diff --git a/quickstart/101-synapse/README.md b/quickstart/101-synapse/README.md new file mode 100644 index 00000000..f18f4690 --- /dev/null +++ b/quickstart/101-synapse/README.md @@ -0,0 +1,50 @@ +# Azure Synapse Analytics workspace (public network connectivity) + +This deployment configuration specifies an [Azure Synapse Analytics workspace](https://learn.microsoft.com/en-us/azure/synapse-analytics/get-started-create-workspace), +and its associated resources including Azure Data Lake Storage (gen2), Synapse Spark Pool and Synapse SQL Pool. + +This configuration describes the minimal set of resources you require to get started with Azure Synapse Analytics. + +Network connectivity to the workspace is allowed over public endpoints, making this configuration suitable for open source projects or pilot environments. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all resources get deployed into. | +| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Synapse Analytics workspace. | +| `azurerm_synapse_workspace` | An Azure Synapse Analytics workspace instance. | +| `azurerm_synapse_spark_pool` | An Azure Synapse Analytics spark pool. | +| `azurerm_synapse_sql_pool` | An Azure Synapse Analytics dedicated SQL pool. | + +## Variables + +| Name | Description | Default | +|-|-|-| +| name | Name of the deployment | - | +| environment | The deployment environment name (used for pre- and postfixing resource names) | dev | +| location | The Azure region used for deployments | East US | +| aad_admin.login | The login name of the Azure AD Administrator of the Synapse Workspace | - | +| aad_admin.object_id| The object id of the Azure AD Administrator of the Synapse Workspace | - | +| aad_admin.tenant_id| The tenant id of the Azure AD Administrator of the Synapse Workspace | - | +| synadmin_username| Specifies the login name of the SQL administrator | - | +| synadmin_password| The Password associated with the synadmin_username for the SQL administrator | - | +| enable_syn_sparkpool| A feature flag to enable/disable the Spark pool | false | +| enable_syn_sqlpool| A feature flag to enable/disable the SQL pool | false | + +## Usage + +1. Copy `terraform.tfvars.example` to `terraform.tfvars` +2. Update `terraform.tfvars` with your desired values +3. Run Terraform + ```console + $ terraform init + $ terraform plan + $ terraform apply + ``` + +## Learn more + +- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/guidance/success-by-design-introduction). +- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction) and watch [Success with Synapse - Security videos](https://www.youtube.com/playlist?list=PLzUAjXZBFU9OWYjSI5TdlpMV0ltAjLaNw). +- For all configurations of Azure Synapse Analytics in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace). \ No newline at end of file diff --git a/quickstart/101-synapse/locals.tf b/quickstart/101-synapse/locals.tf new file mode 100644 index 00000000..a0b2c59b --- /dev/null +++ b/quickstart/101-synapse/locals.tf @@ -0,0 +1,4 @@ +locals { + basename = "${var.name}-${var.environment}" + safe_basename = replace(local.basename, "-", "") +} \ No newline at end of file diff --git a/quickstart/101-synapse/main.tf b/quickstart/101-synapse/main.tf new file mode 100644 index 00000000..c87b0966 --- /dev/null +++ b/quickstart/101-synapse/main.tf @@ -0,0 +1,10 @@ +data "azurerm_client_config" "current" {} + +data "http" "ip" { + url = "https://ifconfig.me" +} + +resource "azurerm_resource_group" "default" { + name = "rg-${local.basename}" + location = var.location +} \ No newline at end of file diff --git a/quickstart/101-synapse/providers.tf b/quickstart/101-synapse/providers.tf new file mode 100644 index 00000000..356fa182 --- /dev/null +++ b/quickstart/101-synapse/providers.