This Terraform module creates an Azure Synapse workspace with a Synapse security alert policy, a SQL vulnerability assessment, a Synapse extended auditing policy and activated Diagnostics Logs.

| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | | >= 3.0 |
| >= 6.x.x | 1.x | | >= 3.0 |
| >= 5.x.x | 0.15.x | | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
| >= 3.x.x | 0.12.x | | >= 2.0 |
| >= 2.x.x | 0.12.x | | < 2.0 |
| < 2.x.x | 0.11.x | | < 2.0 |

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which will automatically update and format some files for you by enforcing our Terraform code module best practices.
More details are available in the CONTRIBUTING.md file.

This module is optimized to work with the Claranet terraform-wrapper tool,
which sets some Terraform variables in the environment that this module needs.
More details about the variables set by the terraform-wrapper are available in the documentation.

```hcl
data "azurecaf_name" "adls" {
  name          = var.stack
  resource_type = "azurerm_storage_account"
  clean_input   = true
}

# Data Lake Gen2 account (hierarchical namespace enabled) backing the Synapse workspace
resource "azurerm_storage_account" "adls" {
  name                = data.azurecaf_name.adls.result
  resource_group_name = module.rg.name
  location            = module.azure_region.location

  is_hns_enabled           = true
  account_replication_type = "LRS"
  account_tier             = "Standard"
  min_tls_version          = "TLS1_2"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "adls_container" {
  name               = "container"
  storage_account_id = azurerm_storage_account.adls.id
}

# Private container in the logs storage account for SQL Defender scan results
resource "azurerm_storage_container" "sql_defender" {
  name                  = "synapse-sql-defender"
  storage_account_name  = module.logs.storage_account_name
  container_access_type = "private"
}

module "synapse" {
  source  = "claranet/synapse/azurerm"
  version = "x.x.x"

  resource_group_name = module.rg.name
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  stack               = var.stack
  environment         = var.environment
  client_name         = var.client_name

  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adls_container.id

  sql_administrator_login    = "Example"
  sql_administrator_password = var.sql_administrator_password
  aad_admin                  = var.aad_admin

  # Public Network Access setting (see the saas_connection input)
  saas_connection = false

  logs_destinations_ids = [module.logs.id]

  linking_allowed_for_aad_tenant_ids = []

  sql_defender_container = {
    name                 = azurerm_storage_container.sql_defender.name
    storage_account_name = module.logs.storage_account_name
    resource_group_name  = module.rg.name
  }

  auditing_policy_storage_account = module.logs.storage_account_id

  sql_defender_recurring_scans = {
    enabled                           = true
    email_subscription_admins_enabled = true
    emails                            = ["[email protected]"]
  }

  depends_on = [azurerm_storage_container.sql_defender]
}
```

| Name | Version |
|---|---|
| azurecaf | >= 1.2.28 |
| azurerm | ~> 4.31 |

| Name | Source | Version |
|---|---|---|
| diagnostics | claranet/diagnostic-settings/azurerm | ~> 8.2.0 |

| Name | Type |
|---|---|
| azurerm_synapse_workspace.main | resource |
| azurerm_synapse_workspace_aad_admin.main | resource |
| azurerm_synapse_workspace_extended_auditing_policy.main | resource |
| azurerm_synapse_workspace_security_alert_policy.main | resource |
| azurerm_synapse_workspace_vulnerability_assessment.main | resource |
| azurecaf_name.rg | data source |
| azurecaf_name.synapse | data source |
| azurerm_storage_account.audit_logs | data source |
| azurerm_storage_account.auditing_policy | data source |
| azurerm_storage_container.vulnerability_assessment | data source |
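
The resources listed above are what a deployment of this module should actually contain. The Python script below is an added example, not part of the Claranet module: it reads `terraform show -json tfplan` output and reports a workspace that still has public network access, lacks data exfiltration protection, is missing one of the security resources, or keeps alert and audit retention below a chosen minimum. The plan excerpt is constructed, and the mapping of `saas_connection = false` to `public_network_access_enabled = false` is an assumption.

```python
"""Pre-apply guardrail for the Synapse module (added example, not part of the Claranet
module): parse `terraform show -json tfplan` output and flag security-setting drift."""
import json

# Constructed plan excerpt in the shape `terraform show -json` emits: the workspace, its
# security alert policy and its extended auditing policy, but no vulnerability assessment.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"child_modules": [{
    "address": "module.synapse", "resources": [
        {"address": "module.synapse.azurerm_synapse_workspace.main", "type": "azurerm_synapse_workspace",
         "values": {"name": "synapse-example", "public_network_access_enabled": False,
                    "data_exfiltration_protection_enabled": False}},
        {"address": "module.synapse.azurerm_synapse_workspace_security_alert_policy.main",
         "type": "azurerm_synapse_workspace_security_alert_policy",
         "values": {"policy_state": "Enabled", "retention_days": 30}},
        {"address": "module.synapse.azurerm_synapse_workspace_extended_auditing_policy.main",
         "type": "azurerm_synapse_workspace_extended_auditing_policy",
         "values": {"retention_in_days": 30}}]}]}}})

# Security resources the module creates (see the resources table); all must be in the plan.
REQUIRED_TYPES = ("azurerm_synapse_workspace_security_alert_policy",
                  "azurerm_synapse_workspace_extended_auditing_policy",
                  "azurerm_synapse_workspace_vulnerability_assessment")


def iter_resources(module):
    """Walk planned_values recursively; module resources sit in nested child_modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_plan(plan_json, min_retention_days=90):
    """Return a list of findings; an empty list means the plan meets the baseline."""
    plan = json.loads(plan_json)
    by_type = {}
    for res in iter_resources(plan["planned_values"]["root_module"]):
        by_type.setdefault(res["type"], []).append(res)
    findings = [f"missing {t}" for t in REQUIRED_TYPES if t not in by_type]
    for ws in by_type.get("azurerm_synapse_workspace", []):
        v = ws["values"]
        # Assumption: saas_connection = false maps to public_network_access_enabled = false.
        if v.get("public_network_access_enabled", True):
            findings.append(f"{ws['address']}: public network access enabled")
        if not v.get("data_exfiltration_protection_enabled"):
            findings.append(f"{ws['address']}: data exfiltration protection disabled")
    for pol in by_type.get("azurerm_synapse_workspace_security_alert_policy", []):
        v = pol["values"]
        if v.get("policy_state") != "Enabled":
            findings.append(f"{pol['address']}: policy_state={v.get('policy_state')!r}")
        if v.get("retention_days", 0) < min_retention_days:
            findings.append(f"{pol['address']}: retention_days below {min_retention_days}")
    for aud in by_type.get("azurerm_synapse_workspace_extended_auditing_policy", []):
        if aud["values"].get("retention_in_days", 0) < min_retention_days:
            findings.append(f"{aud['address']}: retention_in_days below {min_retention_days}")
    return findings
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `check_plan(open("plan.json").read())`; a non-empty result should fail the pipeline before `terraform apply`.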

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aad_admin | Credentials of the Azure AD Administrator of this Synapse Workspace. | object({…}) | {…} | no |
| auditing_policy_storage_account | ID of the SQL audit policy storage account. | string | n/a | yes |
| azure_devops_configuration | Azure DevOps repo configuration. | object({…}) | null | no |
| client_name | Client name/account used in naming. | string | n/a | yes |
| compute_subnet_id | Subnet ID used for compute in the workspace. | string | null | no |
| custom_name | Custom Azure Synapse name, generated if not set. | string | "" | no |
| customer_managed_key | A customer_managed_key block supports the following: key_versionless_id (Required): the Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption. key_name (Optional): an identifier for the key; the name needs to match the name of the key used with the azurerm_synapse_workspace_key resource. Defaults to cmk if not specified. | object({…}) | null | no |
| data_exfiltration_protection_enabled | Is data exfiltration protection enabled in this workspace? | bool | false | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| diagnostic_settings_custom_name | Custom name of the diagnostic settings; the name will be `default` if not set. | string | "default" | no |
| environment | Project environment. | string | n/a | yes |
| extra_tags | Additional tags to associate with your Azure Synapse. | map(string) | {} | no |
| linking_allowed_for_aad_tenant_ids | Allowed AAD tenant IDs for linking. | list(string) | [] | no |
| location | Azure region to use. | string | n/a | yes |
| location_short | Short string for Azure location. | string | n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) | null | no |
| logs_destinations_ids | List of destination resource IDs for the logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the pipe (`\|`) character. | list(string) | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
| managed_resource_group_name | Workspace managed resource group name. | string | null | no |
| name_prefix | Optional prefix for the generated name. | string | "" | no |
| name_suffix | Optional suffix for the generated name. | string | "" | no |
| purview_id | The ID of the Purview account. | string | null | no |
| resource_group_name | Resource group name. | string | n/a | yes |
| retention_days | Number of days for retention of security policies. | number | 30 | no |
| saas_connection | Used to configure Public Network Access. | bool | false | no |
| sql_administrator_login | Administrator login of the Synapse SQL database. | string | n/a | yes |
| sql_administrator_password | Administrator password of the Synapse SQL database. | string | n/a | yes |
| sql_defender_container | A blob storage container path to hold the scan results and all Threat Detection audit logs. | object({…}) | n/a | yes |
| sql_defender_recurring_scans | SQL Defender scan configuration. | object({…}) | null | no |
| sql_identity_control_enabled | Are pipelines (running as the workspace's system-assigned identity) allowed to access SQL pools? | bool | false | no |
| stack | Project stack name. | string | n/a | yes |
| storage_data_lake_gen2_filesystem_id | Azure Data Lake Gen 2 resource ID. | string | n/a | yes |

| Name | Description |
|---|---|
| auditing_policy | Extended Auditing Policy for this Synapse Workspace. |
| connectivity_endpoints | A list of connectivity endpoints for this Synapse Workspace. |
| environment | Application environment. |
| id | Synapse ID. |
| location | Azure region. |
| module_diagnostics | Diagnostics settings module outputs. |
| name | Synapse name. |
| resource | Synapse Workspace resource object. |
| resource_group_name | Azure Resource Group name. |
| security_alert_policy | Security Alert Policy for this Synapse Workspace. |
| stack | Application name. |
| tags | Tags set on resources. |
| vulnerability_assessment | Vulnerability Assessment for this Synapse Workspace. |