
Commit 1685d44

wonnerWan Yang
andauthored
[Synapse] Add new cmdlets related to SQL security on Synapse SQL pool and workspce (#13641)
* add support for threat detection * add support for vulnerability assessment * add support for enable data security * add support for TDE and data security * update help docs and test * update ChangeLog.md * add suppressions for session record Co-authored-by: Wan Yang <[email protected]>
1 parent 6aca453 commit 1685d44


45 files changed

+6960
-894
lines changed


45 files changed

+6960
-894
lines changed

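--- a/src/Synapse/Synapse.Test/ScenarioTests/SqlPoolTests.ps1
+++ b/src/Synapse/Synapse.Test/ScenarioTests/SqlPoolTests.ps1
@@ -131,7 +131,8 @@ function Test-SynapseSqlPool
 
 <#
 .SYNOPSIS
-Tests Synapse Workspace SQL Pool Auditing settings.
+Tests Synapse SQL Pool Security settings.
+Including SQL Pool Auditing settings, Advanced threat protection settings, Vulnerability assessment settings and Transparent Data Encryption.
 #>
 function Test-SynapseSqlPool-Security
 {
@@ -151,22 +152,62 @@ function Test-SynapseSqlPool-Security
 $sqlPoolName = [Microsoft.Azure.Test.HttpRecorder.HttpMockServer]::GetVariable("sqlPoolName", $sqlPoolName)
 $account = New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageGen2AccountName -Location $location -SkuName Standard_LRS -Kind StorageV2
 
-# Set SQL Auditing
+# Set SQL Pool Auditing
 Set-AzSynapseSqlPoolAudit -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName -BlobStorageTargetState Enabled -StorageAccountResourceId $account.id -StorageKeyType Primary
 
-# Get SQL Auditing
+# Get SQL Pool Auditing
 $auditing = Get-AzSynapseSqlPoolAudit -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName
 
 Assert-AreEqual $auditing.BlobStorageTargetState Enabled
 Assert-AreEqual $auditing.StorageAccountResourceId $account.id
 
-# Remove SQL Auditing
+# Set SQL Pool Advanced threat protection
+$threatProtectionSet = Update-AzSynapseSqlPoolAdvancedThreatProtectionSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName -NotificationRecipientsEmails "[email protected];[email protected]" `
+-EmailAdmins $False -ExcludedDetectionType "Sql_Injection","Unsafe_Action" -StorageAccountName $storageGen2AccountName
+
+Assert-AreEqual $threatProtectionSet.ThreatDetectionState Enabled
+Assert-AreEqual $threatProtectionSet.StorageAccountName $storageGen2AccountName
+
+# Set SQL Pool Vulnerability assessment
+$vulnerabilityAssessmentSet = Update-AzSynapseSqlPoolVulnerabilityAssessmentSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName -StorageAccountName $storageGen2AccountName `
+-RecurringScansInterval Weekly -EmailAdmins $False -NotificationEmail "[email protected]","[email protected]"
+
+Assert-AreEqual $vulnerabilityAssessmentSet.StorageAccountName $storageGen2AccountName
+Assert-AreEqual $vulnerabilityAssessmentSet.RecurringScansInterval Weekly
+
+# Remove SQL Pool Vulnerability assessment
+Assert-True {Clear-AzSynapseSqlPoolVulnerabilityAssessmentSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName -PassThru}
+
+# Verify that SQL Pool Vulnerability assessment was deleted
+$vulnerabilityAssessmentGet = Get-AzSynapseSqlPoolVulnerabilityAssessmentSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName
+
+Assert-AreEqual $vulnerabilityAssessmentGet.RecurringScansInterval None
+
+# Remove SQL Pool Advanced threat protection
+Assert-True {Clear-AzSynapseSqlPoolAdvancedThreatProtectionSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName -PassThru}
+
+# Verify that SQL Pool Advanced threat protection was deleted
+$threatProtectionGet = Get-AzSynapseSqlPoolAdvancedThreatProtectionSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName
+
+Assert-AreEqual $threatProtectionGet.ThreatDetectionState Disabled
+
+# Remove SQL Pool Auditing
 Assert-True {Remove-AzSynapseSqlPoolAudit -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName -PassThru}
 
-# Verify that SQL Auditing was deleted
+# Verify that SQL Pool Auditing was deleted
 $auditing = Get-AzSynapseSqlPoolAudit -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName
 
 Assert-AreEqual $auditing.BlobStorageTargetState Disabled
+
+# Set SQL Pool Transparent Data Encryption
+$tdeSet = Set-AzSynapseSqlPoolTransparentDataEncryption -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName -State Enabled
+
+Assert-AreEqual $tdeSet.State Enabled
+
+# Get SQL Pool Transparent Data Encryption
+$tdeGet = Get-AzSynapseSqlPoolTransparentDataEncryption -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName
+
+Assert-AreEqual $tdeGet.State Enabled
 }
 finally
 {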
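Review bot: The new Advanced threat protection and Vulnerability assessment steps assert only on the objects returned by the `Update-` cmdlets and never read the setting back before clearing it; whether those objects reflect the stored policy or merely echo the request is not visible here, so the later `Disabled` / `None` checks cannot distinguish "cleared" from "never persisted". Add a read-back before each `Clear-` call, as the auditing steps already do, e.g. `$threatProtectionGet = Get-AzSynapseSqlPoolAdvancedThreatProtectionSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -Name $sqlPoolName` followed by `Assert-AreEqual $threatProtectionGet.ThreatDetectionState Enabled`. The security-relevant inputs (`-ExcludedDetectionType "Sql_Injection","Unsafe_Action"`, the notification recipients and `-EmailAdmins $False`) are not asserted at all, so a regression that drops or widens the alert exclusion list would go unnoticed. The body of Test-SynapseSqlPool-Security starts and ends outside the hunk.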

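--- a/src/Synapse/Synapse.Test/ScenarioTests/WorkspaceTests.ps1
+++ b/src/Synapse/Synapse.Test/ScenarioTests/WorkspaceTests.ps1
@@ -209,6 +209,16 @@ function Test-SynapseWorkspace-Security
 
 Assert-AreEqual $auditing.BlobStorageTargetState Enabled
 Assert-AreEqual $auditing.StorageAccountResourceId $account.id
+
+# Enable SQL Data Security
+$dataSecurityEnable = Enable-AzSynapseSqlAdvancedDataSecurity -WorkspaceName $workspaceName -DoNotConfigureVulnerabilityAssessment
+
+Assert-True {$dataSecurityEnable.IsEnabled}
+
+# Get SQL Data Security Policy
+$dataSecurityGet = Get-AzSynapseSqlAdvancedDataSecurityPolicy -WorkspaceName $workspaceName
+
+Assert-True {$dataSecurityGet.IsEnabled}
 
 # Set SQL Advanced threat protection
 $threatProtectionSet = Update-AzSynapseSqlAdvancedThreatProtectionSetting -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -NotificationRecipientsEmails "[email protected];[email protected]" `
@@ -240,6 +250,11 @@ function Test-SynapseWorkspace-Security
 
 Assert-AreEqual $threatProtectionGet.ThreatDetectionState Disabled
 
+# Disable SQL Data Security
+$dataSecurityDisable = Disable-AzSynapseSqlAdvancedDataSecurity -WorkspaceName $workspaceName
+
+Assert-False {$dataSecurityDisable.IsEnabled}
+
 # Remove SQL Auditing
 Assert-True {Remove-AzSynapseSqlAudit -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName -PassThru}
 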
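Review bot: The disable step in the second hunk checks only the object returned by `Disable-AzSynapseSqlAdvancedDataSecurity`, whereas the enable step in the first hunk is confirmed with a separate `Get-AzSynapseSqlAdvancedDataSecurityPolicy` call. Read the policy back after disabling as well, e.g. `$dataSecurityGet = Get-AzSynapseSqlAdvancedDataSecurityPolicy -WorkspaceName $workspaceName` then `Assert-False {$dataSecurityGet.IsEnabled}`, so the test proves the workspace policy is really off rather than trusting the cmdlet's return value. The enable path is also exercised only with `-DoNotConfigureVulnerabilityAssessment`, so the default path, which presumably also configures vulnerability assessment, has no coverage in this test. Test-SynapseWorkspace-Security starts and ends outside both hunks.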
