diff --git a/quickstart/101-synapse/README.md b/quickstart/101-synapse/README.md
index 2f829ddc..d97d3350 100644
--- a/quickstart/101-synapse/README.md
+++ b/quickstart/101-synapse/README.md
@@ -9,7 +9,6 @@ Network connectivity to the workspace is allowed over public endpoints, making t
 ## Resources
 
-
 | Terraform Resource Type | Description |
 | - | - |
 | `azurerm_resource_group` | The resource group all resources get deployed into. |
@@ -46,6 +45,6 @@ Network connectivity to the workspace is allowed over public endpoints, making t
 
 ## Learn more
 
-- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/overview-what-is).
-- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction).
-- For all configurations of Azure Synapse Analytics in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace).
+- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/guidance/success-by-design-introduction).
+- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction) and watch [Success with Synapse - Security videos](https://www.youtube.com/playlist?list=PLzUAjXZBFU9OWYjSI5TdlpMV0ltAjLaNw).
+- For all configurations of Azure Synapse Analytics in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace).
\ No newline at end of file
diff --git a/quickstart/101-synapse/locals.tf b/quickstart/101-synapse/locals.tf
index 6e7e93e2..a0b2c59b 100644
--- a/quickstart/101-synapse/locals.tf
+++ b/quickstart/101-synapse/locals.tf
@@ -1,4 +1,4 @@
 locals {
- basename = "${var.name}-${var.environment}"
+ basename = "${var.name}-${var.environment}"
 safe_basename = replace(local.basename, "-", "")
 }
\ No newline at end of file
diff --git a/quickstart/101-synapse/main.tf b/quickstart/101-synapse/main.tf
index dfa3bd98..c87b0966 100644
--- a/quickstart/101-synapse/main.tf
+++ b/quickstart/101-synapse/main.tf
@@ -1,15 +1,3 @@
-terraform {
- required_providers {
- azurerm = {
- version = "= 3.30.0"
- }
- }
-}
-
-provider "azurerm" {
- features {}
-}
-
 data "azurerm_client_config" "current" {}
 
 data "http" "ip" {
diff --git a/quickstart/101-synapse/providers.tf b/quickstart/101-synapse/providers.tf
new file mode 100644
index 00000000..356fa182
--- /dev/null
+++ b/quickstart/101-synapse/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ azurerm = {
+ version = "= 3.32.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
\ No newline at end of file
diff --git a/quickstart/101-synapse/synapse_workspace.tf b/quickstart/101-synapse/synapse_workspace.tf
index 5673dedd..4d64ba80 100644
--- a/quickstart/101-synapse/synapse_workspace.tf
+++ b/quickstart/101-synapse/synapse_workspace.tf
@@ -23,6 +23,6 @@ resource "azurerm_synapse_workspace" "default" {
 resource "azurerm_synapse_firewall_rule" "allow_my_ip" {
 name = "AllowMyPublicIp"
 synapse_workspace_id = azurerm_synapse_workspace.default.id
- start_ip_address = data.http.ip.body
- end_ip_address = data.http.ip.body
+ start_ip_address = data.http.ip.response_body
+ end_ip_address = data.http.ip.response_body
 }
diff --git a/quickstart/101-synapse/variables.tf b/quickstart/101-synapse/variables.tf
index 4bfb92fc..3a8deab5 100644
--- a/quickstart/101-synapse/variables.tf
+++ b/quickstart/101-synapse/variables.tf
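Review bot: `required_providers` in the new providers.tf pins only `azurerm`, yet this same commit moves `synapse_workspace.tf` (and, in 201-synapse-secure, `storage_account.tf`) to `data.http.ip.response_body`, an attribute that to my recollection only exists in hashicorp/http 3.x, so an unconstrained or cached 2.x `http` provider would fail the plan with an unsupported-attribute error. Add the provider next to `azurerm`, e.g. `http = { source = "hashicorp/http", version = "~> 3.0" }`, in both this file and the identical new `quickstart/201-synapse-secure/providers.tf`. While there, a one-line comment explaining why `azurerm` is pinned exactly with `= 3.32.0` rather than a `~>` range would help readers who copy the quickstart.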
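Review bot: `start_ip_address` and `end_ip_address` consume `data.http.ip.response_body` verbatim, and IP-echo services commonly append a newline, which makes the firewall rule fail validation or, at best, drift between runs; the request URL is set in main.tf outside this hunk, so I cannot confirm the service's formatting. Wrapping both lines as `start_ip_address = trimspace(data.http.ip.response_body)` and `end_ip_address = trimspace(data.http.ip.response_body)` removes the dependency on it; `ip_rules` in `quickstart/201-synapse-secure/storage_account.tf` has the same exposure. A comment on the resource, `# Opens the workspace's public SQL endpoint to the deploying machine's egress IP only; behind a shared NAT (office, CI) that address covers more than one host`, would make the scope of the rule explicit for people copying the quickstart.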
@@ -32,13 +32,11 @@ variable "aad_login" {
 variable "synadmin_username" {
 type = string
 description = "Specifies The login name of the SQL administrator"
- default = "sqladminuser"
 }
 
 variable "synadmin_password" {
 type = string
 description = "The Password associated with the sql_administrator_login for the SQL administrator"
- default = "ThisIsNotVerySecure!"
 }
 
 variable "enable_syn_sparkpool" {
diff --git a/quickstart/201-synapse-secure/README.md b/quickstart/201-synapse-secure/README.md
index 541774e2..1c004d39 100644
--- a/quickstart/201-synapse-secure/README.md
+++ b/quickstart/201-synapse-secure/README.md
@@ -6,7 +6,7 @@ and its associated resources including Azure Data Lake Storage (gen2), Synapse S
 In addition to these core services, this configuration specifies any networking components that are required to set up Azure Synapse Analytics for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/).
 
-This configuration describes the minimal set of resources you require to get started with Azure Synapse Analytics in a network-isolated set-up. This configuration creates new network components. Use Azure Bastion to securely connect to the Virtual Machine.
+This configuration describes the minimal set of resources you require to get started with Azure Synapse Analytics in a network-isolated set-up. This configuration creates new network components. Use Azure Bastion to securely connect to the Virtual Machine.
 
 ## Resources
 
 
@@ -40,8 +40,6 @@ This configuration describes the minimal set of resources you require to get sta
 | enable_syn_sparkpool| A feature flag to enable/disable the Spark pool | false |
 | enable_syn_sqlpool| A feature flag to enable/disable the SQL pool | false |
 
-
-
 ## Usage
 
 1. Copy `terraform.tfvars.example` to `terraform.tfvars`
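Review bot: Removing the weak `default` for `synadmin_password` is good, but the variable is still not marked sensitive, so the value users now put in `terraform.tfvars` is printed in plan/apply output and CI logs; add `sensitive = true` inside `variable "synadmin_password"`. The same applies to `jumphost_password` and `synadmin_password` in the `quickstart/201-synapse-secure/variables.tf` hunk of this commit. The value still lands in clear text in the Terraform state regardless of `sensitive`, so the README's usage steps should tell readers to protect the state backend. A `validation` block enforcing a minimum length would also reject trivially weak replacements for the removed default.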
@@ -55,6 +53,6 @@ This configuration describes the minimal set of resources you require to get sta
 
 ## Learn more
 
-- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/overview-what-is).
-- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction).
+- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/guidance/success-by-design-introduction).
+- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction) and watch [Success with Synapse - Security videos](https://www.youtube.com/playlist?list=PLzUAjXZBFU9OWYjSI5TdlpMV0ltAjLaNw).
 - For all configurations of Azure Synapse Analytics in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace).
\ No newline at end of file
diff --git a/quickstart/201-synapse-secure/locals.tf b/quickstart/201-synapse-secure/locals.tf
index 6e7e93e2..a0b2c59b 100644
--- a/quickstart/201-synapse-secure/locals.tf
+++ b/quickstart/201-synapse-secure/locals.tf
@@ -1,4 +1,4 @@
 locals {
- basename = "${var.name}-${var.environment}"
+ basename = "${var.name}-${var.environment}"
 safe_basename = replace(local.basename, "-", "")
 }
\ No newline at end of file
diff --git a/quickstart/201-synapse-secure/main.tf b/quickstart/201-synapse-secure/main.tf
index dfa3bd98..c87b0966 100644
--- a/quickstart/201-synapse-secure/main.tf
+++ b/quickstart/201-synapse-secure/main.tf
@@ -1,15 +1,3 @@
-terraform {
- required_providers {
- azurerm = {
- version = "= 3.30.0"
- }
- }
-}
-
-provider "azurerm" {
- features {}
-}
-
 data "azurerm_client_config" "current" {}
 
 data "http" "ip" {
diff --git a/quickstart/201-synapse-secure/network.tf b/quickstart/201-synapse-secure/network.tf
index 567e5ac3..59e5536e 100644
--- a/quickstart/201-synapse-secure/network.tf
+++ b/quickstart/201-synapse-secure/network.tf
@@ -8,12 +8,12 @@ resource "azurerm_virtual_network" "default" {
 
 # Subnets
 resource "azurerm_subnet" "default" {
- name = "snet-${local.basename}"
- resource_group_name = azurerm_resource_group.default.name
- virtual_network_name = azurerm_virtual_network.default.name
- address_prefixes = ["10.0.1.0/24"]
- service_endpoints = []
- enforce_private_link_endpoint_network_policies = true
+ name = "snet-${local.basename}"
+ resource_group_name = azurerm_resource_group.default.name
+ virtual_network_name = azurerm_virtual_network.default.name
+ address_prefixes = ["10.0.1.0/24"]
+ service_endpoints = []
+ private_endpoint_network_policies_enabled = true
 }
 
 resource "azurerm_subnet" "bastion" {
diff --git a/quickstart/201-synapse-secure/providers.tf b/quickstart/201-synapse-secure/providers.tf
new file mode 100644
index 00000000..356fa182
--- /dev/null
+++ b/quickstart/201-synapse-secure/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ azurerm = {
+ version = "= 3.32.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
\ No newline at end of file
diff --git a/quickstart/201-synapse-secure/storage_account.tf b/quickstart/201-synapse-secure/storage_account.tf
index 756c0353..9e2bdf11 100644
--- a/quickstart/201-synapse-secure/storage_account.tf
+++ b/quickstart/201-synapse-secure/storage_account.tf
@@ -41,7 +41,7 @@ resource "azurerm_storage_account_network_rules" "firewall_rules" {
 storage_account_id = azurerm_storage_account.default.id
 default_action = "Deny"
- ip_rules = [data.http.ip.body]
+ ip_rules = [data.http.ip.response_body]
 virtual_network_subnet_ids = []
 bypass = ["None"]
 }
diff --git a/quickstart/201-synapse-secure/synapse_workspace.tf b/quickstart/201-synapse-secure/synapse_workspace.tf
index 848c860a..80438596 100644
--- a/quickstart/201-synapse-secure/synapse_workspace.tf
+++ b/quickstart/201-synapse-secure/synapse_workspace.tf
@@ -8,7 +8,9 @@ resource "azurerm_synapse_workspace" "default" {
 sql_administrator_login_password = var.synadmin_password
 
 managed_virtual_network_enabled = true
- managed_resource_group_name = "${azurerm_resource_group.default.name}-syn-managed"
+ managed_resource_group_name = "${azurerm_resource_group.default.name}-syn-managed"
+
+ public_network_access_enabled = false
 
 aad_admin {
 login = var.aad_login.name
@@ -21,13 +23,6 @@ resource "azurerm_synapse_workspace" "default" {
 }
 }
 
-resource "azurerm_synapse_firewall_rule" "allow_my_ip" {
- name = "AllowMyPublicIp"
- synapse_workspace_id = azurerm_synapse_workspace.default.id
- start_ip_address = data.http.ip.body
- end_ip_address = data.http.ip.body
-}
-
 # DNS Zones
 
 resource "azurerm_private_dns_zone" "zone_dev" {
diff --git a/quickstart/201-synapse-secure/variables.tf b/quickstart/201-synapse-secure/variables.tf
index ce26c0e4..ecf212d5 100644
--- a/quickstart/201-synapse-secure/variables.tf
+++ b/quickstart/201-synapse-secure/variables.tf
@@ -32,25 +32,21 @@ variable "aad_login" {
 variable "jumphost_username" {
 type = string
 description = "Admin username of the VM"
- default = "azureuser"
 }
 
 variable "jumphost_password" {
 type = string
 description = "Password for the admin username of the VM"
- default = "ThisIsNotVerySecure!"
 }
 
 variable "synadmin_username" {
 type = string
 description = "Specifies The login name of the SQL administrator"
- default = "sqladminuser"
 }
 
 variable "synadmin_password" {
 type = string
 description = "The Password associated with the sql_administrator_login for the SQL administrator"
- default = "ThisIsNotVerySecure!"
 }
 
 variable "enable_syn_sparkpool" {