Merge pull request #124 from murggu/murggu/synapse-101

Add Synapse 101 and 201 quickstarts

quickstart/101-synapse/README.md

@@ -0,0 +1,50 @@
+# Azure Synapse Analytics workspace (public network connectivity)
+
+This deployment configuration specifies an [Azure Synapse Analytics workspace](https://learn.microsoft.com/en-us/azure/synapse-analytics/get-started-create-workspace), 
+and its associated resources including Azure Data Lake Storage (gen2), Synapse Spark Pool and Synapse SQL Pool.
+
+This configuration describes the minimal set of resources you require to get started with Azure Synapse Analytics.
+
+Network connectivity to the workspace is allowed over public endpoints, making this configuration suitable for open source projects or pilot environments.
+
+## Resources
+
+| Terraform Resource Type | Description |
+| - | - |
+| `azurerm_resource_group` | The resource group all resources get deployed into. |
+| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Synapse Analytics workspace. |
+| `azurerm_synapse_workspace` | An Azure Synapse Analytics workspace instance. |
+| `azurerm_synapse_spark_pool` | An Azure Synapse Analytics spark pool. |
+| `azurerm_synapse_sql_pool` | An Azure Synapse Analytics dedicated SQL pool. |
+
+## Variables
+
+| Name | Description | Default |
+|-|-|-|
+| name | Name of the deployment | - |
+| environment | The deployment environment name (used for pre- and postfixing resource names) | dev  |
+| location | The Azure region used for deployments | East US |
+| aad_admin.login | The login name of the Azure AD Administrator of the Synapse Workspace | - |
+| aad_admin.object_id| The object id of the Azure AD Administrator of the Synapse Workspace | - |
+| aad_admin.tenant_id| The tenant id of the Azure AD Administrator of the Synapse Workspace | - |
+| synadmin_username| Specifies the login name of the SQL administrator | - |
+| synadmin_password| The Password associated with the synadmin_username for the SQL administrator | - |
+| enable_syn_sparkpool| A feature flag to enable/disable the Spark pool | false |
+| enable_syn_sqlpool| A feature flag to enable/disable the SQL pool | false |
+
+## Usage
+
+1. Copy `terraform.tfvars.example` to `terraform.tfvars`
+2. Update `terraform.tfvars` with your desired values
+3. Run Terraform
+    ```console
+    $ terraform init
+    $ terraform plan
+    $ terraform apply
+    ```
+
+## Learn more
+
+- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/guidance/success-by-design-introduction).
+- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction) and watch [Success with Synapse - Security videos](https://www.youtube.com/playlist?list=PLzUAjXZBFU9OWYjSI5TdlpMV0ltAjLaNw).
+- For all configurations of Azure Synapse Analytics in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace).

quickstart/101-synapse/locals.tf

@@ -0,0 +1,4 @@
+locals {
+  basename      = "${var.name}-${var.environment}"
+  safe_basename = replace(local.basename, "-", "")
+}

quickstart/101-synapse/main.tf

@@ -0,0 +1,10 @@
+data "azurerm_client_config" "current" {}
+
+data "http" "ip" {
+  url = "https://ifconfig.me"
+}
+
+resource "azurerm_resource_group" "default" {
+  name     = "rg-${local.basename}"
+  location = var.location
+}

quickstart/101-synapse/providers.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    azurerm = {
+      version = "= 3.32.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}

quickstart/101-synapse/storage_account.tf

@@ -0,0 +1,36 @@
+resource "azurerm_storage_account" "default" {
+  name                     = "st${local.safe_basename}"
+  resource_group_name      = azurerm_resource_group.default.name
+  location                 = azurerm_resource_group.default.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  account_kind             = "StorageV2"
+  is_hns_enabled           = true
+}
+
+resource "azurerm_role_assignment" "sbdc_current_user" {
+  scope                = azurerm_storage_account.default.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_role_assignment" "sbdc_syn_ws" {
+  scope                = azurerm_storage_account.default.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_synapse_workspace.default.identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "c_syn_ws" {
+  scope                = azurerm_storage_account.default.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_synapse_workspace.default.identity[0].principal_id
+}
+
+resource "azurerm_storage_data_lake_gen2_filesystem" "default" {
+  name               = "default"
+  storage_account_id = azurerm_storage_account.default.id
+
+  depends_on = [
+    azurerm_role_assignment.sbdc_current_user
+  ]
+}

