Azure Synapse Workspace

This page shows how to configure an Azure Synapse Workspace with Terraform and Azure Resource Manager, and how to do so securely.

azurerm_synapse_workspace (Terraform)

The Workspace in Synapse can be configured in Terraform with the resource name azurerm_synapse_workspace. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L6

resource "azurerm_synapse_workspace" "workspace_good" {
  name                                 = "example"
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
  tags = {

main.tf#L6

resource "azurerm_synapse_workspace" "workspace_good" {
  name                                 = "example"
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
  tags = {

synapse_workspace_test.tf#L26

resource "azurerm_synapse_workspace" "general" {
  name                                 = "example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"

synapse_github_setup.tf#L26

resource "azurerm_synapse_workspace" "synapse-experiments-ws" {
  name                                 = "synapsegitconfigws"
  resource_group_name                  = azurerm_resource_group.synapse-experiments-rg.name
  location                             = azurerm_resource_group.synapse-experiments-rg.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.synapse-experiments-fs.id
  sql_administrator_login              = "sqladminuser"

main.tf#L25

resource "azurerm_synapse_workspace" "example" {
  name                                 = "example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"

main.tf#L6

resource "azurerm_synapse_workspace" "workspace_good" {
  name                                 = "example"
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
  tags = {

main.tf#L1

resource "azurerm_synapse_workspace" "synapse_workspace" {
  name                                 = var.name
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = var.storage_data_lake_gen2_filesystem_id
  sql_administrator_login              = var.sql_administrator_login

mani.tf#L1

resource "azurerm_synapse_workspace" "synapse_workspace" {
  name                                 = var.name
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = var.storage_data_lake_gen2_filesystem_id
  sql_administrator_login              = var.sql_administrator_login

main.tf#L55

resource "azurerm_synapse_workspace" "example" {
  name                                 = "example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "yourlogin"

main.tf#L51

resource "azurerm_synapse_workspace" "synapse" {
    name = var.synapse_workspace_name
    resource_group_name = module.resource_group.name
    location = module.resource_group.location
    storage_data_lake_gen2_filesystem_id = module.data_lake_gen2_filesystem.filesystem_id
    sql_administrator_login = var.synapse_sql_username

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_synapse_workspace

There is 1 setting in azurerm_synapse_workspace that should be taken care of for security reasons. The following section gives an overview and example code.

Ensure the managed virtual network is enabled

Enable the managed virtual network (managed_virtual_network_enabled = true, as in the workspace_good examples above); it is disabled by default.
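
One way to check this setting before apply, as an added example (not code from Shisho Cloud or the Terraform provider): the script reads the JSON form of a plan, as produced by terraform show -json, and returns every azurerm_synapse_workspace whose managed_virtual_network_enabled is not true. The sample plan and its resource addresses are constructed for illustration.

```python
import json

# Constructed sample: trimmed output of `terraform show -json <planfile>`.
# Only the fields this check reads are kept; the addresses are hypothetical.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "azurerm_synapse_workspace.with_vnet",
     "type": "azurerm_synapse_workspace",
     "change": {"actions": ["create"],
                "after": {"name": "example",
                          "managed_virtual_network_enabled": true}}},
    {"address": "azurerm_synapse_workspace.default_settings",
     "type": "azurerm_synapse_workspace",
     "change": {"actions": ["create"],
                "after": {"name": "example2",
                          "managed_virtual_network_enabled": false}}},
    {"address": "azurerm_synapse_workspace.being_removed",
     "type": "azurerm_synapse_workspace",
     "change": {"actions": ["delete"], "after": null}},
    {"address": "azurerm_resource_group.example",
     "type": "azurerm_resource_group",
     "change": {"actions": ["create"], "after": {"name": "rg"}}}
  ]
}
""")


def workspaces_without_managed_vnet(plan):
    """Return addresses of Synapse workspaces planned without a managed VNet."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_synapse_workspace":
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed; nothing to check
            continue
        # Absent, null and false are all treated as "disabled" (the default).
        if after.get("managed_virtual_network_enabled") is not True:
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in workspaces_without_managed_vnet(SAMPLE_PLAN):
        print(f"{address}: managed_virtual_network_enabled is not true")
```
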

Parameters

Explanation in Terraform Registry

Manages a Synapse Workspace.

Microsoft.Synapse/workspaces (Azure Resource Manager)

The workspaces in Microsoft.Synapse can be configured in Azure Resource Manager with the resource name Microsoft.Synapse/workspaces. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

TemplateForWorkspace.json

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {

ARMTemplateForWorkspace.json

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {

TemplateForWorkspace.json

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {

TemplateForWorkspace.json

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {

TemplateForWorkspace.json

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {

ARMTemplateForWorkspace.json

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {

template.json#L20

            "type": "Microsoft.Synapse/workspaces",
            "apiVersion": "2021-06-01",
            "name": "[parameters('workspaces_mgdcworkspace_name')]",
            "location": "westeurope",
            "identity": {
                "type": "SystemAssigned"

template-synapse-workspace.json#L21

            "type": "Microsoft.Synapse/workspaces",
            "apiVersion": "2019-06-01-preview",
            "name": "[parameters('workspaces_saw_name')]",
            "location": "westus2",
            "identity": {
                "principalId": null,

azuredeploy.json#L73

            "type": "Microsoft.Synapse/workspaces",
            "apiVersion": "2021-06-01",
            "name": "[parameters('WorkspaceName')]",
            "location": "westeurope",
            "identity": {
                "type": "SystemAssigned"

Template.json#L24

            "type": "Microsoft.Synapse/workspaces",
            "apiVersion": "2020-12-01",
            "tags": {},
            "location": "[parameters('location')]",
            "properties": {
                "defaultDataLakeStorage": {

Parameters

  • apiVersion required - string
  • identity optional
      • type optional - string

        The type of managed identity for the workspace.

      • userAssignedIdentities optional - undefined

        The User Assigned Managed Identities.

  • location required - string

    The geo-location where the resource lives

  • name required - string

    The name of the workspace.

  • properties required
      • azureADOnlyAuthentication optional - boolean

        Enable or Disable AzureADOnlyAuthentication on All Workspace subresource

      • connectivityEndpoints optional - string

        Connectivity endpoints

      • cspWorkspaceAdminProperties optional
          • initialWorkspaceAdminObjectId optional - string

            AAD object ID of initial workspace admin

      • defaultDataLakeStorage optional
          • accountUrl optional - string

            Account URL

          • createManagedPrivateEndpoint optional - boolean

            Create managed private endpoint to this storage account or not

          • filesystem optional - string

            Filesystem name

          • resourceId optional - string

            ARM resource Id of this storage account

      • encryption optional
          • cmk optional
              • kekIdentity optional
                  • userAssignedIdentity optional - string

                    User assigned identity resource Id

                  • useSystemAssignedIdentity optional - object

                    Boolean specifying whether to use system assigned identity or not

              • key optional
                  • keyVaultUrl optional - string

                    Workspace Key sub-resource key vault url

                  • name optional - string

                    Workspace Key sub-resource name

      • managedResourceGroupName optional - string

        Workspace managed resource group. The resource group name uniquely identifies the resource group within the user subscriptionId. The resource group name must be no longer than 90 characters and may contain only alphanumeric characters (Char.IsLetterOrDigit()) and '-', '_', '(', ')' and '.'. Note that the name cannot end with '.'.

      • managedVirtualNetwork optional - string

        Setting this to 'default' will ensure that all compute for this workspace is in a virtual network managed on behalf of the user.

      • managedVirtualNetworkSettings optional
          • allowedAadTenantIdsForLinking optional - array

            Allowed Aad Tenant Ids For Linking

          • linkedAccessCheckOnTargetResource optional - boolean

            Linked Access Check On Target Resource

          • preventDataExfiltration optional - boolean

            Prevent Data Exfiltration

      • privateEndpointConnections optional - array
          • properties optional
              • privateEndpoint optional
              • privateLinkServiceConnectionState optional
                  • description optional - string

                    The private link service connection description.

                  • status optional - string

                    The private link service connection status.

      • publicNetworkAccess optional - string

        Enable or Disable public network access to workspace.

      • purviewConfiguration optional
          • purviewResourceId optional - string

            Purview Resource ID

      • sqlAdministratorLogin optional - string

        Login for workspace SQL active directory administrator

      • sqlAdministratorLoginPassword optional - string

        SQL administrator login password

      • virtualNetworkProfile optional
          • computeSubnetId optional - string

            Subnet ID used for computes in workspace

      • workspaceRepositoryConfiguration optional
          • accountName optional - string

            Account name

          • collaborationBranch optional - string

            Collaboration branch

          • hostName optional - string

            GitHub Enterprise host name. For example: https://github.mydomain.com

          • lastCommitId optional - string

            The last commit ID

          • projectName optional - string

            VSTS project name

          • repositoryName optional - string

            Repository name

          • rootFolder optional - string

            Root folder to use in the repository

          • tenantId optional - string

            The VSTS tenant ID

          • type optional - string

            Type of workspace repositoryID configuration. Example WorkspaceVSTSConfiguration, WorkspaceGitHubConfiguration

  • tags optional - string

    Resource tags.

  • type required - string

Frequently asked questions

What is Azure Synapse Workspace?

Azure Synapse Workspace is a resource for Synapse of Microsoft Azure. Settings can be written in Terraform.

Where can I find the example code for the Azure Synapse Workspace?

For Terraform, the SnidermanIndustries/checkov-fork, melscoop-test/check and infracost/infracost source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the lordozb/github-4, nisinha/cicd and batorfi/synapsews source code examples are useful. See the Azure Resource Manager Example section for further details.