adding synapse managed vnet feature

Author: sjyang18

deploy/addManagedPE.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+set +x
+if [[ -z "$1" ]]
+  then
+    echo "Environment Code value not supplied"
+    exit 1
+fi
+ENVCODE=$1
+
+create_synapase_managed_private_endpoint() {
+    local tmpfile=$(mktemp)
+    local synpaseWorkspace=$1
+    local peName=$2
+    local groupId=$3
+    local privateLinkResourceId=$4
+
+    echo "creating MPE if not exist for $peName"
+    # check if peName exists
+    local checkPeExists=$(az synapse managed-private-endpoints show \
+     --pe-name $peName -otsv --query "id" --workspace-name $synpaseWorkspace 2>/dev/null || echo '')
+    
+    if [[ -z $checkPeExists ]];
+    then
+        jq -n -r \
+        --arg groupId "$groupId" \
+        --arg privateLinkResourceId "$privateLinkResourceId" \
+        '{groupId:$groupId, privateLinkResourceId:$privateLinkResourceId}' > $tmpfile
+
+        az synapse managed-private-endpoints create \
+            --file @$tmpfile \
+            --pe-name $peName \
+            --workspace-name $1
+
+        sleep 60
+        local provisioningState=$(az synapse managed-private-endpoints show --pe-name $peName \
+            --workspace-name $synpaseWorkspace -o tsv --query "properties.provisioningState")
+        while [[ $provisioningState != "Succeeded" ]];
+        do
+            sleep 10
+            provisioningState=$(az synapse managed-private-endpoints show --pe-name $peName \
+            --workspace-name $synpaseWorkspace -o tsv --query "properties.provisioningState")
+            echo "provisioningState of $peName: $provisioningState"
+        done
+    fi    
+}
+
+approve_synapase_managed_private_endpoint() {
+    local resourceGroup=$1
+    local resourceName=$2
+    local resourceType=$3
+
+    local PE_CONNECTION=$(az network private-endpoint-connection list -g $resourceGroup -n $resourceName \
+                    --type $resourceType  --query "[0]" -ojson 2>/dev/null || echo '')
+    if [[ -n $PE_CONNECTION ]];
+    then
+        local PE_CONNECTION_ID=$(echo $PE_CONNECTION | jq -r '.id')
+        local PE_CONNECTION_APPROVAL_STATUS=$(echo $PE_CONNECTION | jq -r '.properties.privateLinkServiceConnectionState.status')
+
+        if [[ $PE_CONNECTION_APPROVAL_STATUS != "Approved" ]];
+        then
+            az network private-endpoint-connection approve \
+                --id $PE_CONNECTION_ID --description "Approved by script"
+            echo "$PE_CONNECTION_ID got approved"
+        fi
+    fi
+}
+
+# wait for SYNAPSE_STORAGE_ACCT showing up in azcli and approve its managed private endpoint first.
+SYNAPSE_STORAGE_ACCT=$(az storage account list --query "[?tags.store && tags.store == 'synapse'].name" -o tsv -g $ENVCODE-pipeline-rg)
+while [[ -z $SYNAPSE_STORAGE_ACCT ]];
+do
+   sleep 30
+   SYNAPSE_STORAGE_ACCT=$(az storage account list --query "[?tags.store && tags.store == 'synapse'].name" -o tsv -g $ENVCODE-pipeline-rg)
+done
+approve_synapase_managed_private_endpoint $ENVCODE-pipeline-rg $SYNAPSE_STORAGE_ACCT "Microsoft.Storage/storageAccounts"
+
+# Create Managed Private Endpoints (PE) if not exist
+PIPELINE_KV=$(az keyvault list --query "[?tags.usage && tags.usage == 'linkedService']" -ojson -g $ENVCODE-pipeline-rg)
+while [[ $PIPELINE_KV == '[]' ]];
+do
+   sleep 30
+   PIPELINE_KV=$(az keyvault list --query "[?tags.usage && tags.usage == 'linkedService']" -ojson -g $ENVCODE-pipeline-rg)
+done
+PIPELINE_KV_NAME=$(echo $PIPELINE_KV | jq -r '.[0].name')
+PIPELINE_KV_ID=$(echo $PIPELINE_KV | jq -r '.[0].id')
+create_synapase_managed_private_endpoint "$ENVCODE-pipeline-syn-ws" "$ENVCODE-mpe-pipeline-kv" "vault" "$PIPELINE_KV_ID"
+
+DATA_STORAGE_ACCT=$(az storage account list --query "[?tags.store && tags.store == 'raw']" -ojson -g $ENVCODE-data-rg)
+while [[ $DATA_STORAGE_ACCT == '[]' ]]
+do
+   sleep 30
+   DATA_STORAGE_ACCT=$(az storage account list --query "[?tags.store && tags.store == 'raw']" -ojson -g $ENVCODE-data-rg)
+done
+DATA_STORAGE_ACCT_NAME=$(echo $DATA_STORAGE_ACCT | jq -r '.[0].name')
+DATA_STORAGE_ACCT_ID=$(echo $DATA_STORAGE_ACCT | jq -r '.[0].id')
+create_synapase_managed_private_endpoint "$ENVCODE-pipeline-syn-ws" "$ENVCODE-mpe-data-raw" "dfs" "$DATA_STORAGE_ACCT_ID"
+
+DATA_KV=$(az keyvault list --query "[?tags.usage && tags.usage == 'general']" -ojson -g $ENVCODE-data-rg)
+while [[ $DATA_KV == '[]' ]];
+do
+    sleep 30
+    DATA_KV=$(az keyvault list --query "[?tags.usage && tags.usage == 'general']" -ojson -g $ENVCODE-data-rg)
+done
+DATA_KV_NAME=$(echo $DATA_KV | jq -r '.[0].name')
+DATA_KV_ID=$(echo $DATA_KV | jq -r '.[0].id')
+create_synapase_managed_private_endpoint "$ENVCODE-pipeline-syn-ws" "$ENVCODE-mpe-data-kv" "vault" "$DATA_KV_ID"
+
+
+# Approve remaining Managed Private Endpoints (PE)
+approve_synapase_managed_private_endpoint $ENVCODE-pipeline-rg $PIPELINE_KV_NAME "Microsoft.Keyvault/vaults"
+approve_synapase_managed_private_endpoint $ENVCODE-data-rg $DATA_STORAGE_ACCT_NAME "Microsoft.Storage/storageAccounts"
+approve_synapase_managed_private_endpoint $ENVCODE-data-rg $DATA_KV_NAME "Microsoft.Keyvault/vaults"

