Azure / azure-dev

A developer CLI that reduces the time it takes for you to get started on Azure. The Azure Developer CLI (azd) provides a set of developer-friendly commands that map to key stages in your workflow - code, build, deploy, monitor, repeat.
https://aka.ms/azd
MIT License
402 stars 195 forks

Use Entra/AAD authentication only (azd init - "Use code in current directory" workflow) #3404

Open stuartpa opened 7 months ago

stuartpa commented 7 months ago

This is related to https://github.com/Azure/azure-dev/issues/3402.

When Azure SQL is a supported database,

https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/make-azd-compatible?tabs=use-code#detection

ensure the resulting deployment uses Entra Auth only (this is the best-practice deployment now). Suggest:

ellismg commented 7 months ago

Set the public IP address of the person running azd (hence the Entra admin) in the Azure SQL firewall

We will need some intrinsic in azd that allows you to fetch this value so we can pass it as a parameter in the bicep. We also need to consider what this means if this value changes over time (for example, if you take your application and start running azd provision in CI, the IP will now be of the VM that's running the azd provision and this is likely not what you would expect or want).

In general, our strategy of "allow everyone to access the database" feels like it isn't how most folks structure things when working with Azure SQL. I think it is much more common in these cases to restrict access to your individual services (which may or may not be running in a VPC). The firewall rules we use by default try to enable the "you can use cloud resources from your local machine" but this may be an anti-pattern for these sort of workloads?
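To make the two points of this thread concrete (Entra-only authentication on the logical server, and an explicit, parameterized client-IP firewall rule instead of an open one), here is an added Bicep example. It is not azd's own template and not code from the issue; the parameter names, resource names and the API version are assumptions chosen for the illustration, and the client IP is simply a parameter that the caller supplies, since the issue notes that azd has no intrinsic for it yet.

```bicep
// Added example (not azd's own template): an Azure SQL logical server that
// accepts Entra ID authentication only, plus an optional firewall rule for
// the developer's public IP. Parameter and resource names are assumptions.

@description('Object ID of the Entra principal that becomes the SQL server admin')
param sqlAdminObjectId string

@description('Display name (UPN or group name) of that principal')
param sqlAdminLogin string

@description('Principal type of the admin: User, Group or Application')
@allowed(['User', 'Group', 'Application'])
param sqlAdminPrincipalType string = 'User'

@description('Public IP of the developer running azd. Leave empty (the default) in CI so no rule is created.')
param developerClientIp string = ''

param location string = resourceGroup().location
param serverName string = 'sql-${uniqueString(resourceGroup().id)}'

resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: serverName
  location: location
  properties: {
    // No administratorLogin / administratorLoginPassword here: with
    // azureADOnlyAuthentication set, SQL (password) logins are disabled.
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Enabled'
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true
      login: sqlAdminLogin
      sid: sqlAdminObjectId
      tenantId: tenant().tenantId
      principalType: sqlAdminPrincipalType
    }
  }
}

// The rule is only created when a value was supplied, so a CI run that does
// not pass developerClientIp does not allow-list the build agent's address.
resource devClientRule 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = if (!empty(developerClientIp)) {
  parent: sqlServer
  name: 'developer-client'
  properties: {
    startIpAddress: developerClientIp
    endIpAddress: developerClientIp
  }
}

output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
```

Deploying this without `developerClientIp` yields a server with no client firewall rules at all, which is the safe default for CI; a developer passes their own address as a deployment parameter when they need local access, and that single-address rule replaces the "allow everyone" pattern the comment above questions. Because the server has no SQL login, the admin principal connects with an Entra token, and any application identity that needs access is granted it as a contained database user rather than through a shared password.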