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + azurerm = { + version = "= 3.32.0" + } + } +} + +provider "azurerm" { + features {} +} \ No newline at end of file diff --git a/quickstart/101-synapse/storage_account.tf b/quickstart/101-synapse/storage_account.tf new file mode 100644 index 00000000..08e072c9 --- /dev/null +++ b/quickstart/101-synapse/storage_account.tf @@ -0,0 +1,36 @@ +resource "azurerm_storage_account" "default" { + name = "st${local.safe_basename}" + resource_group_name = azurerm_resource_group.default.name + location = azurerm_resource_group.default.location + account_tier = "Standard" + account_replication_type = "LRS" + account_kind = "StorageV2" + is_hns_enabled = true +} + +resource "azurerm_role_assignment" "sbdc_current_user" { + scope = azurerm_storage_account.default.id + role_definition_name = "Storage Blob Data Contributor" + principal_id = data.azurerm_client_config.current.object_id +} + +resource "azurerm_role_assignment" "sbdc_syn_ws" { + scope = azurerm_storage_account.default.id + role_definition_name = "Storage Blob Data Contributor" + principal_id = azurerm_synapse_workspace.default.identity[0].principal_id +} + +resource "azurerm_role_assignment" "c_syn_ws" { + scope = azurerm_storage_account.default.id + role_definition_name = "Contributor" + principal_id = azurerm_synapse_workspace.default.identity[0].principal_id +} + +resource "azurerm_storage_data_lake_gen2_filesystem" "default" { + name = "default" + storage_account_id = azurerm_storage_account.default.id + + depends_on = [ + azurerm_role_assignment.sbdc_current_user + ] +} \ No newline at end of file diff --git a/quickstart/101-synapse/synapse_pools.tf b/quickstart/101-synapse/synapse_pools.tf new file mode 100644 index 00000000..baf3f571 --- /dev/null +++ b/quickstart/101-synapse/synapse_pools.tf @@ -0,0 +1,28 @@ +# Sql Pool + +resource "azurerm_synapse_sql_pool" "syn_pool_sql" { + name = "syndp01" + synapse_workspace_id = azurerm_synapse_workspace.default.id + sku_name = "DW100c" + create_mode = "Default" + count = var.enable_syn_sqlpool ? 1 : 0 +} + +# Spark Pool + +resource "azurerm_synapse_spark_pool" "syn_pool_spark" { + name = "synsp01" + synapse_workspace_id = azurerm_synapse_workspace.default.id + node_size_family = "MemoryOptimized" + node_size = "Small" + count = var.enable_syn_sparkpool ? 1 : 0 + + auto_scale { + max_node_count = 50 + min_node_count = 3 + } + + auto_pause { + delay_in_minutes = 15 + } +} \ No newline at end of file diff --git a/quickstart/101-synapse/synapse_workspace.tf b/quickstart/101-synapse/synapse_workspace.tf new file mode 100644 index 00000000..4d64ba80 --- /dev/null +++ b/quickstart/101-synapse/synapse_workspace.tf @@ -0,0 +1,28 @@ +resource "azurerm_synapse_workspace" "default" { + name = "syn-${local.basename}" + resource_group_name = azurerm_resource_group.default.name + location = azurerm_resource_group.default.location + storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.default.id + + sql_administrator_login = var.synadmin_username + sql_administrator_login_password = var.synadmin_password + + managed_resource_group_name = "${azurerm_resource_group.default.name}-syn-managed" + + aad_admin { + login = var.aad_login.name + object_id = var.aad_login.object_id + tenant_id = var.aad_login.tenant_id + } + + identity { + type = "SystemAssigned" + } +} + +resource "azurerm_synapse_firewall_rule" "allow_my_ip" { + name = "AllowMyPublicIp" + synapse_workspace_id = azurerm_synapse_workspace.default.id + start_ip_address = data.http.ip.response_body + end_ip_address = data.http.ip.response_body +} diff --git a/quickstart/101-synapse/terraform.tfvars.example b/quickstart/101-synapse/terraform.tfvars.example new file mode 100644 index 00000000..dba34cc8 --- /dev/null +++ b/quickstart/101-synapse/terraform.tfvars.example @@ -0,0 +1,15 @@ +name = "syn101" +environment = "dev" +location = "East US" + +synadmin_username = "sqladminuser" +synadmin_password = "ThisIsNotVerySecure!" + +aad_login = { + name = "azureuser@contoso.com" + object_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" +} + +enable_syn_sparkpool = false +enable_syn_sqlpool = false \ No newline at end of file diff --git a/quickstart/101-synapse/variables.tf b/quickstart/101-synapse/variables.tf new file mode 100644 index 00000000..fe14d367 --- /dev/null +++ b/quickstart/101-synapse/variables.tf @@ -0,0 +1,47 @@ +variable "name" { + type = string + description = "Name of the deployment" +} + +variable "environment" { + type = string + description = "Name of the environment" + default = "dev" +} + +variable "location" { + type = string + description = "Location of the resources" + default = "East US" +} + +variable "aad_login" { + description = "AAD login" + type = object({ + name = string + object_id = string + tenant_id = string + }) +} + +variable "synadmin_username" { + type = string + description = "Specifies The login name of the SQL administrator" +} + +variable "synadmin_password" { + type = string + description = "The Password associated with the sql_administrator_login for the SQL administrator" +} + +variable "enable_syn_sparkpool" { + type = bool + description = "Variable to enable or disable Synapse Spark pool deployment" + default = false +} + +variable "enable_syn_sqlpool" { + type = bool + description = "Variable to enable or disable Synapse Dedicated SQL pool deployment" + default = false +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/README.md b/quickstart/201-synapse-secure/README.md new file mode 100644 index 00000000..0f8a3441 --- /dev/null +++ b/quickstart/201-synapse-secure/README.md @@ -0,0 +1,58 @@ +# Azure Synapse Analytics workspace (moderately secure network set up) + +This deployment configuration specifies an [Azure Synapse Analytics workspace](https://learn.microsoft.com/en-us/azure/synapse-analytics/get-started-create-workspace), +and its associated resources including Azure Data Lake Storage (gen2), Synapse Spark Pool and Synapse SQL Pool. + +In addition to these core services, this configuration specifies any networking components that are required to set up Azure Synapse Analytics +for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). + +This configuration describes the minimal set of resources you require to get started with Azure Synapse Analytics in a network-isolated set-up. This configuration creates new network components. Use Azure Bastion to securely connect to the Virtual Machine. + +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all resources get deployed into. | +| `azurerm_bastion_host` | An Azure Bastion Instance to securely RDP into Virtual Machines deployed into the Virtual Network. | +| `azurerm_windows_virtual_machine` | A Windows Data Science Virtual Machine (jumphost) used for connecting to the Azure Synapse Analytics workspace. | +| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Synapse Analytics workspace. | +| `azurerm_synapse_workspace` | An Azure Synapse Analytics workspace instance. | +| `azurerm_synapse_private_link_hub` | An Azure Synapse Private Link Hub to allow securely connecting to Synapse Studio. | +| `azurerm_synapse_spark_pool` | An Azure Synapse Analytics spark pool. | +| `azurerm_synapse_sql_pool` | An Azure Synapse Analytics dedicated SQL pool. | +| `azurerm_virtual_network` | A default vnet. | +| `azurerm_subnet` | `bastion` and `default` subnets. | + +## Variables + +| Name | Description | Default | +|-|-|-| +| name | Name of the deployment | - | +| environment | The deployment environment name (used for pre- and postfixing resource names) | dev | +| location | The Azure region used for deployments | East US | +| aad_admin.login | The login name of the Azure AD Administrator of the Synapse Workspace | - | +| aad_admin.object_id| The object id of the Azure AD Administrator of the Synapse Workspace | - | +| aad_admin.tenant_id| The tenant id of the Azure AD Administrator of the Synapse Workspace | - | +| synadmin_username| Specifies the login name of the SQL administrator | - | +| synadmin_password| The Password associated with the synadmin_username for the SQL administrator | - | +| jumphost_username| Admin username of the VM | - | +| jumphost_password| Password for the admin username of the VM | - | +| enable_syn_sparkpool| A feature flag to enable/disable the Spark pool | false | +| enable_syn_sqlpool| A feature flag to enable/disable the SQL pool | false | + +## Usage + +1. Copy `terraform.tfvars.example` to `terraform.tfvars` +2. Update `terraform.tfvars` with your desired values +3. Run Terraform + ```console + $ terraform init + $ terraform plan + $ terraform apply + ``` + +## Learn more + +- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/guidance/success-by-design-introduction). +- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction) and