Azure Synapse Workspace Key

This page shows how to write Terraform for Synapse Workspace Key and write them securely.

azurerm_synapse_workspace_key (Terraform)

The Workspace Key in Synapse can be configured in Terraform with the resource name azurerm_synapse_workspace_key. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


The following arguments are supported:

  • customer_managed_key_name - (Required) Specifies the name of the workspace key. Should match the name of the key in the synapse workspace.

  • customer_managed_key_versionless_id - (Required) The Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption

  • synapse_workspace_id - (Required) The ID of the Synapse Workspace where the encryption key should be configured.

  • active - (Required) Specifies if the workspace should be encrypted with this key.

-> Note: Only one key can actively encrypt a workspace. When performing a key rotation, setting a new key as the active key will disable existing keys.


The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Synapse Workspace.
  • read - (Defaults to 5 minutes) Used when retrieving the Synapse Workspace.
  • update - (Defaults to 30 minutes) Used when updating the Synapse Workspace.
  • delete - (Defaults to 30 minutes) Used when deleting the Synapse Workspace.


Synapse Workspace can be imported using the resource id, e.g.

terraform import azurerm_synapse_workspace_key.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Synapse/workspaces/workspace1/keys/key1

Explanation in Terraform Registry

Manages Synapse Workspace keys -> Note: Keys that are actively protecting a workspace cannot be deleted. When the keys resource is deleted, if the key is inactive it will be deleted, if it is active it will not be deleted.

Tips: Best Practices for The Other Azure Synapse Resources

In addition to the azurerm_synapse_workspace, Azure Synapse has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.



Ensure to enable the managed virtual network

It is better to enable the managed virtual network, which is disabled as the default.

Review your Azure Synapse settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Azure Resource Manager Example

Azure Resource Manager code does not have the related resource.

Frequently asked questions

What is Azure Synapse Workspace Key?

Azure Synapse Workspace Key is a resource for Synapse of Microsoft Azure. Settings can be wrote in Terraform.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.