Support Azure SqlServer role assignments on app specific managed identity

Adding role assignment support for PostgreSQL following the pattern set in dotnet#8140

Fix dotnet#6161

Author: eerhardt

src/Aspire.Hosting.Azure.Sql/AzureSqlExtensions.cs

@@ -85,7 +85,8 @@ public static IResourceBuilder<AzureSqlServerResource> AddAzureSqlServer(this ID
         };
 
         var resource = new AzureSqlServerResource(name, configureInfrastructure);
-        var azureSqlServer = builder.AddResource(resource);
+        var azureSqlServer = builder.AddResource(resource)
+            .WithAnnotation(new DefaultRoleAssignmentsAnnotation(new HashSet<RoleDefinition>()));
 
         return azureSqlServer;
     }
@@ -203,6 +204,10 @@ private static void CreateSqlServer(
         var principalNameParameter = new ProvisioningParameter(AzureBicepResource.KnownParameters.PrincipalName, typeof(string));
         infrastructure.Add(principalNameParameter);
 
+        var azureResource = (AzureSqlServerResource)infrastructure.AspireResource;
+        var addAdminRole = azureResource.TryGetLastAnnotation<AppliedRoleAssignmentsAnnotation>(out _) ||
+            azureResource.InnerResource is not null; // the obsolete AsAzureSqlDatabase use this as well, ensure we generate the role assignment.
+
         var sqlServer = AzureProvisioningResource.CreateExistingOrNewProvisionableResource(infrastructure,
         (identifier, name) =>
         {
@@ -212,35 +217,35 @@ private static void CreateSqlServer(
         },
         (infrastructure) =>
         {
-            return new SqlServer(infrastructure.AspireResource.GetBicepIdentifier())
+            var sqlServer = new SqlServer(infrastructure.AspireResource.GetBicepIdentifier())
+            {
+                Version = "12.0",
+                PublicNetworkAccess = ServerNetworkAccessFlag.Enabled,
+                MinTlsVersion = SqlMinimalTlsVersion.Tls1_2,
+                Tags = { { "aspire-resource-name", infrastructure.AspireResource.Name } }
+            };
+
+            if (addAdminRole)
             {
-                Administrators = new ServerExternalAdministrator()
+                sqlServer.Administrators = new ServerExternalAdministrator()
                 {
                     AdministratorType = SqlAdministratorType.ActiveDirectory,
                     IsAzureADOnlyAuthenticationEnabled = true,
                     Sid = principalIdParameter,
                     Login = principalNameParameter,
                     TenantId = BicepFunction.GetSubscription().TenantId
-                },
-                Version = "12.0",
-                PublicNetworkAccess = ServerNetworkAccessFlag.Enabled,
-                MinTlsVersion = SqlMinimalTlsVersion.Tls1_2,
-                Tags = { { "aspire-resource-name", infrastructure.AspireResource.Name } }
-            };
+                };
+            }
+
+            return sqlServer;
         });
 
         // If the resource is an existing resource, we model the administrator access
         // for the managed identity as an "edge" between the parent SqlServer resource
         // and a custom SqlServerAzureADAdministrator resource.
-        if (sqlServer.IsExistingResource)
+        if (addAdminRole && sqlServer.IsExistingResource)
         {
-            var admin = new SqlServerAzureADAdministratorWorkaround($"{sqlServer.BicepIdentifier}_admin")
-            {
-                ParentOverride = sqlServer,
-                LoginOverride = principalNameParameter,
-                SidOverride = principalIdParameter
-            };
-            infrastructure.Add(admin);
+            AddActiveDirectoryAdministrator(infrastructure, sqlServer, principalIdParameter, principalNameParameter);
         }
 
         infrastructure.Add(new SqlFirewallRule("sqlFirewallRule_AllowAllAzureIps")
@@ -285,6 +290,21 @@ private static void CreateSqlServer(
         }
 
