Grant SQL server identities the DirectoryReader role

[nilsgstrabo]

Today the deploy-database GH actions for radix-cost-allocation and radix-vulnerability-scanner is unable to create users (CREATE USER FROM EXTERNAL PROVIDER) because the SQL Server identity is missing the DirectoryReader role, ref. https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal?view=azuresql

Omnia has created an Entra security group which is member of this role, and is intented to grant service principals (managed identities/app registrations) membership to this role. Adding as SP to this group is a manual process which involved sending an email to [email protected] (ref https://docs.omnia.equinor.com/governance/iam/App-Admin-Consent/).

Tasks:

• Send email to [email protected] requesting the SQL server identities to be member of the Entra Group
• Add information in radix-private on how to request DirectoryReader role membership.
• Update readme in radix-vulnerability-scanner and radix-cost-allocation with a description on what permissions are required, and perhaps a link to radix-private, which can contain more Equinor specific details.