Merge pull request microsoft#1216 from Pietervanhove/AlwaysEncryptedDemos

Always encrypted demos

Author: uc-msft

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/README.md

@@ -118,7 +118,7 @@ Perform the below steps before each demo presentation.
    - `<project name>vault` - a key vault in Azure Key Vault, containing the column master key for Always Encrypted.
    - `ContosoHR` - a database.
 
-1. Right-click on the **ContosoHR** database in the resource group and open its **Overview** blade in the new tab. Click on **Compute + storage** under **Settings**.  Click **Change configuration**. Note that the database is already configured to use the DC-series hardware configuration that supports confidential computing using secure enclaves. Setting the DC-series hardware configuration for a database is required to use Always Encrypted with secure enclaves in the database. For more information, see [Enable Intel SGX for your Azure SQL Database](https://docs.microsoft.com/azure/azure-sql/database/always-encrypted-enclaves-enable-sgx).
+1. Right-click on the **ContosoHR** database in the resource group and open its **Overview** blade in the new tab. Click on **Compute + storage** under **Settings**.  Click **Change configuration**. Note that the database is already configured to use the DC-series hardware configuration that supports confidential computing using secure enclaves. Setting the DC-series hardware configuration for a database is required to use Always Encrypted with secure enclaves in the database. For more information, see [Enable Intel SGX for your Azure SQL Database](https://docs.microsoft.com/azure/azure-sql/database/always-encrypted-enclaves-enable-sgx). In the left ribbon, click on **Data Encryption** and click in the blade on **Always Encrypted**. Confirm that the Secure Enclave is enabled and that the enclave type is **Intel Software Guard Extension (Intel SGX)**
 
    ![DC-series hardware configuration](./img/portal-dc-series-configuration.png)
 

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/setup/azuredeploy.bicep

@@ -14,6 +14,7 @@ param userName string
 @description('The username of the Azure SQL database server administrator for SQL authentication.')
 param sqlAdminUserName string
 
+@secure()
 @description('The password of the Azure SQL database server administrator for SQL authentication.')
 param sqlAdminPassword string
 
@@ -29,9 +30,9 @@ param location string = resourceGroup().location
 ////////////////////////////////////////////
 
 // Create the server
-var SQLServerName_var = '${projectName}server'
-resource Server_Name_resource 'Microsoft.Sql/servers@2022-05-01-preview' = {
-  name: SQLServerName_var
+var SQLServerName = '${projectName}server'
+resource Server_Name_resource 'Microsoft.Sql/servers@2023-02-01-preview' = {
+  name: SQLServerName
   location: location
   tags: {}
   identity: {
@@ -47,41 +48,43 @@ resource Server_Name_resource 'Microsoft.Sql/servers@2022-05-01-preview' = {
 }
 
 // Allow Azure services and resources to access this server
-resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/AllowAllWindowsAzureIps'
+resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'AllowAllWindowsAzureIps'
   properties: {
     endIpAddress: '0.0.0.0'
     startIpAddress: '0.0.0.0'
   }
 }
 
 // Allow Client IP to access this server
-resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/AllowClientIP'
+resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'AllowClientIP'
   properties: {
     endIpAddress: clientIP
     startIpAddress: clientIP
   }
 }
 
 // Make the user an Azure AD administrator for the server, so that the user can connect with universal authentication
-resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/activeDirectory'
+resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'activeDirectory'
   properties: {
     administratorType: 'ActiveDirectory'
     login: userName
-    //sid: reference(resourceId('Microsoft.Sql/servers', '${projectName}server'), '2019-06-01-preview', 'Full').identity.principalId
     sid: userObjectId
-    //tenantId: AAD_TenantId //optional
-  }
+    }
 }
 
 //////////////////////////////////////////////////////////////////////////////
 // Create the ContosoHR database using the DC-series hardware configuration //
 //////////////////////////////////////////////////////////////////////////////
 
