SGX Demo Modifications

Author: Pietervanhove

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/README.md

@@ -31,26 +31,20 @@ You also need to make sure the following software is installed on your machine:
 
 1. PowerShell modules:
 
-   1. Az version 5.6 or later. For details on how to install the Az PowerShell module, see [Install the Azure Az PowerShell module](https://docs.microsoft.com/powershell/azure/install-az-ps). To determine the version of the Az module installed on your machine, run the following command from a PowerShell session.
+   1. Az version 9.3 or later. For details on how to install the Az PowerShell module, see [Install the Azure Az PowerShell module](https://docs.microsoft.com/powershell/azure/install-az-ps). To determine the version of the Az module installed on your machine, run the following command from a PowerShell session.
 
      ```powershell
      Get-InstalledModule -Name Az
      ```
 
-   2. Az.Attestation 0.1.8 or later. For details on how to install the Az.Attestation PowerShell module, see [Install Az.Attestation PowerShell module](https://docs.microsoft.com/azure/attestation/quickstart-powershell#install-azattestation-powershell-module). To determine the version of the Az.Attestation module installed on your machine, run the following command from a PowerShell session.
-
-     ```powershell
-     Get-InstalledModule -Name Az.Attestation
-     ```
-
-   3. SqlServer version 21.1.18245 or later. For details on how to install the SqlServer PowerShell module, see [Installing or updating the SqlServer module](https://docs.microsoft.com/sql/powershell/download-sql-server-ps-module#installing-or-updating-the-sqlserver-module). To determine the version the SqlServer module installed on your machine, run the following command from a PowerShell session.
+   2. SqlServer version 22.0.49-preview or later. For details on how to install the SqlServer PowerShell module, see [Installing or updating the SqlServer module](https://docs.microsoft.com/sql/powershell/download-sql-server-ps-module#installing-or-updating-the-sqlserver-module). To determine the version the SqlServer module installed on your machine, run the following command from a PowerShell session.
 
      ```powershell
      Get-InstalledModule -Name SqlServer
      ```
 
-1. [Bicep](https://docs.microsoft.com/azure/azure-resource-manager/templates/bicep-overview) version 0.4.63 or later. You need to install Bicep and ensure it can be invoked from PowerShell. The recommended way to achieve that is to [install Bicep manually with PowerShell](https://docs.microsoft.com/azure/azure-resource-manager/templates/bicep-install?tabs=azure-powershell#manual-with-powershell).
-1. [SQL Server Management Studio](https://msdn.microsoft.com/en-us/library/mt238290.aspx) - version 18.9.1 or later is recommended.
+1. [Bicep](https://docs.microsoft.com/azure/azure-resource-manager/templates/bicep-overview) version 0.13.1 or later. You need to install Bicep and ensure it can be invoked from PowerShell. The recommended way to achieve that is to [install Bicep manually with PowerShell](https://docs.microsoft.com/azure/azure-resource-manager/templates/bicep-install?tabs=azure-powershell#manual-with-powershell).
+1. [SQL Server Management Studio](https://msdn.microsoft.com/en-us/library/mt238290.aspx) - version 19 or later is recommended.
 
 ## Setup
 
@@ -156,7 +150,7 @@ Perform the below steps before each demo presentation.
 
 ### Key Takeaways
 
-Always Encrypted with secure enclaves requires specific hardware that is exposed in Azure SQL Database as the DC-series hardware configuration. Microsoft Azure Attestation is a Platform-as-a-Service solution for attestation enclaves in Azure. Enclaves are attested against a policy, you define and control.
+Always Encrypted with Intel SGX enclaves requires specific hardware that is exposed in Azure SQL Database as the DC-series hardware configuration. Microsoft Azure Attestation is a Platform-as-a-Service solution for attestation enclaves in Azure. Enclaves are attested against a policy, you define and control.
 
 ## Demo 2
 
@@ -272,7 +266,7 @@ Perform the below steps before you show the demo.
 