watch [Success with Synapse - Security videos](https://www.youtube.com/playlist?list=PLzUAjXZBFU9OWYjSI5TdlpMV0ltAjLaNw). +- For all configurations of Azure Synapse Analytics in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace). \ No newline at end of file diff --git a/quickstart/201-synapse-secure/bastion.tf b/quickstart/201-synapse-secure/bastion.tf new file mode 100644 index 00000000..4c245c6f --- /dev/null +++ b/quickstart/201-synapse-secure/bastion.tf @@ -0,0 +1,19 @@ +resource "azurerm_bastion_host" "default" { + name = "bas-${local.basename}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + + ip_configuration { + name = "configuration" + subnet_id = azurerm_subnet.bastion.id + public_ip_address_id = azurerm_public_ip.default.id + } +} + +resource "azurerm_public_ip" "default" { + name = "pip-${local.basename}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + allocation_method = "Static" + sku = "Standard" +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/jumphost.tf b/quickstart/201-synapse-secure/jumphost.tf new file mode 100644 index 00000000..957c8400 --- /dev/null +++ b/quickstart/201-synapse-secure/jumphost.tf @@ -0,0 +1,87 @@ +resource "azurerm_virtual_machine" "jumphost" { + name = "wvm-${local.basename}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + network_interface_ids = [azurerm_network_interface.jumphost_nic.id] + vm_size = "Standard_DS3_v2" + + delete_os_disk_on_termination = true + delete_data_disks_on_termination = true + + storage_image_reference { + publisher = "microsoft-dsvm" + offer = "dsvm-win-2019" + sku = "server-2019" + version = "latest" + } + + os_profile { + computer_name = "jumphost" + admin_username = var.jumphost_username + admin_password = var.jumphost_password + } + + os_profile_windows_config { + provision_vm_agent = true + enable_automatic_upgrades = true + } + + identity { + type = "SystemAssigned" + } + + storage_os_disk { + name = "disk-${local.basename}" + caching = "ReadWrite" + create_option = "FromImage" + managed_disk_type = "StandardSSD_LRS" + } +} + +resource "azurerm_network_interface" "jumphost_nic" { + name = "nic-${local.basename}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + + ip_configuration { + name = "configuration" + private_ip_address_allocation = "Dynamic" + subnet_id = azurerm_subnet.default.id + } +} + +resource "azurerm_network_security_group" "jumphost_nsg" { + name = "nsg-${local.basename}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + + security_rule { + name = "RDP" + priority = 1010 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = 3389 + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource "azurerm_network_interface_security_group_association" "syn_jumphost_nsg_association" { + network_interface_id = azurerm_network_interface.jumphost_nic.id + network_security_group_id = azurerm_network_security_group.jumphost_nsg.id +} + +resource "azurerm_dev_test_global_vm_shutdown_schedule" "syn_jumphost_schedule" { + virtual_machine_id = azurerm_virtual_machine.jumphost.id + location = azurerm_resource_group.default.location + enabled = true + + daily_recurrence_time = "2000" + timezone = "W. Europe Standard Time" + + notification_settings { + enabled = false + } +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/locals.tf b/quickstart/201-synapse-secure/locals.tf new file mode 100644 index 00000000..a0b2c59b --- /dev/null +++ b/quickstart/201-synapse-secure/locals.tf @@ -0,0 +1,4 @@ +locals { + basename = "${var.name}-${var.environment}" + safe_basename = replace(local.basename, "-", "") +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/main.tf b/quickstart/201-synapse-secure/main.tf new file mode 100644 index 00000000..c87b0966 --- /dev/null +++ b/quickstart/201-synapse-secure/main.tf @@ -0,0 +1,10 @@ +data "azurerm_client_config" "current" {} + +data "http" "ip" { + url = "https://ifconfig.me" +} + +resource "azurerm_resource_group" "default" { + name = "rg-${local.basename}" + location = var.location +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/network.tf b/quickstart/201-synapse-secure/network.tf