Improve managed identity for sql server

Aspire.sln

@@ -1,4 +1,3 @@
-
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
 VisualStudioVersion = 17.0.31903.59
@@ -675,6 +674,14 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Aspire.Azure.Npgsql.EntityF
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Aspire.Components.Common.Tests", "tests\Aspire.Components.Common.Tests\Aspire.Components.Common.Tests.csproj", "{30950CEB-2232-F9FC-04FF-ADDCB8AC30A7}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "SqlServerScript", "SqlServerScript", "{02EA681E-C7D8-13C7-8484-4AC65E1B71E8}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AppHost1", "playground\SqlServerScript\AppHost1\AppHost1.csproj", "{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebApplication1", "playground\SqlServerScript\WebApplication1\WebApplication1.csproj", "{E79A95EA-08D9-9947-377D-6F2213B36E1B}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebApplication2", "playground\SqlServerScript\WebApplication2\WebApplication2.csproj", "{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -3961,6 +3968,42 @@ Global
 		{30950CEB-2232-F9FC-04FF-ADDCB8AC30A7}.Release|x64.Build.0 = Release|Any CPU
 		{30950CEB-2232-F9FC-04FF-ADDCB8AC30A7}.Release|x86.ActiveCfg = Release|Any CPU
 		{30950CEB-2232-F9FC-04FF-ADDCB8AC30A7}.Release|x86.Build.0 = Release|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Debug|x64.Build.0 = Debug|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Debug|x86.Build.0 = Debug|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Release|Any CPU.Build.0 = Release|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Release|x64.ActiveCfg = Release|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Release|x64.Build.0 = Release|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Release|x86.ActiveCfg = Release|Any CPU
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24}.Release|x86.Build.0 = Release|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Debug|x64.Build.0 = Debug|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Debug|x86.Build.0 = Debug|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Release|x64.ActiveCfg = Release|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Release|x64.Build.0 = Release|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Release|x86.ActiveCfg = Release|Any CPU
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B}.Release|x86.Build.0 = Release|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Debug|x64.Build.0 = Debug|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Debug|x86.Build.0 = Debug|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Release|Any CPU.Build.0 = Release|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Release|x64.ActiveCfg = Release|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Release|x64.Build.0 = Release|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Release|x86.ActiveCfg = Release|Any CPU
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -4285,6 +4328,10 @@ Global
 		{192747A2-9338-DECF-5C8C-28EB8E13829B} = {27381127-6C45-4B4C-8F18-41FF48DFE4B2}
 		{8FCA0CFA-7823-6A2F-342A-107A994915B0} = {C424395C-1235-41A4-BF55-07880A04368C}
 		{30950CEB-2232-F9FC-04FF-ADDCB8AC30A7} = {C424395C-1235-41A4-BF55-07880A04368C}
+		{02EA681E-C7D8-13C7-8484-4AC65E1B71E8} = {D173887B-AF42-4576-B9C1-96B9E9B3D9C0}
+		{3928CF69-B803-43A2-8AE5-5E29CB3E8D24} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
+		{E79A95EA-08D9-9947-377D-6F2213B36E1B} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
+		{554D72B3-F0B0-FB9A-67ED-BBDF55A6DE81} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {47DCFECF-5631-4BDE-A1EC-BE41E90F60C4}

playground/SqlServerScript/AppHost1/AppHost1.csproj

@@ -0,0 +1,24 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>$(DefaultTargetFramework)</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsAspireHost>true</IsAspireHost>
+    <UserSecretsId>f6d0abe5-33e8-4825-861a-35b3767a490b</UserSecretsId>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <AspireProjectOrPackageReference Include="Aspire.Hosting.Azure" />
+    <AspireProjectOrPackageReference Include="Aspire.Hosting.Azure.Sql" />
+    <AspireProjectOrPackageReference Include="Aspire.Hosting.AppHost" />
+    <AspireProjectOrPackageReference Include="Aspire.Hosting.Azure.AppContainers" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\WebApplication1\WebApplication1.csproj" />
+    <ProjectReference Include="..\WebApplication2\WebApplication2.csproj" />
+  </ItemGroup>
+
+</Project>

