feat: Invoke-AzSqlDatabaseMigration supports AccessToken login (#451)

fgheysels · web-flow · commit fef5d3e1c553 · 2025-02-08T12:14:46.000+01:00
* support access-token login

* code cleanup

* remove dbg statement

* some docs
diff --git a/docs/preview/03-Features/powershell/azure-sql.md b/docs/preview/03-Features/powershell/azure-sql.md
@@ -28,8 +28,9 @@ The current version is stored in a table "DatabaseVersion", which will be create
 | ------------------------| --------------------------------------- | ----------------------------------------------------------------------------------- |
 | `ServerName`            | yes                                     | The full name of the SQL Server that hosts the SQL Database.                        |
 | `DatabaseName`          | yes                                     | The name of the SQL Database                                                        |
-| `UserName`              | yes                                     | The UserName of the SQL Database                                                    |
-| `Password`              | yes                                     | The Password of the SQL Database                                                    |
+| `UserName`              | no                                      | The UserName of the user that must be used to login to the SQL Database. Prefer AccessToken instead |
+| `Password`              | no                                      | The Password of the user that must be used to login to the SQL Database. Prefer AccessToken instead |
+| `AccessToken`           | no                                      | The access token used to authenticate to SQL Server, as an alternative to user/password or Windows Authentication. Do not specify UserName/Password when using this parameter. |
 | `TrustServerCertificate`| no (default: `$false`)                  | Indicates whether the channel will be encrypted while bypassing walking the certificate chain to validate trust. |
 | `ScriptsFolder`         | no (default: `$PSScriptRoot/sqlScripts` | The directory folder where the SQL migration scripts are located on the file system |
 | `ScriptsFileFilter`     | no (default: `*.sql`)                   | The file filter to limit the SQL script files to use during the migrations          |
@@ -65,6 +66,20 @@ PS> Invoke-AzSqlDatabaseMigration `
 # Done migrating database. Current Database version is 1.0.0
 ```
 
+**Login using AccessToken**
+
+```powershell
+PS> Connect-AzAccount
+PS> $access_token = (Get-AzAccessToken -ResourceUrl https://database.windows.net).Token
+
+PS> Invoke-AzSqlDatabaseMigration `
+-ServerName "my-server-name.database.windows.net" `
+-DatabaseName "my-database-name" `
+-AccessToken $access_token
+# DB migration 1.0.0 applied!
+# Done migrating database. Current Database version is 1.0.0
+```
+
 ### Adding SQL scripts so they can be picked up by the script
 
 1. In the location where you want to run the script add a folder where the migration scripts will be placed.  By default, we're looking in a folder called `SqlScripts`, but this can be any folder as it is configurable via the `ScriptsFolder` argument.
diff --git a/src/Arcus.Scripting.Sql/Arcus.Scripting.Sql.psd1 b/src/Arcus.Scripting.Sql/Arcus.Scripting.Sql.psd1
diff --git a/src/Arcus.Scripting.Sql/Arcus.Scripting.Sql.psm1 b/src/Arcus.Scripting.Sql/Arcus.Scripting.Sql.psm1
@@ -71,7 +71,10 @@ class DatabaseVersion : System.IComparable {
   The name of the user to be used to connect to the Azure SQL Database.
 
  .Parameter Password
-  The password to be used to connect to the Azure SQL Database.
+  The password to be used to connect to the Azure SQL Database for the specified UserName. Prefer connecting via AccessToken instead.
+
+ .Parameter AccessToken
+  The access token used to authenticate to SQL Server.  Do not specify UserName/Password when using this parameter.
 
  .Parameter TrustServerCertificate
   Indicates whether the channel will be encrypted while bypassing walking the certificate chain to validate trust.
@@ -92,16 +95,17 @@ function Invoke-AzSqlDatabaseMigration {
     param(
         [Parameter(Mandatory = $true)][string] $ServerName = $(throw "Please provide the name of the SQL Server that hosts the SQL Database. (Do not include 'database.windows.net'"),
         [Parameter(Mandatory = $true)][string] $DatabaseName = $(throw "Please provide the name of the SQL Database"),
-        [Parameter(Mandatory = $true)][string] $UserName = $(throw "Please provide the UserName of the SQL Database"),
