From d8bb7fb5e15a9559ce6a60fe5a573bee1e946337 Mon Sep 17 00:00:00 2001
From: Justin Dearing
Date: Tue, 28 May 2019 19:37:29 -0400
Subject: [PATCH 1/7] Initial terraform code.
---
terraform/.gitignore | 34 ++++++++++++
terraform/main.tf | 128 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 162 insertions(+)
create mode 100644 terraform/.gitignore
create mode 100644 terraform/main.tf
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000..5590f2b
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1,34 @@
+# Created by https://www.gitignore.io/api/terraform
+# Edit at https://www.gitignore.io/?templates=terraform
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# End of https://www.gitignore.io/api/terraform
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..c651b17
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,128 @@
+data "azurerm_client_config" "current" {
+
+}
+
+output "tenant_id" {
+ value = "${data.azurerm_client_config.current.tenant_id}"
+}
+
+variable "resource_location" {
+ type = "string"
+ default = "East US"
+}
+
+variable "resource_names" {
+ type = "map"
+ default = {
+ "ApplicationInsights" = "AlwaysEncryptedSample"
+ "AppServicePlan" = "always-encrypted-sample-appserviceplan"
+ "ResourceGroup" = "AlwaysEncryptedSample"
+ "SqlServer" = "alwaysencryptedsample"
+ "SqlDatabase" = "AlwaysEncryptedSample"
+ "AppService" = "AlwaysEncryptedSampleWeb3"
+ "KeyVault" = "AlwaysEncryptedSampleKeyVault"
+ }
+
+}
+
+variable "sql_settings" {
+ type = "map"
+ default = {
+ "admin_login" = "essay"
+ "admin_password" = "lbDG62XZy6i3pL8aC%Lw%uY7RYLN8o3aG2XhaH8dM2wbu0NPCMo0R"
+ }
+}
+
+resource "azurerm_resource_group" "always_encrypted_sample" {
+ name = "${var.resource_names["ResourceGroup"]}"
+ location = "${var.resource_location}"
+}
+
+
+
+resource "azurerm_app_service_plan" "always_encrypted_sample" {
+ name = "${var.resource_names["AppServicePlan"]}"
+ location = "${azurerm_resource_group.always_encrypted_sample.location}"
+ resource_group_name = "${azurerm_resource_group.always_encrypted_sample.name}"
+ kind = "app"
+ sku {
+ tier = "Free"
+ size = "F1"
+ }
+}
+
+resource "azurerm_application_insights" "app_insights" {
+ name = "${var.resource_names["ApplicationInsights"]}"
+ resource_group_name = "${azurerm_resource_group.always_encrypted_sample.name}"
+ location = "${azurerm_resource_group.always_encrypted_sample.location}"
+ application_type = "Web"
+}
+
+output "instrumentation_key" {
+ value = "${azurerm_application_insights.app_insights.instrumentation_key}"
+}
+
+
+resource "azurerm_sql_server" "sql_server" {
+ name = "${var.resource_names["SqlServer"]}"
+ resource_group_name = "${azurerm_resource_group.always_encrypted_sample.name}"
+ location = "${azurerm_resource_group.always_encrypted_sample.location}"
+ version = "12.0"
+ administrator_login = "${var.sql_settings["admin_login"]}"
+ administrator_login_password = "${var.sql_settings["admin_password"]}"
+}
+
+resource "azurerm_sql_database" "sql_database" {
+ name = "${var.resource_names["SqlDatabase"]}"
+ resource_group_name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}"
+ location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}"
+ server_name = "${azurerm_sql_server.sql_server.*.name[0]}"
+ edition = "Standard"
+ create_mode = "Default"
+ # requested_service_objective_name = "S1"
+ # tags = "${local.tags}"
+}
+
+
+resource "azurerm_app_service" "web_3" {
+ name = "${var.resource_names["AppService"]}"
+ resource_group_name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}"
+ app_service_plan_id = "${azurerm_app_service_plan.always_encrypted_sample.id}"
+ location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}"
+ https_only = "true"
+ app_settings = {
+ APPINSIGHTS_INSTRUMENTATIONKEY = "${azurerm_application_insights.app_insights.instrumentation_key}"
+ }
+ site_config {
+ default_documents = [
+ "Default.htm",
+ "Default.html",
+ "Default.asp",
+ "index.htm",
+ "index.html",
+ "iisstart.htm",
+ "default.aspx",
+ "index.php",
+ "hostingstart.html",
+ ]
+ http2_enabled = false //TODO: figure out if enabling this helps anything
+ ftps_state = "Disabled"
+ use_32_bit_worker_process = true
+ }
+
+}
+
+
+resource "azurerm_key_vault" "always_encrypted_sample" {
+ name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}"
+ resource_group_name = "${var.resource_names["ResourceGroup"]}"
+ location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}"
+ tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+ sku {
+ name = "standard"
+ }
+}
+
+output "key_vault_uri" {
+ value = "${azurerm_key_vault.always_encrypted_sample.vault_uri}"
+}
From ace12cc5576d1c476b77c0875f6f916e10c23c0a Mon Sep 17 00:00:00 2001
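Review bot: The `sql_settings` default in `terraform/main.tf` commits the SQL Server administrator login and password in plain text, so anyone who can read the repository or its history holds the credential that `azurerm_sql_server.sql_server` is created with. Declare the password as its own variable with no default, `variable "sql_admin_password" { type = "string" }`, reference it as `administrator_login_password = "${var.sql_admin_password}"`, and supply the value at apply time through `TF_VAR_sql_admin_password`. The value already committed should be treated as exposed and changed on any server that was created with it. The `.gitignore` added in this patch ignores `*.tfstate`, which will still hold the password after an apply, but it deliberately leaves `.tfvars` files tracked, so a tfvars file carrying the secret would need its own ignore entry.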
From: Justin Dearing Date: Tue, 28 May 2019 23:15:50 -0400 Subject: [PATCH 2/7] We have a cert --- terraform/README.md | 16 ++++++++++ terraform/main.tf | 75 ++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 86 insertions(+), 5 deletions(-) create mode 100644 terraform/README.md diff --git a/terraform/README.md b/terraform/README.md new file mode 100644 index 0000000..f08b0e7 --- /dev/null +++ b/terraform/README.md @@ -0,0 +1,16 @@ +# Terraform support (experimental) + +## Overview + +This folder contains a terraform file to create an Azure Resource Group with all the necessary infrastructure to deploy the AlwaysEncryptedSample app to (in theory). + +## Creating the resource group + +```powershell +cd .\terraform\ +az login +az account set --subscription='SUBSCRIPTION_ID_I_WANT_TO_USE' +terraform init +terraform plan +terraform apply +``` diff --git a/terraform/main.tf b/terraform/main.tf index c651b17..7169ffc 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -21,9 +21,14 @@ variable "resource_names" { "SqlDatabase" = "AlwaysEncryptedSample" "AppService" = "AlwaysEncryptedSampleWeb3" "KeyVault" = "AlwaysEncryptedSampleKeyVault" + "ColumnCertificate" = "ColumnCertificate" } } +variable "certificate_cn" { + type = "string" + default = "CN=Always Encrypted Sample Cert" +} variable "sql_settings" { type = "map" @@ -38,8 +43,6 @@ resource "azurerm_resource_group" "always_encrypted_sample" { location = "${var.resource_location}" } - - resource "azurerm_app_service_plan" "always_encrypted_sample" { name = "${var.resource_names["AppServicePlan"]}" location = "${azurerm_resource_group.always_encrypted_sample.location}" @@ -70,6 +73,9 @@ resource "azurerm_sql_server" "sql_server" { version = "12.0" administrator_login = "${var.sql_settings["admin_login"]}" administrator_login_password = "${var.sql_settings["admin_password"]}" + lifecycle { + ignore_changes = [ "administrator_login_password" ] + } } resource "azurerm_sql_database" "sql_database" { 
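Review bot: The `lifecycle { ignore_changes = [ "administrator_login_password" ] }` block added to `azurerm_sql_server.sql_server` (hunk `@@ -70,6 +73,9 @@`) carries no comment, and its effect is that a later change to `var.sql_settings["admin_password"]` is never applied to the server. Because the password still comes from the default committed in `main.tf`, editing that value will not rotate the live credential; rotation has to happen outside Terraform. I would add a comment above the block, `# Password is applied at create time only; Terraform ignores later changes, so rotate it out of band.`, so a maintainer does not assume an apply rotates it. The resource body starts outside this hunk.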
@@ -79,7 +85,7 @@ resource "azurerm_sql_database" "sql_database" { server_name = "${azurerm_sql_server.sql_server.*.name[0]}" edition = "Standard" create_mode = "Default" - # requested_service_objective_name = "S1" + requested_service_objective_name = "S0" # tags = "${local.tags}" } @@ -109,10 +115,8 @@ resource "azurerm_app_service" "web_3" { ftps_state = "Disabled" use_32_bit_worker_process = true } - } - resource "azurerm_key_vault" "always_encrypted_sample" { name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" resource_group_name = "${var.resource_names["ResourceGroup"]}" @@ -121,6 +125,67 @@ resource "azurerm_key_vault" "always_encrypted_sample" { sku { name = "standard" } + access_policy { + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "" # TODO: Make this a variable + + certificate_permissions = [ + "create", "get" + ] + } +} + + +resource "azurerm_key_vault_certificate" "column_certificate" { + name = "${var.resource_names["ColumnCertificate"]}" + key_vault_id = "${azurerm_key_vault.always_encrypted_sample.id}" + + certificate_policy { + issuer_parameters { + name = "Self" + } + + key_properties { + exportable = false + key_size = 4096 + key_type = "RSA" + reuse_key = true #TODO: Can I make this false? + } + + #TODO We might want to auto renew if we are crazy. + /* + lifetime_action { + action { + action_type = "AutoRenew" + } + + trigger { + days_before_expiry = 30 + } + } + */ + secret_properties { + content_type = "application/x-pkcs12" + } + + x509_certificate_properties { + extended_key_usage = [ + "1.3.6.1.5.5.8.2.2", + "1.3.6.1.4.1.311.10.3.1" + ] + + key_usage = [ + "dataEncipherment", + ] + + subject_alternative_names { + dns_names = [ "${azurerm_sql_server.sql_server.fully_qualified_domain_name}" ] + } + + subject = "${var.certificate_cn}" + validity_in_months = 12 + } + } } output "key_vault_uri" { From 9dd640fefadd6f9d1fedc3a72a478e358bdc2aff Mon Sep 17 00:00:00 2001 
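Review bot: The second `extended_key_usage` entry in `azurerm_key_vault_certificate.column_certificate`, `"1.3.6.1.4.1.311.10.3.1"`, is the Microsoft Trust List Signing OID; the OID normally paired with `1.3.6.1.5.5.8.2.2` in Always Encrypted certificate examples is Key Recovery, `1.3.6.1.4.1.311.10.3.11`, so this looks like a dropped digit and should be confirmed against the certificate the sample app expects. Bare OIDs are hard to review, so each entry would benefit from a trailing comment, for example `"1.3.6.1.5.5.8.2.2", # IP security IKE intermediate` and `"1.3.6.1.4.1.311.10.3.11" # Key Recovery`. The enclosing `azurerm_key_vault` resource in the same hunk (`@@ -121,6 +125,67 @@`) starts outside it.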
From: Justin Dearing Date: Tue, 28 May 2019 23:19:25 -0400 Subject: [PATCH 3/7] Added cleanup notes. --- terraform/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/README.md b/terraform/README.md index f08b0e7..7c1f7b7 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -14,3 +14,7 @@ terraform init terraform plan terraform apply ``` + +## Cleaning up + +If you don't want to rack of charges then the command is `az group delete --name AlwaysEncryptedSample` From bf3a051d4ea9d6ab37c884964e497ea12f4c93fd Mon Sep 17 00:00:00 2001 From: Justin Dearing Date: Wed, 29 May 2019 14:57:31 -0400 Subject: [PATCH 4/7] Closer to working. --- terraform/README.md | 23 +++++++++++++++++++---- terraform/main.tf | 25 ++++++++++++++++++------- 2 files changed, 37 insertions(+), 11 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 7c1f7b7..a60d082 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -4,17 +4,32 @@ This folder contains a terraform file to create an Azure Resource Group with all the necessary infrastructure to deploy the AlwaysEncryptedSample app to (in theory). -## Creating the resource group +All thise commands assume you are in the `/terraform/` folder in the git repo. The best way to ensure you are there (assuming your terminals working directory is anywhere in the git repo) is `Join-Path -Path "$(git rev-parse --show-toplevel)" -childpath 'terraform' | Set-Location` + +## Howto + +### Creating the resource group ```powershell -cd .\terraform\ az login az account set --subscription='SUBSCRIPTION_ID_I_WANT_TO_USE' +# TODO: This line doesn't work and i need to fix +$env:TF_VAR_certificate_creator = $(az account show --query id -otsv) terraform init terraform plan terraform apply ``` -## Cleaning up +### Cleaning up + +If you don't want to rack of charges then the command is `az group delete --name AlwaysEncryptedSample`. You are also going to want to delete your terraform state (i.e. the `terraform.tfstate` file, hereafter referred to as tfstate) after deleting the reource grouns as your next `terraform apply` will fail otherwise. The tfstate associates the terraform objects in your `.tf` files with the guid identifiers of the azure resources. I haven't looked to hard into the details, but the script as is can't create everything from scratch if there is an existing tfstate. Therefore you probably want to do the following: + +```powershell +az group delete --name AlwaysEncryptedSample +Remove-Item -Path .\terraform.tfstate +Remove-Item -Path .\terraform.tfstate.backup +``` + +## Further directions -If you don't want to rack of charges then the command is `az group delete --name AlwaysEncryptedSample` +* I'd like t0 store the state in Azure cloud storage and just be smarter about things. diff --git a/terraform/main.tf b/terraform/main.tf index 7169ffc..24790eb 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -11,6 +11,11 @@ variable "resource_location" { default = "East US" } +variable "certificate_creator" { + type = "string" + default = "" +} + variable "resource_names" { type = "map" default = { @@ -86,7 +91,6 @@ resource "azurerm_sql_database" "sql_database" { edition = "Standard" create_mode = "Default" requested_service_objective_name = "S0" - # tags = "${local.tags}" } @@ -117,6 +121,13 @@ resource "azurerm_app_service" "web_3" { } } +/* +output "web_3_service_principle_id" { + value = "${azurerm_app_service.web_3.identity.0.principal_id}" +} +*/ + + resource "azurerm_key_vault" "always_encrypted_sample" { name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" resource_group_name = "${var.resource_names["ResourceGroup"]}" @@ -125,16 +136,20 @@ resource "azurerm_key_vault" "always_encrypted_sample" { sku { name = "standard" } + access_policy { tenant_id = "${data.azurerm_client_config.current.tenant_id}" - object_id = "" # TODO: Make this a variable + object_id = "${var.certificate_creator}" certificate_permissions = [ - "create", "get" + "create", "get" # Terraform needs get to make the cert, probably to check its existance ] } } +output "key_vault_uri" { + value = "${azurerm_key_vault.always_encrypted_sample.vault_uri}" +} resource "azurerm_key_vault_certificate" "column_certificate" { name = "${var.resource_names["ColumnCertificate"]}" @@ -187,7 +202,3 @@ resource "azurerm_key_vault_certificate" "column_certificate" { } } } - -output "key_vault_uri" { - value = "${azurerm_key_vault.always_encrypted_sample.vault_uri}" -} From 2690ed45b0c9873300eebacd73d2230f814250ed Mon Sep 17 00:00:00 2001 From: Justin Dearing Date: Sat, 1 Jun 2019 08:40:29 -0400 Subject: [PATCH 5/7] Indenting the terraform file. --- terraform/main.tf | 100 +++++++++++++++++++++++----------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 24790eb..ac1ec1f 100644 --- a/terraform/main.tf 
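Review bot: `variable "certificate_creator"` defaults to the empty string, so an apply without `TF_VAR_certificate_creator` set still reaches the `access_policy` of `azurerm_key_vault.always_encrypted_sample` with `object_id = ""` (hunk `@@ -125,16 +136,20 @@`), which is the state the removed TODO described. Dropping the default, `variable "certificate_creator" { type = "string" }`, makes Terraform ask for the value instead of submitting a policy with no principal. A `description` on the variable saying it is the Azure AD object ID that receives certificate `create` and `get` on the vault would also help, because the README line that sets it is marked as not working in this same patch.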
+++ b/terraform/main.tf @@ -1,4 +1,4 @@ -data "azurerm_client_config" "current" { +data "azurerm_client_config" "current" { } 
@@ -7,52 +7,52 @@ output "tenant_id" { } variable "resource_location" { - type = "string" + type = "string" default = "East US" } variable "certificate_creator" { - type = "string" + type = "string" default = "" } variable "resource_names" { - type = "map" - default = { - "ApplicationInsights" = "AlwaysEncryptedSample" - "AppServicePlan" = "always-encrypted-sample-appserviceplan" - "ResourceGroup" = "AlwaysEncryptedSample" - "SqlServer" = "alwaysencryptedsample" - "SqlDatabase" = "AlwaysEncryptedSample" - "AppService" = "AlwaysEncryptedSampleWeb3" - "KeyVault" = "AlwaysEncryptedSampleKeyVault" - "ColumnCertificate" = "ColumnCertificate" - } + type = "map" + default = { + "ApplicationInsights" = "AlwaysEncryptedSample" + "AppServicePlan" = "always-encrypted-sample-appserviceplan" + "ResourceGroup" = "AlwaysEncryptedSample" + "SqlServer" = "alwaysencryptedsample" + "SqlDatabase" = "AlwaysEncryptedSample" + "AppService" = "AlwaysEncryptedSampleWeb3" + "KeyVault" = "AlwaysEncryptedSampleKeyVault" + "ColumnCertificate" = "ColumnCertificate" + } } variable "certificate_cn" { - type = "string" + type = "string" default = "CN=Always Encrypted Sample Cert" } variable "sql_settings" { type = "map" default = { - "admin_login" = "essay" + "admin_login" = "essay" "admin_password" = "lbDG62XZy6i3pL8aC%Lw%uY7RYLN8o3aG2XhaH8dM2wbu0NPCMo0R" } } resource "azurerm_resource_group" "always_encrypted_sample" { - name = "${var.resource_names["ResourceGroup"]}" - location = "${var.resource_location}" + name = "${var.resource_names["ResourceGroup"]}" + location = "${var.resource_location}" } resource "azurerm_app_service_plan" "always_encrypted_sample" { name = "${var.resource_names["AppServicePlan"]}" location = "${azurerm_resource_group.always_encrypted_sample.location}" resource_group_name = "${azurerm_resource_group.always_encrypted_sample.name}" - kind = "app" + kind = "app" sku { tier = "Free" size = "F1" 
@@ -72,39 +72,39 @@ output "instrumentation_key" { resource "azurerm_sql_server" "sql_server" { - name = "${var.resource_names["SqlServer"]}" - resource_group_name = "${azurerm_resource_group.always_encrypted_sample.name}" - location = "${azurerm_resource_group.always_encrypted_sample.location}" - version = "12.0" - administrator_login = "${var.sql_settings["admin_login"]}" - administrator_login_password = "${var.sql_settings["admin_password"]}" - lifecycle { - ignore_changes = [ "administrator_login_password" ] - } + name = "${var.resource_names["SqlServer"]}" + resource_group_name = "${azurerm_resource_group.always_encrypted_sample.name}" + location = "${azurerm_resource_group.always_encrypted_sample.location}" + version = "12.0" + administrator_login = "${var.sql_settings["admin_login"]}" + administrator_login_password = "${var.sql_settings["admin_password"]}" + lifecycle { + ignore_changes = ["administrator_login_password"] + } } resource "azurerm_sql_database" "sql_database" { - name = "${var.resource_names["SqlDatabase"]}" - resource_group_name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" - location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}" - server_name = "${azurerm_sql_server.sql_server.*.name[0]}" - edition = "Standard" - create_mode = "Default" + name = "${var.resource_names["SqlDatabase"]}" + resource_group_name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" + location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}" + server_name = "${azurerm_sql_server.sql_server.*.name[0]}" + edition = "Standard" + create_mode = "Default" requested_service_objective_name = "S0" } resource "azurerm_app_service" "web_3" { - name = "${var.resource_names["AppService"]}" - resource_group_name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" - app_service_plan_id = "${azurerm_app_service_plan.always_encrypted_sample.id}" - location = 
"${azurerm_resource_group.always_encrypted_sample.*.location[0]}" - https_only = "true" + name = "${var.resource_names["AppService"]}" + resource_group_name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" + app_service_plan_id = "${azurerm_app_service_plan.always_encrypted_sample.id}" + location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}" + https_only = "true" app_settings = { APPINSIGHTS_INSTRUMENTATIONKEY = "${azurerm_application_insights.app_insights.instrumentation_key}" } site_config { - default_documents = [ + default_documents = [ "Default.htm", "Default.html", "Default.asp", @@ -115,8 +115,8 @@ resource "azurerm_app_service" "web_3" { "index.php", "hostingstart.html", ] - http2_enabled = false //TODO: figure out if enabling this helps anything - ftps_state = "Disabled" + http2_enabled = false //TODO: figure out if enabling this helps anything + ftps_state = "Disabled" use_32_bit_worker_process = true } } @@ -129,10 +129,10 @@ output "web_3_service_principle_id" { resource "azurerm_key_vault" "always_encrypted_sample" { - name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" - resource_group_name = "${var.resource_names["ResourceGroup"]}" - location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}" - tenant_id = "${data.azurerm_client_config.current.tenant_id}" + name = "${azurerm_resource_group.always_encrypted_sample.*.name[0]}" + resource_group_name = "${var.resource_names["ResourceGroup"]}" + location = "${azurerm_resource_group.always_encrypted_sample.*.location[0]}" + tenant_id = "${data.azurerm_client_config.current.tenant_id}" sku { name = "standard" } @@ -152,7 +152,7 @@ output "key_vault_uri" { } resource "azurerm_key_vault_certificate" "column_certificate" { - name = "${var.resource_names["ColumnCertificate"]}" + name = "${var.resource_names["ColumnCertificate"]}" key_vault_id = "${azurerm_key_vault.always_encrypted_sample.id}" certificate_policy { 
@@ -167,8 +167,8 @@ resource "azurerm_key_vault_certificate" "column_certificate" { reuse_key = true #TODO: Can I make this false? } - #TODO We might want to auto renew if we are crazy. - /* + #TODO We might want to auto renew if we are crazy. + /* lifetime_action { action { action_type = "AutoRenew" @@ -194,7 +194,7 @@ resource "azurerm_key_vault_certificate" "column_certificate" { ] subject_alternative_names { - dns_names = [ "${azurerm_sql_server.sql_server.fully_qualified_domain_name}" ] + dns_names = ["${azurerm_sql_server.sql_server.fully_qualified_domain_name}"] } subject = "${var.certificate_cn}" From 56aa8b97904303d861e6a16d96feead3045492d2 Mon Sep 17 00:00:00 2001 From: Justin Dearing Date: Sat, 1 Jun 2019 21:02:15 -0400 Subject: [PATCH 6/7] FInally we have some terrraform. --- terraform/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index a60d082..739ce9a 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -13,8 +13,7 @@ All thise commands assume you are in the `/terraform/` folder in the git repo. T ```powershell az login az account set --subscription='SUBSCRIPTION_ID_I_WANT_TO_USE' -# TODO: This line doesn't work and i need to fix -$env:TF_VAR_certificate_creator = $(az account show --query id -otsv) +$env:TF_VAR_certificate_creator = $(az ad signed-in-user show --query objectId --otsv) terraform init terraform plan terraform apply From eb411e4bff1329617dd67858e90e0a7968b86c5a Mon Sep 17 00:00:00 2001 From: Justin Dearing Date: Wed, 21 Aug 2019 23:00:00 -0400 Subject: [PATCH 7/7] Tweak appvayor.yml and add to solution --- AlwaysEncryptedSample.sln | 1 + appveyor.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/AlwaysEncryptedSample.sln b/AlwaysEncryptedSample.sln index 3911587..515806f 100644 --- a/AlwaysEncryptedSample.sln +++ b/AlwaysEncryptedSample.sln 
@@ -11,6 +11,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution ProjectSection(SolutionItems) = preProject .gitattributes = .gitattributes .gitignore = .gitignore + appveyor.yml = appveyor.yml Invoke-EncryptColumns.ps1 = Invoke-EncryptColumns.ps1 License.md = License.md New-EncryptionKeys.ps1 = New-EncryptionKeys.ps1 diff --git a/appveyor.yml b/appveyor.yml index d21f4df..e50a2c7 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -29,7 +29,7 @@ environment: SQL_SERVER_COLUMN_CERTIFICATE: AlwaysEncryptedSampleCMK matrix: - {} -services: +services: - mssql2016 nuget: # This might be causing a hang.