Changed roleassignment logic

Author: Pavan-Microsoft

infra/create-sql-user-and-role.bicep

@@ -31,34 +31,32 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-
   name: managedIdentityName
 }
 
-resource createSqlUserAndRole 'Microsoft.Resources/deploymentScripts@2023-08-01' = [
-  for databaseRole in databaseRoles: {
-    name: 'sqlUserRole-${guid(principalId, databaseRole, sqlServerName, sqlDatabaseName)}'
-    location: location
-    tags: tags
-    kind: 'AzurePowerShell'
-    identity: {
-      type: 'UserAssigned'
-      userAssignedIdentities: {
-        '${managedIdentity.id}': {}
-      }
-    }
-    properties: {
-      forceUpdateTag: uniqueScriptId
-      azPowerShellVersion: '7.2'
-      retentionInterval: 'PT1H'
-      cleanupPreference: 'OnSuccess'
-      arguments: join(
-        [
-          '-SqlServerName \'${sqlServerName}\''
-          '-SqlDatabaseName \'${sqlDatabaseName}\''
-          '-ClientId \'${principalId}\''
-          '-DisplayName \'${principalName}\''
-          '-DatabaseRole \'${databaseRole}\''
-        ],
-        ' '
-      )
-      scriptContent: loadTextContent('./scripts/add_user_scripts/create-sql-user-and-role.ps1')
+resource createSqlUserAndRole 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  name: 'sqlUserRole-${guid(principalId, sqlServerName, sqlDatabaseName)}'
+  location: location
+  tags: tags
+  kind: 'AzurePowerShell'
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
     }
   }
-]
+  properties: {
+    forceUpdateTag: uniqueScriptId
+    azPowerShellVersion: '7.2'
+    retentionInterval: 'PT1H'
+    cleanupPreference: 'OnSuccess'
+    arguments: join(
+      [
+        '-SqlServerName \'${sqlServerName}\''
+        '-SqlDatabaseName \'${sqlDatabaseName}\''
+        '-ClientId \'${principalId}\''
+        '-DisplayName \'${principalName}\''
+        '-DatabaseRoles \'${join(databaseRoles, ',')}\''
+      ],
+      ' '
+    )
+    scriptContent: loadTextContent('./scripts/add_user_scripts/create-sql-user-and-role.ps1')
+  }
+}