new file mode 100644 index 00000000..59e5536e --- /dev/null +++ b/quickstart/201-synapse-secure/network.tf @@ -0,0 +1,24 @@ +resource "azurerm_virtual_network" "default" { + name = "vnet-${local.basename}" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name +} + +# Subnets + +resource "azurerm_subnet" "default" { + name = "snet-${local.basename}" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = ["10.0.1.0/24"] + service_endpoints = [] + private_endpoint_network_policies_enabled = true +} + +resource "azurerm_subnet" "bastion" { + name = "AzureBastionSubnet" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = ["10.0.10.0/27"] +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/providers.tf b/quickstart/201-synapse-secure/providers.tf new file mode 100644 index 00000000..356fa182 --- /dev/null +++ b/quickstart/201-synapse-secure/providers.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + azurerm = { + version = "= 3.32.0" + } + } +} + +provider "azurerm" { + features {} +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/storage_account.tf b/quickstart/201-synapse-secure/storage_account.tf new file mode 100644 index 00000000..9e2bdf11 --- /dev/null +++ b/quickstart/201-synapse-secure/storage_account.tf @@ -0,0 +1,115 @@ +resource "azurerm_storage_account" "default" { + name = "st${local.safe_basename}" + resource_group_name = azurerm_resource_group.default.name + location = azurerm_resource_group.default.location + account_tier = "Standard" + account_replication_type = "LRS" + account_kind = "StorageV2" + is_hns_enabled = true +} + +resource "azurerm_role_assignment" "sbdc_current_user" { + scope = azurerm_storage_account.default.id + role_definition_name = "Storage Blob Data Contributor" + principal_id = data.azurerm_client_config.current.object_id +} + +resource "azurerm_role_assignment" "sbdc_syn_ws" { + scope = azurerm_storage_account.default.id + role_definition_name = "Storage Blob Data Contributor" + principal_id = azurerm_synapse_workspace.default.identity[0].principal_id +} + +resource "azurerm_role_assignment" "c_syn_ws" { + scope = azurerm_storage_account.default.id + role_definition_name = "Contributor" + principal_id = azurerm_synapse_workspace.default.identity[0].principal_id +} + +resource "azurerm_storage_data_lake_gen2_filesystem" "default" { + name = "default" + storage_account_id = azurerm_storage_account.default.id + + depends_on = [ + azurerm_role_assignment.sbdc_current_user + ] +} + +# Virtual Network & Firewall configuration + +resource "azurerm_storage_account_network_rules" "firewall_rules" { + storage_account_id = azurerm_storage_account.default.id + + default_action = "Deny" + ip_rules = [data.http.ip.response_body] + virtual_network_subnet_ids = [] + bypass = ["None"] +} + +# DNS Zones + +resource "azurerm_private_dns_zone" "zone_blob" { + name = "privatelink.blob.core.windows.net" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone" "zone_dfs" { + name = "privatelink.dfs.core.windows.net" + resource_group_name = azurerm_resource_group.default.name +} + +# Linking of DNS zones to Virtual Network + +resource "azurerm_private_dns_zone_virtual_network_link" "zone_blob_link" { + name = "${local.basename}_link_blob" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.zone_blob.name + virtual_network_id = azurerm_virtual_network.default.id +} + +resource "azurerm_private_dns_zone_virtual_network_link" "zone_dfs_link" { + name = "${local.basename}_link_dfs" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.zone_dfs.name + virtual_network_id = azurerm_virtual_network.default.id +} + +# Private Endpoint configuration + +resource "azurerm_private_endpoint" "pe_blob" { + name = "pe-${azurerm_storage_account.default.name}-blob" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = azurerm_subnet.default.id + + private_service_connection { + name = "psc-blob-${local.basename}" + private_connection_resource_id = azurerm_storage_account.default.id + subresource_names = ["blob"] + is_manual_connection = false + } + + private_dns_zone_group { + name = "private-dns-zone-group-blob" + private_dns_zone_ids = [azurerm_private_dns_zone.zone_blob.id] + } +} + +resource "azurerm_private_endpoint" "pe_dfs" { + name = "pe-${azurerm_storage_account.default.name}-dfs" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = azurerm_subnet.default.id + + private_service_connection { + name = "psc-dfs-${local.basename}" + private_connection_resource_id = azurerm_storage_account.default.id + subresource_names = ["dfs"] + is_manual_connection = false + } + + private_dns_zone_group { + name = "private-dns-zone-group-dfs" + private_dns_zone_ids = [azurerm_private_dns_zone.zone_dfs.id] + } +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/synapse_pools.tf b/quickstart/201-synapse-secure/synapse_pools.tf new file mode 100644 index 00000000..baf3f571 --- /dev/null +++ b/quickstart/201-synapse-secure/synapse_pools.tf @@ -0,0 +1,28 @@ +# Sql Pool + +resource "azurerm_synapse_sql_pool" "syn_pool_sql" { + name = "syndp01" + synapse_workspace_id = azurerm_synapse_workspace.default.id + sku_name = "DW100c" + create_mode = "Default" + count = var.enable_syn_sqlpool ? 1 : 0 +} + +# Spark Pool + +resource "azurerm_synapse_spark_pool" "syn_pool_spark" { + name = "synsp01" + synapse_workspace_id = azurerm_synapse_workspace.default.id + node_size_family = "MemoryOptimized" + node_size = "Small" + count = var.enable_syn_sparkpool ? 1 : 0 + + auto_scale { + max_node_count = 50 + min_node_count = 3 + } + + auto_pause { + delay_in_minutes = 15 + } +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/synapse_private_link_hub.tf b/quickstart/201-synapse-secure/synapse_private_link_hub.tf new file mode 100644 index 00000000..86b6edb0 --- /dev/null +++ b/quickstart/201-synapse-secure/synapse_private_link_hub.tf @@ -0,0 +1,33 @@ +resource "azurerm_synapse_private_link_hub" "default" { + name = "synplh${local.safe_basename}" + resource_group_name = azurerm_resource_group.default.name + location = azurerm_resource_group.default.location +} + +# DNS Zones + +resource "azurerm_private_dns_zone" "zone_web" { + name = "privatelink.azuresynapse.net" + resource_group_name = azurerm_resource_group.default.name +} + +# Private Endpoint configuration + +resource "azurerm_private_endpoint" "pe_web" { + name = "pe-${azurerm_synapse_private_link_hub.default.name}-web" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = azurerm_subnet.default.id + + private_service_connection { + name = "psc-web-${local.basename}" + private_connection_resource_id = azurerm_synapse_private_link_hub.default.id + subresource_names = ["web"] + is_manual_connection = false + } + + private_dns_zone_group { + name = "private-dns-zone-group-syn-web" + private_dns_zone_ids = [azurerm_private_dns_zone.zone_web.id] + } +} \ No newline at end of file diff --git a/quickstart/201-synapse-secure/synapse_workspace.tf b/quickstart/201-synapse-secure/synapse_workspace.tf new file mode 100644 index 00000000..80438596 --- /dev/null +++ b/quickstart/201-synapse-secure/synapse_workspace.tf @@ -0,0 +1,111 @@ +resource "azurerm_synapse_workspace" "default" { + name = "syn-${local.basename}" + resource_group_name = azurerm_resource_group.default.name + location = azurerm_resource_group.default.location + storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.default.id + + sql_administrator_login = var.synadmin_username + sql_administrator_login_password = var.synadmin_password + + managed_virtual_network_enabled = true + managed_resource_group_name = "${azurerm_resource_group.default.name}-syn-managed" + + public_network_access_enabled = false + + aad_admin { + login = var.aad_login.name + object_id = var.aad_login.object_id + tenant_id = var.aad_login.tenant_id + } + + identity { + type = "SystemAssigned" + } +} + +# DNS Zones + +resource "azurerm_private_dns_zone" "zone_dev" { + name = "privatelink.dev.azuresynapse.net" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone" "zone_sql" { + name = "privatelink.sql.azuresynapse.net" + resource_group_name = azurerm_resource_group.default.name +} + +# Linking of DNS zones to Virtual Network + +resource "azurerm_private_dns_zone_virtual_network_link" "zone_dev_link" { + name = "${local.basename}_link_dev" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.zone_dev.name + virtual_network_id = azurerm_virtual_network.default.id +} + +resource "azurerm_private_dns_zone_virtual_network_link" "zone_sql_link" { + name = "${local.basename}_link_sql" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.zone_sql.name + virtual_network_id = azurerm_virtual_network.default.id +} + +# Private Endpoint configuration + +resource "azurerm_private_endpoint" "pe_dev" { + name = "pe-${azurerm_synapse_workspace.default.name}-dev" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = azurerm_subnet.default.id + + private_service_connection { + name = "psc-dev-${local.basename}" + private_connection_resource_id = azurerm_synapse_workspace.default.id + subresource_names = ["dev"] + is_manual_connection = false + } + + private_dns_zone_group { + name = "private-dns-zone-group-dev" + private_dns_zone_ids = [azurerm_private_dns_zone.zone_dev.id] + } +} + +resource "azurerm_private_endpoint" "pe_sql" { + name = "pe-${azurerm_synapse_workspace.default.name}-sql" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = azurerm_subnet.default.id + + private_service_connection { + name = "psc-sql-${local.basename}" + private_connection_resource_id = azurerm_synapse_workspace.default.id + subresource_names = ["sql"] + is_manual_connection = false + } + + private_dns_zone_group { + name = "private-dns-zone-group-sql" + private_dns_zone_ids = [azurerm_private_dns_zone.zone_sql.id] + } +} + +resource "azurerm_private_endpoint" "pe_sqlondemand" { + name = "pe-${azurerm_synapse_workspace.default.name}-sqlondemand" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = azurerm_subnet.default.id + + private_service_connection { + name = "psc-sqlondemand-${local.basename}" + private_connection_resource_id = azurerm_synapse_workspace.default.id + subresource_names = ["sqlondemand"] + is_manual_connection = false + } + + private_dns_zone_group { + name = "private-dns-zone-group-sqlondemand" + private_dns_zone_ids = [azurerm_private_dns_zone.zone_sql.id] + } +} diff --git a/quickstart/201-synapse-secure/terraform.tfvars.example b/quickstart/201-synapse-secure/terraform.tfvars.example new file mode 100644 index 00000000..b28f018e --- /dev/null +++ b/quickstart/201-synapse-secure/terraform.tfvars.example @@ -0,0 +1,18 @@ +name = "syn201" +environment = "dev" +location = "East US" + +jumphost_username = "azureuser" +jumphost_password = "ThisIsNotVerySecure!" + +synadmin_username = "sqladminuser" +synadmin_password = "ThisIsNotVerySecure!" + +aad_login = { + name = "azureuser@contoso.com" + object_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" +} + +enable_syn_sparkpool = false +enable_syn_sqlpool = false \ No newline at end of file diff --git a/quickstart/201-synapse-secure/variables.tf b/quickstart/201-synapse-secure/variables.tf new file mode 100644 index 00000000..15d78c4f --- /dev/null +++ b/quickstart/201-synapse-secure/variables.tf @@ -0,0 +1,57 @@ +variable "name" { + type = string + description = "Name of the deployment" +} + +variable "environment" { + type = string + description = "Name of the environment" + default = "dev" +} + +variable "location" { + type = string + description = "Location of the resources" + default = "East US" +} + +variable "aad_login" { + description = "AAD login" + type = object({ + name = string + object_id = string + tenant_id = string + }) +} + +variable "jumphost_username" { + type = string + description = "Admin username of the VM" +} + +variable "jumphost_password" { + type = string + description = "Password for the admin username of the VM" +} + +variable "synadmin_username" { + type = string + description = "Specifies The login name of the SQL administrator" +} + +variable "synadmin_password" { + type = string + description = "The Password associated with the sql_administrator_login for the SQL administrator" +} + +variable "enable_syn_sparkpool" { + type = bool + description = "Variable to enable or disable Synapse Spark pool deployment" + default = false +} + +variable "enable_syn_sqlpool" { + type = bool + description = "Variable to enable or disable Synapse Dedicated SQL pool deployment" + default = false +} \ No newline at end of file