Azure Synapse Role Assignment
This page shows how to write Terraform and Azure Resource Manager for Synapse Role Assignment and write them securely.
azurerm_synapse_role_assignment (Terraform)
The Role Assignment in Synapse can be configured in Terraform with the resource name azurerm_synapse_role_assignment. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_synapse_role_assignment" "synapseadmins" {
synapse_workspace_id = azurerm_synapse_workspace.synapseworkspace.id
role_name = "Synapse Administrator"
principal_id = var.tf-ado-syn-admins
depends_on = [azurerm_synapse_firewall_rule.open-fwr]
resource "azurerm_synapse_role_assignment" "azurermsynapseroleassignment" {
synapse_workspace_id = azurerm_synapse_workspace.synworkspace.id
role_name = "Synapse SQL Administrator"
principal_id = data.azurerm_client_config.current.object_id
depends_on = [azurerm_synapse_firewall_rule.synapsefirewall]
Parameters
-
idoptional computed - string -
principal_idrequired - string -
role_namerequired - string -
synapse_workspace_idrequired - string -
timeoutssingle block
Explanation in Terraform Registry
Manages a Synapse Role Assignment.
Tips: Best Practices for The Other Azure Synapse Resources
In addition to the azurerm_synapse_workspace, Azure Synapse has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_synapse_workspace
Ensure to enable the managed virtual network
It is better to enable the managed virtual network, which is disabled as the default.
Microsoft.Synapse/workspaces (Azure Resource Manager)
The workspaces in Microsoft.Synapse can be configured in Azure Resource Manager with the resource name Microsoft.Synapse/workspaces. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2021-06-01",
"name": "[parameters('workspaces_mgdcworkspace_name')]",
"location": "westeurope",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('workspaces_saw_name')]",
"location": "westus2",
"identity": {
"principalId": null,
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2021-06-01",
"name": "[parameters('WorkspaceName')]",
"location": "westeurope",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2020-12-01",
"tags": {},
"location": "[parameters('location')]",
"properties": {
"defaultDataLakeStorage": {
Parameters
apiVersionrequired - stringidentityoptionaltypeoptional - stringThe type of managed identity for the workspace.
userAssignedIdentitiesoptional - undefinedThe User Assigned Managed Identities.
locationrequired - stringThe geo-location where the resource lives
namerequired - stringThe name of the workspace.
propertiesrequiredazureADOnlyAuthenticationoptional - booleanEnable or Disable AzureADOnlyAuthentication on All Workspace subresource
connectivityEndpointsoptional - stringConnectivity endpoints
cspWorkspaceAdminPropertiesoptionalinitialWorkspaceAdminObjectIdoptional - stringAAD object ID of initial workspace admin
defaultDataLakeStorageoptionalaccountUrloptional - stringAccount URL
createManagedPrivateEndpointoptional - booleanCreate managed private endpoint to this storage account or not
filesystemoptional - stringFilesystem name
resourceIdoptional - stringARM resource Id of this storage account
encryptionoptionalcmkoptionalkekIdentityoptionaluserAssignedIdentityoptional - stringUser assigned identity resource Id
useSystemAssignedIdentityoptional - objectBoolean specifying whether to use system assigned identity or not
keyoptionalkeyVaultUrloptional - stringWorkspace Key sub-resource key vault url
nameoptional - stringWorkspace Key sub-resource name
managedResourceGroupNameoptional - stringWorkspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'
managedVirtualNetworkoptional - stringSetting this to 'default' will ensure that all compute for this workspace is in a virtual network managed on behalf of the user.
managedVirtualNetworkSettingsoptionalallowedAadTenantIdsForLinkingoptional - arrayAllowed Aad Tenant Ids For Linking
linkedAccessCheckOnTargetResourceoptional - booleanLinked Access Check On Target Resource
preventDataExfiltrationoptional - booleanPrevent Data Exfiltration
privateEndpointConnectionsoptional arraypropertiesoptionalprivateEndpointoptionalprivateLinkServiceConnectionStateoptionaldescriptionoptional - stringThe private link service connection description.
statusoptional - stringThe private link service connection status.
publicNetworkAccessoptional - stringEnable or Disable public network access to workspace.
purviewConfigurationoptionalpurviewResourceIdoptional - stringPurview Resource ID
sqlAdministratorLoginoptional - stringLogin for workspace SQL active directory administrator
sqlAdministratorLoginPasswordoptional - stringSQL administrator login password
virtualNetworkProfileoptionalcomputeSubnetIdoptional - stringSubnet ID used for computes in workspace
workspaceRepositoryConfigurationoptionalaccountNameoptional - stringAccount name
collaborationBranchoptional - stringCollaboration branch
hostNameoptional - stringGitHub Enterprise host name. For example: https://github.mydomain.com
lastCommitIdoptional - stringThe last commit ID
projectNameoptional - stringVSTS project name
repositoryNameoptional - stringRepository name
rootFolderoptional - stringRoot folder to use in the repository
tenantIdoptional - stringThe VSTS tenant ID
typeoptional - stringType of workspace repositoryID configuration. Example WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration
tagsoptional - stringResource tags.
typerequired - string
Frequently asked questions
What is Azure Synapse Role Assignment?
Azure Synapse Role Assignment is a resource for Synapse of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Synapse Role Assignment?
For Terraform, the joe-plumb/mdw-azure-terraform and sugeshsuseelan/terraform-repo source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the lordozb/github-4, nisinha/cicd and batorfi/synapsews source code examples are useful. See the Azure Resource Manager Example section for further details.
