Merge pull request #9 from microsoft/master

merge from the master

Author: Melony QIN

samples/demos/azure-sql-edge-demos/Wind Turbine Demo/script.sql

@@ -0,0 +1,77 @@
+-- TABLES --
+/****** Object:  Table [dbo].[RealtimeSensorRecord] ******/
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+CREATE TABLE [dbo].RealtimeSensorRecord(
+	[RecordId] [uniqueidentifier] NOT NULL,
+	[TurbineId] [varchar](50) NULL,
+	[SensorType] [varchar](50) NULL, --
+	[SensorId] [varchar](50) NULL,
+	[SensorValue] [real] NULL,
+	[Timestamp] [datetime] NULL
+
+PRIMARY KEY CLUSTERED
+(
+	[RecordId] ASC
+)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
+) ON [PRIMARY]
+GO
+
+-- STORE PROCEDURES --
+/* Store procedure that clean up the sensor records table */
+CREATE PROCEDURE [dbo].[TruncateRealtimeSensorRecords]
+AS
+DECLARE @SQL VARCHAR(2000)
+SET @SQL='TRUNCATE TABLE dbo.RealtimeSensorRecord'
+EXEC (@SQL);
+
+
+-- Run Model Store Procedure
+SET ANSI_NULLS ON
+GO
+SET QUOTED_IDENTIFIER ON
+GO
+
+IF OBJECT_ID ( 'RunModel', 'P' ) IS NOT NULL
+    DROP PROCEDURE RunModel;
+GO
+
+CREATE PROCEDURE [dbo].RunModel
+	@Result INT = 0 OUTPUT
+AS
+BEGIN
+	SET NOCOUNT ON;
+
+	DECLARE @model VARBINARY(max) = (
+		SELECT DATA
+        FROM dbo.models
+        WHERE id = 1
+    )
+
+	;WITH predict_input AS (
+		SELECT WindSpeedStdDev, TurbineSpeedStdDev, OverallWindDirection, TurbineWindDirection,
+			WindSpeedAverage, WindTempAverage, GearboxOilLevel, GearboxOilTemp, GeneratorActivePower,
+			GeneratorSpeed, GeneratorTemp, GeneratorTorque, GridFrequency, GridVoltage,
+			HydraulicOilPressure, NacelleAngle, PitchAngle, Vibration, TurbineSpeedAverage
+		FROM
+		(
+		  SELECT SensorValue, SensorType, timestamp
+		  FROM RealtimeSensorRecord
+		  GROUP BY SensorValue, SensorType, timestamp
+		) d
+		PIVOT
+		(
+		  MAX(SensorValue)
+		  FOR SensorType IN (WindSpeedStdDev, TurbineSpeedStdDev, OverallWindDirection, TurbineWindDirection,
+			WindSpeedAverage, WindTempAverage, GearboxOilLevel, GearboxOilTemp, GeneratorActivePower,
+			GeneratorSpeed, GeneratorTemp, GeneratorTorque, GridFrequency, GridVoltage,
+			HydraulicOilPressure, NacelleAngle, PitchAngle, Vibration, TurbineSpeedAverage)
+		) piv
+	)
+
+	SELECT @Result = p.output_label
+	FROM PREDICT(MODEL = @model, DATA = predict_input) WITH (output_label bigint) AS p
+END
+GO