          ![Connection Properties](./img/ssms-connect-to-server-connection-properties-page.png)
 
-      1. Select the **Always Encrypted** tab. Make sure the **Enable Always Encrypted** checkbox **is** selected. Enter your attestation URL.
+      1. Select the **Always Encrypted** tab. Make sure the **Enable Always Encrypted** and the **Enable secure enclaves** checkbox are selected. Set the Enclave attestation Protocol to **Microsoft Azure Attestation** and enter your attestation URL.
 
          ![Always Encrypted disabled](./img/ssms-connect-to-server-always-encrypted-enabled.png)
 

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/img/portal-attestation-policy.png

@@ -3,7 +3,7 @@ authorizationrules
 {
      [ type=="x-ms-sgx-is-debuggable", value==false ]
       && [ type=="x-ms-sgx-product-id", value==4639 ]
-      && [ type=="x-ms-sgx-svn", value>= 0 ]
+      && [ type=="x-ms-sgx-svn", value>= 2 ]
       && [ type=="x-ms-sgx-mrsigner", value=="e31c9e505f37a58de09335075fc8591254313eb20bb1a27e5443cc450b6e33e5"] 
   => permit();
 };

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/img/ssms-connect-to-server-always-encrypted-disabled.png

@@ -30,7 +30,7 @@ param location string = resourceGroup().location
 
 // Create the server
 var SQLServerName_var = '${projectName}server'
-resource Server_Name_resource 'Microsoft.Sql/servers@2019-06-01-preview' = {
+resource Server_Name_resource 'Microsoft.Sql/servers@2022-05-01-preview' = {
   name: SQLServerName_var
   location: location
   tags: {}
@@ -47,7 +47,7 @@ resource Server_Name_resource 'Microsoft.Sql/servers@2019-06-01-preview' = {
 }
 
 // Allow Azure services and resources to access this server
-resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2015-05-01-preview' = {
+resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
   name: '${Server_Name_resource.name}/AllowAllWindowsAzureIps'
   properties: {
     endIpAddress: '0.0.0.0'
@@ -56,7 +56,7 @@ resource Server_Name_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRule
 }
 
 // Allow Client IP to access this server
-resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2015-05-01-preview' = {
+resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2022-05-01-preview' = {
   name: '${Server_Name_resource.name}/AllowClientIP'
   properties: {
     endIpAddress: clientIP
@@ -65,7 +65,7 @@ resource Server_Name_AllowClientIP 'Microsoft.Sql/servers/firewallRules@2015-05-
 }
 
 // Make the user an Azure AD administrator for the server, so that the user can connect with universal authentication
-resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2019-06-01-preview' = {
+resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2022-05-01-preview' = {
   name: '${Server_Name_resource.name}/activeDirectory'
   properties: {
     administratorType: 'ActiveDirectory'
@@ -80,7 +80,7 @@ resource Server_Name_activeDirectory 'Microsoft.Sql/servers/administrators@2019-
 // Create the ContosoHR database using the DC-series hardware configuration //
 //////////////////////////////////////////////////////////////////////////////
 
-resource Database_Resource 'Microsoft.Sql/servers/databases@2020-08-01-preview' = {
+resource Database_Resource 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
   name: '${Server_Name_resource.name}/ContosoHR'
   location: location
   tags: {}
@@ -96,7 +96,7 @@ resource Database_Resource 'Microsoft.Sql/servers/databases@2020-08-01-preview'
 ///////////////////////////////////////
 
 // Create the attestation provider
-resource attestationProviderName_resource 'Microsoft.Attestation/attestationProviders@2020-10-01' = {
+resource attestationProviderName_resource 'Microsoft.Attestation/attestationProviders@2021-06-01-preview' = {
   name: '${projectName}attest'
   location: location
   properties: {}
@@ -107,7 +107,7 @@ resource attestationProviderName_resource 'Microsoft.Attestation/attestationProv
 ///////////////////////////////////
 