playground/SqlServerScript/AppHost1/Program.cs

@@ -0,0 +1,27 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Aspire.Hosting;
+using Azure.Provisioning.Sql;
+
+var builder = DistributedApplication.CreateBuilder(args);
+
+builder.AddAzureContainerAppEnvironment("env");
+
+var dbServer = builder.AddAzureSqlServer("mysqlserver")
+    .ConfigureInfrastructure(c =>
+    {
+        const string FREE_DB_SKU = "GP_S_Gen5_2";
+
+        foreach (var database in c.GetProvisionableResources().OfType<SqlDatabase>())
+        {
+            database.Sku = new SqlSku() { Name = FREE_DB_SKU };
+        }
+    });
+
+var todosDb = dbServer.AddDatabase("todosdb");
+
+builder.AddProject<Projects.WebApplication1>("api1").WithReference(todosDb).WaitFor(todosDb);
+builder.AddProject<Projects.WebApplication2>("api2").WithReference(todosDb).WaitFor(todosDb);
+
+builder.Build().Run();

playground/SqlServerScript/AppHost1/Properties/launchSettings.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:17077;http://localhost:15242",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "DOTNET_DASHBOARD_OTLP_ENDPOINT_URL": "https://localhost:21045",
+        "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL": "https://localhost:22270"
+      }
+    },
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:15242",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "DOTNET_DASHBOARD_OTLP_ENDPOINT_URL": "http://localhost:19139",
+        "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL": "http://localhost:20080"
+      }
+    }
+  }
+}

playground/SqlServerScript/AppHost1/api1-identity.module.bicep

@@ -0,0 +1,15 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+resource api1_identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: take('api1_identity-${uniqueString(resourceGroup().id)}', 128)
+  location: location
+}
+
+output id string = api1_identity.id
+
+output clientId string = api1_identity.properties.clientId
+
+output principalId string = api1_identity.properties.principalId
+
+output principalName string = api1_identity.name

playground/SqlServerScript/AppHost1/api1-roles-mysqlserver.module.bicep

@@ -0,0 +1,53 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+param mysqlserver_outputs_name string
+
+param principalName string
+
+param principalId string
+
+param mysqlserver_outputs_sqlserveradminname string
+
+resource mysqlserver 'Microsoft.Sql/servers@2021-11-01' existing = {
+  name: mysqlserver_outputs_name
+}
+
+resource sqlServerAdmin 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: mysqlserver_outputs_sqlserveradminname
+}
+
+resource script_81de323e2cb9c0ad 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  name: take('scriptdeecbcad${uniqueString(resourceGroup().id)}', 24)
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${sqlServerAdmin.id}': { }
+    }
+  }
+  kind: 'AzurePowerShell'
+  properties: {
+    scriptContent: '\$sqlServerFqdn = "\$env:DBSERVER"\r\n\$sqlDatabaseName = "\$env:DBNAME"\r\n\$username = "\$env:USERNAME"\r\n\$clientId = "\$env:CLIENTID"\r\n\r\n# Install SqlServer module\r\nInstall-Module -Name SqlServer -Force -AllowClobber -Scope CurrentUser\r\nImport-Module SqlServer\r\n\r\n\$sqlCmd = @"\r\nDECLARE @principal_name SYSNAME = \'\$username\';\r\nDECLARE @clientId UNIQUEIDENTIFIER = \'\$clientId\';\r\n\r\n-- Convert the guid to the right type\r\nDECLARE @castClientId NVARCHAR(MAX) = CONVERT(VARCHAR(MAX), CONVERT (VARBINARY(16), @clientId), 1);\r\n\r\n-- Construct command: CREATE USER [@principal_name] WITH SID = @castClientId, TYPE = E;\r\nDECLARE @cmd NVARCHAR(MAX) = N\'CREATE USER [\' + @principal_name + \'] WITH SID = \' + @castClientId + \', TYPE = E;\'\r\nEXEC (@cmd);\r\n\r\n-- Assign roles to the new user\r\nDECLARE @role1 NVARCHAR(MAX) = N\'ALTER ROLE db_datareader ADD MEMBER [\' + @principal_name + \']\';\r\nEXEC (@role1);\r\n\r\nDECLARE @role2 NVARCHAR(MAX) = N\'ALTER ROLE db_datawriter ADD MEMBER [\' + @principal_name + \']\';\r\nEXEC (@role2);\r\n"@\r\n# Note: the string terminator must not have whitespace before it, therefore it is not indented.\r\n\r\nWrite-Host \$sqlCmd\r\n\r\n\$connectionString = "Server=tcp:\${sqlServerFqdn},1433;Initial Catalog=\${sqlDatabaseName};Authentication=Active Directory Default;"\r\n\r\nInvoke-Sqlcmd -ConnectionString \$connectionString -Query \$sqlCmd'
+    azPowerShellVersion: '7.4'
+    retentionInterval: 'PT1H'
+    environmentVariables: [
+      {
+        name: 'DBNAME'
+        value: 'todosdb'
+      }
+      {
+        name: 'DBSERVER'
+        value: mysqlserver.properties.fullyQualifiedDomainName
+      }
+      {
+        name: 'USERNAME'
+        value: principalName
+      }
+      {
+        name: 'CLIENTID'
+        value: principalId
+      }
+    ]
+  }
+}

