Skip to content

azurermSynapseWorkspaceSecurityAlertPolicy

Manages a Security Alert Policy for a Synapse Workspace.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountAuditLogs =
  new azurerm.storageAccount.StorageAccount(this, "audit_logs", {
    account_replication_type: "LRS",
    account_tier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "examplesa",
    resource_group_name: azurermResourceGroupExample.name,
  });
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_2",
  {
    account_kind: "StorageV2",
    account_replication_type: "LRS",
    account_tier: "Standard",
    is_hns_enabled: "true",
    location: azurermResourceGroupExample.location,
    name: "examplestorageacc",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermStorageDataLakeGen2FilesystemExample =
  new azurerm.storageDataLakeGen2Filesystem.StorageDataLakeGen2Filesystem(
    this,
    "example_3",
    {
      name: "example",
      storage_account_id: azurermStorageAccountExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageDataLakeGen2FilesystemExample.overrideLogicalId("example");
const azurermSynapseWorkspaceExample =
  new azurerm.synapseWorkspace.SynapseWorkspace(this, "example_4", {
    aad_admin: [
      {
        login: "AzureAD Admin",
        object_id: "00000000-0000-0000-0000-000000000000",
        tenant_id: "00000000-0000-0000-0000-000000000000",
      },
    ],
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "example",
    resource_group_name: azurermResourceGroupExample.name,
    sql_administrator_login: "sqladminuser",
    sql_administrator_login_password: "H@Sh1CoR3!",
    storage_data_lake_gen2_filesystem_id:
      azurermStorageDataLakeGen2FilesystemExample.id,
    tags: {
      Env: "production",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceExample.overrideLogicalId("example");
const azurermSynapseWorkspaceSecurityAlertPolicyExample =
  new azurerm.synapseWorkspaceSecurityAlertPolicy.SynapseWorkspaceSecurityAlertPolicy(
    this,
    "example_5",
    {
      disabled_alerts: ["Sql_Injection", "Data_Exfiltration"],
      policy_state: "Enabled",
      retention_days: 20,
      storage_account_access_key:
        azurermStorageAccountAuditLogs.primaryAccessKey,
      storage_endpoint: azurermStorageAccountAuditLogs.primaryBlobEndpoint,
      synapse_workspace_id: azurermSynapseWorkspaceExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceSecurityAlertPolicyExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • synapseWorkspaceId - (Required) Specifies the ID of the Synapse Workspace. Changing this forces a new resource to be created.

  • policyState - (Required) Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific workspace. Possible values are disabled, enabled and new.

  • disabledAlerts - (Optional) Specifies an array of alerts that are disabled. Allowed values are: sqlInjection, sqlInjectionVulnerability, accessAnomaly, dataExfiltration, unsafeAction.

  • emailAccountAdminsEnabled - (Optional) Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to false.

  • emailAddresses - (Optional) Specifies an array of email addresses to which the alert is sent.

  • retentionDays - (Optional) Specifies the number of days to keep in the Threat Detection audit logs. Defaults to 0.

  • storageAccountAccessKey - (Optional) Specifies the identifier key of the Threat Detection audit storage account.

  • storageEndpoint - (Optional) Specifies the blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.

Attributes Reference

The following attributes are exported:

  • id - The ID of the Synapse Workspace Security Alert Policy.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Synapse Workspace Security Alert Policy.
  • update - (Defaults to 30 minutes) Used when updating the Synapse Workspace Security Alert Policy.
  • read - (Defaults to 5 minutes) Used when retrieving the Synapse Workspace Security Alert Policy.
  • delete - (Defaults to 30 minutes) Used when deleting the Synapse Workspace Security Alert Policy.

Import

Synapse Workspace Security Alert Policies can be imported using the resourceId, e.g.

terraform import azurerm_synapse_workspace_security_alert_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Synapse/workspaces/workspace1/securityAlertPolicies/Default