         infrastructure.Add(new ProvisioningOutput("sqlServerFqdn", typeof(string)) { Value = sqlServer.FullyQualifiedDomainName });
+
+        // We need to output name to externalize role assignments.
+        infrastructure.Add(new ProvisioningOutput("name", typeof(string)) { Value = sqlServer.Name });
+    }
+
+    internal static SqlServerAzureADAdministrator AddActiveDirectoryAdministrator(AzureResourceInfrastructure infra, SqlServer sqlServer, BicepValue<Guid> principalId, BicepValue<string> principalName)
+    {
+        var admin = new SqlServerAzureADAdministratorWorkaround($"{sqlServer.BicepIdentifier}_admin")
+        {
+            ParentOverride = sqlServer,
+            LoginOverride = principalName,
+            SidOverride = principalId
+        };
+        infra.Add(admin);
+        return admin;
     }
 
     /// <remarks>

src/Aspire.Hosting.Azure.Sql/AzureSqlServerResource.cs

@@ -2,6 +2,8 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using Aspire.Hosting.ApplicationModel;
+using Azure.Provisioning.Primitives;
+using Azure.Provisioning.Sql;
 
 namespace Aspire.Hosting.Azure;
 
@@ -39,6 +41,8 @@ public AzureSqlServerResource(SqlServerServerResource innerResource, Action<Azur
     /// </summary>
     public BicepOutputReference FullyQualifiedDomainName => new("sqlServerFqdn", this);
 
+    private BicepOutputReference NameOutputReference => new("name", this);
+
     /// <summary>
     /// Gets the connection template for the manifest for the Azure SQL Server resource.
     /// </summary>
@@ -90,4 +94,25 @@ internal void SetInnerResource(SqlServerServerResource innerResource)
 
         InnerResource = innerResource;
     }
+
+    /// <inheritdoc/>
+    public override ProvisionableResource AddAsExistingResource(AzureResourceInfrastructure infra)
+    {
+        var store = SqlServer.FromExisting(this.GetBicepIdentifier());
+        store.Name = NameOutputReference.AsProvisioningParameter(infra);
+        infra.Add(store);
+        return store;
+    }
+
+    /// <inheritdoc/>
+    public override void AddRoleAssignments(IAddRoleAssignmentsContext roleAssignmentContext)
+    {
+        var infra = roleAssignmentContext.Infrastructure;
+        var postgres = (SqlServer)AddAsExistingResource(infra);
+
+        var principalId = roleAssignmentContext.PrincipalId;
+        var principalName = roleAssignmentContext.PrincipalName;
+
+        AzureSqlExtensions.AddActiveDirectoryAdministrator(infra, postgres, principalId, principalName);
+    }
 }

tests/Aspire.Hosting.Azure.Tests/AzureBicepResourceTests.cs

@@ -1397,6 +1397,8 @@ param principalType string
             }
 
             output sqlServerFqdn string = sql.properties.fullyQualifiedDomainName
+
+            output name string = sql.name
             """;
         output.WriteLine(manifest.BicepText);
         Assert.Equal(expectedBicep, manifest.BicepText);
@@ -1478,6 +1480,8 @@ param principalName string
             }
 
             output sqlServerFqdn string = sql.properties.fullyQualifiedDomainName
+
+            output name string = sql.name
             """;
         output.WriteLine(manifest.BicepText);
         Assert.Equal(expectedBicep, manifest.BicepText);

tests/Aspire.Hosting.Azure.Tests/AzureResourceOptionsTests.cs

@@ -130,6 +130,8 @@ param principalName string
                 }
 
                 output sqlServerFqdn string = sql_server.properties.fullyQualifiedDomainName
+
+                output name string = sql_server.name
                 """;
             output.WriteLine(actualBicep);
             Assert.Equal(expectedBicep, actualBicep);

