Azure Synapse Workspace Vulnerability Assessment

This page shows how to write Terraform and Azure Resource Manager definitions for Synapse Workspace Vulnerability Assessment, and how to write them securely.

azurerm_synapse_workspace_vulnerability_assessment (Terraform)

The Workspace Vulnerability Assessment in Synapse can be configured in Terraform with the resource name azurerm_synapse_workspace_vulnerability_assessment. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • workspace_security_alert_policy_id - (Required) The ID of the security alert policy of the Synapse Workspace. Changing this forces a new resource to be created.

  • storage_container_path - (Required) A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/).

  • storage_account_access_key - (Optional) Specifies the identifier key of the storage account for vulnerability assessment scan results. If storage_container_sas_key isn't specified, storage_account_access_key is required.

  • storage_container_sas_key - (Optional) A shared access signature (SAS Key) that has write access to the blob container specified in storage_container_path parameter. If storage_account_access_key isn't specified, storage_container_sas_key is required.

  • recurring_scans - (Optional) The recurring scans settings. The recurring_scans block supports fields documented below.


recurring_scans supports the following:

  • enabled - (Optional) Boolean flag which specifies whether recurring scans are enabled or disabled. Defaults to false.
  • email_subscription_admins_enabled - (Optional) Boolean flag which specifies whether the scheduled scan notification is sent to the subscription administrators. Defaults to false.
  • emails - (Optional) Specifies an array of e-mail addresses to which the scan notification is sent.

The following attributes are exported:

  • id - The ID of the Synapse Workspace Vulnerability Assessment.

Explanation in Terraform Registry

Manages the Vulnerability Assessment for a Synapse Workspace.

Tips: Best Practices for The Other Azure Synapse Resources

In addition to azurerm_synapse_workspace, Azure Synapse has other resources that should be configured with security in mind. Please check the following examples of those resources and the precautions that apply to them.


azurerm_synapse_workspace

Ensure the managed virtual network is enabled

It is better to enable the managed virtual network, which is disabled by default.
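The following Terraform configuration is an added example (not code from the page, the provider documentation or Shisho) that ties the parameters above together: a workspace with the managed virtual network enabled, the security alert policy the assessment depends on, and the vulnerability assessment itself with recurring scans and notifications turned on. The resource group, ADLS Gen2 filesystem ID, storage container URL and e-mail address are placeholders; the azurerm_synapse_workspace_security_alert_policy resource is assumed to exist in the provider with the arguments shown.

```hcl
# Added example; names, IDs and addresses are placeholders, not real values.
variable "sql_admin_password" {
  type      = string
  sensitive = true
}

variable "va_container_sas" {
  description = "SAS token scoped to the scan-results container (write access only)."
  type        = string
  sensitive   = true # keeps the key out of plan output and logs
}

resource "azurerm_synapse_workspace" "example" {
  name                                 = "synapse-example"
  resource_group_name                  = "rg-example"
  location                             = "westeurope"
  storage_data_lake_gen2_filesystem_id = "<ADLS_GEN2_FILESYSTEM_ID>"
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = var.sql_admin_password

  # Managed virtual network is off by default; turn it on (tip above).
  managed_virtual_network_enabled = true

  identity {
    type = "SystemAssigned"
  }
}

# The vulnerability assessment references the workspace's security alert policy ID.
resource "azurerm_synapse_workspace_security_alert_policy" "example" {
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  policy_state         = "Enabled"
}

resource "azurerm_synapse_workspace_vulnerability_assessment" "example" {
  workspace_security_alert_policy_id = azurerm_synapse_workspace_security_alert_policy.example.id
  storage_container_path             = "https://myStorage.blob.core.windows.net/VaScans/"

  # Prefer a container-scoped SAS over storage_account_access_key: a leaked SAS
  # exposes only this container, a leaked account key exposes the whole account.
  storage_container_sas_key = var.va_container_sas

  recurring_scans {
    enabled                           = true
    email_subscription_admins_enabled = true
    emails                            = ["secops@example.com"]
  }
}
```

Both secrets are passed in as sensitive variables rather than written into the .tf file, so they never land in version control.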

Review your Azure Synapse settings

In addition to the above, there are other security points you should be aware of. Shisho Cloud can check your .tf files for them.

Microsoft.Synapse/workspaces/vulnerabilityAssessments (Azure Resource Manager)

The workspaces/vulnerabilityAssessments in Microsoft.Synapse can be configured in Azure Resource Manager with the resource name Microsoft.Synapse/workspaces/vulnerabilityAssessments. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

PutWorkspaceMangedSqlServerVulnerabilityAssessmentCreateStorageAccessKeyMin.json#L20
        "type": "Microsoft.Synapse/workspaces/vulnerabilityAssessments",
        "properties": {
          "storageContainerPath": "https://myStorage.blob.core.windows.net/vulnerability-assessment/",
          "recurringScans": {
            "isEnabled": true,
            "emailSubscriptionAdmins": false,
PutWorkspaceMangedSqlServerVulnerabilityAssessmentCreateContainerSasKeyMin.json#L20
        "type": "Microsoft.Synapse/workspaces/vulnerabilityAssessments",
        "properties": {
          "storageContainerPath": "https://myStorage.blob.core.windows.net/vulnerability-assessment/",
          "recurringScans": {
            "isEnabled": true,
            "emailSubscriptionAdmins": false,
policy.json#L33
     "type": "Microsoft.Synapse/workspaces/vulnerabilityAssessments",
     "name": "default",
     "existenceCondition": {
      "field": "Microsoft.Synapse/workspaces/vulnerabilityAssessments/recurringScans.isEnabled",
      "equals": "True"
     }

Parameters

  • apiVersion required - string
  • name required - string

    The name of the vulnerability assessment.

  • properties required
      • recurringScans optional
          • emails optional - array

            Specifies an array of e-mail addresses to which the scan notification is sent.

          • emailSubscriptionAdmins optional - boolean

            Specifies whether the scheduled scan notification is sent to the subscription administrators.

          • isEnabled optional - boolean

            Recurring scans state.

      • storageAccountAccessKey optional - string

        Specifies the identifier key of the storage account for vulnerability assessment scan results. If 'storageContainerSasKey' isn't specified, storageAccountAccessKey is required.

      • storageContainerPath required - string

        A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/).

      • storageContainerSasKey optional - string

        A shared access signature (SAS Key) that has read and write access to the blob container specified in the 'storageContainerPath' parameter. If 'storageAccountAccessKey' isn't specified, storageContainerSasKey is required.

  • type required - string

Frequently asked questions

What is Azure Synapse Workspace Vulnerability Assessment?

Azure Synapse Workspace Vulnerability Assessment is a resource for Synapse of Microsoft Azure. Settings can be written in Terraform.