Skip to content

Latest commit

 

History

History
215 lines (174 loc) · 12.7 KB

README.md

File metadata and controls

215 lines (174 loc) · 12.7 KB

Azure Synapse Terraform module

Changelog Notice Apache V2 License OpenTofu Registry

This terraform module creates an Azure Synapse with a Synapse security alert policy, a SQL vulnerability assessment, a Synapse extended auditing policy and activated Diagnostics Logs.

Global versioning rule for Claranet Azure modules

Module version Terraform version OpenTofu version AzureRM version
>= 8.x.x Unverified 1.8.x >= 4.0
>= 7.x.x 1.3.x >= 3.0
>= 6.x.x 1.x >= 3.0
>= 5.x.x 0.15.x >= 2.0
>= 4.x.x 0.13.x / 0.14.x >= 2.0
>= 3.x.x 0.12.x >= 2.0
>= 2.x.x 0.12.x < 2.0
< 2.x.x 0.11.x < 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  resource_group_name = module.rg.resource_group_name
  stack               = var.stack
  environment         = var.environment
  client_name         = var.client_name
  location            = module.region.location
  location_short      = module.region.location_short
}

data "azurecaf_name" "adls" {
  name          = var.stack
  resource_type = "azurerm_storage_account"
  clean_input   = true
}

resource "azurerm_storage_account" "adls" {
  name = data.azurecaf_name.adls.result

  resource_group_name      = module.rg.resource_group_name
  location                 = module.region.location
  is_hns_enabled           = true
  account_replication_type = "LRS"
  account_tier             = "Standard"
  min_tls_version          = "TLS1_2"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "adls_container" {
  name               = "container"
  storage_account_id = azurerm_storage_account.adls.id
}

resource "azurerm_storage_container" "sql_defender" {
  name                  = "synapse-sql-defender"
  storage_account_name  = module.logs.logs_storage_account_name
  container_access_type = "private"
}

module "synapse" {
  source  = "claranet/synapse/azurerm"
  version = "x.x.x"

  resource_group_name = module.rg.resource_group_name
  location            = module.region.location
  location_short      = module.region.location_short
  stack               = var.stack
  environment         = var.environment
  client_name         = var.client_name

  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adls_container.id

  sql_administrator_login    = "Example"
  sql_administrator_password = var.sql_administrator_password

  saas_connection = false

  logs_destinations_ids              = [module.logs.log_analytics_workspace_id]
  linking_allowed_for_aad_tenant_ids = []

  sql_defender_container = {
    name                 = azurerm_storage_container.sql_defender.name
    storage_account_name = module.logs.logs_storage_account_name
    resource_group_name  = module.rg.resource_group_name
  }

  auditing_policy_storage_account = module.logs.logs_storage_account_id

  sql_defender_recurring_scans = {
    enabled                           = true
    email_subscription_admins_enabled = true
    emails                            = ["[email protected]"]
  }

  depends_on = [azurerm_storage_container.sql_defender]
}

Providers

Name Version
azurecaf ~> 1.2, >= 1.2.22
azurerm ~> 3.39

Modules

Name Source Version
diagnostics claranet/diagnostic-settings/azurerm ~> 7.0.0

Resources

Name Type
azurerm_synapse_workspace.synapse resource
azurerm_synapse_workspace_extended_auditing_policy.synapse_auditing_policy resource
azurerm_synapse_workspace_security_alert_policy.synapse_workspace_security_alert_policy resource
azurerm_synapse_workspace_vulnerability_assessment.synapse_vulnerability_assessment resource
azurecaf_name.rg data source
azurecaf_name.synapse data source
azurerm_storage_account.audit_logs data source
azurerm_storage_account.auditing_policy data source
azurerm_storage_container.vulnerability_assessment data source

Inputs

Name Description Type Default Required
aad_admin Credentials of the Azure AD Administrator of this Synapse Workspace.
object({
login = string
tenant_id = string
object_id = string
})
{
"login": "",
"object_id": "",
"tenant_id": ""
}
no
auditing_policy_storage_account ID of SQL audit policy storage account string n/a yes
azure_devops_configuration Azure Devops repo Configuration
object({
account_name = string
branch_name = string
last_commit_id = optional(string)
project_name = string
repository_name = string
root_folder = string
tenant_id = string
})
null no
client_name Client name/account used in naming string n/a yes
compute_subnet_id Subnet ID used for computes in workspace string null no
custom_diagnostic_settings_name Custom name of the diagnostics settings, name will be 'default' if not set. string "default" no
custom_name Custom Azure Synapse name, generated if not set string "" no
customer_managed_key A customer_managed_key block supports the following: key_versionless_id - (Required) The Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption. key_name - (Optional) An identifier for the key. Name needs to match the name of the key used with the azurerm_synapse_workspace_key resource. Defaults to "cmk" if not specified.
object({
key_versionless_id = string
key_name = optional(string)
})
null no
data_exfiltration_protection_enabled Is data exfiltration protection enabled in this workspace ? bool false no
default_tags_enabled Option to enable or disable default tags. bool true no
environment Project environment string n/a yes
extra_tags Additional tags to associate with your Azure Synapse. map(string) {} no
linking_allowed_for_aad_tenant_ids Allowed Aad Tenant Ids For Linking list(string) [] no
location Azure location. string n/a yes
location_short Short string for Azure location. string n/a yes
logs_categories Log categories to send to destinations. list(string) null no
logs_destinations_ids List of destination resources IDs for logs diagnostic destination.
Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.
If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `
` character. list(string) n/a
logs_metrics_categories Metrics categories to send to destinations. list(string) null no
managed_resource_group_name Workspace managed resource group name string null no
name_prefix Optional prefix for the generated name string "" no
name_suffix Optional suffix for the generated name string "" no
purview_id The ID of purview account. string null no
resource_group_name Resource group name string n/a yes
retention_days Number of days for retention of security policies number 30 no
saas_connection Used to configure Public Network Access bool false no
sql_administrator_login Administrator login of synapse sql database string n/a yes
sql_administrator_password Administrator password of synapse sql database string n/a yes
sql_defender_container A blob storage container path to hold the scan results and all Threat Detection audit logs.
object({
name = string
storage_account_name = string
resource_group_name = string
})
n/a yes
sql_defender_recurring_scans SQL defender scan configuration
object({
enabled = bool
email_subscription_admins_enabled = bool
emails = list(string)
})
null no
sql_identity_control_enabled Are pipelines (running as workspace's system assigned identity) allowed to access SQL pools? bool false no
stack Project stack name string n/a yes
storage_data_lake_gen2_filesystem_id Azure Data Lake Gen 2 resource id string n/a yes
use_caf_naming Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false. bool true no

Outputs

Name Description
connectivity_endpoints A list of connectivity endpoints for this Synapse Workspace.
environment Application environment
id Synapse ID
location Azure region
name Synapse name
resource_group_name Azure Resource Group name
stack Application name
tags Tags set on resources