playground/SqlServerScript/AppHost1/api1.module.bicep

@@ -0,0 +1,90 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+param api1_identity_outputs_id string
+
+param api1_identity_outputs_clientid string
+
+param api1_containerport string
+
+param mysqlserver_outputs_sqlserverfqdn string
+
+param env_outputs_azure_container_apps_environment_default_domain string
+
+param env_outputs_azure_container_apps_environment_id string
+
+param env_outputs_azure_container_registry_endpoint string
+
+param env_outputs_azure_container_registry_managed_identity_id string
+
+param api1_containerimage string
+
+resource api1 'Microsoft.App/containerApps@2024-03-01' = {
+  name: 'api1'
+  location: location
+  properties: {
+    configuration: {
+      activeRevisionsMode: 'Single'
+      ingress: {
+        external: false
+        targetPort: api1_containerport
+        transport: 'http'
+      }
+      registries: [
+        {
+          server: env_outputs_azure_container_registry_endpoint
+          identity: env_outputs_azure_container_registry_managed_identity_id
+        }
+      ]
+    }
+    environmentId: env_outputs_azure_container_apps_environment_id
+    template: {
+      containers: [
+        {
+          image: api1_containerimage
+          name: 'api1'
+          env: [
+            {
+              name: 'OTEL_DOTNET_EXPERIMENTAL_OTLP_EMIT_EXCEPTION_LOG_ATTRIBUTES'
+              value: 'true'
+            }
+            {
+              name: 'OTEL_DOTNET_EXPERIMENTAL_OTLP_EMIT_EVENT_LOG_ATTRIBUTES'
+              value: 'true'
+            }
+            {
+              name: 'OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY'
+              value: 'in_memory'
+            }
+            {
+              name: 'ASPNETCORE_FORWARDEDHEADERS_ENABLED'
+              value: 'true'
+            }
+            {
+              name: 'HTTP_PORTS'
+              value: api1_containerport
+            }
+            {
+              name: 'ConnectionStrings__todosdb'
+              value: 'Server=tcp:${mysqlserver_outputs_sqlserverfqdn},1433;Encrypt=True;Authentication="Active Directory Default";Database=todosdb'
+            }
+            {
+              name: 'AZURE_CLIENT_ID'
+              value: api1_identity_outputs_clientid
+            }
+          ]
+        }
+      ]
+      scale: {
+        minReplicas: 1
+      }
+    }
+  }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${api1_identity_outputs_id}': { }
+      '${env_outputs_azure_container_registry_managed_identity_id}': { }
+    }
+  }
+}