quickstart/101-synapse/synapse_pools.tf

@@ -0,0 +1,28 @@
+# Sql Pool 
+
+resource "azurerm_synapse_sql_pool" "syn_pool_sql" {
+  name                 = "syndp01"
+  synapse_workspace_id = azurerm_synapse_workspace.default.id
+  sku_name             = "DW100c"
+  create_mode          = "Default"
+  count                = var.enable_syn_sqlpool ? 1 : 0
+}
+
+# Spark Pool 
+
+resource "azurerm_synapse_spark_pool" "syn_pool_spark" {
+  name                 = "synsp01"
+  synapse_workspace_id = azurerm_synapse_workspace.default.id
+  node_size_family     = "MemoryOptimized"
+  node_size            = "Small"
+  count                = var.enable_syn_sparkpool ? 1 : 0
+
+  auto_scale {
+    max_node_count = 50
+    min_node_count = 3
+  }
+
+  auto_pause {
+    delay_in_minutes = 15
+  }
+}

quickstart/101-synapse/synapse_workspace.tf

@@ -0,0 +1,28 @@
+resource "azurerm_synapse_workspace" "default" {
+  name                                 = "syn-${local.basename}"
+  resource_group_name                  = azurerm_resource_group.default.name
+  location                             = azurerm_resource_group.default.location
+  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.default.id
+
+  sql_administrator_login          = var.synadmin_username
+  sql_administrator_login_password = var.synadmin_password
+
+  managed_resource_group_name = "${azurerm_resource_group.default.name}-syn-managed"
+
+  aad_admin {
+    login     = var.aad_login.name
+    object_id = var.aad_login.object_id
+    tenant_id = var.aad_login.tenant_id
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+resource "azurerm_synapse_firewall_rule" "allow_my_ip" {
+  name                 = "AllowMyPublicIp"
+  synapse_workspace_id = azurerm_synapse_workspace.default.id
+  start_ip_address     = data.http.ip.response_body
+  end_ip_address       = data.http.ip.response_body
+}

quickstart/101-synapse/terraform.tfvars.example

@@ -0,0 +1,15 @@
+name        = "syn101"
+environment = "dev"
+location    = "East US"
+
+synadmin_username = "sqladminuser"
+synadmin_password = "ThisIsNotVerySecure!"
+
+aad_login = {
+  name = "azureuser@contoso.com"
+  object_id = "00000000-0000-0000-0000-000000000000"
+  tenant_id = "00000000-0000-0000-0000-000000000000"
+}
+
+enable_syn_sparkpool = false
+enable_syn_sqlpool   = false

quickstart/101-synapse/variables.tf

@@ -0,0 +1,47 @@
+variable "name" {
+  type        = string
+  description = "Name of the deployment"
+}
+
+variable "environment" {
+  type        = string
+  description = "Name of the environment"
+  default     = "dev"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resources"
+  default     = "East US"
+}
+
+variable "aad_login" {
+  description = "AAD login"
+  type = object({
+    name      = string
+    object_id = string
+    tenant_id = string
+  })
+}
+
+variable "synadmin_username" {
+  type        = string
+  description = "Specifies The login name of the SQL administrator"
+}
+
+variable "synadmin_password" {
+  type        = string
+  description = "The Password associated with the sql_administrator_login for the SQL administrator"
+}
+
+variable "enable_syn_sparkpool" {
+  type        = bool
+  description = "Variable to enable or disable Synapse Spark pool deployment"
+  default     = false
+}
+
+variable "enable_syn_sqlpool" {
+  type        = bool
+  description = "Variable to enable or disable Synapse Dedicated SQL pool deployment"
+  default     = false
+}

