|
1 | | -@description('Azure AD administrator login for SQL Server (user or group UPN)') |
2 | | -param sqlAadAdminLogin string = '' |
3 | | - |
4 | | -@description('Azure AD administrator objectId for SQL Server (user or group objectId)') |
5 | | -param sqlAadAdminObjectId string = '' |
6 | | - |
7 | | -@description('Azure AD tenantId for SQL Server') |
8 | | -param sqlAadAdminTenantId string = '' |
9 | 1 | // -------------------------------------------------------------------------------------- |
10 | 2 | // CELL Layer Module |
11 | 3 | // - Deploys isolated application/data resources for a single CELL |
@@ -37,6 +29,9 @@ param storageAccountName string |
37 | 29 | @description('Name for the Key Vault for this CELL/Stamp') |
38 | 30 | param keyVaultName string |
39 | 31 |
|
| 32 | +@description('Optional salt to ensure unique resource names for repeated deployments (e.g., date, initials, or random chars)') |
| 33 | +param salt string = '' |
| 34 | + |
40 | 35 | @description('Name for the Cosmos DB account for this CELL/Stamp') |
41 | 36 | param cosmosDbStampName string |
42 | 37 |
|
@@ -343,7 +338,7 @@ resource storageLifecyclePolicy 'Microsoft.Storage/storageAccounts/managementPol |
343 | 338 |
|
344 | 339 | // Key Vault for CELL with security hardening |
345 | 340 | resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = { |
346 | | - name: keyVaultName |
| 341 | + name: empty(salt) ? keyVaultName : '${keyVaultName}${salt}' |
347 | 342 | location: location |
348 | 343 | properties: { |
349 | 344 | sku: { |
@@ -422,7 +417,7 @@ resource sqlEncryptionKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' = { |
422 | 417 |
|
423 | 418 | // Diagnostic settings for Key Vault |
424 | 419 | resource keyVaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = { |
425 | | - name: '${keyVaultName}-diagnostics' |
| 420 | + name: empty(salt) ? '${keyVaultName}-diagnostics' : '${keyVaultName}${salt}-diagnostics' |
426 | 421 | scope: keyVault |
427 | 422 | properties: { |
428 | 423 | workspaceId: globalLogAnalyticsWorkspaceId |
@@ -487,15 +482,15 @@ resource sqlPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = if |
487 | 482 |
|
488 | 483 | // Private endpoint for Key Vault |
489 | 484 | resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = if (enablePrivateEndpoints && !empty(privateEndpointSubnetId)) { |
490 | | - name: '${keyVaultName}-pe' |
| 485 | + name: empty(salt) ? '${keyVaultName}-pe' : '${keyVaultName}${salt}-pe' |
491 | 486 | location: location |
492 | 487 | properties: { |
493 | 488 | subnet: { |
494 | 489 | id: privateEndpointSubnetId |
495 | 490 | } |
496 | 491 | privateLinkServiceConnections: [ |
497 | 492 | { |
498 | | - name: '${keyVaultName}-psc' |
| 493 | + name: empty(salt) ? '${keyVaultName}-psc' : '${keyVaultName}${salt}-psc' |
499 | 494 | properties: { |
500 | 495 | privateLinkServiceId: keyVault.id |
501 | 496 | groupIds: ['vault'] |
@@ -749,27 +744,17 @@ resource sqlServer 'Microsoft.Sql/servers@2022-11-01-preview' = { |
749 | 744 | identity: { |
750 | 745 | type: 'SystemAssigned' |
751 | 746 | } |
752 | | - // Note: Only AAD admin is configured to comply with AAD-only authentication policy. |
| 747 | + // Note: Only SQL admin login is configured. AAD-only authentication is NOT enabled by default. |
753 | 748 | properties: { |
| 749 | + administratorLogin: sqlAdminUsername |
| 750 | + administratorLoginPassword: sqlAdminPassword |
754 | 751 | version: '12.0' |
755 | 752 | // Security hardening |
756 | 753 | minimalTlsVersion: '1.2' |
757 | 754 | publicNetworkAccess: 'Disabled' |
758 | 755 | } |
759 | 756 | } |
760 | 757 |
|
761 | | -// Azure AD administrator for SQL Server (required for AAD-only authentication) |
762 | | -resource sqlServerAadAdmin 'Microsoft.Sql/servers/administrators@2022-11-01-preview' = if (!empty(sqlAadAdminObjectId) && !empty(sqlAadAdminLogin) && !empty(sqlAadAdminTenantId)) { |
763 | | - name: 'activeDirectory' |
764 | | - parent: sqlServer |
765 | | - properties: { |
766 | | - administratorType: 'ActiveDirectory' |
767 | | - login: sqlAadAdminLogin |
768 | | - sid: sqlAadAdminObjectId |
769 | | - tenantId: sqlAadAdminTenantId |
770 | | - } |
771 | | -} |
772 | | - |
773 | 758 | // SQL Server firewall rule is not created because public network access is disabled. |
774 | 759 | // If you enable public access, add a conditional firewall rule accordingly. |
775 | 760 |
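Review bot: The new `administratorLoginPassword: sqlAdminPassword` line (new side 750) switches the server to SQL password authentication while the same hunk deletes the conditional `sqlServerAadAdmin` resource, so an Azure AD administrator can no longer be assigned at all, even though that child resource was already gated on non-empty parameters and cost nothing to keep; consider retaining the `administrators` resource and its three parameters as optional alongside the SQL login so AAD can still be configured where a tenant requires it. The `sqlAdminUsername`/`sqlAdminPassword` declarations are outside these hunks, and `sqlAdminPassword` should be declared with `@secure()` so the value is not persisted in deployment history or logs — please confirm. The comment at new line 747 would be more useful if it stated the consequence, e.g. `// Note: SQL login auth is enabled and no AAD admin is set; azureADOnlyAuthentication is not enforced.`; the `sqlServer` resource begins outside the hunk. Separately, the salt hunks append `salt` to `keyVaultName` with no length or character check, and Key Vault names are limited to 24 characters, so an `@maxLength()` on `salt` or a `take()` on the combined name would avoid a deployment-time validation failure.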
|
|