playground/SqlServerScript/AppHost1/api2-identity.module.bicep

@@ -0,0 +1,15 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+resource api2_identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: take('api2_identity-${uniqueString(resourceGroup().id)}', 128)
+  location: location
+}
+
+output id string = api2_identity.id
+
+output clientId string = api2_identity.properties.clientId
+
+output principalId string = api2_identity.properties.principalId
+
+output principalName string = api2_identity.name

playground/SqlServerScript/AppHost1/api2-roles-mysqlserver.module.bicep

@@ -0,0 +1,53 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+param mysqlserver_outputs_name string
+
+param principalName string
+
+param principalId string
+
+param mysqlserver_outputs_sqlserveradminname string
+
+resource mysqlserver 'Microsoft.Sql/servers@2021-11-01' existing = {
+  name: mysqlserver_outputs_name
+}
+
+resource sqlServerAdmin 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: mysqlserver_outputs_sqlserveradminname
+}
+
+resource script_d4d29beaabeca77b 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  name: take('scriptddbeaabecab${uniqueString(resourceGroup().id)}', 24)
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${sqlServerAdmin.id}': { }
+    }
+  }
+  kind: 'AzurePowerShell'
+  properties: {
+    scriptContent: '\$sqlServerFqdn = "\$env:DBSERVER"\r\n\$sqlDatabaseName = "\$env:DBNAME"\r\n\$username = "\$env:USERNAME"\r\n\$clientId = "\$env:CLIENTID"\r\n\r\n# Install SqlServer module\r\nInstall-Module -Name SqlServer -Force -AllowClobber -Scope CurrentUser\r\nImport-Module SqlServer\r\n\r\n\$sqlCmd = @"\r\nDECLARE @principal_name SYSNAME = \'\$username\';\r\nDECLARE @clientId UNIQUEIDENTIFIER = \'\$clientId\';\r\n\r\n-- Convert the guid to the right type\r\nDECLARE @castClientId NVARCHAR(MAX) = CONVERT(VARCHAR(MAX), CONVERT (VARBINARY(16), @clientId), 1);\r\n\r\n-- Construct command: CREATE USER [@principal_name] WITH SID = @castClientId, TYPE = E;\r\nDECLARE @cmd NVARCHAR(MAX) = N\'CREATE USER [\' + @principal_name + \'] WITH SID = \' + @castClientId + \', TYPE = E;\'\r\nEXEC (@cmd);\r\n\r\n-- Assign roles to the new user\r\nDECLARE @role1 NVARCHAR(MAX) = N\'ALTER ROLE db_datareader ADD MEMBER [\' + @principal_name + \']\';\r\nEXEC (@role1);\r\n\r\nDECLARE @role2 NVARCHAR(MAX) = N\'ALTER ROLE db_datawriter ADD MEMBER [\' + @principal_name + \']\';\r\nEXEC (@role2);\r\n"@\r\n# Note: the string terminator must not have whitespace before it, therefore it is not indented.\r\n\r\nWrite-Host \$sqlCmd\r\n\r\n\$connectionString = "Server=tcp:\${sqlServerFqdn},1433;Initial Catalog=\${sqlDatabaseName};Authentication=Active Directory Default;"\r\n\r\nInvoke-Sqlcmd -ConnectionString \$connectionString -Query \$sqlCmd'
+    azPowerShellVersion: '7.4'
+    retentionInterval: 'PT1H'
+    environmentVariables: [
+      {
+        name: 'DBNAME'
+        value: 'todosdb'
+      }
+      {
+        name: 'DBSERVER'
+        value: mysqlserver.properties.fullyQualifiedDomainName
+      }
+      {
+        name: 'USERNAME'
+        value: principalName
+      }
+      {
+        name: 'CLIENTID'
+        value: principalId
+      }
+    ]
+  }
+}