quickstart/201-synapse-secure/README.md

@@ -0,0 +1,58 @@
+# Azure Synapse Analytics workspace (moderately secure network set up)
+
+This deployment configuration specifies an [Azure Synapse Analytics workspace](https://learn.microsoft.com/en-us/azure/synapse-analytics/get-started-create-workspace), 
+and its associated resources including Azure Data Lake Storage (gen2), Synapse Spark Pool and Synapse SQL Pool.
+
+In addition to these core services, this configuration specifies any networking components that are required to set up Azure Synapse Analytics
+for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). 
+
+This configuration describes the minimal set of resources you require to get started with Azure Synapse Analytics in a network-isolated set-up. This configuration creates new network components. Use Azure Bastion to securely connect to the Virtual Machine. 
+
+## Resources
+
+| Terraform Resource Type | Description |
+| - | - |
+| `azurerm_resource_group` | The resource group all resources get deployed into. |
+| `azurerm_bastion_host` | An Azure Bastion Instance to securely RDP into Virtual Machines deployed into the Virtual Network. |
+| `azurerm_windows_virtual_machine` | A Windows Data Science Virtual Machine (jumphost) used for connecting to the Azure Synapse Analytics workspace. |
+| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Synapse Analytics workspace. |
+| `azurerm_synapse_workspace` | An Azure Synapse Analytics workspace instance. |
+| `azurerm_synapse_private_link_hub` | An Azure Synapse Private Link Hub to allow securely connecting to Synapse Studio. |
+| `azurerm_synapse_spark_pool` | An Azure Synapse Analytics spark pool. |
+| `azurerm_synapse_sql_pool` | An Azure Synapse Analytics dedicated SQL pool. |
+| `azurerm_virtual_network` | A default vnet. |
+| `azurerm_subnet` | `bastion` and `default` subnets. |
+
+## Variables
+
+| Name | Description | Default |
+|-|-|-|
+| name | Name of the deployment | - |
+| environment | The deployment environment name (used for pre- and postfixing resource names) | dev  |
+| location | The Azure region used for deployments | East US |
+| aad_admin.login | The login name of the Azure AD Administrator of the Synapse Workspace | - |
+| aad_admin.object_id| The object id of the Azure AD Administrator of the Synapse Workspace | - |
+| aad_admin.tenant_id| The tenant id of the Azure AD Administrator of the Synapse Workspace | - |
+| synadmin_username| Specifies the login name of the SQL administrator | - |
+| synadmin_password| The Password associated with the synadmin_username for the SQL administrator | - |
+| jumphost_username| Admin username of the VM | - |
+| jumphost_password| Password for the admin username of the VM | - |
+| enable_syn_sparkpool| A feature flag to enable/disable the Spark pool | false |
+| enable_syn_sqlpool| A feature flag to enable/disable the SQL pool | false |
+
+## Usage
+
+1. Copy `terraform.tfvars.example` to `terraform.tfvars`
+2. Update `terraform.tfvars` with your desired values
+3. Run Terraform
+    ```console
+    $ terraform init
+    $ terraform plan
+    $ terraform apply
+    ```
+
+## Learn more
+
+- If you are new to Azure Synapse Analytics, see [Azure Synapse Analytics service](https://azure.microsoft.com/services/synapse-analytics/) and [Azure Synapse Analytics documentation](https://learn.microsoft.com/azure/synapse-analytics/guidance/success-by-design-introduction).
+- To learn more about security configurations in Azure Synapse Analytics, see [Azure Synapse Analytics security white paper](https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-introduction) and watch [Success with Synapse - Security videos](https://www.youtube.com/playlist?list=PLzUAjXZBFU9OWYjSI5TdlpMV0ltAjLaNw).
+- For all configurations of Azure Synapse Analytics in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace).

quickstart/201-synapse-secure/bastion.tf

@@ -0,0 +1,19 @@
+resource "azurerm_bastion_host" "default" {
+  name                = "bas-${local.basename}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  ip_configuration {
+    name                 = "configuration"
+    subnet_id            = azurerm_subnet.bastion.id
+    public_ip_address_id = azurerm_public_ip.default.id
+  }
+}
+
+resource "azurerm_public_ip" "default" {
+  name                = "pip-${local.basename}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}

