Azure Synapse SQL Pool Security Alert Policy
This page shows how to write Terraform and Azure Resource Manager configurations for the Synapse SQL Pool Security Alert Policy, and how to write them securely.
azurerm_synapse_sql_pool_security_alert_policy (Terraform)
The SQL Pool Security Alert Policy in Synapse can be configured in Terraform with the resource name azurerm_synapse_sql_pool_security_alert_policy. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
sql_pool_id - (Required) Specifies the ID of the Synapse SQL Pool. Changing this forces a new resource to be created.
policy_state - (Required) Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific SQL pool. Allowed values are: Disabled, Enabled.
disabled_alerts - (Optional) Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action.
email_account_admins_enabled - (Optional) Boolean flag which specifies if the alert is sent to the account administrators or not. Defaults to false.
email_addresses - (Optional) Specifies an array of e-mail addresses to which the alert is sent.
retention_days - (Optional) Specifies the number of days to keep in the Threat Detection audit logs. Defaults to 0.
storage_account_access_key - (Optional) Specifies the identifier key of the Threat Detection audit storage account.
storage_endpoint - (Optional) Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
The following attributes are exported:
id - The ID of the Synapse SQL Pool Security Alert Policy.
Explanation in Terraform Registry
Manages a Security Alert Policy for a Synapse SQL Pool.
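A hardened configuration using the arguments listed above, as an added example that is not from the original page or the provider documentation. The three input variables, the resource label hardened, the e-mail address and the retention value are assumptions; the weak alternative for each setting is noted in the comments.

```hcl
# Added example. The SQL pool and the audit storage account are assumed to
# exist already and are passed in by the caller through these variables.
variable "sql_pool_id" {
  type = string
}

variable "audit_storage_endpoint" {
  type = string # e.g. https://MyAccount.blob.core.windows.net
}

variable "audit_storage_access_key" {
  type      = string
  sensitive = true # redacted in plan/apply output, but still written to state
}

resource "azurerm_synapse_sql_pool_security_alert_policy" "hardened" {
  sql_pool_id = var.sql_pool_id

  # Weak: policy_state = "Disabled" turns the policy off for this pool.
  policy_state = "Enabled"

  # Weak: every alert type listed here is silenced, for example
  # disabled_alerts = ["Sql_Injection", "Data_Exfiltration"].
  disabled_alerts = []

  # Weak: the default (false) combined with no email_addresses leaves the
  # policy without any e-mail recipients.
  email_account_admins_enabled = true
  email_addresses              = ["secops@example.com"] # constructed address

  # Destination and retention for the Threat Detection audit logs.
  # 90 is a constructed sample value; set it to match your retention policy.
  storage_endpoint           = var.audit_storage_endpoint
  storage_account_access_key = var.audit_storage_access_key
  retention_days             = 90
}
```

Because the storage access key ends up in the Terraform state, restrict access to the state backend as tightly as the key itself.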
Tips: Best Practices for The Other Azure Synapse Resources
In addition to azurerm_synapse_workspace, Azure Synapse has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_synapse_workspace
Ensure the managed virtual network is enabled
It is better to enable the managed virtual network, which is disabled by default.
Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies (Azure Resource Manager)
The workspaces/sqlPools/securityAlertPolicies in Microsoft.Synapse can be configured in Azure Resource Manager with the resource name Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
apiVersion - (required, string)
name - (required, string) The name of the security alert policy.
properties - (required)
  disabledAlerts - (optional, array) Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action.
  emailAccountAdmins - (optional, boolean) Specifies that the alert is sent to the account administrators.
  emailAddresses - (optional, array) Specifies an array of e-mail addresses to which the alert is sent.
  retentionDays - (optional, integer) Specifies the number of days to keep in the Threat Detection audit logs.
  state - (required, string) Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific SQL pool.
  storageAccountAccessKey - (optional, string) Specifies the identifier key of the Threat Detection audit storage account.
  storageEndpoint - (optional, string) Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.
type - (required, string)