*ADDED:* --settingsfilekey is no longer required when a Key Vault N…

…ame is provided. This will bypass any settings file decryption and only retrieve the secrets directly from Key Vault
mmckechney · Dec 1, 2023 · af63045 · af63045
1 parent 78ee834
commit af63045
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - *UPDATED:* Simplified data object classes and regenerated typed DataSet classes
 - *UPDATED:* Docker base set to .NET Runtime 8.0 and .NET SDK to 8.0
 - *REMOVED:* Removed fall back Settings File Key generation from machine value. Now must be provided via `--settingsfilekey` argument or `sbm-settingsfilekey` Environment variable
+- *ADDED:* `--settingsfilekey` is no longer required when a Key Vault Name is provided. This will bypass any settings file decryption and only retrieve the secrets directly from Key Vault
 
 ### Version 15.5.0
 - *NEW:* For muti-database target builds, you can now specify custom concurrency tag. Previously, the only concurrency differentitor was by SQL Server Name. Please see the docs on [Concurrency](/docs/concurrency_options.md) and [Database targeting options](docs/override_options.md) to understand how to use this new feature.

diff --git a/src/SqlBuildManager.Console.ExternalTest/BatchTests.cs b/src/SqlBuildManager.Console.ExternalTest/BatchTests.cs
@@ -1964,5 +1964,60 @@ public async Task CreateBatchPool_Success(string settingsFile, string settingsFi
             }
         }
 
+
+
+        [DataRow("run", "TestConfig/settingsfile-batch-windows-queue-keyvault.json", ConcurrencyType.Tag, 2)]
+        [DataRow("run", "TestConfig/settingsfile-batch-linux-queue-keyvault.json", ConcurrencyType.Tag, 2)]
+        [DataRow("run", "TestConfig/settingsfile-batch-windows-queue-keyvault-mi.json", ConcurrencyType.Tag, 2)]
+        [DataRow("run", "TestConfig/settingsfile-batch-linux-queue-keyvault-mi.json", ConcurrencyType.Tag, 2)]
+        [DataRow("runthreaded", "TestConfig/settingsfile-batch-windows-queue-keyvault.json", ConcurrencyType.MaxPerTag, 5)]
+        [DataTestMethod]
+        public void Batch_Queue_SBMSource_KeyVault_NoSettingsFileKey_Success(string batchMethod, string settingsFile, ConcurrencyType concurType, int concurrency)
+        {
+            settingsFile = Path.GetFullPath(settingsFile);
+            string sbmFileName = Path.GetFullPath("SimpleSelect.sbm");
+            if (!File.Exists(sbmFileName))
+            {
+                File.WriteAllBytes(sbmFileName, Properties.Resources.SimpleSelect);
+            }
+            string jobName = GetUniqueBatchJobName("batch-sbm-tag");
+            int startingLine = LogFileCurrentLineCount();
+
+            var args = new string[]{
+                "batch", "enqueue",
+                "--settingsfile", settingsFile,
+                "--override" , overrideWithTagFilePath,
+                "--concurrencytype",  concurType.ToString(),
+                "--jobname", jobName};
+
+            RootCommand rootCommand = CommandLineBuilder.SetUp();
+            Task<int> val = rootCommand.InvokeAsync(args);
+            val.Wait();
+            var result = val.Result;
+
+            var logFileContents = ReleventLogFileContents(startingLine);
+            Assert.AreEqual(0, result, StandardExecutionErrorMessage(logFileContents));
+
+            args = new string[]{
+             "--loglevel", "debug",
+            "batch",  batchMethod,
+            "--settingsfile", settingsFile,
+            "--override", overrideWithTagFilePath,
+            "--packagename", sbmFileName,
+            "--concurrencytype", concurType.ToString(),
+            "--concurrency", concurrency.ToString(),
+            "--jobname", jobName,
+            "--unittest",
+            "--monitor",
+            "--stream" };
+
+
+            val = rootCommand.InvokeAsync(args);
+            val.Wait();
+            result = val.Result;
+
+            logFileContents = ReleventLogFileContents(startingLine);
+            Assert.AreEqual(0, result, StandardExecutionErrorMessage(logFileContents));
+        }
     }
 }
diff --git a/src/SqlBuildManager.Console/CommandLine/Cryptography.cs b/src/SqlBuildManager.Console/CommandLine/Cryptography.cs
@@ -80,11 +80,21 @@ public static (bool, CommandLineArgs) DecryptSensitiveFields(CommandLineArgs cmd
                 return (true, cmdLine);
             }
             bool consolidated = true;
+
+            //Look for a encryption key in the settings file, if not found, and there is a value for keyvault, then skip decryption and return true
             (bool success, string key) = GetSettingsFileEncryptionKey(cmdLine);
             if (!success && string.IsNullOrEmpty(key))
             {
-                log.LogError("Unable to decrypt sensitive fields. No encryption key found.");
-                return (false, cmdLine);
+                if (string.IsNullOrWhiteSpace(cmdLine.ConnectionArgs.KeyVaultName))
+                {
+                    log.LogError("Unable to decrypt sensitive fields. No encryption key found.");
+                    return (false, cmdLine);
+                }
+                else
+                {
+                    log.LogInformation("No SettingsFileKey found, but KeyVaultName was provided. Assuming Key Vault will be used to retrieve sensitive fields.");
+                    return (true, cmdLine);
+                }
             }
 
             if (cmdLine.ContainerRegistryArgs != null && !string.IsNullOrWhiteSpace(cmdLine.ContainerRegistryArgs.RegistryPassword))