Azure Synapse Role Assignment
This page shows how to define a Synapse Role Assignment in Terraform and Azure Resource Manager, and how to configure it securely.
azurerm_synapse_role_assignment (Terraform)
The Role Assignment in Synapse can be configured in Terraform with the resource name azurerm_synapse_role_assignment. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
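# Grants the "Synapse Administrator" role to the principal passed in as a variable.
resource "azurerm_synapse_role_assignment" "synapseadmins" {
  synapse_workspace_id = azurerm_synapse_workspace.synapseworkspace.id
  role_name            = "Synapse Administrator"
  principal_id         = var.tf-ado-syn-admins
  # Explicit ordering: the firewall rule is created before the role assignment.
  depends_on           = [azurerm_synapse_firewall_rule.open-fwr]
}

# Grants the "Synapse SQL Administrator" role to the identity running Terraform.
resource "azurerm_synapse_role_assignment" "azurermsynapseroleassignment" {
  synapse_workspace_id = azurerm_synapse_workspace.synworkspace.id
  role_name            = "Synapse SQL Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
  # Explicit ordering: the firewall rule is created before the role assignment.
  depends_on           = [azurerm_synapse_firewall_rule.synapsefirewall]
}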
Parameters
id: optional computed - string
principal_id: required - string
role_name: required - string
synapse_workspace_id: required - string
timeouts: single block
Explanation in Terraform Registry
Manages a Synapse Role Assignment.
Tips: Best Practices for The Other Azure Synapse Resources
Besides azurerm_synapse_workspace, Azure Synapse has other resources that should be configured with security in mind. The examples and precautions below cover some of them.
azurerm_synapse_workspace
Ensure the managed virtual network is enabled
It is better to enable the managed virtual network, which is disabled by default.
Microsoft.Synapse/workspaces (Azure Resource Manager)
The workspaces in Microsoft.Synapse can be configured in Azure Resource Manager with the resource name Microsoft.Synapse/workspaces. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {

"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2021-06-01",
"name": "[parameters('workspaces_mgdcworkspace_name')]",
"location": "westeurope",
"identity": {
  "type": "SystemAssigned"

"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('workspaces_saw_name')]",
"location": "westus2",
"identity": {
  "principalId": null,

"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2021-06-01",
"name": "[parameters('WorkspaceName')]",
"location": "westeurope",
"identity": {
  "type": "SystemAssigned"

"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2020-12-01",
"tags": {},
"location": "[parameters('location')]",
"properties": {
  "defaultDataLakeStorage": {

Parameters
apiVersion: required - string
identity: optional
  type: optional - string - The type of managed identity for the workspace.
  userAssignedIdentities: optional - undefined - The User Assigned Managed Identities.
location: required - string - The geo-location where the resource lives
name: required - string - The name of the workspace.
properties: required
  azureADOnlyAuthentication: optional - boolean - Enable or Disable AzureADOnlyAuthentication on All Workspace subresource
  connectivityEndpoints: optional - string - Connectivity endpoints
  cspWorkspaceAdminProperties: optional
    initialWorkspaceAdminObjectId: optional - string - AAD object ID of initial workspace admin
  defaultDataLakeStorage: optional
    accountUrl: optional - string - Account URL
    createManagedPrivateEndpoint: optional - boolean - Create managed private endpoint to this storage account or not
    filesystem: optional - string - Filesystem name
    resourceId: optional - string - ARM resource Id of this storage account
  encryption: optional
    cmk: optional
      kekIdentity: optional
        userAssignedIdentity: optional - string - User assigned identity resource Id
        useSystemAssignedIdentity: optional - object - Boolean specifying whether to use system assigned identity or not
      key: optional
        keyVaultUrl: optional - string - Workspace Key sub-resource key vault url
        name: optional - string - Workspace Key sub-resource name
  managedResourceGroupName: optional - string - Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and '.'. Note that the name cannot end with '.'
  managedVirtualNetwork: optional - string - Setting this to 'default' will ensure that all compute for this workspace is in a virtual network managed on behalf of the user.
  managedVirtualNetworkSettings: optional
    allowedAadTenantIdsForLinking: optional - array - Allowed Aad Tenant Ids For Linking
    linkedAccessCheckOnTargetResource: optional - boolean - Linked Access Check On Target Resource
    preventDataExfiltration: optional - boolean - Prevent Data Exfiltration
  privateEndpointConnections: optional array
    properties: optional
      privateEndpoint: optional
      privateLinkServiceConnectionState: optional
        description: optional - string - The private link service connection description.
        status: optional - string - The private link service connection status.
  publicNetworkAccess: optional - string - Enable or Disable public network access to workspace.
  purviewConfiguration: optional
    purviewResourceId: optional - string - Purview Resource ID
  sqlAdministratorLogin: optional - string - Login for workspace SQL active directory administrator
  sqlAdministratorLoginPassword: optional - string - SQL administrator login password
  virtualNetworkProfile: optional
    computeSubnetId: optional - string - Subnet ID used for computes in workspace
  workspaceRepositoryConfiguration: optional
    accountName: optional - string - Account name
    collaborationBranch: optional - string - Collaboration branch
    hostName: optional - string - GitHub Enterprise host name. For example: https://github.mydomain.com
    lastCommitId: optional - string - The last commit ID
    projectName: optional - string - VSTS project name
    repositoryName: optional - string - Repository name
    rootFolder: optional - string - Root folder to use in the repository
    tenantId: optional - string - The VSTS tenant ID
    type: optional - string - Type of workspace repositoryID configuration. Example WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration
tags: optional - string - Resource tags.
type: required - string
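The managed virtual network tip above, applied to ARM templates: an added Python example (not code from this page or from the referenced repositories) that flags Microsoft.Synapse/workspaces resources whose managedVirtualNetwork is not 'default'. The preventDataExfiltration check goes beyond that tip and is an assumed review policy; the sample template and all function names are constructed for illustration.

```python
import json

# Constructed sample template (not from the page or the referenced repos).
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Synapse/workspaces", "name": "ws-open", "properties": {}},
  {"type": "Microsoft.Synapse/workspaces", "name": "ws-managed",
   "properties": {"managedVirtualNetwork": "default",
                  "managedVirtualNetworkSettings": {"preventDataExfiltration": true}}},
  {"type": "Microsoft.Synapse/workspaces", "name": "ws-param",
   "properties": {"managedVirtualNetwork": "[parameters('vnetMode')]"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"}
]}
""")


def is_expression(value):
    """ARM expressions are strings wrapped in [ ]; a leading [[ escapes a literal."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))


def check_workspace(resource):
    """Return findings for one Microsoft.Synapse/workspaces resource."""
    props = resource.get("properties")
    props = props if isinstance(props, dict) else {}
    mvn = props.get("managedVirtualNetwork")
    if is_expression(mvn):
        # Cannot be resolved offline; the parameter file decides the value.
        return ["managedVirtualNetwork is a template expression: review its value"]
    if mvn != "default":
        return ["managedVirtualNetwork is not 'default': managed virtual network is off"]
    settings = props.get("managedVirtualNetworkSettings")
    pde = settings.get("preventDataExfiltration") if isinstance(settings, dict) else None
    # Added check beyond the page's tip (assumed review policy).
    if pde is not True and not is_expression(pde):
        return ["preventDataExfiltration is not enabled on the managed virtual network"]
    return []


def audit_template(template):
    """Map workspace name -> findings for every Synapse workspace in the template."""
    return {
        r.get("name", "<unnamed>"): check_workspace(r)
        for r in template.get("resources", [])
        if str(r.get("type", "")).lower() == "microsoft.synapse/workspaces"
    }


if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, findings or "OK")
```

Nested deployments and values supplied through parameter files are not resolved here; an expression is reported for manual review rather than treated as a pass.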
Frequently asked questions
What is Azure Synapse Role Assignment?
Azure Synapse Role Assignment is a resource for Synapse of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Synapse Role Assignment?
For Terraform, the joe-plumb/mdw-azure-terraform and sugeshsuseelan/terraform-repo source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the lordozb/github-4, nisinha/cicd and batorfi/synapsews source code examples are useful. See the Azure Resource Manager Example section for further details.