both RGs explained

Author: brown9804

5_analytics-bigdata/synapse-analytics/README.md

@@ -11,6 +11,9 @@ Last updated: 2026-02-11
 
 > This template contains Terraform configurations to create an Azure Synapse Analytics workspace backed by an ADLS Gen2 filesystem.
 
+> [!IMPORTANT]
+> Azure Synapse always uses a **managed resource group** (configured by `managed_resource_group_name`). This is created and managed by the Synapse service itself and is required for the workspace to operate. You will see **two resource groups** in Azure: your main RG plus the Synapse-managed RG.
+
 > [!IMPORTANT]
 > This template creates the Storage Account and filesystem via the AzAPI provider (management plane) to avoid key-based Storage data-plane operations (common in environments where shared keys are disabled by policy).
 
@@ -32,7 +35,7 @@ Last updated: 2026-02-11
 | `resource_group_name` | Resource Group name to create/deploy into. | string | `"rg-analytics-dev"` |
 | `location` | Azure region for the deployment. | string | `"eastus"` |
 | `synapse_workspace_name` | Base Synapse workspace name. If suffix enabled, final is `<base>-<suffix>`. | string | `"synw-analytics-dev"` |
-| `managed_resource_group_name` | Base managed RG name for Synapse. If suffix enabled, final is `<base>-<suffix>`. | string | `"rg-synapse-managed-analytics-dev"` |
+| `managed_resource_group_name` | Optional base managed RG name for Synapse. If omitted, auto-generated. | string | `null` |
 | `storage_account_name` | Base storage account name. If suffix enabled, final is `<base><suffix>` (no dash). | string | `"stadlsanalyticsdev"` |
 | `filesystem_name` | ADLS Gen2 filesystem name (container). | string | `"synapse"` |
 | `sql_administrator_login` | Synapse SQL admin login. | string | `"sqladminuser"` |

5_analytics-bigdata/synapse-analytics/main.tf

@@ -2,11 +2,24 @@
 # Creates an Azure Synapse Analytics workspace backed by an ADLS Gen2 filesystem.
 # Storage resources are created via AzAPI (management plane) to avoid key-based data-plane operations.
 
-resource "azurerm_resource_group" "rg" {
-  name     = var.resource_group_name
-  location = var.location
+data "azurerm_client_config" "current" {}
 
-  tags = var.tags
+# Resource group creation is idempotent in ARM (PUT). This will create the RG if it doesn't exist,
+# or update tags if it already exists.
+resource "azapi_resource" "resource_group" {
+  type      = "Microsoft.Resources/resourceGroups@2022-09-01"
+  name      = var.resource_group_name
+  location  = var.location
+  parent_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
+
+  body = jsonencode({
+    tags = var.tags
+  })
+
+  response_export_values = [
+    "id",
+    "name"
+  ]
 }
 
 resource "random_string" "suffix" {
@@ -20,14 +33,19 @@ resource "random_string" "suffix" {
     location            = var.location
     workspace_base      = var.synapse_workspace_name
     storage_base        = var.storage_account_name
-    managed_rg_base     = var.managed_resource_group_name
+    managed_rg_base     = coalesce(var.managed_resource_group_name, "rg-synapse-managed-${var.synapse_workspace_name}")
   }
 }
 
 locals {
+  rg_id    = azapi_resource.resource_group.id
+  rg_name  = var.resource_group_name
+  location = var.location
+
   suffix                 = var.append_random_suffix ? random_string.suffix.result : ""
   synapse_workspace_name = var.append_random_suffix ? "${var.synapse_workspace_name}-${local.suffix}" : var.synapse_workspace_name
-  managed_rg_name        = var.append_random_suffix ? "${var.managed_resource_group_name}-${local.suffix}" : var.managed_resource_group_name
+  managed_rg_base        = coalesce(var.managed_resource_group_name, "rg-synapse-managed-${var.synapse_workspace_name}")
+  managed_rg_name        = var.append_random_suffix ? "${local.managed_rg_base}-${local.suffix}" : local.managed_rg_base
 
