adding synapse managed vnet feature

Azure · Apr 23, 2022 · cbc3663 · cbc3663
1 parent 9fdc298
commit cbc3663
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 24 deletions.
diff --git a/deploy/enableSecurityFeatures.sh b/deploy/enableSecurityFeatures.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+ENVCODE=$1
+
+SYNAPSE_STORAGE_ACCT=$(az storage account list --query "[?tags.store && tags.store == 'synapse'].name" -o tsv -g $1-pipeline-rg)
+echo $SYNAPSE_STORAGE_ACCT
+
+if [[ -n $SYNAPSE_STORAGE_ACCT ]]
+then
+    echo 'Approving Synapse managed private end points'
+    # check if any private endpoint connection needs approval for the synapse storage account
+    PRIVATE_ENDPOINT_CONNECTION=$(az network private-endpoint-connection list -g $1-pipeline-rg -n $SYNAPSE_STORAGE_ACCT --type Microsoft.Storage/storageAccounts --query "[0]" -ojson)
+    if [[ -n $PRIVATE_ENDPOINT_CONNECTION ]]
+    then
+        PRIVATE_ENDPOINT_CONNECTION_ID=$(echo $PRIVATE_ENDPOINT_CONNECTION | jq -r '.id')
+        if [[ -n $PRIVATE_ENDPOINT_CONNECTION_ID ]]
+        then
+            PRIVATE_ENDPOINT_CONNECTION_STATUS=$(echo $PRIVATE_ENDPOINT_CONNECTION | jq -r '.properties.privateLinkServiceConnectionState.status')
+            if [[ $PRIVATE_ENDPOINT_CONNECTION_STATUS != "Approved" ]]
+            then
+                az network private-endpoint-connection approve \
+                    --id $PRIVATE_ENDPOINT_CONNECTION_ID --description "Approved by script"
+                echo 'Note: Managed Private end points takes time to be effective. Please verify in Synapse Studio before continuing with configure.sh'
+            fi
+        fi
+    fi
+fi
+
+
+
diff --git a/deploy/infra/groups/pipeline.bicep b/deploy/infra/groups/pipeline.bicep
@@ -84,6 +84,8 @@ param synapseMIStorageAccountRoles array = [
 ]
 
 param logAnalyticsWorkspaceId string
+param securityEnabled bool = false
+param preventDataExfiltration bool = false
 
 var namingPrefix = '${environmentCode}-${projectName}'
 var synapseResourceGroupNameVar = empty(synapseResourceGroupName) ? '${namingPrefix}-rg' : synapseResourceGroupName
@@ -129,8 +131,6 @@ module synapseHnsStorageAccount '../modules/storage.hns.bicep' = {
   }
 }
 
-
-
 module synapseWorkspace '../modules/synapse.workspace.bicep' = {
   name: '${namingPrefix}-workspace'
   params:{
@@ -153,6 +153,8 @@ module synapseWorkspace '../modules/synapse.workspace.bicep' = {
     gitRepoRootFolder: synapseGitRepoRootFolder
     gitRepoVstsTenantId: synapseGitRepoVstsTenantId
     gitRepoType: synapseGitRepoType
+    createManagedVnet: securityEnabled
+    preventDataExfiltration: preventDataExfiltration
   }
   dependsOn: [
     synapseHnsStorageAccount

diff --git a/deploy/infra/main.bicep b/deploy/infra/main.bicep
@@ -14,6 +14,12 @@ param environmentCode string
 @description('Environment will be used as Tag on the resource group')
 param environment string
 
+@description('Flag to set whether security resources such as Synapse managed vnet, NSG, etc are created or not')
+param securityEnabled bool = false
+
+@description('preventDataExfiltration for Synapse managed vnet')
+param preventDataExfiltration bool = false
+
 @description('Used for naming of the network resource group and its resources')
 param networkModulePrefix string = 'network'
 
@@ -105,6 +111,8 @@ module pipelineModule 'groups/pipeline.bicep' = {
     environmentCode: environmentCode
     environmentTag: environment
     logAnalyticsWorkspaceId: monitorModule.outputs.workspaceId
+    securityEnabled: securityEnabled
+    preventDataExfiltration: preventDataExfiltration
   }
   dependsOn: [
     networkModule

diff --git a/deploy/infra/modules/synapse.workspace.bicep b/deploy/infra/modules/synapse.workspace.bicep
@@ -26,6 +26,46 @@ param synapseSqlAdminPasswordSecretName string = 'synapse-sqladmin-password'
 param utcValue string = utcNow()
 param workspaceId string = 'default'
 
