add Azure Key Vault integration and connection string management

Author: bryansan-local

samples/web-app-sql-database/python/bicep/main.bicep

@@ -322,6 +322,8 @@ param username string = 'paolo'
 var sqlServerName = '${prefix}-sqlserver-${suffix}'
 var webAppName = '${prefix}-webapp-${suffix}'
 var appServicePlanName = '${prefix}-app-service-plan-${suffix}'
+var keyVaultName = '${prefix}-kv-${suffix}'
+var sqlConnectionStringSecretName = 'sql-connection-string'
 var identity = {
     type: 'SystemAssigned'
   }
@@ -429,6 +431,42 @@ resource webApp 'Microsoft.Web/sites@2024-11-01' = {
   }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
+  name: keyVaultName
+  location: location
+  tags: tags
+  properties: {
+    tenantId: subscription().tenantId
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    accessPolicies: [
+      {
+        tenantId: subscription().tenantId
+        objectId: webApp.identity.principalId
+        permissions: {
+          secrets: [
+            'get'
+            'list'
+          ]
+        }
+      }
+    ]
+    enableRbacAuthorization: false
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 7
+  }
+}
+
+resource sqlConnectionStringSecret 'Microsoft.KeyVault/vaults/secrets@2024-11-01' = {
+  parent: keyVault
+  name: sqlConnectionStringSecretName
+  properties: {
+    value: 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Database=${sqlDatabaseName};User ID=${sqlDatabaseUsername};Password=${sqlDatabasePassword};Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;'
+  }
+}
+
 resource configAppSettings 'Microsoft.Web/sites/config@2024-11-01' = {
   parent: webApp
   name: 'appsettings'
@@ -439,6 +477,7 @@ resource configAppSettings 'Microsoft.Web/sites/config@2024-11-01' = {
     SQL_DATABASE: sqlDatabaseName
     SQL_USERNAME: sqlDatabaseUsername
     SQL_PASSWORD: sqlDatabasePassword
+    SQL_CONNECTION_STRING: '@Microsoft.KeyVault(SecretUri=${sqlConnectionStringSecret.properties.secretUri})'
     LOGIN_NAME: username
   }
 }
@@ -459,3 +498,6 @@ output webAppUrl string = webApp.properties.defaultHostName
 output sqlServerName string = sqlServer.name
 output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
 output sqlDatabaseName string = sqlDatabase.name
+output keyVaultName string = keyVault.name
+output keyVaultUrl string = keyVault.properties.vaultUri
+output sqlConnectionStringSecretUri string = sqlConnectionStringSecret.properties.secretUri

samples/web-app-sql-database/python/scripts/deploy.sh

@@ -22,6 +22,8 @@ RUNTIME="python"
 RUNTIME_VERSION="3.13"
 DEPLOY_APP=1
 ENVIRONMENT=$(az account show --query environmentName --output tsv)
+KEYVAULT_NAME="${PREFIX}-kv-${SUFFIX}"
+SECRET_NAME="SqlConnectionString"
 
 # Change the current directory to the script's directory
 cd "$CURRENT_DIR" || exit
@@ -298,6 +300,7 @@ $AZ webapp create \
 	--plan "$APP_SERVICE_PLAN_NAME" \
 	--name "$WEB_APP_NAME" \
 	--runtime "$RUNTIME:$RUNTIME_VERSION" \
+	--assign-identity \
 	--only-show-errors 1>/dev/null
 