-resource Database_Resource 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/ContosoHR'
+resource Database_Resource 'Microsoft.Sql/servers/databases@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'ContosoHR'
   location: location
   tags: {}
   sku: {
@@ -96,18 +99,18 @@ resource Database_Resource 'Microsoft.Sql/servers/databases@2022-05-01-preview'
 ///////////////////////////////////////
 
 // Create the attestation provider
-resource attestationProviderName_resource 'Microsoft.Attestation/attestationProviders@2021-06-01-preview' = {
-  name: '${projectName}attest'
+resource attestationProviderName 'Microsoft.Attestation/attestationProviders@2021-06-01' = {
+  name: '${projectName}attestation'
   location: location
   properties: {}
 }
 
 ///////////////////////////////////
 // Configure the web application //
 ///////////////////////////////////
-
+var sqlServerSuffix = environment().suffixes.sqlServerHostname
 // Create an App Service plan
-resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-03-01' = {
+resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-09-01' = {
   name: '${projectName}plan'
  location: location
  properties: {}
@@ -117,7 +120,7 @@ resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-03-01' = {
 }
 
 // Create the App Service
-resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
+resource WebApp_Resource 'Microsoft.Web/sites@2022-09-01' = {
   name: '${projectName}app'
   location: location
   identity: {
@@ -132,7 +135,7 @@ resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
   name: 'connectionstrings'
   properties: {
     ContosoHRDatabase: {
-      value: 'Server=tcp:${Server_Name_resource.name}.database.windows.net;Database=ContosoHR;Column Encryption Setting=Enabled; Attestation Protocol = AAS; Enclave Attestation Url=${attestationProviderName_resource.properties.attestUri}; Authentication=Active Directory Managed Identity'
+      value: 'Server=tcp:${Server_Name_resource.name}${sqlServerSuffix};Database=ContosoHR;Column Encryption Setting=Enabled; Attestation Protocol = AAS; Enclave Attestation Url=${attestationProviderName.properties.attestUri}; Authentication=Active Directory Managed Identity'
       type: 'SQLAzure'
     }
   }
@@ -147,8 +150,9 @@ resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
 }
 
  // Deploy the application
-resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {
-  name: '${projectName}app/web'
+ resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-09-01' = {
+  parent: WebApp_Resource
+  name: 'web'
   properties: {
     repoUrl: 'https://github.com/microsoft/sql-server-samples.git'
     branch: 'master'
@@ -164,7 +168,7 @@ resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {
 //////////////////////////////////////
 
 // Create a key vault and assign key permissions to the user, so that the user can manage the keys
-resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2022-07-01' = {
+resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2023-02-01' = {
   name: '${projectName}vault'
   location: location
   tags: {}
@@ -197,7 +201,7 @@ resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2022-07-01' = {
 }
 
 // Assign key permissions to the web app
-resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
+resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
   name: any('${KeyVault_Resource.name}/add')
   properties: {
     accessPolicies: [
@@ -218,8 +222,9 @@ resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPo
 }
 
 // Create a key
-resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
-  name: '${KeyVault_Resource.name}/CMK'
+resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
+  parent: KeyVault_Resource
+  name: 'CMK'
   tags: {}
   properties: {
     attributes: {

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/setup/setup.ps1

@@ -1,5 +1,5 @@
-Import-Module "Az" -MinimumVersion "9.3"
-Import-Module "SqlServer" #-Version "22.0.49-preview"
+Import-Module "Az"
+Import-Module "SqlServer"
 
 ######################################################################
 # Prompt the user to enter the values of deployment parameters
@@ -10,9 +10,9 @@ $subscriptionId = Read-Host -Prompt "Enter your subscription id"
 $location = Read-Host -Prompt "Enter a region where you want to deploy the demo environment"
 $sqlAdminUserName = Read-Host -Prompt "Enter the username of the Azure SQL database server administrator for SQL authentication"
 $sqlAdminPasswordSecureString = Read-Host -Prompt "Enter the password of the Azure SQL database server administrator for SQL authentication" -AsSecureString
-
+$Secure_String_Pwd = ConvertTo-SecureString $sqlAdminPasswordSecureString -AsPlainText -Force
 $sqlAdminPassword = (New-Object PSCredential "user",$sqlAdminPasswordSecureString).GetNetworkCredential().Password
-$clientIP = (Invoke-WebRequest ifconfig.me/ip).Content.Trim()
+$clientIP = (Invoke-WebRequest http://ipinfo.io/ip).Content.Trim()
 $bicepFile = "azuredeploy.bicep"
 $projectName = $projectName.ToLower()
 
