServerInstance $ServerUri -database $CatalogName -Username $SqlAdminLogin -Password $SqlAdminPwd -Query $CreateUserSQL
+
+# Prepare SQL cmd to grant db_owner role
+$GrantDbOwner = "IF NOT EXISTS (SELECT * FROM sys.database_principals p JOIN sys.database_role_members db_owner_role ON db_owner_role.member_principal_id = p.principal_id JOIN sys.database_principals role_names ON role_names.principal_id = db_owner_role.role_principal_id AND role_names.[name] = 'db_owner' WHERE p.[name]=N'$ManagedIdentityName') ALTER ROLE db_owner ADD MEMBER [$ManagedIdentityName];"
+
+# Connect as SQL Admin acct and execute SQL cmd
+Invoke-Sqlcmd -ServerInstance $ServerUri -database $CatalogName -Username $SqlAdminLogin -Password $SqlAdminPwd -Query $GrantDbOwner
+
+# Restrict access to Azure AD users
+Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName $ServerName -ResourceGroupName $ResourceGroupName
+

infra/deploymentScripts/enableSqlAdminForServer.ps1

@@ -0,0 +1,40 @@
+#Requires -Version 7.0
+
+<#
+.SYNOPSIS
+    Used to enable Sql Authentication only for target Azure SQL Server
+.DESCRIPTION
+    Used to enable Sql Authentication only for target Azure SQL Server
+    
+    NOTE: This script is not intended to be run from a local environment.
+    This script is run by azd during devOps deployment. This script handles rolling back auth changes
+    that would block the createSqlAcctForManagedIdentity.ps1 scripts from connecting when run as a deploymentScript
+    https://github.com/Azure/reliable-web-app-pattern-dotnet/issues/224
+
+    This script provides a workflow to automatically configure the deployed Azure resources and make it easier to get
+    started. It is not intended as part of a recommended best practice as we do not recommend deploying Azure SQL
+    with network configurations that would allow a deployment script such as this to connect.
+
+.PARAMETER SqlServerName
+    A required parameter for the name of the Azure SQL Server instance.
+.PARAMETER ResourceGroupName
+    A required parameter for the name of resource group that contains the environment that was
+    created by the azd command.
+#>
+
+Param(
+    [Parameter(Mandatory = $true)][string]$SqlServerName,
+    [Parameter(Mandatory = $true)][string]$ResourceGroupName
+)
+
+# check if resource group exists
+if (!(Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
+    Exit
+}
+
+$DoesSqlServerExist = Get-AzResource -ResourceGroupName $ResourceGroupName -ODataQuery "ResourceType eq 'Microsoft.Sql/servers'"
+
+if ($DoesSqlServerExist) {
+    Write-Host "Disabling Ad only admin"
+    Disable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName $SqlServerName -ResourceGroupName $ResourceGroupName
+}

infra/validateDeployment.ps1 → infra/devOpsScripts/validateDeployment.ps1

@@ -1,28 +1,30 @@
-# This script is used by our QA process to ensure the quality of this sample it measures
-# characteristics of the deployment and will be modified as needed to explore intermittent issues
-
-# This engineering code may be repurposed for your scenario as desired
-# but is not covered by the guidance in this content.
+#Requires -Version 7.0
 
 <#
 .SYNOPSIS
-    Examines the web app that was deployed to identify any known issues and provide recommendations.
+  Examines the web app that was deployed to identify any known issues and provide recommendations.
 
-    <This command should only be run after using the azd command to deploy resources to Azure>
+  <This command should only be run after using the azd command to deploy resources to Azure>
 .DESCRIPTION
-    Use this command to examine your deployed settings and automatically find recommendations
-    that can help you troubleshoot issues that you may encounter.
+  Use this command to examine your deployed settings and automatically find recommendations
+  that can help you troubleshoot issues that you may encounter.
+
+  This script was created after identifying intermittent Azure deployment issues. Many
+  of which can be resolved by re-running 'azd provision' command.
 
