Azure Synapse Terraform module

This terraform module creates an Azure Synapse with a Synapse security alert policy, a SQL vulnerability assessment, a Synapse extended auditing policy and activated Diagnostics Logs.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	AzureRM version
>= 7.x.x	1.3.x	>= 3.0
>= 6.x.x	1.x	>= 3.0
>= 5.x.x	0.15.x	>= 2.0
>= 4.x.x	0.13.x / 0.14.x	>= 2.0
>= 3.x.x	0.12.x	>= 2.0
>= 2.x.x	0.12.x	< 2.0
< 2.x.x	0.11.x	< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

module "region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  resource_group_name = module.rg.resource_group_name
  stack               = var.stack
  environment         = var.environment
  client_name         = var.client_name
  location            = module.region.location
  location_short      = module.region.location_short
}

data "azurecaf_name" "adls" {
  name          = var.stack
  resource_type = "azurerm_storage_account"
  clean_input   = true
}

resource "azurerm_storage_account" "adls" {
  name = data.azurecaf_name.adls.result

  resource_group_name      = module.rg.resource_group_name
  location                 = module.region.location
  is_hns_enabled           = true
  account_replication_type = "LRS"
  account_tier             = "Standard"
  min_tls_version          = "TLS1_2"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "adls_container" {
  name               = "container"
  storage_account_id = azurerm_storage_account.adls.id
}

resource "azurerm_storage_container" "sql_defender" {
  name                  = "synapse-sql-defender"
  storage_account_name  = module.logs.logs_storage_account_name
  container_access_type = "private"
}

module "synapse" {
  source  = "claranet/synapse/azurerm"
  version = "x.x.x"

  resource_group_name = module.rg.resource_group_name
  location            = module.region.location
  location_short      = module.region.location_short
  stack               = var.stack
  environment         = var.environment
  client_name         = var.client_name

  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adls_container.id

  sql_administrator_login    = "Example"
  sql_administrator_password = var.sql_administrator_password

  saas_connection = false

  logs_destinations_ids              = [module.logs.log_analytics_workspace_id]
  linking_allowed_for_aad_tenant_ids = []

  sql_defender_container = {
    name                 = azurerm_storage_container.sql_defender.name
    storage_account_name = module.logs.logs_storage_account_name
    resource_group_name  = module.rg.resource_group_name
  }

  auditing_policy_storage_account = module.logs.logs_storage_account_id

  sql_defender_recurring_scans = {
    enabled                           = true
    email_subscription_admins_enabled = true
    emails                            = ["example@fr.clara.net"]
  }

  depends_on = [azurerm_storage_container.sql_defender]
}

Providers

Name	Version
azurecaf	~> 1.2, >= 1.2.22
azurerm	~> 3.39

Modules

Name	Source	Version
diagnostics	claranet/diagnostic-settings/azurerm	~> 6.5.0

Resources

Name	Type
azurerm_synapse_workspace.synapse	resource
azurerm_synapse_workspace_extended_auditing_policy.synapse_auditing_policy	resource
azurerm_synapse_workspace_security_alert_policy.synapse_workspace_security_alert_policy	resource
azurerm_synapse_workspace_vulnerability_assessment.synapse_vulnerability_assessment	resource
azurecaf_name.rg	data source
azurecaf_name.synapse	data source
azurerm_storage_account.audit_logs	data source
azurerm_storage_account.auditing_policy	data source
azurerm_storage_container.vulnerability_assessment	data source

