Azure Synapse Terraform module

This terraform module creates an Azure Synapse with a Synapse security alert policy, a SQL vulnerability assessment, a Synapse extended auditing policy and activated Diagnostics Logs.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  resource_group_name = module.rg.resource_group_name
  stack               = var.stack
  environment         = var.environment
  client_name         = var.client_name
  location            = module.region.location
  location_short      = module.region.location_short
}

data "azurecaf_name" "adls" {
  name          = var.stack
  resource_type = "azurerm_storage_account"
  clean_input   = true
}

resource "azurerm_storage_account" "adls" {
  name = data.azurecaf_name.adls.result

  resource_group_name      = module.rg.resource_group_name
  location                 = module.region.location
  is_hns_enabled           = true
  account_replication_type = "LRS"
  account_tier             = "Standard"
  min_tls_version          = "TLS1_2"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "adls_container" {
  name               = "container"
  storage_account_id = azurerm_storage_account.adls.id
}

resource "azurerm_storage_container" "sql_defender" {
  name                  = "synapse-sql-defender"
  storage_account_name  = module.logs.logs_storage_account_name
  container_access_type = "private"
}

module "synapse" {
  source  = "claranet/synapse/azurerm"
  version = "x.x.x"

  resource_group_name = module.rg.resource_group_name
  location            = module.region.location
  location_short      = module.region.location_short
  stack               = var.stack
  environment         = var.environment
  client_name         = var.client_name

  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adls_container.id

  sql_administrator_login    = "Example"
  sql_administrator_password = var.sql_administrator_password

  saas_connection = false

  logs_destinations_ids              = [module.logs.log_analytics_workspace_id]
  linking_allowed_for_aad_tenant_ids = []

  sql_defender_container = {
    name                 = azurerm_storage_container.sql_defender.name
    storage_account_name = module.logs.logs_storage_account_name
    resource_group_name  = module.rg.resource_group_name
  }

  auditing_policy_storage_account = module.logs.logs_storage_account_id

  sql_defender_recurring_scans = {
    enabled                           = true
    email_subscription_admins_enabled = true
    emails                            = ["[email protected]"]
  }

  depends_on = [azurerm_storage_container.sql_defender]
}

Providers

Name	Version
azurecaf	~> 1.2, >= 1.2.22
azurerm	~> 3.39

Modules

Name	Source	Version
diagnostics	claranet/diagnostic-settings/azurerm	~> 7.0.0

Resources

Name	Type
azurerm_synapse_workspace.synapse	resource
azurerm_synapse_workspace_extended_auditing_policy.synapse_auditing_policy	resource
azurerm_synapse_workspace_security_alert_policy.synapse_workspace_security_alert_policy	resource
azurerm_synapse_workspace_vulnerability_assessment.synapse_vulnerability_assessment	resource
azurecaf_name.rg	data source
azurecaf_name.synapse	data source
azurerm_storage_account.audit_logs	data source
azurerm_storage_account.auditing_policy	data source
azurerm_storage_container.vulnerability_assessment	data source

Inputs

Name	Description	Type	Default	Required
aad_admin	Credentials of the Azure AD Administrator of this Synapse Workspace.	object({ login = string tenant_id = string object_id = string })	{ "login": "", "object_id": "", "tenant_id": "" }	no
auditing_policy_storage_account	ID of SQL audit policy storage account	string	n/a	yes
azure_devops_configuration	Azure Devops repo Configuration	object({ account_name = string branch_name = string last_commit_id = optional(string) project_name = string repository_name = string root_folder = string tenant_id = string })	null	no
client_name	Client name/account used in naming	string	n/a	yes
compute_subnet_id	Subnet ID used for computes in workspace	string	null	no
custom_diagnostic_settings_name	Custom name of the diagnostics settings, name will be 'default' if not set.	string	"default"	no
custom_name	Custom Azure Synapse name, generated if not set	string	""	no
customer_managed_key	A customer_managed_key block supports the following: key_versionless_id - (Required) The Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption. key_name - (Optional) An identifier for the key. Name needs to match the name of the key used with the azurerm_synapse_workspace_key resource. Defaults to "cmk" if not specified.	object({ key_versionless_id = string key_name = optional(string) })	null	no
data_exfiltration_protection_enabled	Is data exfiltration protection enabled in this workspace ?	bool	false	no
default_tags_enabled	Option to enable or disable default tags.	bool	true	no
environment	Project environment	string	n/a	yes
extra_tags	Additional tags to associate with your Azure Synapse.	map(string)	{}	no
linking_allowed_for_aad_tenant_ids	Allowed Aad Tenant Ids For Linking	list(string)	[]	no
location	Azure location.	string	n/a	yes
location_short	Short string for Azure location.	string	n/a	yes
logs_categories	Log categories to send to destinations.	list(string)	null	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `	` character.	list(string)	n/a
logs_metrics_categories	Metrics categories to send to destinations.	list(string)	null	no
managed_resource_group_name	Workspace managed resource group name	string	null	no
name_prefix	Optional prefix for the generated name	string	""	no
name_suffix	Optional suffix for the generated name	string	""	no
purview_id	The ID of purview account.	string	null	no
resource_group_name	Resource group name	string	n/a	yes
retention_days	Number of days for retention of security policies	number	30	no
saas_connection	Used to configure Public Network Access	bool	false	no
sql_administrator_login	Administrator login of synapse sql database	string	n/a	yes
sql_administrator_password	Administrator password of synapse sql database	string	n/a	yes
sql_defender_container	A blob storage container path to hold the scan results and all Threat Detection audit logs.	object({ name = string storage_account_name = string resource_group_name = string })	n/a	yes
sql_defender_recurring_scans	SQL defender scan configuration	object({ enabled = bool email_subscription_admins_enabled = bool emails = list(string) })	null	no
sql_identity_control_enabled	Are pipelines (running as workspace's system assigned identity) allowed to access SQL pools?	bool	false	no
stack	Project stack name	string	n/a	yes
storage_data_lake_gen2_filesystem_id	Azure Data Lake Gen 2 resource id	string	n/a	yes
use_caf_naming	Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false.	bool	true	no

Outputs

Name	Description
connectivity_endpoints	A list of connectivity endpoints for this Synapse Workspace.
environment	Application environment
id	Synapse ID
location	Azure region
name	Synapse name
resource_group_name	Azure Resource Group name
stack	Application name
tags	Tags set on resources