azurermSynapseWorkspace

Manages a Synapse Workspace.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    account_kind: "StorageV2",
    account_replication_type: "LRS",
    account_tier: "Standard",
    is_hns_enabled: "true",
    location: azurermResourceGroupExample.location,
    name: "examplestorageacc",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermStorageDataLakeGen2FilesystemExample =
  new azurerm.storageDataLakeGen2Filesystem.StorageDataLakeGen2Filesystem(
    this,
    "example_2",
    {
      name: "example",
      storage_account_id: azurermStorageAccountExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageDataLakeGen2FilesystemExample.overrideLogicalId("example");
const azurermSynapseWorkspaceExample =
  new azurerm.synapseWorkspace.SynapseWorkspace(this, "example_3", {
    aad_admin: [
      {
        login: "AzureAD Admin",
        object_id: "00000000-0000-0000-0000-000000000000",
        tenant_id: "00000000-0000-0000-0000-000000000000",
      },
    ],
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "example",
    resource_group_name: azurermResourceGroupExample.name,
    sql_administrator_login: "sqladminuser",
    sql_administrator_login_password: "H@Sh1CoR3!",
    storage_data_lake_gen2_filesystem_id:
      azurermStorageDataLakeGen2FilesystemExample.id,
    tags: {
      Env: "production",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceExample.overrideLogicalId("example");

Example Usage - creating a workspace with Customer Managed Key and Azure AD Admin

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    account_kind: "StorageV2",
    account_replication_type: "LRS",
    account_tier: "Standard",
    is_hns_enabled: "true",
    location: azurermResourceGroupExample.location,
    name: "examplestorageacc",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermStorageDataLakeGen2FilesystemExample =
  new azurerm.storageDataLakeGen2Filesystem.StorageDataLakeGen2Filesystem(
    this,
    "example_2",
    {
      name: "example",
      storage_account_id: azurermStorageAccountExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageDataLakeGen2FilesystemExample.overrideLogicalId("example");
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_4",
  {
    location: azurermResourceGroupExample.location,
    name: "example",
    purge_protection_enabled: true,
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "standard",
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyDeployer =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "deployer", {
    key_permissions: ["Create", "Get", "Delete", "Purge", "GetRotationPolicy"],
    key_vault_id: azurermKeyVaultExample.id,
    object_id: dataAzurermClientConfigCurrent.objectId,
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  });
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
  this,
  "example_6",
  {
    depends_on: [`\${${azurermKeyVaultAccessPolicyDeployer.fqn}}`],
    key_opts: ["unwrapKey", "wrapKey"],
    key_size: 2048,
    key_type: "RSA",
    key_vault_id: azurermKeyVaultExample.id,
    name: "workspaceencryptionkey",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermSynapseWorkspaceExample =
  new azurerm.synapseWorkspace.SynapseWorkspace(this, "example_7", {
    customer_managed_key: [
      {
        key_name: "enckey",
        key_versionless_id: azurermKeyVaultKeyExample.versionlessId,
      },
    ],
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "example",
    resource_group_name: azurermResourceGroupExample.name,
    sql_administrator_login: "sqladminuser",
    sql_administrator_login_password: "H@Sh1CoR3!",
    storage_data_lake_gen2_filesystem_id:
      azurermStorageDataLakeGen2FilesystemExample.id,
    tags: {
      Env: "production",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyWorkspacePolicy =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(
    this,
    "workspace_policy",
    {
      key_permissions: ["Get", "WrapKey", "UnwrapKey"],
      key_vault_id: azurermKeyVaultExample.id,
      object_id: `\${${azurermSynapseWorkspaceExample.identity.fqn}[0].principal_id}`,
      tenant_id: `\${${azurermSynapseWorkspaceExample.identity.fqn}[0].tenant_id}`,
    }
  );
const azurermSynapseWorkspaceKeyExample =
  new azurerm.synapseWorkspaceKey.SynapseWorkspaceKey(this, "example_9", {
    active: true,
    customer_managed_key_name: "enckey",
    customer_managed_key_versionless_id:
      azurermKeyVaultKeyExample.versionlessId,
    depends_on: [`\${${azurermKeyVaultAccessPolicyWorkspacePolicy.fqn}}`],
    synapse_workspace_id: azurermSynapseWorkspaceExample.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceKeyExample.overrideLogicalId("example");
const azurermSynapseWorkspaceAadAdminExample =
  new azurerm.synapseWorkspaceAadAdmin.SynapseWorkspaceAadAdmin(
    this,
    "example_10",
    {
      depends_on: [`\${${azurermSynapseWorkspaceKeyExample.fqn}}`],
      login: "AzureAD Admin",
      object_id: "00000000-0000-0000-0000-000000000000",
      synapse_workspace_id: azurermSynapseWorkspaceExample.id,
      tenant_id: "00000000-0000-0000-0000-000000000000",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSynapseWorkspaceAadAdminExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

name - (Required) Specifies the name which should be used for this synapse Workspace. Changing this forces a new resource to be created.
resourceGroupName - (Required) Specifies the name of the Resource Group where the synapse Workspace should exist. Changing this forces a new resource to be created.
location - (Required) Specifies the Azure Region where the synapse Workspace should exist. Changing this forces a new resource to be created.
identity - (Optional) An identity block as defined below.
storageDataLakeGen2FilesystemId - (Required) Specifies the ID of storage data lake gen2 filesystem resource. Changing this forces a new resource to be created.
sqlAdministratorLogin - (Optional) Specifies The login name of the SQL administrator. Changing this forces a new resource to be created. If this is not provided aadAdmin or customerManagedKey must be provided.
sqlAdministratorLoginPassword - (Optional) The Password associated with the sqlAdministratorLogin for the SQL administrator. If this is not provided aadAdmin or customerManagedKey must be provided.

