Improve Always Encrypted Demos

Author: Pietervanhove

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/setup/azuredeploy.bicep

@@ -14,6 +14,7 @@ param userName string
 @description('The username of the Azure SQL database server administrator for SQL authentication.')
 param sqlAdminUserName string
 
+@secure()
 @description('The password of the Azure SQL database server administrator for SQL authentication.')
 param sqlAdminPassword string
 
@@ -29,9 +30,9 @@ param location string = resourceGroup().location
 ////////////////////////////////////////////
 
 // Create the server
-var SQLServerName_var = '${projectName}server'
-resource Server_Name_resource 'Microsoft.Sql/servers@2022-05-01-preview' = {
-  name: SQLServerName_var
+var SQLServerName = '${projectName}server'
+resource Server_Name_resource 'Microsoft.Sql/servers@2023-02-01-preview' = {
+  name: SQLServerName
   location: location
   tags: {}
   identity: {
@@ -47,41 +48,43 @@ resource Server_Name_resource 'Microsoft.Sql/servers@2022-05-01-preview' = {
 }
 
 // Allow Azure services and resources to access this server
-resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/AllowAllWindowsAzureIps'
+resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'AllowAllWindowsAzureIps'
   properties: {
     endIpAddress: '0.0.0.0'
     startIpAddress: '0.0.0.0'
   }
 }
 
 // Allow Client IP to access this server
-resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/AllowClientIP'
+resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'AllowClientIP'
   properties: {
     endIpAddress: clientIP
     startIpAddress: clientIP
   }
 }
 
 // Make the user an Azure AD administrator for the server, so that the user can connect with universal authentication
-resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/activeDirectory'
+resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'activeDirectory'
   properties: {
     administratorType: 'ActiveDirectory'
     login: userName
-    //sid: reference(resourceId('Microsoft.Sql/servers', '${projectName}server'), '2019-06-01-preview', 'Full').identity.principalId
     sid: userObjectId
-    //tenantId: AAD_TenantId //optional
-  }
+    }
 }
 
 //////////////////////////////////////////////////////////////////////////////
 // Create the ContosoHR database using the DC-series hardware configuration //
 //////////////////////////////////////////////////////////////////////////////
 
-resource Database_Resource 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/ContosoHR'
+resource Database_Resource 'Microsoft.Sql/servers/databases@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'ContosoHR'
   location: location
   tags: {}
   sku: {
@@ -96,18 +99,18 @@ resource Database_Resource 'Microsoft.Sql/servers/databases@2022-05-01-preview'
 ///////////////////////////////////////
 
 // Create the attestation provider
-resource attestationProviderName_resource 'Microsoft.Attestation/attestationProviders@2021-06-01-preview' = {
-  name: '${projectName}attest'
+resource attestationProviderName 'Microsoft.Attestation/attestationProviders@2021-06-01' = {
+  name: '${projectName}attestation'
   location: location
   properties: {}
 }
 
 ///////////////////////////////////
 // Configure the web application //
 ///////////////////////////////////
-
+var sqlServerSuffix = environment().suffixes.sqlServerHostname
 // Create an App Service plan
-resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-03-01' = {
+resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-09-01' = {
   name: '${projectName}plan'
  location: location
  properties: {}
@@ -117,7 +120,7 @@ resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-03-01' = {
 }
 
 // Create the App Service
-resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
+resource WebApp_Resource 'Microsoft.Web/sites@2022-09-01' = {
   name: '${projectName}app'
   location: location
   identity: {
@@ -132,7 +135,7 @@ resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
   name: 'connectionstrings'
   properties: {
     ContosoHRDatabase: {
-      value: 'Server=tcp:${Server_Name_resource.name}.database.windows.net;Database=ContosoHR;Column Encryption Setting=Enabled; Attestation Protocol = AAS; Enclave Attestation Url=${attestationProviderName_resource.properties.attestUri}; Authentication=Active Directory Managed Identity'
+      value: 'Server=tcp:${Server_Name_resource.name}${sqlServerSuffix};Database=ContosoHR;Column Encryption Setting=Enabled; Attestation Protocol = AAS; Enclave Attestation Url=${attestationProviderName.properties.attestUri}; Authentication=Active Directory Managed Identity'
       type: 'SQLAzure'
     }
   }
@@ -147,8 +150,9 @@ resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
 }
 
