Updated ADF templates to reuse existing SQL Server

Author: alrios-ms

Deployment/Deploy-Resources.ps1

@@ -537,6 +537,8 @@ function Set-SQLServerPermissions {
         [Parameter(Mandatory = $true)]
         [string]$ConnectionString,
         [Parameter(Mandatory = $true)]
+        [string]$ConnectionStringADF,
+        [Parameter(Mandatory = $true)]
         [string]$ComputeResourceGroup,
         [Parameter(Mandatory = $true)]
         [string]$DataResourceGroup
@@ -587,11 +589,20 @@ function Set-SQLServerPermissions {
         $roleCommand.Dispose()
     }
 
+    $connection.Close()
+
+    # ADF Permissions
     $dataFactoryName = "$SolutionAbbreviation-data-$EnvironmentAbbreviation-adf"
     $dataFactory = Get-AzDataFactoryV2 -ResourceGroupName $DataResourceGroup -Name $dataFactoryName -ErrorAction SilentlyContinue
+    $functionAppsADF = $functionApps | Where-Object { $_.Name -match "-webapi" -or $_.Name -match "-SqlMembershipObtainer"}
 
     if($null -ne $dataFactory) {
 
+        $connectionADF = New-Object System.Data.SqlClient.SqlConnection
+        $connectionADF.ConnectionString = $ConnectionStringADF
+        $connectionADF.AccessToken = $sqlToken
+        $connectionADF.Open()
+
         $dataFactorySqlScript = "IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'$dataFactoryName')
         BEGIN
             CREATE USER [$dataFactoryName] FROM EXTERNAL PROVIDER
@@ -602,13 +613,30 @@ function Set-SQLServerPermissions {
 
         Write-Host "Granting permissions to SQL database for $dataFactoryName"
 
-        $roleCommand = $connection.CreateCommand()
-        $roleCommand.CommandText = $dataFactorySqlScript
-        [void]$roleCommand.ExecuteNonQuery()
-        $roleCommand.Dispose()
-    }
+        $roleCommandADF = $connectionADF.CreateCommand()
+        $roleCommandADF.CommandText = $dataFactorySqlScript
+        [void]$roleCommandADF.ExecuteNonQuery()
+        $roleCommandADF.Dispose()
 
-    $connection.Close()
+        foreach ($functionApp in $functionAppsADF) {
+
+            $functionSqlScript = "IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'$($functionApp.Name)')
+            BEGIN
+                CREATE USER [$($functionApp.Name)] FROM EXTERNAL PROVIDER
+                ALTER ROLE db_datareader ADD MEMBER [$($functionApp.Name)]
+                ALTER ROLE db_datawriter ADD MEMBER [$($functionApp.Name)]
+            END"
+
+            Write-Host "Granting permissions to SQL database for $($functionApp.Name)"
+
+            $roleCommandADF = $connectionADF.CreateCommand()
+            $roleCommandADF.CommandText = $functionSqlScript
+            [void]$roleCommandADF.ExecuteNonQuery()
+            $roleCommandADF.Dispose()
+        }
+
+        $connectionADF.Close()
+    }
 }
 
 function Set-RBACPermissions {
@@ -1101,8 +1129,14 @@ function Deploy-Resources {
         -Name "sqlDatabaseConnectionString" `
         -AsPlainText
 
+    $connectionStringADF = Get-AzKeyVaultSecret `
+        -VaultName "$SolutionAbbreviation-data-$EnvironmentAbbreviation" `
+        -Name "sqlServerBasicConnectionStringADF" `
+        -AsPlainText
+
     Set-SQLServerPermissions `
         -ConnectionString $connectionString `
+        -ConnectionStringADF $connectionStringADF `
         -ComputeResourceGroup $computeResourceGroup `
         -DataResourceGroup $dataResourceGroup
 

Infrastructure/adf/pipeline/azureDataFactory.bicep

@@ -25,7 +25,7 @@ param azureUserReaderFunctionKey string
 @secure()
 param storageAccountConnectionString string
 
-var sqlServerUrl = 'Server=tcp:${sqlServerName}${environment().suffixes.sqlServerHostname},1433'
+var sqlServerUrl = '${sqlServerName}${environment().suffixes.sqlServerHostname}'
 
 
 resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' = {
@@ -62,9 +62,13 @@ resource linkedService_DestinationDatabase 'Microsoft.DataFactory/factories/link
   name: '${factoryName}/DestinationDatabase'
   properties: {
     annotations: []
-    type: 'SqlServer'
+    type: 'AzureSqlDatabase'
     typeProperties: {
-      connectionString: '${sqlServerUrl};${sqlDataBaseName};Authentication=Active Directory Default;TrustServerCertificate=True;Encrypt=True;Connection Timeout=90;'
+      server: sqlServerUrl
+      database: sqlDataBaseName
+      encrypt: 'mandatory'
+      trustServerCertificate: false
+      authenticationType: 'SystemAssignedManagedIdentity'
     }
   }
   dependsOn: [

Infrastructure/adf/sql/sqlServer.bicep

@@ -7,6 +7,13 @@ param sqlServerName string
 @description('Name of SQL Database')
 param sqlDatabaseName string
 
+@description('Data Key vault name.')
+param dataKeyVaultName string
+
+var sqlServerUrl = 'Server=tcp:${sqlServerName}${environment().suffixes.sqlServerHostname},1433;'
+var sqlServerDataBaseName = 'Initial Catalog=${sqlDatabaseName};'
+var sqlServerAdditionalSettings = 'MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=90;'
+
 resource sqlServer 'Microsoft.Sql/servers@2022-11-01-preview' existing = {
   name: sqlServerName
 }
@@ -22,3 +29,21 @@ resource sqlDatabase 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
     capacity: 0
   }
 }
+
+module secureKeyvaultSecrets 'keyVaultSecretsSecure.bicep' = {
+  name: 'secureKeyvaultSecrets'
+  params: {
+    keyVaultName: dataKeyVaultName
+    keyVaultSecrets: {
+      secrets: [
+        {
+          name: 'sqlServerBasicConnectionStringADF'
+          value: '${sqlServerUrl}${sqlServerDataBaseName}${sqlServerAdditionalSettings}'
+        }
+      ]
+    }
+  }
+  dependsOn: [
+    sqlDatabase
+  ]
+}

Infrastructure/adf/sql/template.bicep

@@ -43,6 +43,7 @@ module sqlServer 'sqlServer.bicep' =  {
     location: location
     sqlServerName: sqlServerName
     sqlDatabaseName: sqlDataBaseName
+    dataKeyVaultName: dataKeyVaultName
   }
 }