aadAdmin - (Optional) An aadAdmin block as defined below. Conflicts with customerManagedKey.
computeSubnetId - (Optional) Subnet ID used for computes in workspace Changing this forces a new resource to be created.
azureDevopsRepo - (Optional) An azureDevopsRepo block as defined below.
dataExfiltrationProtectionEnabled - (Optional) Is data exfiltration protection enabled in this workspace? If set to true, managedVirtualNetworkEnabled must also be set to true. Changing this forces a new resource to be created.
customerManagedKey - (Optional) A customerManagedKey block as defined below. Conflicts with aadAdmin.
githubRepo - (Optional) A githubRepo block as defined below.
linkingAllowedForAadTenantIds - (Optional) Allowed AAD Tenant Ids For Linking.
managedResourceGroupName - (Optional) Workspace managed resource group. Changing this forces a new resource to be created.
managedVirtualNetworkEnabled - (Optional) Is Virtual Network enabled for all computes in this workspace? Changing this forces a new resource to be created.
publicNetworkAccessEnabled - (Optional) Whether public network access is allowed for the Cognitive Account. Defaults to true.
purviewId - (Optional) The ID of purview account.
sqlAadAdmin - (Optional) An sqlAadAdmin block as defined below.
sqlIdentityControlEnabled - (Optional) Are pipelines (running as workspace's system assigned identity) allowed to access SQL pools?
tags - (Optional) A mapping of tags which should be assigned to the Synapse Workspace.

An aadAdmin block supports the following:

login - (Required) The login name of the Azure AD Administrator of this Synapse Workspace.
objectId - (Required) The object id of the Azure AD Administrator of this Synapse Workspace.
tenantId - (Required) The tenant id of the Azure AD Administrator of this Synapse Workspace.

An azureDevopsRepo block supports the following:

accountName - (Required) Specifies the Azure DevOps account name.
branchName - (Required) Specifies the collaboration branch of the repository to get code from.
lastCommitId - (Optional) The last commit ID.
projectName - (Required) Specifies the name of the Azure DevOps project.
repositoryName - (Required) Specifies the name of the git repository.
rootFolder - (Required) Specifies the root folder within the repository. Set to / for the top level.
tenantId - (Optional) the ID of the tenant for the Azure DevOps account.

A customerManagedKey block supports the following:

keyVersionlessId - (Required) The Azure Key Vault Key Versionless ID to be used as the Customer Managed Key (CMK) for double encryption (e.g. https://exampleKeyvaultVaultAzureNet/type/cmk/).
keyName - (Optional) An identifier for the key. Name needs to match the name of the key used with the azurermSynapseWorkspaceKey resource. Defaults to "cmk" if not specified.

The identity block supports the following:

type - (Required) Specifies the type of Managed Service Identity that should be associated with this Synapse Workspace. Possible values are systemAssigned, userAssigned and systemAssigned,UserAssigned (to enable both).
identityIds - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Synapse Workspace.

\~> NOTE: This is required when type is set to userAssigned or systemAssigned,UserAssigned.

A githubRepo block supports the following:

accountName - (Required) Specifies the GitHub account name.
branchName - (Required) Specifies the collaboration branch of the repository to get code from.
lastCommitId - (Optional) The last commit ID.
repositoryName - (Required) Specifies the name of the git repository.
rootFolder - (Required) Specifies the root folder within the repository. Set to / for the top level.
gitUrl - (Optional) Specifies the GitHub Enterprise host name. For example: https://github.mydomain.com.

-> Note: You must log in to the Synapse UI to complete the authentication to the GitHub repository.

An sqlAadAdmin block supports the following:

login - (Required) The login name of the Azure AD Administrator of this Synapse Workspace SQL.
objectId - (Required) The object id of the Azure AD Administrator of this Synapse Workspace SQL.
tenantId - (Required) The tenant id of the Azure AD Administrator of this Synapse Workspace SQL.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

id - The ID of the synapse Workspace.
connectivityEndpoints - A list of Connectivity endpoints for this Synapse Workspace.

The identity block exports the following:

principalId - The Principal ID for the Service Principal associated with the Managed Service Identity of this Synapse Workspace.
tenantId - The Tenant ID for the Service Principal associated with the Managed Service Identity of this Synapse Workspace.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

create - (Defaults to 30 minutes) Used when creating the Synapse Workspace.
read - (Defaults to 5 minutes) Used when retrieving the Synapse Workspace.
update - (Defaults to 30 minutes) Used when updating the Synapse Workspace.
delete - (Defaults to 30 minutes) Used when deleting the Synapse Workspace.

Import

Synapse Workspace can be imported using the resourceId, e.g.

terraform import azurerm_synapse_workspace.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Synapse/workspaces/workspace1