Inputs

Name	Description	Type	Default	Required
aad_admin	Credentials of the Azure AD Administrator of this Synapse Workspace.	object({ login = string tenant_id = string object_id = string })	{ "login": "", "object_id": "", "tenant_id": "" }	no
auditing_policy_storage_account	ID of SQL audit policy storage account	`string`	n/a	yes
azure_devops_configuration	Azure Devops repo Configuration	object({ account_name = string branch_name = string last_commit_id = optional(string) project_name = string repository_name = string root_folder = string tenant_id = string })	`null`	no
client_name	Client name/account used in naming	`string`	n/a	yes
compute_subnet_id	Subnet ID used for computes in workspace	`string`	`null`	no
custom_diagnostic_settings_name	Custom name of the diagnostics settings, name will be 'default' if not set.	`string`	`"default"`	no
custom_name	Custom Azure Synapse name, generated if not set	`string`	`""`	no
customer_managed_key	A customer_managed_key block supports the following: key_versionless_id - (Required) The Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption. key_name - (Optional) An identifier for the key. Name needs to match the name of the key used with the azurerm_synapse_workspace_key resource. Defaults to "cmk" if not specified.	object({ key_versionless_id = string key_name = optional(string) })	`null`	no
data_exfiltration_protection_enabled	Is data exfiltration protection enabled in this workspace ?	`bool`	`false`	no
default_tags_enabled	Option to enable or disable default tags.	`bool`	`true`	no
environment	Project environment	`string`	n/a	yes
extra_tags	Additional tags to associate with your Azure Synapse.	`map(string)`	`{}`	no
linking_allowed_for_aad_tenant_ids	Allowed Aad Tenant Ids For Linking	`list(string)`	`[]`	no
location	Azure location.	`string`	n/a	yes
location_short	Short string for Azure location.	`string`	n/a	yes
logs_categories	Log categories to send to destinations.	`list(string)`	`null`	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be `Storage Account`, `Log Analytics Workspace` and `Event Hub`. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `	` character.	`list(string)`	n/a
logs_metrics_categories	Metrics categories to send to destinations.	`list(string)`	`null`	no
managed_resource_group_name	Workspace managed resource group name	`string`	`null`	no
name_prefix	Optional prefix for the generated name	`string`	`""`	no
name_suffix	Optional suffix for the generated name	`string`	`""`	no
purview_id	The ID of purview account.	`string`	`null`	no
resource_group_name	Resource group name	`string`	n/a	yes
retention_days	Number of days for retention of security policies	`number`	`30`	no
saas_connection	Used to configure Public Network Access	`bool`	`false`	no
sql_administrator_login	Administrator login of synapse sql database	`string`	n/a	yes
sql_administrator_password	Administrator password of synapse sql database	`string`	n/a	yes
sql_defender_container	A blob storage container path to hold the scan results and all Threat Detection audit logs.	object({ name = string storage_account_name = string resource_group_name = string })	n/a	yes
sql_defender_recurring_scans	SQL defender scan configuration	object({ enabled = bool email_subscription_admins_enabled = bool emails = list(string) })	`null`	no
sql_identity_control_enabled	Are pipelines (running as workspace's system assigned identity) allowed to access SQL pools?	`bool`	`false`	no
stack	Project stack name	`string`	n/a	yes
storage_data_lake_gen2_filesystem_id	Azure Data Lake Gen 2 resource id	`string`	n/a	yes
use_caf_naming	Use the Azure CAF naming provider to generate default resource name. `custom_name` override this if set. Legacy default name is used if this is set to `false`.	`bool`	`true`	no

Outputs

Name	Description
connectivity_endpoints	A list of connectivity endpoints for this Synapse Workspace.
environment	Application environment
id	Synapse ID
location	Azure region
name	Synapse name
resource_group_name	Azure Resource Group name
stack	Application name
tags	Tags set on resources

Name		Name	Last commit message	Last commit date
Latest commit History 52 Commits
.config		.config
.github		.github
.gitlab/merge_request_templates		.gitlab/merge_request_templates
examples/main		examples/main
.commitlintrc.yml		.commitlintrc.yml
.gitignore		.gitignore
.gitlab-ci.yml		.gitlab-ci.yml
.pre-commit-config.yaml		.pre-commit-config.yaml
.releaserc		.releaserc
.tool-versions		.tool-versions
CHANGELOG.md		CHANGELOG.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
NOTICE		NOTICE
README.md		README.md
data.tf		data.tf
locals-naming.tf		locals-naming.tf
locals-tags.tf		locals-tags.tf
locals.tf		locals.tf
outputs.tf		outputs.tf
r-logs.tf		r-logs.tf
r-naming.tf		r-naming.tf
r-synapse.tf		r-synapse.tf
renovate.json		renovate.json
terraform.tfvars.ci		terraform.tfvars.ci
variables-logs.tf		variables-logs.tf
variables-naming.tf		variables-naming.tf
variables-tags.tf		variables-tags.tf
variables.tf		variables.tf
versions.tf		versions.tf

License

claranet/terraform-azurerm-synapse

Folders and files

Latest commit

History

Repository files navigation

Azure Synapse Terraform module

Global versioning rule for Claranet Azure modules

Contributing

Usage

Providers

Modules

Resources

Inputs

Outputs

About

Topics

Resources

License

Stars

Watchers

Forks

Languages