Created sql server bicep module (#67)

* first draft

* first end2end traft

* Minor update

* Minor update

* Minor update

* Minor update

* Minor cleanup

* Minor cleanup

* Minor cleanup

* Added version output

* Added  output

* Minor cleanup

* Added  output

* Added  output

* Added  output

* Simplified logic

* Added output

* Added output

* Added output + refactoring

* Added output

* Added output

* Added replacement

* Added replacement v2

* Cleanup

* Reset trigger

* Added output

* Fixed typo

* Added todo.

* Updated docs

* Replaced login with cred

* Replaced cred ref

* added missing func

* Minor update

* Pretest changes

* Updated remaining tests + extended api tests to exclude preview and allows for latest 5

* Added template translation to test-deployment

* Temp add publish condition

* Another try

* Another try

* Another try

* Another try

* Undid temp changes

* Added workaround to acocunt for bicep compile issue [deployments api version]

* Shifted bicep handling to native PS commands with bicep cli support + updated both RG + Gallery pipelines to ref bicep

* Updated remaining pipelines to use creds object

* Fixed schema eval

* Updated readme

* Temp remove arm templates to ensure it runs without

* Updated removal jobs to bicep + added publish workaround to allow for conditions

* Minor updates

* Further updates

* Further updates

* Restored templates

* Moved lock + rg bicep fix

* Fixed path

* Temp disabled template spec publish

* Undo after test

* Aligned bicep templates rbac

* Reduced roles for gallery

* Reduced role ref

* Cleanup

* Created vmss template

* Adjusted api tests

* Added output

* Switched ref for vmss to bicep

* Updated param

* Updated api

* Adjusted output

* Updated error handling

* Updated output

* Updated function input print

* Finishing touches

* Small update

* Fallback scale set to split PRs

* Updated module name

* Cleanup

* Cleanupo

* Added sql server bicep

* Undo previous changes

* Updated rbac

* minor update

Co-authored-by: Alexander Sehr <[email protected]>

.github/workflows/ms.sql.servers.yml

@@ -80,7 +80,7 @@ jobs:
       - name: "Test module"
         uses: ./.github/actions/templates/validateModuleDeploy
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
           location: '${{ env.defaultLocation }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
@@ -114,7 +114,7 @@ jobs:
         uses: ./.github/actions/templates/deployModule
         with:
           moduleName: '${{ env.moduleName }}'
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
           location: '${{ env.defaultLocation }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
@@ -144,7 +144,7 @@ jobs:
       - name: "Publish module"
         uses: ./.github/actions/templates/publishModule
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
           componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
           componentTemplateSpecName: '${{ env.moduleName }}'
@@ -176,5 +176,5 @@ jobs:
         uses: ./.github/actions/templates/removeModule
         with:
           moduleName: '${{ env.moduleName }}'
-          templateFilePath: '${{ env.modulePath }}/deploy.json'
+          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
           resourceGroupName: '${{ env.resourceGroupName }}'

arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep

@@ -0,0 +1,12 @@
+param roleAssignment object
+param builtInRoleNames object
+param serverName string
+
+resource nested_rbac  'Microsoft.Web/sites/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
+  name: '${serverName}/Microsoft.Authorization/${guid(serverName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+  properties: {
+    roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+    principalId: principalId
+  }
+  dependsOn: []
+}]

arm/Microsoft.Sql/servers/deploy.bicep

@@ -0,0 +1,110 @@
+@description('Required. Administrator username for the server.')
+param administratorLogin string
+
+@description('Required. The administrator login password.')
+@secure()
+param administratorLoginPassword string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the server.')
+param serverName string
+
+@description('Optional. Whether or not ADS should be enabled.')
+param enableADS bool = false
+
+@description('Required. Whether or not Azure IP\'s are allowed.')
+param allowAzureIps bool = false
+
+@description('Optional. Switch to lock Key Vault from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var builtInRoleNames = {
+  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')     
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')        
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f7b75c60-3036-4b75-91c3-6b41c27c1689')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+  'SQL DB Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')
+  'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','056cd41c-7e88-42e1-933e-88ba6a50c9c3')
+  'SQL Server Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+  name: 'pid-${cuaId}'
+  params: {}
+}
+
+resource server 'Microsoft.Sql/servers@2020-02-02-preview' = {
+  location: location
+  name: serverName
+  tags: tags
+  properties: {
+    administratorLogin: administratorLogin
+    administratorLoginPassword: administratorLoginPassword
+    version: '12.0'
+  }
+}
+
+resource server_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+  name: '${serverName}-serverDoNotDelete'
+  properties: {
+    level: 'CanNotDelete'
+  }
+  scope: server
+}
+
+resource server_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallrules@2021-02-01-preview' = if (allowAzureIps) {
+  parent: server
+  name: 'AllowAllWindowsAzureIps'
+  properties: {
+    endIpAddress: '0.0.0.0'
+    startIpAddress: '0.0.0.0'
+  }
+}
+
+resource server_Default 'Microsoft.Sql/servers/securityAlertPolicies@2021-02-01-preview' = if (enableADS) {
+  parent: server
+  name: 'Default'
+  properties: {
+    state: 'Enabled'
+    disabledAlerts: []
+    emailAddresses: []
+    emailAccountAdmins: true
+  }
+}
+
+module server_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
+  name: 'rbac-${deployment().name}${i}'
+  params: {
+    roleAssignment: item
+    builtInRoleNames: builtInRoleNames
+    serverName: serverName
+  }
+  dependsOn: [
+    server
+  ]
+}]
+
+output serverName string = serverName
+output serverResourceId string = server.id
+output serverResourceGroup string = resourceGroup().name