infra/main.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.36.177.2456",
-      "templateHash": "2040642101386319700"
+      "templateHash": "15970509425891056575"
     }
   },
   "parameters": {
@@ -2454,7 +2454,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.36.177.2456",
-              "templateHash": "14904292388458610103"
+              "templateHash": "11761603685152215086"
             }
           },
           "parameters": {
@@ -2609,7 +2609,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.36.177.2456",
-                      "templateHash": "12065007697995808067"
+                      "templateHash": "15963212505186290885"
                     }
                   },
                   "parameters": {
@@ -2677,7 +2677,7 @@
                     }
                   },
                   "variables": {
-                    "$fxv#0": "#Requires -Version 7.2\r\n\r\n<#\r\n.SYNOPSIS\r\n    Creates a SQL user and assigns the user account to one or more roles.\r\n\r\n.DESCRIPTION\r\n    During an application deployment, the managed identity (and potentially the developer identity)\r\n    must be added to the SQL database as a user and assigned to one or more roles. This script\r\n    accomplishes this task using the owner-managed identity for authentication.\r\n\r\n.PARAMETER SqlServerName\r\n    The name of the Azure SQL Server resource.\r\n\r\n.PARAMETER SqlDatabaseName\r\n    The name of the Azure SQL Database where the user will be created.\r\n\r\n.PARAMETER ClientId\r\n    The Client (Principal) ID (GUID) of the identity to be added.\r\n\r\n.PARAMETER DisplayName\r\n    The Object (Principal) display name of the identity to be added.\r\n\r\n.PARAMETER DatabaseRole\r\n    The database role that should be assigned to the user (e.g., db_datareader, db_datawriter, db_owner).\r\n#>\r\n\r\nParam(\r\n    [string] $SqlServerName,\r\n    [string] $SqlDatabaseName,\r\n    [string] $ClientId,\r\n    [string] $DisplayName,\r\n    [string] $DatabaseRole\r\n)\r\n\r\n# Using specific version of SqlServer module to avoid issues with newer versions\r\n$SqlServerModuleVersion = \"22.3.0\"\r\n\r\nfunction Resolve-Module($moduleName) {\r\n    # If module is imported; say that and do nothing\r\n    if (Get-Module | Where-Object { $_.Name -eq $moduleName }) {\r\n        Write-Debug \"Module $moduleName is already imported\"\r\n    } elseif (Get-Module -ListAvailable | Where-Object { $_.Name -eq $moduleName }) {\r\n        Import-Module $moduleName\r\n    } elseif (Find-Module -Name $moduleName | Where-Object { $_.Name -eq $moduleName }) {\r\n        # Use specific version for SqlServer\r\n        if ($ModuleName -eq \"SqlServer\") {\r\n            Install-Module -Name $ModuleName -RequiredVersion $SqlServerModuleVersion -Force -Scope CurrentUser\r\n        } else {\r\n            Install-Module -Name $ModuleName -Force\r\n        }\r\n        Import-Module $moduleName\r\n    } else {\r\n        Write-Error \"Module $moduleName not found\"\r\n        [Environment]::exit(1)\r\n    }\r\n}\r\n\r\n###\r\n### MAIN SCRIPT\r\n###\r\nResolve-Module -moduleName Az.Resources\r\nResolve-Module -moduleName SqlServer\r\n\r\n$sql = @\"\r\nDECLARE @username nvarchar(max) = N'$($DisplayName)';\r\nDECLARE @clientId uniqueidentifier = '$($ClientId)';\r\nDECLARE @sid NVARCHAR(max) = CONVERT(VARCHAR(max), CONVERT(VARBINARY(16), @clientId), 1);\r\nDECLARE @cmd NVARCHAR(max) = N'CREATE USER [' + @username + '] WITH SID = ' + @sid + ', TYPE = E;';\r\nIF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = @username)\r\nBEGIN\r\n    EXEC(@cmd)\r\nEND\r\nEXEC sp_addrolemember '$($DatabaseRole)', @username;\r\n\"@\r\n\r\nWrite-Output \"`nSQL:`n$($sql)`n`n\"\r\n\r\n$token = (Get-AzAccessToken -AsSecureString -ResourceUrl https://database.windows.net/).Token\r\n$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token)\r\ntry {\r\n    $serverInstance = if ($SqlServerName -like \"*.database.windows.net\") {  \r\n        $SqlServerName  \r\n    } else {  \r\n        \"$SqlServerName.database.windows.net\"  \r\n    }\r\n    $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)\r\n    Invoke-Sqlcmd -ServerInstance $serverInstance -Database $SqlDatabaseName -AccessToken $plaintext -Query $sql -ErrorAction 'Stop'\r\n} finally {\r\n    # The following line ensures that sensitive data is not left in memory.\r\n    $plainText = [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)\r\n}"
