Azure Synapse Workspace
This page shows how to write Terraform and Azure Resource Manager for Synapse Workspace and write them securely.
azurerm_synapse_workspace (Terraform)
The Workspace in Synapse can be configured in Terraform with the resource name azurerm_synapse_workspace
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_synapse_workspace" "workspace_good" {
name = "example"
sql_administrator_login = "sqladminuser"
sql_administrator_login_password = "H@Sh1CoR3!"
managed_virtual_network_enabled = true
tags = {
resource "azurerm_synapse_workspace" "workspace_good" {
name = "example"
sql_administrator_login = "sqladminuser"
sql_administrator_login_password = "H@Sh1CoR3!"
managed_virtual_network_enabled = true
tags = {
resource "azurerm_synapse_workspace" "general" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
sql_administrator_login = "sqladminuser"
resource "azurerm_synapse_workspace" "synapse-experiments-ws" {
name = "synapsegitconfigws"
resource_group_name = azurerm_resource_group.synapse-experiments-rg.name
location = azurerm_resource_group.synapse-experiments-rg.location
storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.synapse-experiments-fs.id
sql_administrator_login = "sqladminuser"
resource "azurerm_synapse_workspace" "example" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
sql_administrator_login = "sqladminuser"
resource "azurerm_synapse_workspace" "workspace_good" {
name = "example"
sql_administrator_login = "sqladminuser"
sql_administrator_login_password = "H@Sh1CoR3!"
managed_virtual_network_enabled = true
tags = {
resource "azurerm_synapse_workspace" "synapse_workspace" {
name = var.name
resource_group_name = var.resource_group_name
location = var.location
storage_data_lake_gen2_filesystem_id = var.storage_data_lake_gen2_filesystem_id
sql_administrator_login = var.sql_administrator_login
resource "azurerm_synapse_workspace" "synapse_workspace" {
name = var.name
resource_group_name = var.resource_group_name
location = var.location
storage_data_lake_gen2_filesystem_id = var.storage_data_lake_gen2_filesystem_id
sql_administrator_login = var.sql_administrator_login
resource "azurerm_synapse_workspace" "example" {
name = "example"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
sql_administrator_login = "yourlogin"
resource "azurerm_synapse_workspace" "synapse" {
name = var.synapse_workspace_name
resource_group_name = module.resource_group.name
location = module.resource_group.location
storage_data_lake_gen2_filesystem_id = module.data_lake_gen2_filesystem.filesystem_id
sql_administrator_login = var.synapse_sql_username
Security Best Practices for azurerm_synapse_workspace
There is 1 setting in azurerm_synapse_workspace that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure to enable the managed virtual network
It is better to enable the managed virtual network, which is disabled as the default.
Parameters
-
aad_admin
optional computed - list of object -
connectivity_endpoints
optional computed - map from string to string -
id
optional computed - string -
identity
optional computed - list of object-
principal_id
- string -
tenant_id
- string -
type
- string
-
-
location
required - string -
managed_resource_group_name
optional computed - string -
managed_virtual_network_enabled
optional - bool -
name
required - string -
resource_group_name
required - string -
sql_administrator_login
required - string -
sql_administrator_login_password
required - string -
sql_identity_control_enabled
optional - bool -
storage_data_lake_gen2_filesystem_id
required - string -
tags
optional - map from string to string -
azure_devops_repo
list block-
account_name
required - string -
branch_name
required - string -
project_name
required - string -
repository_name
required - string -
root_folder
required - string
-
-
github_repo
list block-
account_name
required - string -
branch_name
required - string -
git_url
optional - string -
repository_name
required - string -
root_folder
required - string
-
-
timeouts
single block
Explanation in Terraform Registry
Manages a Synapse Workspace.
