Control: Azure Synapse workspaces should use private link
Description
Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. Mapping private endpoints to an Azure Synapse workspace reduces data leakage risks.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.synapse_workspace_private_link_used
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_azure_compliance.control.synapse_workspace_private_link_used --share
SQL
This control uses a named query:
with synapse_workspaces as (
  select
    '${azurerm_synapse_workspace.' || name || '.id}' as sw_id,
    *
  from
    terraform_resource
  where
    type = 'azurerm_synapse_workspace'
), synapse_workspace_private_link as (
    select
      *
    from
      terraform_resource
    where
      type = 'azurerm_synapse_managed_private_endpoint'
)
select
  a.address as resource,
  case
    when (s.attributes_std ->> 'synapse_workspace_id') is not null then 'ok'
    else 'alarm'
  end as status,
  split_part(a.address, '.', 2) || case
    when (s.attributes_std ->> 'synapse_workspace_id') is not null then ' uses private link'
    else ' not uses private link'
  end || '.' reason
    , a.path || ':' || a.start_line
from
  synapse_workspaces as a
  left join synapse_workspace_private_link as s on a.sw_id = (s.attributes_std ->> 'synapse_workspace_id');
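The Terraform below is an added example, not part of the control or the mod: it shows one workspace the named query reports as alarm and one it reports as ok. All resource names and variables are placeholders. The query joins on the string `${azurerm_synapse_workspace.<name>.id}`, so the endpoint's `synapse_workspace_id` must reference the workspace by its resource address to match.

```hcl
# Constructed example: every name and variable below is a placeholder.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "adls_filesystem_id" { type = string }
variable "storage_account_id" { type = string }
variable "sql_admin_password" {
  type      = string
  sensitive = true
}

# Reported as "alarm": no managed private endpoint references this workspace.
resource "azurerm_synapse_workspace" "no_private_link" {
  name                                 = "synw-example-open"
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = var.adls_filesystem_id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = var.sql_admin_password

  identity {
    type = "SystemAssigned"
  }
}

# Reported as "ok": the endpoint below points at this workspace's id.
resource "azurerm_synapse_workspace" "with_private_link" {
  name                                 = "synw-example-private"
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = var.adls_filesystem_id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = var.sql_admin_password
  managed_virtual_network_enabled      = true

  identity {
    type = "SystemAssigned"
  }
}

# The join key is the interpolated reference, so use the resource address
# here rather than a hard-coded ID string.
resource "azurerm_synapse_managed_private_endpoint" "storage" {
  name                 = "mpe-example-storage"
  synapse_workspace_id = azurerm_synapse_workspace.with_private_link.id
  target_resource_id   = var.storage_account_id
  subresource_name     = "blob"
}
```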