quickstart/201-synapse-secure/jumphost.tf

@@ -0,0 +1,87 @@
+resource "azurerm_virtual_machine" "jumphost" {
+  name                  = "wvm-${local.basename}"
+  location              = azurerm_resource_group.default.location
+  resource_group_name   = azurerm_resource_group.default.name
+  network_interface_ids = [azurerm_network_interface.jumphost_nic.id]
+  vm_size               = "Standard_DS3_v2"
+
+  delete_os_disk_on_termination    = true
+  delete_data_disks_on_termination = true
+
+  storage_image_reference {
+    publisher = "microsoft-dsvm"
+    offer     = "dsvm-win-2019"
+    sku       = "server-2019"
+    version   = "latest"
+  }
+
+  os_profile {
+    computer_name  = "jumphost"
+    admin_username = var.jumphost_username
+    admin_password = var.jumphost_password
+  }
+
+  os_profile_windows_config {
+    provision_vm_agent        = true
+    enable_automatic_upgrades = true
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  storage_os_disk {
+    name              = "disk-${local.basename}"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "StandardSSD_LRS"
+  }
+}
+
+resource "azurerm_network_interface" "jumphost_nic" {
+  name                = "nic-${local.basename}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  ip_configuration {
+    name                          = "configuration"
+    private_ip_address_allocation = "Dynamic"
+    subnet_id                     = azurerm_subnet.default.id
+  }
+}
+
+resource "azurerm_network_security_group" "jumphost_nsg" {
+  name                = "nsg-${local.basename}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+
+  security_rule {
+    name                       = "RDP"
+    priority                   = 1010
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = 3389
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_network_interface_security_group_association" "syn_jumphost_nsg_association" {
+  network_interface_id      = azurerm_network_interface.jumphost_nic.id
+  network_security_group_id = azurerm_network_security_group.jumphost_nsg.id
+}
+
+resource "azurerm_dev_test_global_vm_shutdown_schedule" "syn_jumphost_schedule" {
+  virtual_machine_id = azurerm_virtual_machine.jumphost.id
+  location           = azurerm_resource_group.default.location
+  enabled            = true
+
+  daily_recurrence_time = "2000"
+  timezone              = "W. Europe Standard Time"
+
+  notification_settings {
+    enabled = false
+  }
+}

quickstart/201-synapse-secure/locals.tf

@@ -0,0 +1,4 @@
+locals {
+  basename      = "${var.name}-${var.environment}"
+  safe_basename = replace(local.basename, "-", "")
+}

quickstart/201-synapse-secure/main.tf

@@ -0,0 +1,10 @@
+data "azurerm_client_config" "current" {}
+
+data "http" "ip" {
+  url = "https://ifconfig.me"
+}
+
+resource "azurerm_resource_group" "default" {
+  name     = "rg-${local.basename}"
+  location = var.location
+}

quickstart/201-synapse-secure/network.tf

@@ -0,0 +1,24 @@
+resource "azurerm_virtual_network" "default" {
+  name                = "vnet-${local.basename}"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+# Subnets
+
+resource "azurerm_subnet" "default" {
+  name                                      = "snet-${local.basename}"
+  resource_group_name                       = azurerm_resource_group.default.name
+  virtual_network_name                      = azurerm_virtual_network.default.name
+  address_prefixes                          = ["10.0.1.0/24"]
+  service_endpoints                         = []
+  private_endpoint_network_policies_enabled = true
+}
+
+resource "azurerm_subnet" "bastion" {
+  name                 = "AzureBastionSubnet"
+  resource_group_name  = azurerm_resource_group.default.name
+  virtual_network_name = azurerm_virtual_network.default.name
+  address_prefixes     = ["10.0.10.0/27"]
+}

quickstart/201-synapse-secure/providers.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    azurerm = {
+      version = "= 3.32.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}

