This is a sample Azure DevOps project that builds and deploys a DACPAC with Azure SQL Server Always Encrypted*.
*Always Encrypted is a feature included in Azure SQL Server. Data is encrypted all the time, not only at rest but also in motion. Furthermore, the encryption keys, which are essential for both encrypting and decrypting, are not stored in the database. For more information on Always Encrypted, please refer to the official documentation.
The following steps will be executed in the pipeline:
- Build DACPAC
- Deploy DACPAC
- Add Sample Data
- Create CMK and CEK in Key Vault and DB
- Encrypt selected columns
To set up the sample, complete the following steps:
- Create Azure resources
- Create Azure DevOps project
- Create Service connection
- Create variable group
- Configure YAML pipeline
Go to the Azure portal and create the required resources in a resource group:
- SQL Server
- SQL Database
- Key Vault
Also, the following resources are required:
Create a new project in Azure DevOps by following this document. You can also import this GitHub repository easily. Please refer to here.
Create a Service connection, which is required to access the resources in the resource group from Azure DevOps.
- Sign in to your organization (https://dev.azure.com/{yourorganization}) and select your project.
- Select Project settings > Service connections.
- Select + New service connection, select the type of service connection that you need, and then select Next.
- Choose an authentication method, and then select Next.
- Enter the parameters for the service connection. The list of parameters differs for each type of service connection. For more information, see the list of service connection types and associated parameters.
- Select Save to create the connection.
Create a variable group in Library under Pipelines and add the following variables:
- Variable group name: iac-deploy-variables
- clientId
- clientSecret
- SQLPASSWORD
- SQLUSER
- tenantId
Go to the Azure portal and search for your service principal for Azure DevOps on the App registrations page.
Create a secret for the service principal and copy the secret.
Change the following variables in sql-deployment-template.yml to your own values.
```yaml
variables:
  - name: AzureSvcName
    value: AyharaSampleConnectionService # Change to your own Service Connection name
  - group: iac-deploy-variables
  - name: SqlServerName
    value: sql-ayhara-sample # Change to your own SQL Server name
  - name: SqlDatabaseName
    value: sqldb-ayhara-sample-ado # Change to your own SQL DB name
  - name: resourceGroup
    value: rg-ayhara-playground # Change to your own resource group name
  - name: akvName
    value: kv-ayhara-sample-ado # Change to your own Key Vault name
```
Then go to Pipelines in Azure DevOps and click “New pipeline”. In the wizard, select Azure Repos Git and the repository, then choose “Existing Azure Pipelines YAML file” and select sql-deployment-template.yml.
Once the pipeline run has completed, check the result by querying a table that has an encrypted column.