adding synapse managed vnet feature

Author: sjyang18

deploy/infra/groups/pipeline.bicep

@@ -84,6 +84,8 @@ param synapseMIStorageAccountRoles array = [
 ]
 
 param logAnalyticsWorkspaceId string
+param securityEnabled bool = false
+param preventDataExfiltration bool = false
 
 var namingPrefix = '${environmentCode}-${projectName}'
 var synapseResourceGroupNameVar = empty(synapseResourceGroupName) ? '${namingPrefix}-rg' : synapseResourceGroupName
@@ -129,8 +131,6 @@ module synapseHnsStorageAccount '../modules/storage.hns.bicep' = {
   }
 }
 
-
-
 module synapseWorkspace '../modules/synapse.workspace.bicep' = {
   name: '${namingPrefix}-workspace'
   params:{
@@ -153,6 +153,8 @@ module synapseWorkspace '../modules/synapse.workspace.bicep' = {
     gitRepoRootFolder: synapseGitRepoRootFolder
     gitRepoVstsTenantId: synapseGitRepoVstsTenantId
     gitRepoType: synapseGitRepoType
+    createManagedVnet: securityEnabled
+    preventDataExfiltration: preventDataExfiltration
   }
   dependsOn: [
     synapseHnsStorageAccount

deploy/infra/main.bicep

@@ -14,6 +14,12 @@ param environmentCode string
 @description('Environment will be used as Tag on the resource group')
 param environment string
 
+@description('Flag to set whether security resources such as Synapse managed vnet, NSG, etc are created or not')
+param securityEnabled bool = false
+
+@description('preventDataExfiltration for Synapse managed vnet')
+param preventDataExfiltration bool = false
+
 @description('Used for naming of the network resource group and its resources')
 param networkModulePrefix string = 'network'
 
@@ -105,6 +111,8 @@ module pipelineModule 'groups/pipeline.bicep' = {
     environmentCode: environmentCode
     environmentTag: environment
     logAnalyticsWorkspaceId: monitorModule.outputs.workspaceId
+    securityEnabled: securityEnabled
+    preventDataExfiltration: preventDataExfiltration
   }
   dependsOn: [
     networkModule

deploy/infra/modules/synapse.workspace.bicep

@@ -26,6 +26,49 @@ param synapseSqlAdminPasswordSecretName string = 'synapse-sqladmin-password'
 param utcValue string = utcNow()
 param workspaceId string = 'default'
 
+param createManagedVnet bool = false
+@allowed([
+  'default'
+  ''
+])
+param managedVirtualNetwork string = 'default'
+param preventDataExfiltration bool = false
+param managedVirtualNetworkSettings object = {
+  managedVirtualNetworkSettings : {
+    allowedAadTenantIdsForLinking: []
+    preventDataExfiltration: preventDataExfiltration
+  }
+  managedVirtualNetwork : managedVirtualNetwork
+}
+
+
+var defaultDataLakeStorageSettings = {
+  resourceId: hnsStorage.id
+  accountUrl: hnsStorage.properties.primaryEndpoints.dfs
+  filesystem: hnsStorageFileSystem
+}
+var createManagedPrivateEndpointSetting = {
+  createManagedPrivateEndpoint : preventDataExfiltration
+}
+var datalakeStorageSettings = createManagedVnet ? union(defaultDataLakeStorageSettings, createManagedPrivateEndpointSetting) : defaultDataLakeStorageSettings
+var synapseCommonProperties = {
+  defaultDataLakeStorage: datalakeStorageSettings
+  sqlAdministratorLogin: sqlAdminLogin
+  sqlAdministratorLoginPassword: sqlAdminLoginPassword
+  workspaceRepositoryConfiguration:(empty(gitRepoType))? {}: {
+    accountName: gitRepoAccountName
+    collaborationBranch: gitRepoCollaborationBranch
+    hostName: gitRepoHostName
+    lastCommitId: gitRepoLastCommitId
+    projectName: gitRepoVstsProjectName
+    repositoryName: gitRepoRepositoryName
+    rootFolder: gitRepoRootFolder
+    tenantId: gitRepoVstsTenantId
+    type: gitRepoType
+  }
+}
+var selectedSynapseProperties = createManagedVnet ? union(synapseCommonProperties, managedVirtualNetworkSettings) : synapseCommonProperties
+
 resource hnsStorage 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
   name: hnsStorageAccountName
 }
@@ -40,26 +83,7 @@ resource synapseWorspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
   identity: {
     type: 'SystemAssigned'
   }
-  properties: {
-    defaultDataLakeStorage: {
-      resourceId: hnsStorage.id
-      accountUrl: hnsStorage.properties.primaryEndpoints.dfs
-      filesystem: hnsStorageFileSystem
-    }
-    sqlAdministratorLogin: sqlAdminLogin
-    sqlAdministratorLoginPassword: sqlAdminLoginPassword
-    workspaceRepositoryConfiguration:(empty(gitRepoType))? {}: {
-      accountName: gitRepoAccountName
-      collaborationBranch: gitRepoCollaborationBranch
-      hostName: gitRepoHostName
-      lastCommitId: gitRepoLastCommitId
-      projectName: gitRepoVstsProjectName
-      repositoryName: gitRepoRepositoryName
-      rootFolder: gitRepoRootFolder
-      tenantId: gitRepoVstsTenantId
-      type: gitRepoType
-    }
-  }
+  properties: selectedSynapseProperties
 }
 
 resource synapseWorkspaceFwRules 'Microsoft.Synapse/workspaces/firewallRules@2021-06-01' = {

deploy/install.sh

@@ -22,13 +22,22 @@ envCode=${envCode:-"${1}"}
 location=${location:-"${2}"}
 envTag=${envTag:-"synapse-${envCode}"}
 deploymentName=${3:-"${envTag}-deploy"}
+securityEnabled=${securityEnabled:-false}
+preventDataExfiltration=${preventDataExfiltration:-false}
 
 DEPLOYMENT_SCRIPT="az deployment sub create -l $location -n $deploymentName \
     -f ./deploy/infra/main.bicep \
     -p \
     location=$location \
     environmentCode=$envCode \
-    environment=$envTag"
+    environment=$envTag \
+    securityEnabled=$securityEnabled \
+    preventDataExfiltration=$preventDataExfiltration"
 $DEPLOYMENT_SCRIPT
-set +x
 
+if [[ $securityEnabled ]]
+then
+  ./deploy/enableSecurityFeatures.sh $envCode
+fi
+
+set +x