Change cost allocation / vulnerability scanner DB admin account with azure account #1107

Closed
5 tasks done
sondresjolyst opened this issue Nov 27, 2023 · 2 comments · Fixed by #1169, equinor/radix-vulnerability-scanner#39, equinor/radix-cost-allocation#114, #1172 or #1173
Labels
security Issues related to security improvements

Comments

@sondresjolyst
Contributor

sondresjolyst commented Nov 27, 2023

Azure SQL Database should have Microsoft Entra Only Authentication enabled
To disable local authentication methods and only allow Azure Active Directory authentication:

  1. Find your Azure SQL server in the portal.
  2. Navigate to Microsoft Entra ID in the left navigation pane.
  3. Select "Set admin" if Microsoft Entra ID admin is not already set.
  4. Check the "Support only Microsoft Entra ID authentication for this server" box and press "Save".

Vulnerability scanner

@sondresjolyst changed the title from "Change cost allocation / vulnerability scanner DB account with azure account" to "Change cost allocation / vulnerability scanner DB admin account with azure account" on Nov 27, 2023
@emirgens added the "refinement needed" and "security" labels on Dec 6, 2023
@Awildev removed the "refinement needed" label on Dec 8, 2023
@emirgens added the "refinement needed" label on Jan 16, 2024
@emirgens
Contributor

  1. Create Managed Identity for each database when a database is created
  2. Create SQL user for this MI
  3. Add SQL user in dbo group of the server
  4. Create federated credential for this MI for GitHub actions
  5. Update GitHub action

@emirgens removed the "refinement needed" label on Jan 16, 2024
@Richard87
Contributor

Richard87 commented Jan 31, 2024

Vulnerability Scanner

  • Create Managed Identity
  • Create Federated credentials for GitHub Actions
  • Optional Terraform
    • Create database
    • Create db credentials - store in key vaults
    • Use Azure Key Vault for radix-vulnerability-scanner-api Radix integration
    • Use external secret for Helm install?
    • Create private links
  • Optional Kubernetes
    • Create federated credentials for Azure Workload Identity

Cost
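
A check that goes with the "federated credential for GitHub Actions" step in both task lists above, as an added example that is not part of the issue or of the Radix repositories: it audits federated credential records (the `issuer`, `subject` and `audiences` fields as `az identity federated-credential list` prints them) so that the managed identity placed in the database's dbo role can only be assumed from the intended repository and ref. The allow-list, the credential names, the branch names and the `example-user` repository are assumptions made for the sample.

```python
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"
# "sub" claim shapes issued by GitHub Actions: branch/tag ref, environment, pull_request.
SUBJECT_RE = re.compile(
    r"^repo:(?P<repo>[\w.-]+/[\w.-]+):(?:ref:refs/(?:heads|tags)/[^*\s]+"
    r"|environment:[^*\s]+|(?P<pr>pull_request))$"
)

def audit_federated_credential(cred, allowed_repos):
    """Return findings for one federated credential; an empty list means OK."""
    findings = []
    if cred.get("issuer") != GITHUB_ISSUER:
        findings.append("issuer is not the GitHub Actions OIDC issuer")
    if cred.get("audiences") != [AZURE_AUDIENCE]:
        findings.append("audiences is not exactly [" + AZURE_AUDIENCE + "]")
    match = SUBJECT_RE.match(cred.get("subject") or "")
    if not match:
        findings.append("subject is not pinned to one repo and ref/environment")
        return findings
    if match.group("repo").lower() not in {r.lower() for r in allowed_repos}:
        findings.append("subject repo is not on the allow-list")
    if match.group("pr"):
        findings.append("pull_request subject is not tied to a branch or environment")
    return findings

# Constructed sample input; only the two equinor repository names come from the issue.
ALLOWED_REPOS = ["equinor/radix-vulnerability-scanner", "equinor/radix-cost-allocation"]
SAMPLE_CREDENTIALS = [
    {"name": "scanner-main", "issuer": GITHUB_ISSUER, "audiences": [AZURE_AUDIENCE],
     "subject": "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/main"},
    {"name": "cost-any-branch", "issuer": GITHUB_ISSUER, "audiences": [AZURE_AUDIENCE],
     "subject": "repo:equinor/radix-cost-allocation:ref:refs/heads/*"},
    {"name": "cost-pr", "issuer": GITHUB_ISSUER, "audiences": [AZURE_AUDIENCE],
     "subject": "repo:equinor/radix-cost-allocation:pull_request"},
    {"name": "fork", "issuer": GITHUB_ISSUER, "audiences": ["sts.example"],
     "subject": "repo:example-user/radix-cost-allocation:environment:prod"},
]

def audit_all(credentials, allowed_repos):
    """Map credential name -> findings, keeping only credentials that have any."""
    report = {c["name"]: audit_federated_credential(c, allowed_repos) for c in credentials}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_CREDENTIALS, ALLOWED_REPOS).items():
        print(name, "->", "; ".join(found))
```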
