This terraform module creates an Azure Synapse with a Synapse security alert policy, a SQL vulnerability assessment, a Synapse extended auditing policy and activated Diagnostics Logs.
Module version | Terraform version | OpenTofu version | AzureRM version |
---|---|---|---|
>= 8.x.x | Unverified | 1.8.x | >= 4.0 |
>= 7.x.x | 1.3.x | >= 3.0 | |
>= 6.x.x | 1.x | >= 3.0 | |
>= 5.x.x | 0.15.x | >= 2.0 | |
>= 4.x.x | 0.13.x / 0.14.x | >= 2.0 | |
>= 3.x.x | 0.12.x | >= 2.0 | |
>= 2.x.x | 0.12.x | < 2.0 | |
< 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper
available in the documentation.
module "region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
module "rg" {
source = "claranet/rg/azurerm"
version = "x.x.x"
location = module.region.location
client_name = var.client_name
environment = var.environment
stack = var.stack
}
module "logs" {
source = "claranet/run/azurerm//modules/logs"
version = "x.x.x"
resource_group_name = module.rg.resource_group_name
stack = var.stack
environment = var.environment
client_name = var.client_name
location = module.region.location
location_short = module.region.location_short
}
data "azurecaf_name" "adls" {
name = var.stack
resource_type = "azurerm_storage_account"
clean_input = true
}
resource "azurerm_storage_account" "adls" {
name = data.azurecaf_name.adls.result
resource_group_name = module.rg.resource_group_name
location = module.region.location
is_hns_enabled = true
account_replication_type = "LRS"
account_tier = "Standard"
min_tls_version = "TLS1_2"
}
resource "azurerm_storage_data_lake_gen2_filesystem" "adls_container" {
name = "container"
storage_account_id = azurerm_storage_account.adls.id
}
resource "azurerm_storage_container" "sql_defender" {
name = "synapse-sql-defender"
storage_account_name = module.logs.logs_storage_account_name
container_access_type = "private"
}
module "synapse" {
source = "claranet/synapse/azurerm"
version = "x.x.x"
resource_group_name = module.rg.resource_group_name
location = module.region.location
location_short = module.region.location_short
stack = var.stack
environment = var.environment
client_name = var.client_name
storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adls_container.id
sql_administrator_login = "Example"
sql_administrator_password = var.sql_administrator_password
saas_connection = false
logs_destinations_ids = [module.logs.log_analytics_workspace_id]
linking_allowed_for_aad_tenant_ids = []
sql_defender_container = {
name = azurerm_storage_container.sql_defender.name
storage_account_name = module.logs.logs_storage_account_name
resource_group_name = module.rg.resource_group_name
}
auditing_policy_storage_account = module.logs.logs_storage_account_id
sql_defender_recurring_scans = {
enabled = true
email_subscription_admins_enabled = true
emails = ["example@fr.clara.net"]
}
depends_on = [azurerm_storage_container.sql_defender]
}
Name | Version |
---|---|
azurecaf | ~> 1.2, >= 1.2.22 |
azurerm | ~> 3.39 |
Name | Source | Version |
---|---|---|
diagnostics | claranet/diagnostic-settings/azurerm | ~> 7.0.0 |
Name | Type |
---|---|
azurerm_synapse_workspace.synapse | resource |
azurerm_synapse_workspace_extended_auditing_policy.synapse_auditing_policy | resource |
azurerm_synapse_workspace_security_alert_policy.synapse_workspace_security_alert_policy | resource |
azurerm_synapse_workspace_vulnerability_assessment.synapse_vulnerability_assessment | resource |
azurecaf_name.rg | data source |
azurecaf_name.synapse | data source |
azurerm_storage_account.audit_logs | data source |
azurerm_storage_account.auditing_policy | data source |
azurerm_storage_container.vulnerability_assessment | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
aad_admin | Credentials of the Azure AD Administrator of this Synapse Workspace. | object({ |
{ |
no |
auditing_policy_storage_account | ID of SQL audit policy storage account | string |
n/a | yes |
azure_devops_configuration | Azure Devops repo Configuration | object({ |
null |
no |
client_name | Client name/account used in naming | string |
n/a | yes |
compute_subnet_id | Subnet ID used for computes in workspace | string |
null |
no |
custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string |
"default" |
no |
custom_name | Custom Azure Synapse name, generated if not set | string |
"" |
no |
customer_managed_key | A customer_managed_key block supports the following: key_versionless_id - (Required) The Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption. key_name - (Optional) An identifier for the key. Name needs to match the name of the key used with the azurerm_synapse_workspace_key resource. Defaults to "cmk" if not specified. | object({ |
null |
no |
data_exfiltration_protection_enabled | Is data exfiltration protection enabled in this workspace ? | bool |
false |
no |
default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
environment | Project environment | string |
n/a | yes |
extra_tags | Additional tags to associate with your Azure Synapse. | map(string) |
{} |
no |
linking_allowed_for_aad_tenant_ids | Allowed Aad Tenant Ids For Linking | list(string) |
[] |
no |
location | Azure location. | string |
n/a | yes |
location_short | Short string for Azure location. | string |
n/a | yes |
logs_categories | Log categories to send to destinations. | list(string) |
null |
no |
logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be Storage Account , Log Analytics Workspace and Event Hub . No more than one of each can be set.If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the ` |
` character. | list(string) |
n/a |
logs_metrics_categories | Metrics categories to send to destinations. | list(string) |
null |
no |
managed_resource_group_name | Workspace managed resource group name | string |
null |
no |
name_prefix | Optional prefix for the generated name | string |
"" |
no |
name_suffix | Optional suffix for the generated name | string |
"" |
no |
purview_id | The ID of purview account. | string |
null |
no |
resource_group_name | Resource group name | string |
n/a | yes |
retention_days | Number of days for retention of security policies | number |
30 |
no |
saas_connection | Used to configure Public Network Access | bool |
false |
no |
sql_administrator_login | Administrator login of synapse sql database | string |
n/a | yes |
sql_administrator_password | Administrator password of synapse sql database | string |
n/a | yes |
sql_defender_container | A blob storage container path to hold the scan results and all Threat Detection audit logs. | object({ |
n/a | yes |
sql_defender_recurring_scans | SQL defender scan configuration | object({ |
null |
no |
sql_identity_control_enabled | Are pipelines (running as workspace's system assigned identity) allowed to access SQL pools? | bool |
false |
no |
stack | Project stack name | string |
n/a | yes |
storage_data_lake_gen2_filesystem_id | Azure Data Lake Gen 2 resource id | string |
n/a | yes |
use_caf_naming | Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false . |
bool |
true |
no |
Name | Description |
---|---|
connectivity_endpoints | A list of connectivity endpoints for this Synapse Workspace. |
environment | Application environment |
id | Synapse ID |
location | Azure region |
name | Synapse name |
resource_group_name | Azure Resource Group name |
stack | Application name |
tags | Tags set on resources |