-    This script was created after identifying intermittent Azure deployment issues. Many
-    of which can be resolved by re-running 'azd provision' command.
+  NOTE: This script is used by our QA process to ensure the quality of this sample it measures
+  characteristics of the deployment and will be modified as needed to explore intermittent issues
 
-    NOTE: This functionality assumes that the web app, app configuration service, and app
-    service have already been successfully deployed.
+  This engineering code may be repurposed for your scenario as desired
+  but is not covered by the guidance in this content.
+  
+  This functionality assumes that the web app, app configuration service, and app
+  service have already been successfully deployed.
 
 .PARAMETER ResourceGroupName
-    A required parameter for the name of resource group that contains the environment that was
-    created by the azd command. The cmdlet will populate the App Config Svc and Key
-    Vault services in this resource group with Azure AD app registration config data.
+  A required parameter for the name of resource group that contains the environment that was
+  created by the azd command. The cmdlet will populate the App Config Svc and Key
+  Vault services in this resource group with Azure AD app registration config data.
 #>
 
 Param(

infra/localDevScripts/addLocalIPToSqlFirewall.ps1

@@ -1,11 +1,4 @@
-# This script is part of the sample's workflow for giving developers access
-# to the resources that were deployed. Note that a better solution, beyond
-# the scope of this demo, would be to associate permissions based on
-# Azure AD groups so that all team members inherit access from Azure AD.
-# https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept
-#
-# This code may be repurposed for your scenario as desired
-# but is not covered by the guidance in this content.
+#Requires -Version 7.0
 
 <#
 .SYNOPSIS
@@ -18,7 +11,8 @@
     service have already been successfully deployed.
 
 .PARAMETER ResourceGroupName
-    Name of resource group containing the environment that was created by the azd command.
+    A required parameter for the name of resource group that contains the environment that was
+    created by the azd command.
 #>
 
 Param(

infra/localDevScripts/getSecretsForLocalDev.ps1

@@ -1,13 +1,4 @@
-# Does not require pwsh
-
-# This script is part of the sample's workflow for giving developers access
-# to the resources that were deployed. Note that a better solution, beyond
-# the scope of this demo, would be to associate permissions based on
-# Azure AD groups so that all team members inherit access from Azure AD.
-# https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept
-#
-# This code may be repurposed for your scenario as desired
-# but is not covered by the guidance in this content.
+#Requires -Version 7.0
 
 <#
 .SYNOPSIS

infra/localDevScripts/makeSqlUserAccount.ps1

@@ -1,14 +1,5 @@
 #Requires -Version 7.0
 
-# This script is part of the sample's workflow for giving developers access
-# to the resources that were deployed. Note that a better solution, beyond
-# the scope of this demo, would be to associate permissions based on
-# Azure AD groups so that all team members inherit access from Azure AD.
-# https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept
-#
-# This code may be repurposed for your scenario as desired
-# but is not covered by the guidance in this content.
-
 <#
 .SYNOPSIS
   Will make the SQL user account required to authenticate with Azure AD to Azure SQL Database.
@@ -17,7 +8,7 @@
 
   <This command should only be run after using the azd command to deploy resources to Azure>
 .PARAMETER ResourceGroupName
-    Name of resource group containing the environment that was created by the azd command..
+  Name of resource group containing the environment that was created by the azd command.
 #>
 
 Param(

known-issues.md

@@ -27,7 +27,7 @@ The following topics are intended to help readers with our most commonly reporte
 
     ```bash
     sed "s/$(printf '\r')\$//" -i ./infra/createAppRegistrations.sh
-    sed "s/$(printf '\r')\$//" -i ./infra/validateDeployment.sh
+    sed "s/$(printf '\r')\$//" -i ./infra/deploymentScripts/validateDeployment.sh
     sed "s/$(printf '\r')\$//" -i ./infra/localDevScripts/addLocalIPToSqlFirewall.sh
     sed "s/$(printf '\r')\$//" -i ./infra/localDevScripts/getSecretsForLocalDev.sh
     sed "s/$(printf '\r')\$//" -i ./infra/localDevScripts/makeSqlUserAccount.sh