quickstart/201-synapse-secure/storage_account.tf

@@ -0,0 +1,115 @@
+resource "azurerm_storage_account" "default" {
+  name                     = "st${local.safe_basename}"
+  resource_group_name      = azurerm_resource_group.default.name
+  location                 = azurerm_resource_group.default.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  account_kind             = "StorageV2"
+  is_hns_enabled           = true
+}
+
+resource "azurerm_role_assignment" "sbdc_current_user" {
+  scope                = azurerm_storage_account.default.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_role_assignment" "sbdc_syn_ws" {
+  scope                = azurerm_storage_account.default.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_synapse_workspace.default.identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "c_syn_ws" {
+  scope                = azurerm_storage_account.default.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_synapse_workspace.default.identity[0].principal_id
+}
+
+resource "azurerm_storage_data_lake_gen2_filesystem" "default" {
+  name               = "default"
+  storage_account_id = azurerm_storage_account.default.id
+
+  depends_on = [
+    azurerm_role_assignment.sbdc_current_user
+  ]
+}
+
+# Virtual Network & Firewall configuration
+
+resource "azurerm_storage_account_network_rules" "firewall_rules" {
+  storage_account_id = azurerm_storage_account.default.id
+
+  default_action             = "Deny"
+  ip_rules                   = [data.http.ip.response_body]
+  virtual_network_subnet_ids = []
+  bypass                     = ["None"]
+}
+
+# DNS Zones
+
+resource "azurerm_private_dns_zone" "zone_blob" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone" "zone_dfs" {
+  name                = "privatelink.dfs.core.windows.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+# Linking of DNS zones to Virtual Network
+
+resource "azurerm_private_dns_zone_virtual_network_link" "zone_blob_link" {
+  name                  = "${local.basename}_link_blob"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.zone_blob.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "zone_dfs_link" {
+  name                  = "${local.basename}_link_dfs"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.zone_dfs.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+# Private Endpoint configuration
+
+resource "azurerm_private_endpoint" "pe_blob" {
+  name                = "pe-${azurerm_storage_account.default.name}-blob"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.default.id
+
+  private_service_connection {
+    name                           = "psc-blob-${local.basename}"
+    private_connection_resource_id = azurerm_storage_account.default.id
+    subresource_names              = ["blob"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-blob"
+    private_dns_zone_ids = [azurerm_private_dns_zone.zone_blob.id]
+  }
+}
+
+resource "azurerm_private_endpoint" "pe_dfs" {
+  name                = "pe-${azurerm_storage_account.default.name}-dfs"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.default.id
+
+  private_service_connection {
+    name                           = "psc-dfs-${local.basename}"
+    private_connection_resource_id = azurerm_storage_account.default.id
+    subresource_names              = ["dfs"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-dfs"
+    private_dns_zone_ids = [azurerm_private_dns_zone.zone_dfs.id]
+  }
+}

quickstart/201-synapse-secure/synapse_pools.tf

@@ -0,0 +1,28 @@
+# Sql Pool 
+
+resource "azurerm_synapse_sql_pool" "syn_pool_sql" {
+  name                 = "syndp01"
+  synapse_workspace_id = azurerm_synapse_workspace.default.id
+  sku_name             = "DW100c"
+  create_mode          = "Default"
+  count                = var.enable_syn_sqlpool ? 1 : 0
+}
+
+# Spark Pool 
+
+resource "azurerm_synapse_spark_pool" "syn_pool_spark" {
+  name                 = "synsp01"
+  synapse_workspace_id = azurerm_synapse_workspace.default.id
+  node_size_family     = "MemoryOptimized"
+  node_size            = "Small"
+  count                = var.enable_syn_sparkpool ? 1 : 0
+
+  auto_scale {
+    max_node_count = 50
+    min_node_count = 3
+  }
+
+  auto_pause {
+    delay_in_minutes = 15
+  }
+}

quickstart/201-synapse-secure/synapse_private_link_hub.tf

@@ -0,0 +1,33 @@
+resource "azurerm_synapse_private_link_hub" "default" {
+  name                = "synplh${local.safe_basename}"
+  resource_group_name = azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
+}
+
+# DNS Zones
+
+resource "azurerm_private_dns_zone" "zone_web" {
+  name                = "privatelink.azuresynapse.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+# Private Endpoint configuration
+
+resource "azurerm_private_endpoint" "pe_web" {
+  name                = "pe-${azurerm_synapse_private_link_hub.default.name}-web"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.default.id
+
+  private_service_connection {
+    name                           = "psc-web-${local.basename}"
+    private_connection_resource_id = azurerm_synapse_private_link_hub.default.id
+    subresource_names              = ["web"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-syn-web"
+    private_dns_zone_ids = [azurerm_private_dns_zone.zone_web.id]
+  }
+}

