Azure Synapse SQL Pool Security Alert Policy
This page shows how to write Terraform and Azure Resource Manager for Synapse SQL Pool Security Alert Policy and write them securely.
azurerm_synapse_sql_pool_security_alert_policy (Terraform)
The SQL Pool Security Alert Policy in Synapse can be configured in Terraform with the resource name azurerm_synapse_sql_pool_security_alert_policy. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
sql_pool_id- (Required) Specifies the ID of the Synapse SQL Pool. Changing this forces a new resource to be created.policy_state- (Required) Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific SQL pool. Allowed values are:Disabled,Enabled.disabled_alerts- (Optional) Specifies an array of alerts that are disabled. Allowed values are:Sql_Injection,Sql_Injection_Vulnerability,Access_Anomaly,Data_Exfiltration,Unsafe_Action.email_account_admins_enabled- (Optional) Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults tofalse.email_addresses- (Optional) Specifies an array of e-mail addresses to which the alert is sent.retention_days- (Optional) Specifies the number of days to keep in the Threat Detection audit logs. Defaults to0.storage_account_access_key- (Optional) Specifies the identifier key of the Threat Detection audit storage account.storage_endpoint- (Optional) Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
The following attributes are exported:
id- The ID of the Synapse SQL Pool Security Alert Policy.
Explanation in Terraform Registry
Manages a Security Alert Policy for a Synapse SQL Pool.
Tips: Best Practices for The Other Azure Synapse Resources
In addition to the azurerm_synapse_workspace, Azure Synapse has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_synapse_workspace
Ensure to enable the managed virtual network
It is better to enable the managed virtual network, which is disabled as the default.
Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies (Azure Resource Manager)
The workspaces/sqlPools/securityAlertPolicies in Microsoft.Synapse can be configured in Azure Resource Manager with the resource name Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
apiVersionrequired - stringnamerequired - stringThe name of the security alert policy.
propertiesrequireddisabledAlertsoptional - arraySpecifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action
emailAccountAdminsoptional - booleanSpecifies that the alert is sent to the account administrators.
emailAddressesoptional - arraySpecifies an array of e-mail addresses to which the alert is sent.
retentionDaysoptional - integerSpecifies the number of days to keep in the Threat Detection audit logs.
staterequired - stringSpecifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific Sql pool.
storageAccountAccessKeyoptional - stringSpecifies the identifier key of the Threat Detection audit storage account.
storageEndpointoptional - stringSpecifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
typerequired - string