Microsoft.Synapse/workspaces (Azure Resource Manager)
The workspaces in Microsoft.Synapse can be configured in Azure Resource Manager with the resource name Microsoft.Synapse/workspaces
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2021-06-01",
"name": "[parameters('workspaces_mgdcworkspace_name')]",
"location": "westeurope",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('workspaces_saw_name')]",
"location": "westus2",
"identity": {
"principalId": null,
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2021-06-01",
"name": "[parameters('WorkspaceName')]",
"location": "westeurope",
"identity": {
"type": "SystemAssigned"
"type": "Microsoft.Synapse/workspaces",
"apiVersion": "2020-12-01",
"tags": {},
"location": "[parameters('location')]",
"properties": {
"defaultDataLakeStorage": {
Parameters
apiVersion
required - stringidentity
optionaltype
optional - stringThe type of managed identity for the workspace.
userAssignedIdentities
optional - undefinedThe User Assigned Managed Identities.
location
required - stringThe geo-location where the resource lives
name
required - stringThe name of the workspace.
properties
requiredazureADOnlyAuthentication
optional - booleanEnable or Disable AzureADOnlyAuthentication on All Workspace subresource
connectivityEndpoints
optional - stringConnectivity endpoints
cspWorkspaceAdminProperties
optionalinitialWorkspaceAdminObjectId
optional - stringAAD object ID of initial workspace admin
defaultDataLakeStorage
optionalaccountUrl
optional - stringAccount URL
createManagedPrivateEndpoint
optional - booleanCreate managed private endpoint to this storage account or not
filesystem
optional - stringFilesystem name
resourceId
optional - stringARM resource Id of this storage account
encryption
optionalcmk
optionalkekIdentity
optionaluserAssignedIdentity
optional - stringUser assigned identity resource Id
useSystemAssignedIdentity
optional - objectBoolean specifying whether to use system assigned identity or not
key
optionalkeyVaultUrl
optional - stringWorkspace Key sub-resource key vault url
name
optional - stringWorkspace Key sub-resource name
managedResourceGroupName
optional - stringWorkspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters long, and must be alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and'.'. Note that the name cannot end with '.'
managedVirtualNetwork
optional - stringSetting this to 'default' will ensure that all compute for this workspace is in a virtual network managed on behalf of the user.
managedVirtualNetworkSettings
optionalallowedAadTenantIdsForLinking
optional - arrayAllowed Aad Tenant Ids For Linking
linkedAccessCheckOnTargetResource
optional - booleanLinked Access Check On Target Resource
preventDataExfiltration
optional - booleanPrevent Data Exfiltration
privateEndpointConnections
optional arrayproperties
optionalprivateEndpoint
optionalprivateLinkServiceConnectionState
optionaldescription
optional - stringThe private link service connection description.
status
optional - stringThe private link service connection status.
publicNetworkAccess
optional - stringEnable or Disable public network access to workspace.
purviewConfiguration
optionalpurviewResourceId
optional - stringPurview Resource ID
sqlAdministratorLogin
optional - stringLogin for workspace SQL active directory administrator
sqlAdministratorLoginPassword
optional - stringSQL administrator login password
virtualNetworkProfile
optionalcomputeSubnetId
optional - stringSubnet ID used for computes in workspace
workspaceRepositoryConfiguration
optionalaccountName
optional - stringAccount name
collaborationBranch
optional - stringCollaboration branch
hostName
optional - stringGitHub Enterprise host name. For example: https://github.mydomain.com
lastCommitId
optional - stringThe last commit ID
projectName
optional - stringVSTS project name
repositoryName
optional - stringRepository name
rootFolder
optional - stringRoot folder to use in the repository
tenantId
optional - stringThe VSTS tenant ID
type
optional - stringType of workspace repositoryID configuration. Example WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration
tags
optional - stringResource tags.
type
required - string
Frequently asked questions
What is Azure Synapse Workspace?
Azure Synapse Workspace is a resource for Synapse of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Synapse Workspace?
For Terraform, the SnidermanIndustries/checkov-fork, melscoop-test/check and infracost/infracost source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the lordozb/github-4, nisinha/cicd and batorfi/synapsews source code examples are useful. See the Azure Resource Manager Example section for further details.