samples/demos/azure-sql-edge-demos/Wind Turbine Demo/security.sql

@@ -0,0 +1,78 @@
+/* Create users using the logins created */
+CREATE USER OperatorUser WITHOUT LOGIN;
+CREATE USER DataScientistUser WITHOUT LOGIN;
+CREATE USER SecurityUser WITHOUT LOGIN;
+CREATE USER TurbineUser WITHOUT LOGIN;
+
+/* Grand permissions to users */
+GRANT SELECT ON RealtimeSensorRecord TO OperatorUser;
+GRANT SELECT ON RealtimeSensorRecord TO DataScientistUser;
+GRANT SELECT ON RealtimeSensorRecord TO SecurityUser;
+GRANT SELECT, INSERT ON RealtimeSensorRecord TO TurbineUser;
+
+
+-- Mask the last four digits of the serial number (Sensor ID) of the sensor for the Data Scientist
+ALTER TABLE RealtimeSensorRecord
+ALTER COLUMN SensorId varchar(50) MASKED WITH (FUNCTION = 'partial(34,"XXXX",0)');
+DENY UNMASK TO DataScientistUser;
+GO
+
+/**
+* Operator: Can see all events
+* Data Scientist: Can see everything BUT Hatch Sensor events
+* Security: Can ONLY see HatchSensor events
+*/
+ALTER TABLE RealtimeSensorRecord
+ALTER COLUMN SensorType sysname
+GO
+
+CREATE SCHEMA Security;
+GO
+
+/**
+* Operator: Can see all events
+* Data Scientist: Can see everything BUT Hatch Sensor events
+* Security: Can ONLY see HatchSensor events
+*/
+CREATE FUNCTION Security.fn_securitypredicate(@SensorType AS sysname)
+RETURNS TABLE
+WITH SCHEMABINDING
+AS
+RETURN SELECT 1 AS fn_securitypredicate_result
+	WHERE
+		USER_NAME() = 'OperatorUser' OR USER_NAME() = 'dbo' OR
+		(USER_NAME() = 'DataScientistUser' AND @SensorType <> 'HatchSensor') OR
+		(USER_NAME() = 'SecurityUser' AND @SensorType = 'HatchSensor');
+
+CREATE SECURITY POLICY SensorsDataFilter
+ADD FILTER PREDICATE Security.fn_securitypredicate(SensorType)
+ON dbo.RealtimeSensorRecord
+WITH (STATE = ON);
+
+/* QUERIES FOR TESTING POLICIES */
+
+-- Testing basic policy to deny delete
+EXECUTE AS USER = 'OperatorUser';
+SELECT * FROM RealtimeSensorRecord;
+DELETE FROM RealtimeSensorRecord WHERE SensorType = 'GeneratorTorque';
+REVERT;
+
+-- Testing the masking for data Data Scientist
+EXECUTE AS USER = 'DataScientistUser';
+SELECT TOP 10 * FROM RealtimeSensorRecord;
+REVERT;
+
+-- Testing Row-Level Security policy with Operator that can see all the events
+EXECUTE AS USER = 'OperatorUser';
+SELECT * FROM RealtimeSensorRecord;
+REVERT;
+
+-- Testing Row-Level Security policy with DataScientist that can see all the events but HatchSensor
+EXECUTE AS USER = 'DataScientistUser';
+SELECT * FROM RealtimeSensorRecord;
+REVERT;
+
+-- Testing Row-Level Security policy with Security that can see only the HatchSensor events
+EXECUTE AS USER = 'SecurityUser';
+SELECT * FROM RealtimeSensorRecord;
+REVERT;

samples/demos/azure-sql-edge-demos/Wind Turbine Demo/turbine-sensor-db-dacpac.zip

@@ -3,12 +3,12 @@ services: Azure SQL
 platforms: Azure
 author: anosov1960
 ms.author: sashan
-ms.date: 1/11/2021
+ms.date: 2/2/2021
 ---
 
 # Overview
 
-This script provides a simple solution to analyze and track the consolidated utilization of SQL Server licenses by all of the SQL resources in a specific subscription or the entire the account. By default, the script scans all subscriptions the user account has access. Alternatively, you can specify a single subscription or a .CSV file with a list of subscription. The usage report includes the following information for each scanned subscription.
+This script provides a simple solution to analyze and track the consolidated utilization of SQL Server licenses by all of the SQL resources in a specific subscription or the entire account. By default, the script scans all subscriptions the user account has access to. Alternatively, you can specify a single subscription or a .CSV file with a list of subscription. The usage report includes the following information for each scanned subscription.
 
 | **Category** | **Description** |
 |:--|:--|
@@ -45,15 +45,14 @@ The following resources are in scope for the license utilization analysis:
 
 The script accepts the following command line parameters:
 
-| **Parameter**                                  | **Value** | **Description** |
+| **Parameter**                                  | **Value**                                                                       | **Description** |
 |:--|:--|:--|
-|-SubId|subscription_id *or* a file_name|Accepts a .csv file with the list of subscriptions<sup>1</sup>|
-|-UseInRunbook||Must be specified when executed as a Runbook|
-|-Server|[protocol:]server[instance_name][,port]|Required to save data to the database| 
-|-Database|database_name|Required to save data to the database|
-|-Username|user_name|Required to save data to the database|
-|-Password|password|Required to save data to the database, must be passed as a *[SecureString]* variable|
-|-FilePath|csv_file_name|Required to save data in a .csv format. Ignored if database parameters are specified|
+|-SubId|subscription_id *or* a file_name|Optional: subscription id or a .csv file with the list of subscriptions<sup>1</sup>|
+|-UseInRunbook| \$True or \$False (default) |Optional: must be $True when executed as a Runbook|
+|-Server|[protocol:]server[instance_name][,port]|Optional: SQL Server connection endpoint to save data to the database.<br>  Must be accompanied by -Database and -Cred | 
+|-Database|database_name|Optional: database name where data will be saved.<br>  Must be accompanied by -Server and -Cred|
+|-Cred|credential_object|Optional: value of type PSCredential to securely pass database user and password|
+|-FilePath|csv_file_name|Optional: filename where the data will be saved in a .csv format. Ignored if database parameters are specified|
 
 <sup>1</sup>You can create a .csv file using the following command and then edit to remove the subscriptions you don't  want to scan.
 ```PowerShell
@@ -79,39 +78,78 @@ The following command will scan the subscription `<sub_id>` and save the results
 
 ## Example 3
 
-The following command will scan all the subscriptions in the account and save the results in a SQL database `<db_name>` on a SQL Server instance `<sql_server_name>.database.windows.net`.
+The following command will scan all the subscriptions in the account and save the results in a SQL database `sql-license-usage` on a SQL Server instance `my-westus2-server.database.windows.net`. It will prompt for the database user name and password.
 