 if [ $? -eq 0 ]; then
@@ -307,6 +310,72 @@ else
 	exit 1
 fi
 
+# Get Web App principal ID
+PRINCIPAL_ID=$($AZ webapp identity show \
+	--name "$WEB_APP_NAME" \
+	--resource-group "$RESOURCE_GROUP_NAME" \
+	--query "principalId" \
+	--output tsv)
+
+# Create Key Vault
+echo "Creating Key Vault [$KEY_VAULT_NAME]..."
+$AZ keyvault create \
+	--name "$KEY_VAULT_NAME" \
+	--resource-group "$RESOURCE_GROUP_NAME" \
+	--location "$LOCATION" \
+	--enable-soft-delete true \
+	--retention-days 7 \
+	--only-show-errors 1>/dev/null
+
+if [ $? -eq 0 ]; then
+	echo "Key Vault [$KEY_VAULT_NAME] created successfully."
+else
+	echo "Failed to create Key Vault [$KEY_VAULT_NAME]."
+	exit 1
+fi
+
+# Assign access policy to Web App managed identity
+echo "Assigning Key Vault access policy to Web App..."
+$AZ keyvault set-policy \
+	--name "$KEY_VAULT_NAME" \
+	--object-id "$PRINCIPAL_ID" \
+	--secret-permissions get \
+	--only-show-errors 1>/dev/null
+
+if [ $? -eq 0 ]; then
+	echo "Key Vault access policy assigned successfully."
+else
+	echo "Failed to assign Key Vault access policy."
+	exit 1
+fi
+
+# Build connection string
+SQL_CONNECTION_STRING="Server=tcp:${SQL_SERVER_FQDN},1433;Database=${SQL_DATABASE_NAME};User ID=${DATABASE_USER_NAME};Password=${DATABASE_USER_PASSWORD};Encrypt=yes;TrustServerCertificate=yes;Connection Timeout=30;"
+
+# Create secret
+echo "Creating secret [$SECRET_NAME] in Key Vault..."
+$AZ keyvault secret set \
+	--vault-name "$KEY_VAULT_NAME" \
+	--name "$SECRET_NAME" \
+	--value "$SQL_CONNECTION_STRING" \
+	--only-show-errors 1>/dev/null
+
+if [ $? -eq 0 ]; then
+	echo "Secret [$SECRET_NAME] created successfully."
+else
+	echo "Failed to create secret [$SECRET_NAME]."
+	exit 1
+fi
+
+# Get Secret URI
+SECRET_URI=$($AZ keyvault secret show \
+	--vault-name "$KEY_VAULT_NAME" \
+	--name "$SECRET_NAME" \
+	--query "id" \
+	--output tsv)
+
+echo "Secret URI: $SECRET_URI"
+
 # Set web app settings
 echo "Setting web app settings for [$WEB_APP_NAME]..."
 $AZ webapp config appsettings set \

samples/web-app-sql-database/python/scripts/validate.sh

@@ -39,4 +39,17 @@ $AZ sql db show \
 --name PlannerDB \
 --server local-sqlserver-test \
 --resource-group local-rg \
+--output table
+
+# Check Azure Key Vault
+$AZ keyvault show \
+--name local-kv-test \
+--resource-group local-rg \
+--output table
+
+# Check Key Vault secret
+$AZ keyvault secret show \
+--vault-name local-kv-test \
+--name sql-connection-string \
+--query "{name:name, enabled:attributes.enabled, created:attributes.created}" \
 --output table

samples/web-app-sql-database/python/src/database.py

@@ -3,6 +3,7 @@
 Supports both traditional ODBC connections and passwordless Azure AD authentication
 """
 
+from multiprocessing import connection
 import os
 import struct
 import pyodbc
@@ -73,6 +74,10 @@ def from_env(cls) -> 'SqlHelper':
             - SQL_USERNAME
             - SQL_PASSWORD
         """
+        connection_string = os.environ.get("SQL_CONNECTION_STRING")
+        if connection_string:
+            return cls.from_connection_string(connection_string)
+        
         client_id = os.environ.get("AZURE_CLIENT_ID")
         client_secret = os.environ.get("AZURE_CLIENT_SECRET")
         tenant_id = os.environ.get("AZURE_TENANT_ID")
@@ -94,6 +99,44 @@ def from_env(cls) -> 'SqlHelper':
             use_azure_credential=all([client_id, client_secret, tenant_id])
         )
 
+    @classmethod
+    def from_connection_string(cls, connection_string: str) -> 'SqlHelper':
+        """
+        Create a SqlHelper instance from a connection string.
+        
+        This is useful when the connection string is stored in an environment variable
+        (e.g., resolved by Azure App Service from Key Vault via @Microsoft.KeyVault(SecretUri=...)).
+        
+        """
+        parts = {}
+        for part in connection_string.split(';'):
+            if '=' in part:
+                key, value = part.split('=', 1)
+                parts[key.strip()] = value.strip()
+            
+        server = parts.get('Server', '').replace('tcp:', '').replace(',1433', '')
+        database = parts.get('Database')
+        username = parts.get('User ID')
+        password = parts.get('Password')
+            
+        if not all([server, database, username, password]):
+            raise ValueError(
+                f"Could not parse all required parameters from connection string. "
+                f"Found - Server: {bool(server)}, Database: {bool(database)}, "
+                f"Username: {bool(username)}, Password: {bool(password)}"
+            )
+            
+        logger.info("Connection string parsed successfully")
+        logger.debug(f"Server: {server}, Database: {database}, Username: {username}")
+            
+        return cls(
+            server=server,
+            database=database,
+            username=username,
+            password=password,
+            use_azure_credential=False
+            )
+
     def _build_connection_string(self) -> str:
         """Build the ODBC connection string."""
         conn_str = (