+                    "$fxv#0": "#Requires -Version 7.2\r\n\r\n<#\r\n.SYNOPSIS\r\n    Creates a SQL user and assigns the user account to one or more roles.\r\n\r\n.DESCRIPTION\r\n    During an application deployment, the managed identity (and potentially the developer identity)\r\n    must be added to the SQL database as a user and assigned to one or more roles. This script\r\n    accomplishes this task using the owner-managed identity for authentication.\r\n\r\n.PARAMETER SqlServerName\r\n    The name of the Azure SQL Server resource.\r\n\r\n.PARAMETER SqlDatabaseName\r\n    The name of the Azure SQL Database where the user will be created.\r\n\r\n.PARAMETER ClientId\r\n    The Client (Principal) ID (GUID) of the identity to be added.\r\n\r\n.PARAMETER DisplayName\r\n    The Object (Principal) display name of the identity to be added.\r\n\r\n.PARAMETER DatabaseRoles\r\n    A comma-separated string of database roles to assign (e.g., 'db_datareader,db_datawriter')\r\n#>\r\n\r\nParam(\r\n    [string] $SqlServerName,\r\n    [string] $SqlDatabaseName,\r\n    [string] $ClientId,\r\n    [string] $DisplayName,\r\n    [string] $DatabaseRoles\r\n)\r\n\r\n# Using specific version of SqlServer module to avoid issues with newer versions\r\n$SqlServerModuleVersion = \"22.3.0\"\r\n\r\nfunction Resolve-Module($moduleName) {\r\n    # If module is imported; say that and do nothing\r\n    if (Get-Module | Where-Object { $_.Name -eq $moduleName }) {\r\n        Write-Debug \"Module $moduleName is already imported\"\r\n    } elseif (Get-Module -ListAvailable | Where-Object { $_.Name -eq $moduleName }) {\r\n        Import-Module $moduleName\r\n    } elseif (Find-Module -Name $moduleName | Where-Object { $_.Name -eq $moduleName }) {\r\n        # Use specific version for SqlServer\r\n        if ($ModuleName -eq \"SqlServer\") {\r\n            Install-Module -Name $ModuleName -RequiredVersion $SqlServerModuleVersion -Force -Scope CurrentUser\r\n        } else {\r\n            Install-Module -Name $ModuleName -Force\r\n        }\r\n        Import-Module $moduleName\r\n    } else {\r\n        Write-Error \"Module $moduleName not found\"\r\n        [Environment]::exit(1)\r\n    }\r\n}\r\n\r\n###\r\n### MAIN SCRIPT\r\n###\r\nResolve-Module -moduleName Az.Resources\r\nResolve-Module -moduleName SqlServer\r\n\r\n# Split comma-separated roles into an array\r\n$roleArray = $DatabaseRoles -split ','\r\n\r\n$roleSql = \"\"\r\nforeach ($role in $roleArray) {\r\n    $trimmedRole = $role.Trim()\r\n    $roleSql += \"EXEC sp_addrolemember N'$trimmedRole', N'$DisplayName';`n\"\r\n}\r\n\r\n$sql = @\"\r\nDECLARE @username nvarchar(max) = N'$($DisplayName)';\r\nDECLARE @clientId uniqueidentifier = '$($ClientId)';\r\nDECLARE @sid NVARCHAR(max) = CONVERT(VARCHAR(max), CONVERT(VARBINARY(16), @clientId), 1);\r\nDECLARE @cmd NVARCHAR(max) = N'CREATE USER [' + @username + '] WITH SID = ' + @sid + ', TYPE = E;';\r\nIF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = @username)\r\nBEGIN\r\n    EXEC(@cmd)\r\nEND\r\n$($roleSql)\r\n\"@\r\n\r\nWrite-Output \"`nSQL:`n$($sql)`n`n\"\r\n\r\n$token = (Get-AzAccessToken -AsSecureString -ResourceUrl https://database.windows.net/).Token\r\n$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token)\r\ntry {\r\n    $serverInstance = if ($SqlServerName -like \"*.database.windows.net\") {  \r\n        $SqlServerName  \r\n    } else {  \r\n        \"$SqlServerName.database.windows.net\"  \r\n    }\r\n    $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)\r\n    Invoke-Sqlcmd -ServerInstance $serverInstance -Database $SqlDatabaseName -AccessToken $plaintext -Query $sql -ErrorAction 'Stop'\r\n} finally {\r\n    # The following line ensures that sensitive data is not left in memory.\r\n    $plainText = [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)\r\n}"
                   },
                   "resources": {
                     "managedIdentity": {
@@ -2687,13 +2687,9 @@
                       "name": "[parameters('managedIdentityName')]"
                     },
                     "createSqlUserAndRole": {
-                      "copy": {
-                        "name": "createSqlUserAndRole",
-                        "count": "[length(parameters('databaseRoles'))]"
-                      },
                       "type": "Microsoft.Resources/deploymentScripts",
                       "apiVersion": "2023-08-01",
-                      "name": "[format('sqlUserRole-{0}', guid(parameters('principalId'), parameters('databaseRoles')[copyIndex()], parameters('sqlServerName'), parameters('sqlDatabaseName')))]",
+                      "name": "[format('sqlUserRole-{0}', guid(parameters('principalId'), parameters('sqlServerName'), parameters('sqlDatabaseName')))]",
                       "location": "[parameters('location')]",
                       "tags": "[parameters('tags')]",
                       "kind": "AzurePowerShell",
@@ -2708,7 +2704,7 @@
                         "azPowerShellVersion": "7.2",
                         "retentionInterval": "PT1H",
                         "cleanupPreference": "OnSuccess",
-                        "arguments": "[join(createArray(format('-SqlServerName ''{0}''', parameters('sqlServerName')), format('-SqlDatabaseName ''{0}''', parameters('sqlDatabaseName')), format('-ClientId ''{0}''', parameters('principalId')), format('-DisplayName ''{0}''', parameters('principalName')), format('-DatabaseRole ''{0}''', parameters('databaseRoles')[copyIndex()])), ' ')]",
+                        "arguments": "[join(createArray(format('-SqlServerName ''{0}''', parameters('sqlServerName')), format('-SqlDatabaseName ''{0}''', parameters('sqlDatabaseName')), format('-ClientId ''{0}''', parameters('principalId')), format('-DisplayName ''{0}''', parameters('principalName')), format('-DatabaseRoles ''{0}''', join(parameters('databaseRoles'), ','))), ' ')]",
                         "scriptContent": "[variables('$fxv#0')]"
                       }
                     }