 ```PowerShell
-$cred = Get-Credential -credential <user_name>
-.\sql-license-usage.ps1 -Server <server_name>.database.windows.net -Database <db_name> -Username $cred.Username -Password $cred.Password
+$cred = Get-Credential
+.\sql-license-usage.ps1 -Server my-westus2-server.database.windows.net -Database sql-license-usage -Cred $cred 
+```
+
+## Example 4
+
+The following command uses the parameter splatting method to achieve the same outcome as Example 3.
+
+```PowerShell
+$params =@{
+    Server="my-westus2-server.database.windows.net";
+    Database="sql-license-usage";
+    Cred=Get-Credential;
+}    
+.\sql-license-usage.ps1 @params
 ```
 
 # Running the script using Cloud Shell
 
-Use the following steps to calculate the SQL Server license usage:
+To run the script in the Cloud Shell, use the following steps:
 
 1. Launch the [Cloud Shell](https://shell.azure.com/). For details, read [PowerShell in Cloud Shell](https://aka.ms/pscloudshell/docs).
 
 2. Upload the script to the shell using the following command:
 
     ```console
-        curl https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/manage/azure-hybrid-benefit/sql-license-usage.ps1 -o sql-license-usage.ps1
+    curl https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/manage/azure-hybrid-benefit/sql-license-usage.ps1 -o sql-license-usage.ps1
     ```
 
 3. Run the script with a set of parameters that reflect your desired configuration.
 
     ```console
-       ./sql-license-usage.ps1 <parameters>
+    ./sql-license-usage.ps1 <parameters>
     ```
 
 > [!NOTE]
 > - To paste the commands into the shell, use `Ctrl-Shift-V` on Windows or `Cmd-v` on MacOS.
 > - The `curl` command will copy the script directly to the home folder associated with your Cloud Shell session.
 
-# Tracking SQL license usage over time
+# Running the script as a Azure runbook
+
+You can track your license utilization over time by running this script on schedule as a runbook. To set it up using Azure Portal, follow these steps. 
 
-You can track your license utilization over time by periodically running this script. To schedule automatic execution of the script, create a PowerShell runbook using an Azure Automation account. See the [Runbook tutorial](https://docs.microsoft.com/en-us/azure/automation/learn/automation-tutorial-runbook-textual-powershell) for the details of how to create a PowerShell runbook. Because the script accesses the resources across multiple subscriptions, the runbook must be able to authenticate using the Run As account that was automatically created when you created your Automation account. The logic required for the Runbooks is part of the script.
+1. Open a command shell on your device and run this command. It will copy the script to your local folder.
+```console
+curl https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/manage/azure-hybrid-benefit/sql-license-usage.ps1 -o sql-license-usage.ps1
+```
+2. [Create a new automation account](https://ms.portal.azure.com/#create/Microsoft.AutomationAccount)  or open an existing one.
+1. Select *Rus as accounts* in the **Account Settings** group, open the automatically created *Azure Run As Account* and note or copy the Display Name property. You must add this user to all the subscriptions you wish to scan with the *Reader* access role.  See [Role assignment portal](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) for the instructions about role assignments.
+1. Select *Credentials* in the **Shared resources** group and create a credential object with the database username and password. The script will use these to connect to the specified database to save the license utilization data.
+1. Select *Modules* in the **Shared resources** group and make sure your automation account have the following PowerShell modules installed. If not, add them from the Gallery.
+    - Az.Accounts
+    - Az.Compute
+    - Az.DataFactory
+    - Az.Resources
+    - Az.Sql
+    - Az.SqlVirtualMachine
+1. Select *Runbooks* in the **Process automation** group and click on *Import a runbook*, select the file you downloaded in Step 1 and click **Create**.
+1. When import is completed, click the *Publish* button.
+1. From the runbook blade, click on the *Link to schedule* button and select an existing schedule or create a new one with the desired frequency of runs and the expiration time.
+1. Click on *Parameters and run settings* and specify the following parameters:
+    - SUBID. Put in a subscription ID or leave it blank if you want to scan all the subscriptions the *Azure Run As Account* has been given access to in Step 3.
+    - SERVER. Put in the SQL Server connection endpoint (e.g. my-westus2-sql-server.database.windows.net)
+    - CRED. Put in the name of the credential object you created in Step 4.
+    - DATABASE. Put in the database name where you want to save the license utilization data.
+    - USEINRUNBOOKS. Select True to activate the logic that authenticates the runbook using the *Azure Run As Account*.
+1. Click **OK** to link to the schedule and **OK** again to create the job.
+
+For more information about the runbooks, see the [Runbook tutorial](https://docs.microsoft.com/en-us/azure/automation/learn/automation-tutorial-runbook-textual-powershell) 
 
 >[!IMPORTANT]
-> - When running the script as a runbook, use a database to ensure that the results can be analyzed outside of the runbook.
-> - You must specify a *-UseInRunbook* switch to ensure that the runbook is authenticated using the Run As account.
+> When running the script as a runbook, it is necessary to save the data in a database so that the results could be analyzed outside of the runbook.