  // Deploy the application
-resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {
-  name: '${projectName}app/web'
+ resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-09-01' = {
+  parent: WebApp_Resource
+  name: 'web'
   properties: {
     repoUrl: 'https://github.com/microsoft/sql-server-samples.git'
     branch: 'master'
@@ -164,7 +168,7 @@ resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {
 //////////////////////////////////////
 
 // Create a key vault and assign key permissions to the user, so that the user can manage the keys
-resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2022-07-01' = {
+resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2023-02-01' = {
   name: '${projectName}vault'
   location: location
   tags: {}
@@ -197,7 +201,7 @@ resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2022-07-01' = {
 }
 
 // Assign key permissions to the web app
-resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
+resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
   name: any('${KeyVault_Resource.name}/add')
   properties: {
     accessPolicies: [
@@ -218,8 +222,9 @@ resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPo
 }
 
 // Create a key
-resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
-  name: '${KeyVault_Resource.name}/CMK'
+resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
+  parent: KeyVault_Resource
+  name: 'CMK'
   tags: {}
   properties: {
     attributes: {

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/setup/setup.ps1

@@ -1,5 +1,5 @@
-Import-Module "Az" -MinimumVersion "9.3"
-Import-Module "SqlServer" #-Version "22.0.49-preview"
+Import-Module "Az"
+Import-Module "SqlServer"
 
 ######################################################################
 # Prompt the user to enter the values of deployment parameters
@@ -10,9 +10,9 @@ $subscriptionId = Read-Host -Prompt "Enter your subscription id"
 $location = Read-Host -Prompt "Enter a region where you want to deploy the demo environment"
 $sqlAdminUserName = Read-Host -Prompt "Enter the username of the Azure SQL database server administrator for SQL authentication"
 $sqlAdminPasswordSecureString = Read-Host -Prompt "Enter the password of the Azure SQL database server administrator for SQL authentication" -AsSecureString
-
+$Secure_String_Pwd = ConvertTo-SecureString $sqlAdminPasswordSecureString -AsPlainText -Force
 $sqlAdminPassword = (New-Object PSCredential "user",$sqlAdminPasswordSecureString).GetNetworkCredential().Password
-$clientIP = (Invoke-WebRequest ifconfig.me/ip).Content.Trim()
+$clientIP = (Invoke-WebRequest http://ipinfo.io/ip).Content.Trim()
 $bicepFile = "azuredeploy.bicep"
 $projectName = $projectName.ToLower()
 
@@ -42,7 +42,7 @@ New-AzResourceGroupDeployment `
   -userObjectId $userObjectId `
   -userName $userName `
   -sqlAdminUserName $sqlAdminUserName `
-  -sqlAdminPassword $sqlAdminPassword `
+  -sqlAdminPassword $Secure_String_Pwd `
   -clientIP $clientIP
 
 ######################################################################
@@ -105,7 +105,7 @@ $keyName = "CMK"
 $key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName
 
 # Connect to the database using the SqlServer PowerShell module
-$connStr = "Data Source=tcp:$serverName;Initial Catalog=$databaseName;User ID=$sqlAdminUserName;Password=$sqlAdminPassword"
+$connStr = "Data Source=tcp:$serverName;Initial Catalog=$databaseName;User ID=$sqlAdminUserName;Password=$sqlAdminPasswordSecureString"
 $database = Get-SqlDatabase -ConnectionString $connStr
 
 # Sign in to Azure with your email address using the SqlServer PowerShell module

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-vbs/setup/setup.ps1

@@ -35,7 +35,6 @@ New-AzResourceGroup -Name $resourceGroupName -Location $location
 # Deploy the resources for the demo environment
 ######################################################################
 
-
 New-AzResourceGroupDeployment `
   -ResourceGroupName $resourceGroupName `
   -TemplateFile $bicepFile `
@@ -106,7 +105,7 @@ $keyName = "CMK"
 $key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName
 
 # Connect to the database using the SqlServer PowerShell module
-$connStr = "Data Source=tcp:$serverName;Initial Catalog=$databaseName;User ID=$sqlAdminUserName;Password=$sqlAdminPassword"
+$connStr = "Data Source=tcp:$serverName;Initial Catalog=$databaseName;User ID=$sqlAdminUserName;Password=$sqlAdminPasswordSecureString"
 $database = Get-SqlDatabase -ConnectionString $connStr
 
 # Sign in to Azure with your email address using the SqlServer PowerShell module