@@ -42,7 +42,7 @@ New-AzResourceGroupDeployment `
   -userObjectId $userObjectId `
   -userName $userName `
   -sqlAdminUserName $sqlAdminUserName `
-  -sqlAdminPassword $sqlAdminPassword `
+  -sqlAdminPassword $Secure_String_Pwd `
   -clientIP $clientIP
 
 ######################################################################
@@ -105,7 +105,7 @@ $keyName = "CMK"
 $key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName
 
 # Connect to the database using the SqlServer PowerShell module
-$connStr = "Data Source=tcp:$serverName;Initial Catalog=$databaseName;User ID=$sqlAdminUserName;Password=$sqlAdminPassword"
+$connStr = "Data Source=tcp:$serverName;Initial Catalog=$databaseName;User ID=$sqlAdminUserName;Password=$sqlAdminPasswordSecureString"
 $database = Get-SqlDatabase -ConnectionString $connStr
 
 # Sign in to Azure with your email address using the SqlServer PowerShell module
@@ -134,7 +134,7 @@ Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptedColumnSettings -Inpu
 ######################################################################
 
 $resourceGroupName = "${projectName}"
-$attestationProviderName = "${projectName}attest"
+$attestationProviderName = "${projectName}attestation"
 $policyFile = "AttestationPolicy.txt"
 $teeType = "SgxEnclave"
 $policyFormat = "Text"

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-vbs/README.md

@@ -128,6 +128,11 @@ Perform the below steps before each demo presentation.
 
    2. Click on **Access Policies**. You should see two access policy entries: one for your identity and one for the web app's identity. These policies grant you permissions necessary to perform key management operations and they grant the web app permissions required to decrypt column encryption keys, protecting the data.
 
+1. Close the browser tab for the key vault. Right-click on the logical server in your resource group and open its **Overview** blade in a new tab.
+   1. Click on **SQL Databases** and select **ContosoHR** database.
+   2. In the left ribbon, click on **Data Encryption** and click in the blade on **Always Encrypted**.
+   3. Confirm that the Secure Enclave is enabled and that the enclave type is **Virtualization based security (VBS)**
+
 1. Switch to SSMS.
    1. In Object Explorer, navigate to the **ContosoHR** database. Then go to **Security** > **Always Encrypted Keys**.
    1. Open the **Column Master Keys** and **Column Encryption Keys** folders. You should see the metadata object, named **CMK1**, for the column master key and the metadata object, named **CEK1**, for the column encryption key.

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-vbs/setup/azuredeploy.bicep

@@ -15,6 +15,7 @@ param userName string
 param sqlAdminUserName string
 
 @description('The password of the Azure SQL database server administrator for SQL authentication.')
+@secure()
 param sqlAdminPassword string
 
 @description('The IP address the user will connect from to the logical server in Azure SQL Database.')
@@ -29,9 +30,9 @@ param location string = resourceGroup().location
 ////////////////////////////////////////////
 
 // Create the server
-var SQLServerName_var = '${projectName}server'
-resource Server_Name_resource 'Microsoft.Sql/servers@2022-05-01-preview' = {
-  name: SQLServerName_var
+var SQLServerName = '${projectName}server'
+resource Server_Name_resource 'Microsoft.Sql/servers@2023-02-01-preview' = {
+  name: SQLServerName
   location: location
   tags: {}
   identity: {
@@ -47,58 +48,60 @@ resource Server_Name_resource 'Microsoft.Sql/servers@2022-05-01-preview' = {
 }
 
