azurermSynapseWorkspace
Manages a Synapse Workspace.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-resources",
}
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
this,
"example_1",
{
account_kind: "StorageV2",
account_replication_type: "LRS",
account_tier: "Standard",
is_hns_enabled: "true",
location: azurermResourceGroupExample.location,
name: "examplestorageacc",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermStorageDataLakeGen2FilesystemExample =
new azurerm.storageDataLakeGen2Filesystem.StorageDataLakeGen2Filesystem(
this,
"example_2",
{
name: "example",
storage_account_id: azurermStorageAccountExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageDataLakeGen2FilesystemExample.overrideLogicalId("example");
const azurermSynapseWorkspaceExample =
new azurerm.synapseWorkspace.SynapseWorkspace(this, "example_3", {
aad_admin: [
{
login: "AzureAD Admin",
object_id: "00000000-0000-0000-0000-000000000000",
tenant_id: "00000000-0000-0000-0000-000000000000",
},
],
identity: [
{
type: "SystemAssigned",
},
],
location: azurermResourceGroupExample.location,
name: "example",
resource_group_name: azurermResourceGroupExample.name,
sql_administrator_login: "sqladminuser",
sql_administrator_login_password: "H@Sh1CoR3!",
storage_data_lake_gen2_filesystem_id:
azurermStorageDataLakeGen2FilesystemExample.id,
tags: {
Env: "production",
},
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceExample.overrideLogicalId("example");
Example Usage - creating a workspace with Customer Managed Key and Azure AD Admin
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-resources",
}
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
this,
"example_1",
{
account_kind: "StorageV2",
account_replication_type: "LRS",
account_tier: "Standard",
is_hns_enabled: "true",
location: azurermResourceGroupExample.location,
name: "examplestorageacc",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermStorageDataLakeGen2FilesystemExample =
new azurerm.storageDataLakeGen2Filesystem.StorageDataLakeGen2Filesystem(
this,
"example_2",
{
name: "example",
storage_account_id: azurermStorageAccountExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageDataLakeGen2FilesystemExample.overrideLogicalId("example");
const dataAzurermClientConfigCurrent =
new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
this,
"current",
{}
);
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
this,
"example_4",
{
location: azurermResourceGroupExample.location,
name: "example",
purge_protection_enabled: true,
resource_group_name: azurermResourceGroupExample.name,
sku_name: "standard",
tenant_id: dataAzurermClientConfigCurrent.tenantId,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyDeployer =
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "deployer", {
key_permissions: ["Create", "Get", "Delete", "Purge", "GetRotationPolicy"],
key_vault_id: azurermKeyVaultExample.id,
object_id: dataAzurermClientConfigCurrent.objectId,
tenant_id: dataAzurermClientConfigCurrent.tenantId,
});
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
this,
"example_6",
{
depends_on: [`\${${azurermKeyVaultAccessPolicyDeployer.fqn}}`],
key_opts: ["unwrapKey", "wrapKey"],
key_size: 2048,
key_type: "RSA",
key_vault_id: azurermKeyVaultExample.id,
name: "workspaceencryptionkey",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermSynapseWorkspaceExample =
new azurerm.synapseWorkspace.SynapseWorkspace(this, "example_7", {
customer_managed_key: [
{
key_name: "enckey",
key_versionless_id: azurermKeyVaultKeyExample.versionlessId,
},
],
identity: [
{
type: "SystemAssigned",
},
],
location: azurermResourceGroupExample.location,
name: "example",
resource_group_name: azurermResourceGroupExample.name,
sql_administrator_login: "sqladminuser",
sql_administrator_login_password: "H@Sh1CoR3!",
storage_data_lake_gen2_filesystem_id:
azurermStorageDataLakeGen2FilesystemExample.id,
tags: {
Env: "production",
},
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyWorkspacePolicy =
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(
this,
"workspace_policy",
{
key_permissions: ["Get", "WrapKey", "UnwrapKey"],
key_vault_id: azurermKeyVaultExample.id,
object_id: `\${${azurermSynapseWorkspaceExample.identity.fqn}[0].principal_id}`,
tenant_id: `\${${azurermSynapseWorkspaceExample.identity.fqn}[0].tenant_id}`,
}
);
const azurermSynapseWorkspaceKeyExample =
new azurerm.synapseWorkspaceKey.SynapseWorkspaceKey(this, "example_9", {
active: true,
customer_managed_key_name: "enckey",
customer_managed_key_versionless_id:
azurermKeyVaultKeyExample.versionlessId,
depends_on: [`\${${azurermKeyVaultAccessPolicyWorkspacePolicy.fqn}}`],
synapse_workspace_id: azurermSynapseWorkspaceExample.id,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceKeyExample.overrideLogicalId("example");
const azurermSynapseWorkspaceAadAdminExample =
new azurerm.synapseWorkspaceAadAdmin.SynapseWorkspaceAadAdmin(
this,
"example_10",
{
depends_on: [`\${${azurermSynapseWorkspaceKeyExample.fqn}}`],
login: "AzureAD Admin",
object_id: "00000000-0000-0000-0000-000000000000",
synapse_workspace_id: azurermSynapseWorkspaceExample.id,
tenant_id: "00000000-0000-0000-0000-000000000000",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceAadAdminExample.overrideLogicalId("example");
Arguments Reference
The following arguments are supported:
-
name
- (Required) Specifies the name which should be used for this synapse Workspace. Changing this forces a new resource to be created. -
resourceGroupName
- (Required) Specifies the name of the Resource Group where the synapse Workspace should exist. Changing this forces a new resource to be created. -
location
- (Required) Specifies the Azure Region where the synapse Workspace should exist. Changing this forces a new resource to be created. -
identity
- (Optional) Anidentity
block as defined below. -
storageDataLakeGen2FilesystemId
- (Required) Specifies the ID of storage data lake gen2 filesystem resource. Changing this forces a new resource to be created. -
sqlAdministratorLogin
- (Optional) Specifies The login name of the SQL administrator. Changing this forces a new resource to be created. If this is not providedaadAdmin
orcustomerManagedKey
must be provided. -
sqlAdministratorLoginPassword
- (Optional) The Password associated with thesqlAdministratorLogin
for the SQL administrator. If this is not providedaadAdmin
orcustomerManagedKey
must be provided.