 // Create an App Service plan 
-resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2021-01-01' = {
+resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2022-03-01' = {
   name: '${projectName}plan'
  location: location
  properties: {}
@@ -117,7 +117,7 @@ resource WebAppServicePlan_Resource 'Microsoft.Web/serverfarms@2021-01-01' = {
 }
 
 // Create the App Service
-resource WebApp_Resource 'Microsoft.Web/sites@2021-01-01' = {
+resource WebApp_Resource 'Microsoft.Web/sites@2022-03-01' = {
   name: '${projectName}app'
   location: location
   identity: {
@@ -147,11 +147,13 @@ resource WebApp_Resource 'Microsoft.Web/sites@2021-01-01' = {
 }
 
  // Deploy the application
-resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2021-01-01' = {
+resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2022-03-01' = {
   name: '${projectName}app/web'
   properties: {
-    repoUrl: 'https://github.com/microsoft/sql-server-samples.git'
-    branch: 'master'
+    //repoUrl: 'https://github.com/microsoft/sql-server-samples.git'
+    //branch: 'master'
+    repoUrl: 'https://github.com/Pietervanhove/sql-server-samples.git'
+    branch: 'AEVBSDemo'
     isManualIntegration: true
   }
   dependsOn: [
@@ -164,7 +166,7 @@ resource sourceControl 'Microsoft.Web/sites/sourcecontrols@2021-01-01' = {
 //////////////////////////////////////
 
 // Create a key vault and assign key permissions to the user, so that the user can manage the keys
-resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2019-09-01' = {
+resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: '${projectName}vault'
   location: location
   tags: {}
@@ -197,7 +199,7 @@ resource KeyVault_Resource 'Microsoft.KeyVault/vaults@2019-09-01' = {
 }
 
 // Assign key permissions to the web app 
-resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
+resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
   name: any('${KeyVault_Resource.name}/add')
   properties: {
     accessPolicies: [
@@ -218,7 +220,7 @@ resource KeyVaultWebAppAccessPolicy_Resource 'Microsoft.KeyVault/vaults/accessPo
 }
 
 // Create a key
-resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2019-09-01' = {
+resource Key_Resource 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
   name: '${KeyVault_Resource.name}/CMK'
   tags: {}
   properties: {

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/img/ssms-connect-to-server-always-encrypted-enabled.png

@@ -1,6 +1,5 @@
-Import-Module "Az" -MinimumVersion "5.6"
-Import-Module "Az.Attestation" -MinimumVersion "0.1.8"
-Import-Module "SqlServer" -MinimumVersion "21.1.18235"
+Import-Module "Az" -MinimumVersion "9.3"
+Import-Module "SqlServer" #-Version "22.0.49-preview" 
 
 ######################################################################
 # Prompt the user to enter the values of deployment parameters
@@ -143,7 +142,7 @@ $policy=Get-Content -path $policyFile -Raw
 Set-AzAttestationPolicy -Name $attestationProviderName -ResourceGroupName $resourceGroupName -Tee $teeType -Policy $policy -PolicyFormat  $policyFormat
 
 # Get the attestation URL
-$attestationProvider = Get-AzAttestation -Name $attestationProviderName -ResourceGroupName $resourceGroupName 
+$attestationProvider = Get-AzAttestationProvider -Name $attestationProviderName -ResourceGroupName $resourceGroupName 
 $attestationUrl = $attestationProvider.AttestUri
 
 ######################################################################

samples/features/security/always-encrypted-with-secure-enclaves/azure-sql-database-sgx/setup/AttestationPolicy.txt

@@ -1,5 +1,5 @@
 Import-Module "Az" -MinimumVersion "9.3"
-Import-Module "SqlServer"
+Import-Module "SqlServer" -Version "22.0.49-preview" 
 
 ######################################################################
 # Prompt the user to enter the values of deployment parameters