 // Allow Azure services and resources to access this server
-resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/AllowAllWindowsAzureIps'
+resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'AllowAllWindowsAzureIps'
   properties: {
     endIpAddress: '0.0.0.0'
     startIpAddress: '0.0.0.0'
   }
 }
 
 // Allow Client IP to access this server
-resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/AllowClientIP'
+resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'AllowClientIP'
   properties: {
     endIpAddress: clientIP
     startIpAddress: clientIP
   }
 }
 
 // Make the user an Azure AD administrator for the server, so that the user can connect with universal authentication
-resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/activeDirectory'
+resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'activeDirectory'
   properties: {
     administratorType: 'ActiveDirectory'
     login: userName
-    //sid: reference(resourceId('Microsoft.Sql/servers', '${projectName}server'), '2019-06-01-preview', 'Full').identity.principalId
     sid: userObjectId
-    //tenantId: AAD_TenantId //optional
-  }
+    }
 }
 
 //////////////////////////////////////////////////////////////////////////////
 // Create the ContosoHR database using the DC-series hardware configuration //
 //////////////////////////////////////////////////////////////////////////////
 
-resource Database_Resource 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
-  name: '${Server_Name_resource.name}/ContosoHR'
+resource Database_Resource 'Microsoft.Sql/servers/databases@2023-02-01-preview' = {
+  parent: Server_Name_resource
+  name: 'ContosoHR'
   location: location
   tags: {}
   sku: {
     name: 'GP_Gen5_2'
     tier: 'GeneralPurpose'
   }
   properties: {
-    //preferredEnclaveType: 'VBS'
+    preferredEnclaveType: 'VBS'
   }
 }
 
 ///////////////////////////////////
 // Configure the web application //
 ///////////////////////////////////
-
+var sqlServerSuffix = environment().suffixes.sqlServerHostname
 // Create an App Service plan
-resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-03-01' = {
+resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-09-01' = {
   name: '${projectName}plan'
  location: location
  properties: {}
@@ -108,7 +111,7 @@ resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-03-01' = {
 }
 
 // Create the App Service
-resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
+resource WebApp_Resource 'Microsoft.Web/sites@2022-09-01' = {
   name: '${projectName}app'
   location: location
   identity: {
@@ -123,7 +126,7 @@ resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
   name: 'connectionstrings'
   properties: {
     ContosoHRDatabase: {
-      value: 'Server=tcp:${Server_Name_resource.name}.database.windows.net;Database=ContosoHR;Column Encryption Setting=Enabled; Attestation Protocol = None; Authentication=Active Directory Managed Identity'
+      value: 'Server=tcp:${Server_Name_resource.name}${sqlServerSuffix};Database=ContosoHR;Column Encryption Setting=Enabled; Attestation Protocol = None; Authentication=Active Directory Managed Identity'
       type: 'SQLAzure'
     }
   }
@@ -138,8 +141,9 @@ resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
 }
 
  // Deploy the application
-resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {
-  name: '${projectName}app/web'
+resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-09-01' = {
+  parent: WebApp_Resource
+  name: 'web'
   properties: {
     repoUrl: 'https://github.com/microsoft/sql-server-samples.git'
     branch: 'master'
@@ -155,7 +159,7 @@ resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {
 //////////////////////////////////////
 
 // Create a key vault and assign key permissions to the user, so that the user can manage the keys
-resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2022-07-01' = {
+resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2023-02-01' = {
   name: '${projectName}vault'
   location: location
   tags: {}
@@ -188,7 +192,7 @@ resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2022-07-01' = {
 }
 
 // Assign key permissions to the web app
-resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
+resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
   name: any('${KeyVault_Resource.name}/add')
   properties: {
     accessPolicies: [
@@ -209,8 +213,9 @@ resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPo
 }
 
 // Create a key
-resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
-  name: '${KeyVault_Resource.name}/CMK'
+resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
+  parent: KeyVault_Resource
+  name: 'CMK'
   tags: {}
   properties: {
     attributes: {