deploy/infra/groups/pipeline.bicep

@@ -84,6 +84,8 @@ param synapseMIStorageAccountRoles array = [
 ]
 
 param logAnalyticsWorkspaceId string
+param securityEnabled bool = false
+param preventDataExfiltration bool = false
 
 var namingPrefix = '${environmentCode}-${projectName}'
 var synapseResourceGroupNameVar = empty(synapseResourceGroupName) ? '${namingPrefix}-rg' : synapseResourceGroupName
@@ -129,8 +131,6 @@ module synapseHnsStorageAccount '../modules/storage.hns.bicep' = {
   }
 }
 
-
-
 module synapseWorkspace '../modules/synapse.workspace.bicep' = {
   name: '${namingPrefix}-workspace'
   params:{
@@ -153,6 +153,8 @@ module synapseWorkspace '../modules/synapse.workspace.bicep' = {
     gitRepoRootFolder: synapseGitRepoRootFolder
     gitRepoVstsTenantId: synapseGitRepoVstsTenantId
     gitRepoType: synapseGitRepoType
+    createManagedVnet: securityEnabled
+    preventDataExfiltration: preventDataExfiltration
   }
   dependsOn: [
     synapseHnsStorageAccount

deploy/infra/main.bicep

@@ -14,6 +14,12 @@ param environmentCode string
 @description('Environment will be used as Tag on the resource group')
 param environment string
 
+@description('Flag to set whether security resources such as Synapse managed vnet, NSG, etc are created or not')
+param securityEnabled bool = false
+
+@description('preventDataExfiltration for Synapse managed vnet')
+param preventDataExfiltration bool = false
+
 @description('Used for naming of the network resource group and its resources')
 param networkModulePrefix string = 'network'
 
@@ -105,6 +111,8 @@ module pipelineModule 'groups/pipeline.bicep' = {
     environmentCode: environmentCode
     environmentTag: environment
     logAnalyticsWorkspaceId: monitorModule.outputs.workspaceId
+    securityEnabled: securityEnabled
+    preventDataExfiltration: preventDataExfiltration
   }
   dependsOn: [
     networkModule

