Open stuartpa opened 7 months ago
Set the public IP address of the person running azd (hence the Entra admin) in the Azure SQL firewall
We will need some intrinsic in azd that allows you to fetch this value so we can pass it as a parameter in the bicep. We also need to consider what this means if this value changes over time (for example, if you take your application and start running azd provision in CI, the IP will now be of the VM that's running the azd provision and this is likely not what you would expect or want).
In general, our strategy of "allow everyone to access the database" feels like it isn't how most folks structure things when working with Azure SQL. I think it is much more common in these cases to restrict access to your individual services (which may or may not be running in a VPC). The firewall rules we use by default try to enable the "you can use cloud resources from your local machine" but this may be an anti-pattern for these sorts of workloads?
This is related to https://github.com/Azure/azure-dev/issues/3402.
When Azure SQL is a supported database (https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/make-azd-compatible?tabs=use-code#detection), ensure the resulting deployment uses Entra Auth only (this is the best practices deployment now). Suggest: azd auth user as admin.
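A Bicep sketch of the configuration discussed in this thread, added here as an illustration and not taken from the issue or from azd's templates: Entra-only authentication with the provisioning identity as admin, and a single-address firewall rule in place of an allow-everyone range. All parameter names are hypothetical, and how azd would supply the client IP is exactly the open question in the thread.

```bicep
// Added example. Parameter names are assumptions, not azd intrinsics.
param location string = resourceGroup().location
param sqlServerName string

@description('Object ID of the Entra principal running provisioning (assumed to be passed in by the caller)')
param adminPrincipalId string

@description('Display name or UPN recorded for that principal')
param adminLogin string

@description('User on a developer machine; Application when a CI service principal provisions')
@allowed(['User', 'Group', 'Application'])
param adminPrincipalType string = 'User'

@description('Public IPv4 of the provisioning machine. Leave empty in CI so no runner IP is allow-listed.')
param clientIpAddress string = ''

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  properties: {
    minimalTlsVersion: '1.2'
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true // Entra auth only: no SQL admin login or password exists
      login: adminLogin
      sid: adminPrincipalId
      tenantId: tenant().tenantId
      principalType: adminPrincipalType
    }
  }
}

// Weak form, shown only for comparison (do not deploy): a rule with
//   startIpAddress: '0.0.0.0', endIpAddress: '255.255.255.255'
// admits every internet source and leaves authentication as the only control.

// Restricted form: one rule scoped to the single provisioning address,
// and no rule at all when the parameter is empty.
resource clientRule 'Microsoft.Sql/servers/firewallRules@2021-11-01' = if (!empty(clientIpAddress)) {
  parent: sqlServer
  name: 'provisioning-client'
  properties: {
    startIpAddress: clientIpAddress
    endIpAddress: clientIpAddress
  }
}
```

Because the rule is conditional, a CI run that omits `clientIpAddress` creates no firewall entry for the build VM, which addresses the changing-IP concern raised above; a stale developer IP from an earlier run would still need to be removed separately.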