+param createManagedVnet bool = false
+@allowed([
+  'default'
+  ''
+])
+param managedVirtualNetwork string = 'default'
+param preventDataExfiltration bool = false
+param managedVirtualNetworkSettings object = {
+  managedVirtualNetworkSettings : {
+    allowedAadTenantIdsForLinking: []
+    preventDataExfiltration: preventDataExfiltration
+  }
+  managedVirtualNetwork : managedVirtualNetwork
+}
+
+var defaultDataLakeStorageSettings = {
+  resourceId: hnsStorage.id
+  accountUrl: hnsStorage.properties.primaryEndpoints.dfs
+  filesystem: hnsStorageFileSystem
+  createManagedPrivateEndpoint: createManagedVnet
+}
+
+var synapseCommonProperties = {
+  defaultDataLakeStorage: defaultDataLakeStorageSettings
+  sqlAdministratorLogin: sqlAdminLogin
+  sqlAdministratorLoginPassword: sqlAdminLoginPassword
+  workspaceRepositoryConfiguration:(empty(gitRepoType))? {}: {
+    accountName: gitRepoAccountName
+    collaborationBranch: gitRepoCollaborationBranch
+    hostName: gitRepoHostName
+    lastCommitId: gitRepoLastCommitId
+    projectName: gitRepoVstsProjectName
+    repositoryName: gitRepoRepositoryName
+    rootFolder: gitRepoRootFolder
+    tenantId: gitRepoVstsTenantId
+    type: gitRepoType
+  }
+}
+var selectedSynapseProperties = createManagedVnet ? union(synapseCommonProperties, managedVirtualNetworkSettings) : synapseCommonProperties
+
 resource hnsStorage 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
   name: hnsStorageAccountName
 }
@@ -40,26 +80,7 @@ resource synapseWorspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
   identity: {
     type: 'SystemAssigned'
   }
-  properties: {
-    defaultDataLakeStorage: {
-      resourceId: hnsStorage.id
-      accountUrl: hnsStorage.properties.primaryEndpoints.dfs
-      filesystem: hnsStorageFileSystem
-    }
-    sqlAdministratorLogin: sqlAdminLogin
-    sqlAdministratorLoginPassword: sqlAdminLoginPassword
-    workspaceRepositoryConfiguration:(empty(gitRepoType))? {}: {
-      accountName: gitRepoAccountName
-      collaborationBranch: gitRepoCollaborationBranch
-      hostName: gitRepoHostName
-      lastCommitId: gitRepoLastCommitId
-      projectName: gitRepoVstsProjectName
-      repositoryName: gitRepoRepositoryName
-      rootFolder: gitRepoRootFolder
-      tenantId: gitRepoVstsTenantId
-      type: gitRepoType
-    }
-  }
+  properties: selectedSynapseProperties
 }
 
 resource synapseWorkspaceFwRules 'Microsoft.Synapse/workspaces/firewallRules@2021-06-01' = {

diff --git a/deploy/install.sh b/deploy/install.sh
@@ -22,13 +22,22 @@ envCode=${envCode:-"${1}"}
 location=${location:-"${2}"}
 envTag=${envTag:-"synapse-${envCode}"}
 deploymentName=${3:-"${envTag}-deploy"}
+securityEnabled=${securityEnabled:-false}
+preventDataExfiltration=${preventDataExfiltration:-false}
 
 DEPLOYMENT_SCRIPT="az deployment sub create -l $location -n $deploymentName \
     -f ./deploy/infra/main.bicep \
     -p \
     location=$location \
     environmentCode=$envCode \
-    environment=$envTag"
+    environment=$envTag \
+    securityEnabled=$securityEnabled \
+    preventDataExfiltration=$preventDataExfiltration"
 $DEPLOYMENT_SCRIPT
-set +x
 
+if [[ $securityEnabled ]]
+then
+  ./deploy/enableSecurityFeatures.sh $envCode
+fi
+
+set +x