deploy/infra/modules/privateendpoints.bicep

@@ -0,0 +1,60 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+param environmentCode string
+param location string
+param subnetId string
+param privateLinkServiceId string
+param privateDnsZoneName string
+param groupIds array
+
+resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
+  name: privateDnsZoneName
+}
+
+resource privateDnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' existing = {
+  parent: privateDnsZone
+  name: privateDnsZoneName
+}
+
+resource privateEndpoints 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+  name: guid(environmentCode, privateLinkServiceId, groupIds[0])
+  location: location
+  dependsOn: [
+    privateDnsZoneLink
+  ]
+  properties: {
+    subnet: {
+      id: subnetId
+    }
+    privateLinkServiceConnections: [
+      {
+        name: guid(environmentCode, privateLinkServiceId, groupIds[0])
+        properties: {
+          privateLinkServiceId: privateLinkServiceId
+          groupIds: groupIds
+          privateLinkServiceConnectionState: {
+            status: 'Approved'
+            description: 'Auto-Approved'
+            actionsRequired: 'None'
+          }
+        }
+      }
+    ]
+  }
+}
+
+resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = {
+  parent: privateEndpoints
+  name: guid(environmentCode, privateLinkServiceId, groupIds[0])
+  properties: {
+    privateDnsZoneConfigs: [
+      {
+        name: privateDnsZone.name
+        properties: {
+          privateDnsZoneId: privateDnsZone.id
+        }
+      }
+    ]
+  }
+}

deploy/infra/modules/privatelink.bicep

@@ -0,0 +1,23 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+param privateDnsZoneName string
+param customVnetId string
+
+resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+  name: privateDnsZoneName
+  location: 'global'
+}
+
+resource privateDnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
+  parent: privateDnsZone
+  name: privateDnsZoneName
+  location: 'global'
+  properties : {
+    registrationEnabled: false
+    virtualNetwork: {
+      id: customVnetId
+    }
+  }
+}
+

deploy/infra/modules/synapse.workspace.bicep

@@ -26,6 +26,46 @@ param synapseSqlAdminPasswordSecretName string = 'synapse-sqladmin-password'
 param utcValue string = utcNow()
 param workspaceId string = 'default'
 
+param createManagedVnet bool = false
+@allowed([
+  'default'
+  ''
+])
+param managedVirtualNetwork string = 'default'
+param preventDataExfiltration bool = false
+param managedVirtualNetworkSettings object = {
+  managedVirtualNetworkSettings : {
+    allowedAadTenantIdsForLinking: []
+    preventDataExfiltration: preventDataExfiltration
+  }
+  managedVirtualNetwork : managedVirtualNetwork
+}
+
+var defaultDataLakeStorageSettings = {
+  resourceId: hnsStorage.id
+  accountUrl: hnsStorage.properties.primaryEndpoints.dfs
+  filesystem: hnsStorageFileSystem
+  createManagedPrivateEndpoint: createManagedVnet
+}
+
+var synapseCommonProperties = {
+  defaultDataLakeStorage: defaultDataLakeStorageSettings
+  sqlAdministratorLogin: sqlAdminLogin
+  sqlAdministratorLoginPassword: sqlAdminLoginPassword
+  workspaceRepositoryConfiguration:(empty(gitRepoType))? {}: {
+    accountName: gitRepoAccountName
+    collaborationBranch: gitRepoCollaborationBranch
+    hostName: gitRepoHostName
+    lastCommitId: gitRepoLastCommitId
+    projectName: gitRepoVstsProjectName
+    repositoryName: gitRepoRepositoryName
+    rootFolder: gitRepoRootFolder
+    tenantId: gitRepoVstsTenantId
+    type: gitRepoType
+  }
+}
+var selectedSynapseProperties = createManagedVnet ? union(synapseCommonProperties, managedVirtualNetworkSettings) : synapseCommonProperties
+
 resource hnsStorage 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
   name: hnsStorageAccountName
 }
@@ -40,26 +80,7 @@ resource synapseWorspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
   identity: {
     type: 'SystemAssigned'
   }
-  properties: {
-    defaultDataLakeStorage: {
-      resourceId: hnsStorage.id
-      accountUrl: hnsStorage.properties.primaryEndpoints.dfs
-      filesystem: hnsStorageFileSystem
-    }
-    sqlAdministratorLogin: sqlAdminLogin
-    sqlAdministratorLoginPassword: sqlAdminLoginPassword
-    workspaceRepositoryConfiguration:(empty(gitRepoType))? {}: {
-      accountName: gitRepoAccountName
-      collaborationBranch: gitRepoCollaborationBranch
-      hostName: gitRepoHostName
-      lastCommitId: gitRepoLastCommitId
-      projectName: gitRepoVstsProjectName
-      repositoryName: gitRepoRepositoryName
-      rootFolder: gitRepoRootFolder
-      tenantId: gitRepoVstsTenantId
-      type: gitRepoType
-    }
-  }
+  properties: selectedSynapseProperties
 }
 
 resource synapseWorkspaceFwRules 'Microsoft.Synapse/workspaces/firewallRules@2021-06-01' = {