   # Storage Account names must be lowercase alphanumeric and cannot contain dashes.
   storage_account_name = var.append_random_suffix ? "${var.storage_account_name}${local.suffix}" : var.storage_account_name
@@ -40,8 +58,8 @@ locals {
 resource "azapi_resource" "storage_account" {
   type      = "Microsoft.Storage/storageAccounts@2021-04-01"
   name      = local.storage_account_name
-  location  = azurerm_resource_group.rg.location
-  parent_id = azurerm_resource_group.rg.id
+  location  = local.location
+  parent_id = local.rg_id
 
   body = jsonencode({
     kind = "StorageV2"
@@ -90,8 +108,8 @@ resource "azapi_resource" "filesystem" {
 
 resource "azurerm_synapse_workspace" "ws" {
   name                                 = local.synapse_workspace_name
-  resource_group_name                  = azurerm_resource_group.rg.name
-  location                             = azurerm_resource_group.rg.location
+  resource_group_name                  = local.rg_name
+  location                             = local.location
   managed_resource_group_name          = local.managed_rg_name
   storage_data_lake_gen2_filesystem_id = local.dfs_filesystem_id
 

5_analytics-bigdata/synapse-analytics/outputs.tf

@@ -2,7 +2,7 @@
 
 output "resource_group_id" {
   description = "The ID of the resource group."
-  value       = azurerm_resource_group.rg.id
+  value       = local.rg_id
 }
 
 output "storage_account_id" {

5_analytics-bigdata/synapse-analytics/terraform.tfvars

@@ -3,8 +3,10 @@ location            = "eastus"
 
 # Synapse workspace names are globally unique.
 # This template appends a random suffix by default to reduce collisions.
-synapse_workspace_name      = "synw-analytics-dev"
-managed_resource_group_name = "rg-synapse-managed-analytics-dev"
+synapse_workspace_name = "synw-analytics-dev"
+
+# Optional. If omitted, the template auto-generates a Synapse managed RG name.
+# managed_resource_group_name = "rg-synapse-managed-analytics-dev"
 
 # Storage account names must be lowercase alphanumeric and globally unique.
 # This template appends a random suffix by default (without dashes).

5_analytics-bigdata/synapse-analytics/variables.tf

@@ -2,7 +2,7 @@
 # This file defines the input variables used in the Terraform configuration.
 
 variable "resource_group_name" {
-  description = "The name of the Azure Resource Group to create and deploy Synapse into."
+  description = "The name of the Azure Resource Group to deploy Synapse into. If create_resource_group is true, Terraform will create this resource group."
   type        = string
 
   validation {
@@ -36,15 +36,18 @@ variable "synapse_workspace_name" {
 }
 
 variable "managed_resource_group_name" {
-  description = "Base name of the managed resource group for Synapse. If append_random_suffix is true, the final name will be '<base>-<suffix>'."
+  description = "Optional base name of the Synapse managed resource group. If null/omitted, the template auto-generates a name. If append_random_suffix is true, the final name will be '<base>-<suffix>'."
   type        = string
+  default     = null
 
   validation {
     condition = (
-      length(trimspace(var.managed_resource_group_name)) > 0
-      && length(var.managed_resource_group_name) <= (var.append_random_suffix ? (90 - 1 - var.random_suffix_length) : 90)
+      var.managed_resource_group_name == null ? true : (
+        length(try(trimspace(var.managed_resource_group_name), "")) > 0
+        && length(try(var.managed_resource_group_name, "")) <= (var.append_random_suffix ? (90 - 1 - var.random_suffix_length) : 90)
+      )
     )
-    error_message = "managed_resource_group_name must be 1-90 chars and leave room for '-<suffix>' when append_random_suffix is true."
+    error_message = "managed_resource_group_name must be 1-90 chars (or null to auto-generate) and leave room for '-<suffix>' when append_random_suffix is true."
   }
 }