quickstart/201-synapse-secure/synapse_workspace.tf

@@ -0,0 +1,111 @@
+resource "azurerm_synapse_workspace" "default" {
+  name                                 = "syn-${local.basename}"
+  resource_group_name                  = azurerm_resource_group.default.name
+  location                             = azurerm_resource_group.default.location
+  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.default.id
+
+  sql_administrator_login          = var.synadmin_username
+  sql_administrator_login_password = var.synadmin_password
+
+  managed_virtual_network_enabled = true
+  managed_resource_group_name     = "${azurerm_resource_group.default.name}-syn-managed"
+
+  public_network_access_enabled = false
+
+  aad_admin {
+    login     = var.aad_login.name
+    object_id = var.aad_login.object_id
+    tenant_id = var.aad_login.tenant_id
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# DNS Zones
+
+resource "azurerm_private_dns_zone" "zone_dev" {
+  name                = "privatelink.dev.azuresynapse.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone" "zone_sql" {
+  name                = "privatelink.sql.azuresynapse.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+# Linking of DNS zones to Virtual Network
+
+resource "azurerm_private_dns_zone_virtual_network_link" "zone_dev_link" {
+  name                  = "${local.basename}_link_dev"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.zone_dev.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "zone_sql_link" {
+  name                  = "${local.basename}_link_sql"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.zone_sql.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+# Private Endpoint configuration
+
+resource "azurerm_private_endpoint" "pe_dev" {
+  name                = "pe-${azurerm_synapse_workspace.default.name}-dev"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.default.id
+
+  private_service_connection {
+    name                           = "psc-dev-${local.basename}"
+    private_connection_resource_id = azurerm_synapse_workspace.default.id
+    subresource_names              = ["dev"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-dev"
+    private_dns_zone_ids = [azurerm_private_dns_zone.zone_dev.id]
+  }
+}
+
+resource "azurerm_private_endpoint" "pe_sql" {
+  name                = "pe-${azurerm_synapse_workspace.default.name}-sql"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.default.id
+
+  private_service_connection {
+    name                           = "psc-sql-${local.basename}"
+    private_connection_resource_id = azurerm_synapse_workspace.default.id
+    subresource_names              = ["sql"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-sql"
+    private_dns_zone_ids = [azurerm_private_dns_zone.zone_sql.id]
+  }
+}
+
+resource "azurerm_private_endpoint" "pe_sqlondemand" {
+  name                = "pe-${azurerm_synapse_workspace.default.name}-sqlondemand"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.default.id
+
+  private_service_connection {
+    name                           = "psc-sqlondemand-${local.basename}"
+    private_connection_resource_id = azurerm_synapse_workspace.default.id
+    subresource_names              = ["sqlondemand"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-sqlondemand"
+    private_dns_zone_ids = [azurerm_private_dns_zone.zone_sql.id]
+  }
+}

quickstart/201-synapse-secure/terraform.tfvars.example

@@ -0,0 +1,18 @@
+name        = "syn201"
+environment = "dev"
+location    = "East US"
+
+jumphost_username = "azureuser"
+jumphost_password = "ThisIsNotVerySecure!"
+
+synadmin_username = "sqladminuser"
+synadmin_password = "ThisIsNotVerySecure!"
+
+aad_login = {
+  name = "azureuser@contoso.com"
+  object_id = "00000000-0000-0000-0000-000000000000"
+  tenant_id = "00000000-0000-0000-0000-000000000000"
+}
+
+enable_syn_sparkpool = false
+enable_syn_sqlpool   = false

quickstart/201-synapse-secure/variables.tf

@@ -0,0 +1,57 @@
+variable "name" {
+  type        = string
+  description = "Name of the deployment"
+}
+
+variable "environment" {
+  type        = string
+  description = "Name of the environment"
+  default     = "dev"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resources"
+  default     = "East US"
+}
+
+variable "aad_login" {
+  description = "AAD login"
+  type = object({
+    name      = string
+    object_id = string
+    tenant_id = string
+  })
+}
+
+variable "jumphost_username" {
+  type        = string
+  description = "Admin username of the VM"
+}
+
+variable "jumphost_password" {
+  type        = string
+  description = "Password for the admin username of the VM"
+}
+
+variable "synadmin_username" {
+  type        = string
+  description = "Specifies The login name of the SQL administrator"
+}
+
+variable "synadmin_password" {
+  type        = string
+  description = "The Password associated with the sql_administrator_login for the SQL administrator"
+}
+
+variable "enable_syn_sparkpool" {
+  type        = bool
+  description = "Variable to enable or disable Synapse Spark pool deployment"
+  default     = false
+}
+
+variable "enable_syn_sqlpool" {
+  type        = bool
+  description = "Variable to enable or disable Synapse Dedicated SQL pool deployment"
+  default     = false
+}