infra/scripts/add_user_scripts/create-sql-user-and-role.ps1

@@ -21,16 +21,16 @@
 .PARAMETER DisplayName
     The Object (Principal) display name of the identity to be added.
 
-.PARAMETER DatabaseRole
-    The database role that should be assigned to the user (e.g., db_datareader, db_datawriter, db_owner).
+.PARAMETER DatabaseRoles
+    A comma-separated string of database roles to assign (e.g., 'db_datareader,db_datawriter')
 #>
 
 Param(
     [string] $SqlServerName,
     [string] $SqlDatabaseName,
     [string] $ClientId,
     [string] $DisplayName,
-    [string] $DatabaseRole
+    [string] $DatabaseRoles
 )
 
 # Using specific version of SqlServer module to avoid issues with newer versions
@@ -62,6 +62,15 @@ function Resolve-Module($moduleName) {
 Resolve-Module -moduleName Az.Resources
 Resolve-Module -moduleName SqlServer
 
+# Split comma-separated roles into an array
+$roleArray = $DatabaseRoles -split ','
+
+$roleSql = ""
+foreach ($role in $roleArray) {
+    $trimmedRole = $role.Trim()
+    $roleSql += "EXEC sp_addrolemember N'$trimmedRole', N'$DisplayName';`n"
+}
+
 $sql = @"
 DECLARE @username nvarchar(max) = N'$($DisplayName)';
 DECLARE @clientId uniqueidentifier = '$($ClientId)';
@@ -71,7 +80,7 @@ IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = @username)
 BEGIN
     EXEC(@cmd)
 END
-EXEC sp_addrolemember '$($DatabaseRole)', @username;
+$($roleSql)
 "@
 
 Write-Output "`nSQL:`n$($sql)`n`n"