-
aadAdmin
- (Optional) AnaadAdmin
block as defined below. Conflicts withcustomerManagedKey
. -
computeSubnetId
- (Optional) Subnet ID used for computes in workspace Changing this forces a new resource to be created. -
azureDevopsRepo
- (Optional) AnazureDevopsRepo
block as defined below. -
dataExfiltrationProtectionEnabled
- (Optional) Is data exfiltration protection enabled in this workspace? If set totrue
,managedVirtualNetworkEnabled
must also be set totrue
. Changing this forces a new resource to be created. -
customerManagedKey
- (Optional) AcustomerManagedKey
block as defined below. Conflicts withaadAdmin
. -
githubRepo
- (Optional) AgithubRepo
block as defined below. -
linkingAllowedForAadTenantIds
- (Optional) Allowed AAD Tenant Ids For Linking. -
managedResourceGroupName
- (Optional) Workspace managed resource group. Changing this forces a new resource to be created. -
managedVirtualNetworkEnabled
- (Optional) Is Virtual Network enabled for all computes in this workspace? Changing this forces a new resource to be created. -
publicNetworkAccessEnabled
- (Optional) Whether public network access is allowed for the Cognitive Account. Defaults totrue
. -
purviewId
- (Optional) The ID of purview account. -
sqlAadAdmin
- (Optional) AnsqlAadAdmin
block as defined below. -
sqlIdentityControlEnabled
- (Optional) Are pipelines (running as workspace's system assigned identity) allowed to access SQL pools? -
tags
- (Optional) A mapping of tags which should be assigned to the Synapse Workspace.
An aadAdmin
block supports the following:
-
login
- (Required) The login name of the Azure AD Administrator of this Synapse Workspace. -
objectId
- (Required) The object id of the Azure AD Administrator of this Synapse Workspace. -
tenantId
- (Required) The tenant id of the Azure AD Administrator of this Synapse Workspace.
An azureDevopsRepo
block supports the following:
-
accountName
- (Required) Specifies the Azure DevOps account name. -
branchName
- (Required) Specifies the collaboration branch of the repository to get code from. -
lastCommitId
- (Optional) The last commit ID. -
projectName
- (Required) Specifies the name of the Azure DevOps project. -
repositoryName
- (Required) Specifies the name of the git repository. -
rootFolder
- (Required) Specifies the root folder within the repository. Set to/
for the top level. -
tenantId
- (Optional) the ID of the tenant for the Azure DevOps account.
A customerManagedKey
block supports the following:
-
keyVersionlessId
- (Required) The Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption (e.g.https://exampleKeyvaultVaultAzureNet/type/cmk/
). -
keyName
- (Optional) An identifier for the key. Name needs to match the name of the key used with theazurermSynapseWorkspaceKey
resource. Defaults to "cmk" if not specified.
The identity
block supports the following:
-
type
- (Required) Specifies the type of Managed Service Identity that should be associated with this Synapse Workspace. Possible values aresystemAssigned
,userAssigned
andsystemAssigned,UserAssigned
(to enable both). -
identityIds
- (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Synapse Workspace.
\~> NOTE: This is required when type
is set to userAssigned
or systemAssigned,UserAssigned
.
A githubRepo
block supports the following:
-
accountName
- (Required) Specifies the GitHub account name. -
branchName
- (Required) Specifies the collaboration branch of the repository to get code from. -
lastCommitId
- (Optional) The last commit ID. -
repositoryName
- (Required) Specifies the name of the git repository. -
rootFolder
- (Required) Specifies the root folder within the repository. Set to/
for the top level. -
gitUrl
- (Optional) Specifies the GitHub Enterprise host name. For example: https://github.mydomain.com.
-> Note: You must log in to the Synapse UI to complete the authentication to the GitHub repository.
An sqlAadAdmin
block supports the following:
-
login
- (Required) The login name of the Azure AD Administrator of this Synapse Workspace SQL. -
objectId
- (Required) The object id of the Azure AD Administrator of this Synapse Workspace SQL. -
tenantId
- (Required) The tenant id of the Azure AD Administrator of this Synapse Workspace SQL.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
-
id
- The ID of the synapse Workspace. -
connectivityEndpoints
- A list of Connectivity endpoints for this Synapse Workspace.
The identity
block exports the following:
-
principalId
- The Principal ID for the Service Principal associated with the Managed Service Identity of this Synapse Workspace. -
tenantId
- The Tenant ID for the Service Principal associated with the Managed Service Identity of this Synapse Workspace.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the Synapse Workspace.read
- (Defaults to 5 minutes) Used when retrieving the Synapse Workspace.update
- (Defaults to 30 minutes) Used when updating the Synapse Workspace.delete
- (Defaults to 30 minutes) Used when deleting the Synapse Workspace.
Import
Synapse Workspace can be imported using the resourceId
, e.g.