tests/Aspire.Hosting.Azure.Tests/AzureSqlExtensionsTests.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Runtime.CompilerServices;
 using Aspire.Hosting.ApplicationModel;
 using Aspire.Hosting.Utils;
 using Xunit;
@@ -11,9 +12,11 @@ namespace Aspire.Hosting.Azure.Tests;
 public class AzureSqlExtensionsTests(ITestOutputHelper output)
 {
     [Theory]
-    [InlineData(true)]
-    [InlineData(false)]
-    public async Task AddAzureSqlServer(bool publishMode)
+    // [InlineData(true, true)] this scenario is covered in RoleAssignmentTests.SqlSupport. The output doesn't match the pattern here because the role assignment isn't generated
+    [InlineData(true, false)]
+    [InlineData(false, true)]
+    [InlineData(false, false)]
+    public async Task AddAzureSqlServer(bool publishMode, bool useAcaInfrastructure)
     {
         using var builder = TestDistributedApplicationBuilder.Create(publishMode ? DistributedApplicationOperation.Publish : DistributedApplicationOperation.Run);
 
@@ -22,7 +25,20 @@ public async Task AddAzureSqlServer(bool publishMode)
         sql.AddDatabase("db1");
         sql.AddDatabase("db2", "db2Name");
 
-        var manifest = await AzureManifestUtils.GetManifestWithBicep(sql.Resource);
+        if (useAcaInfrastructure)
+        {
+            builder.AddAzureContainerAppsInfrastructure();
+
+            // on ACA infrastructure, if there are no references to the resource,
+            // then there won't be any roles created. So add a reference here.
+            builder.AddContainer("api", "myimage")
+                .WithReference(sql);
+        }
+
+        using var app = builder.Build();
+        await ExecuteBeforeStartHooksAsync(app, default);
+
+        var manifest = await AzureManifestUtils.GetManifestWithBicep(sql.Resource, skipPreparer: true);
 
         var principalTypeParam = "";
         if (!publishMode)
@@ -125,6 +141,8 @@ param principalName string
             }
 
             output sqlServerFqdn string = sql.properties.fullyQualifiedDomainName
+
+            output name string = sql.name
             """;
         output.WriteLine(manifest.BicepText);
         Assert.Equal(expectedBicep, manifest.BicepText);
@@ -237,4 +255,7 @@ private sealed class Dummy1Annotation : IResourceAnnotation
     private sealed class Dummy2Annotation : IResourceAnnotation
     {
     }
+
+    [UnsafeAccessor(UnsafeAccessorKind.Method, Name = "ExecuteBeforeStartHooksAsync")]
+    private static extern Task ExecuteBeforeStartHooksAsync(DistributedApplication app, CancellationToken cancellationToken);
 }

tests/Aspire.Hosting.Azure.Tests/ExistingAzureResourceTests.cs

@@ -1169,6 +1169,8 @@ param existingResourceName string
             }
 
             output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
+
+            output name string = existingResourceName
             """;
 
         output.WriteLine(BicepText);
@@ -1243,6 +1245,8 @@ param existingResourceName string
             }
 
             output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
+
+            output name string = existingResourceName
             """;
 
         output.WriteLine(BicepText);

tests/Aspire.Hosting.Azure.Tests/RoleAssignmentTests.cs

@@ -389,6 +389,43 @@ param principalName string
             includePrincipalName: true);
     }
 
+    [Fact]
+    public Task SqlSupport()
+    {
+        return RoleAssignmentTest("sql",
+            builder =>
+            {
+                var redis = builder.AddAzureSqlServer("sql");
+
+                builder.AddProject<Project>("api", launchProfileName: null)
+                    .WithReference(redis);
+            },
+            """
+            @description('The location for the resource(s) to be deployed.')
+            param location string = resourceGroup().location
+
+            param sql_outputs_name string
+
+            param principalId string
+
+            param principalName string
+
+            resource sql 'Microsoft.Sql/servers@2021-11-01' existing = {
+              name: sql_outputs_name
+            }
+            
+            resource sql_admin 'Microsoft.Sql/servers/administrators@2021-11-01' = {
+              name: 'ActiveDirectory'
+              properties: {
+                login: principalName
+                sid: principalId
+              }
+              parent: sql
+            }
+            """,
+            includePrincipalName: true);
+    }
+
     private async Task RoleAssignmentTest(
         string azureResourceName,
         Action<IDistributedApplicationBuilder> configureBuilder,