-        [Parameter(Mandatory = $true)][string] $Password = $(throw "Please provide the Password of the SQL Database"),
+        [Parameter(Mandatory = $false)][string] $UserName,
+        [Parameter(Mandatory = $false)][string] $Password,
+        [Parameter(Mandatory = $false)][string] $AccessToken,
         [Parameter(Mandatory = $false)][switch] $TrustServerCertificate,
         [Parameter(Mandatory = $false)][string] $ScriptsFolder = "$PSScriptRoot/sqlScripts",
         [Parameter(Mandatory = $false)][string] $ScriptsFileFilter = "*.sql",
         [Parameter(Mandatory = $false)][string] $DatabaseSchema = "dbo",
         [Parameter(Mandatory = $false)][string] $DatabaseVersionTable = "DatabaseVersion"
     )
 
-    . $PSScriptRoot\Scripts\Invoke-AzSqlDatabaseMigration.ps1 -ServerName $ServerName -DatabaseName $DatabaseName -UserName $UserName -Password $Password -TrustServerCertificate $TrustServerCertificate -ScriptsFolder $ScriptsFolder -ScriptsFileFilter $ScriptsFileFilter -DatabaseSchema $DatabaseSchema -DatabaseVersionTable $DatabaseVersionTable
+    . $PSScriptRoot\Scripts\Invoke-AzSqlDatabaseMigration.ps1 -ServerName $ServerName -DatabaseName $DatabaseName -UserName $UserName -Password $Password -AccessToken $AccessToken -TrustServerCertificate $TrustServerCertificate -ScriptsFolder $ScriptsFolder -ScriptsFileFilter $ScriptsFileFilter -DatabaseSchema $DatabaseSchema -DatabaseVersionTable $DatabaseVersionTable
 }
 
 Export-ModuleMember -Function Invoke-AzSqlDatabaseMigration
diff --git a/src/Arcus.Scripting.Sql/Scripts/Invoke-AzSqlDatabaseMigration.ps1 b/src/Arcus.Scripting.Sql/Scripts/Invoke-AzSqlDatabaseMigration.ps1
@@ -1,8 +1,9 @@
 param(
     [Parameter(Mandatory = $true)][string] $ServerName = $(throw "Please provide the name of the SQL Server that hosts the SQL Database. (Do not include 'database.windows.net'"),
     [Parameter(Mandatory = $true)][string] $DatabaseName = $(throw "Please provide the name of the SQL Database"),
-    [Parameter(Mandatory = $true)][string] $UserName = $(throw "Please provide the user name of the user that must be used to perform the update"),
-    [Parameter(Mandatory = $true)][string] $Password = $(throw "Please provide the password of the user that must be used to perform the update"),
+    [Parameter(Mandatory = $false)][string] $UserName,
+    [Parameter(Mandatory = $false)][string] $Password,
+    [Parameter(Mandatory = $false)][string] $AccessToken,
     [Parameter(Mandatory = $false)][bool] $TrustServerCertificate = $false,
     [Parameter(Mandatory = $false)][string] $ScriptsFolder = "$PSScriptRoot/sqlScripts",
     [Parameter(Mandatory = $false)][string] $ScriptsFileFilter = "*.sql",
@@ -29,28 +30,40 @@ function Execute-DbCommandWithResult($params, [string] $query) {
     return $result
 }
 
-function Create-DbParams([string] $DatabaseName, [string] $serverInstance, [string] $UserName, [string] $Password, [bool] $TrustServerCertificate) {
+function Create-DbParams([string] $DatabaseName, [string] $serverInstance, [string] $UserName = $null, [string] $Password = $null, [string] $AccessToken = $null, [bool] $TrustServerCertificate) {
     Write-Debug "databasename = $DatabaseName"
     Write-Debug "serverinstance = $serverInstance"
     Write-Debug "username = $UserName"
     
-    return $params = @{
+    $params = @{
         'Database'               = $DatabaseName
-        'ServerInstance'         = $serverInstance
-        'Username'               = $UserName
-        'Password'               = $Password
+        'ServerInstance'         = $serverInstance        
         'TrustServerCertificate' = $TrustServerCertificate
         'OutputSqlErrors'        = $true
         'AbortOnError'           = $true
     }
+
+    if ($UserName) {        
+        $params['UserName'] = $UserName
+    }
+
+    if ($Password) {
+        $params['Password'] = $Password
+    }
+
+    if ($AccessToken) {
+        $params['AccessToken'] = $AccessToken
+    }
+
+    return $params
 }
 
 function Get-SqlScriptFileText([string] $scriptPath, [string] $fileName) {
     $currentfilepath = "$scriptPath/$fileName.sql"
     return $query = Get-Content $currentfilepath
 }
 
-$params = Create-DbParams $DatabaseName $ServerName $UserName $Password $TrustServerCertificate
+$params = Create-DbParams $DatabaseName $ServerName $UserName $Password $AccessToken $TrustServerCertificate
 
 $createDatabaseVersionTable = "IF NOT EXISTS ( SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '$DatabaseVersionTable' AND TABLE_SCHEMA = '$DatabaseSchema' ) " +
 "BEGIN " +
