synapse template

Author: brown9804

5_analytics-bigdata/README.md

@@ -15,6 +15,7 @@ Last updated: 2026-02-09
 ## Templates available
 
 - [Azure Data Factory](./data-factory)
+- [Azure Synapse Analytics (Workspace)](./synapse-analytics)
 
 <!-- START BADGE -->
 <div align="center">

5_analytics-bigdata/synapse-analytics/README.md

@@ -0,0 +1,98 @@
+# Terraform Template - Azure Synapse Analytics (Workspace)
+
+Costa Rica
+
+[![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/)
+[brown9804](https://github.com/brown9804)
+
+Last updated: 2026-02-11
+
+------------------------------------------
+
+> This template contains Terraform configurations to create an Azure Synapse Analytics workspace backed by an ADLS Gen2 filesystem.
+
+> [!IMPORTANT]
+> This template creates the Storage Account and filesystem via the AzAPI provider (management plane) to avoid key-based Storage data-plane operations (common in environments where shared keys are disabled by policy).
+
+> [!NOTE]
+> Synapse validates the default data lake storage using the DFS URL format: `https://<accountname>.dfs.core.windows.net/<filesystem>`. This template passes that format to `azurerm_synapse_workspace`.
+
+## File Descriptions
+
+- **main.tf**: Creates the Resource Group, Storage Account + filesystem (ADLS Gen2), and Synapse Workspace.
+- **variables.tf**: Defines the input variables used in the Terraform configuration.
+- **provider.tf**: Configures the AzureRM + AzAPI providers.
+- **terraform.tfvars**: Provides example values for the variables defined in `variables.tf`.
+- **outputs.tf**: Defines outputs such as the Synapse workspace ID.
+
+## Variables
+
+| Variable Name | Description | Type | Example Value |
+| --- | --- | --- | --- |
+| `resource_group_name` | Resource Group name to create/deploy into. | string | `"rg-analytics-dev"` |
+| `location` | Azure region for the deployment. | string | `"eastus"` |
+| `synapse_workspace_name` | Base Synapse workspace name. If suffix enabled, final is `<base>-<suffix>`. | string | `"synw-analytics-dev"` |
+| `managed_resource_group_name` | Base managed RG name for Synapse. If suffix enabled, final is `<base>-<suffix>`. | string | `"rg-synapse-managed-analytics-dev"` |
+| `storage_account_name` | Base storage account name. If suffix enabled, final is `<base><suffix>` (no dash). | string | `"stadlsanalyticsdev"` |
+| `filesystem_name` | ADLS Gen2 filesystem name (container). | string | `"synapse"` |
+| `sql_administrator_login` | Synapse SQL admin login. | string | `"sqladminuser"` |
+| `sql_administrator_password` | Synapse SQL admin password (prefer env var). | string | `"<set via TF_VAR_sql_administrator_password>"` |
+| `append_random_suffix` | Append a random suffix to avoid global collisions. | bool | `true` |
+| `random_suffix_length` | Length of the random suffix when enabled. | number | `6` |
+| `tags` | Tags applied to resources. | map(string) | `{ "env": "dev" }` |
+
+## Usage
+
+1. Authenticate:
+
+   ```sh
+   az login
+   ````
+
+   ```sh
+   az account show
+   # If needed:
+   az account set --subscription "<subscription-id-or-name>"
+   ```
+
+3. Provide the SQL admin password without committing it:
+
+   PowerShell:
+
+   ```powershell
+   $env:TF_VAR_sql_administrator_password = "<your-strong-password>"
+   ```
+
+4. Initialize:
+
+   ```sh
+   terraform init -upgrade
+   ```
+
+5. Validate and plan:
+
+   ```sh
+   terraform validate
+   terraform plan
+   ```
+
+6. Apply:
+
+   ```sh
+   terraform apply -auto-approve
+   ```
+
+> [!NOTE]
+> Synapse workspace names are globally unique. If you disable `append_random_suffix`, you may hit name collisions.
+
+> [!NOTE]
+> The SQL admin password must meet complexity rules (at least 3 of: upper/lower/digit/special). Use `TF_VAR_sql_administrator_password` to avoid committing secrets.
+
+<!-- START BADGE -->
+<div align="center">
+  <img src="https://img.shields.io/badge/Total%20views-1706-limegreen" alt="Total views">
+  <p>Refresh Date: 2026-02-11</p>
+</div>
+<!-- END BADGE -->
+
+````

5_analytics-bigdata/synapse-analytics/main.tf

@@ -0,0 +1,110 @@
+# main.tf
+# Creates an Azure Synapse Analytics workspace backed by an ADLS Gen2 filesystem.
+# Storage resources are created via AzAPI (management plane) to avoid key-based data-plane operations.
+
+resource "azurerm_resource_group" "rg" {
+  name     = var.resource_group_name
+  location = var.location
+
+  tags = var.tags
+}
+
+resource "random_string" "suffix" {
+  length  = var.random_suffix_length
+  upper   = false
+  special = false
+  numeric = true
+
+  keepers = {
+    resource_group_name = var.resource_group_name
+    location            = var.location
+    workspace_base      = var.synapse_workspace_name
+    storage_base        = var.storage_account_name
+    managed_rg_base     = var.managed_resource_group_name
+  }
+}
+
+locals {
+  suffix                 = var.append_random_suffix ? random_string.suffix.result : ""
+  synapse_workspace_name = var.append_random_suffix ? "${var.synapse_workspace_name}-${local.suffix}" : var.synapse_workspace_name
+  managed_rg_name        = var.append_random_suffix ? "${var.managed_resource_group_name}-${local.suffix}" : var.managed_resource_group_name
+
+  # Storage Account names must be lowercase alphanumeric and cannot contain dashes.
+  storage_account_name = var.append_random_suffix ? "${var.storage_account_name}${local.suffix}" : var.storage_account_name
+
+  # azurerm_synapse_workspace expects the Data Lake Gen2 filesystem id in DFS URL form.
+  # Format: https://<accountname>.dfs.core.windows.net/<filesystem>
+  dfs_filesystem_id = "https://${local.storage_account_name}.dfs.core.windows.net/${var.filesystem_name}"
+}
+
+resource "azapi_resource" "storage_account" {
+  type      = "Microsoft.Storage/storageAccounts@2021-04-01"
+  name      = local.storage_account_name
+  location  = azurerm_resource_group.rg.location
+  parent_id = azurerm_resource_group.rg.id
+
+  body = jsonencode({
+    kind = "StorageV2"
+    sku = {
+      name = "Standard_LRS"
+    }
+    properties = {
+      isHnsEnabled             = true
+      minimumTlsVersion        = "TLS1_2"
+      supportsHttpsTrafficOnly = true
+
+      # Often enforced by org policy; also avoids Terraform needing to use shared keys.
+      allowSharedKeyAccess  = false
+      allowBlobPublicAccess = false
+    }
+    tags = var.tags
+  })
+
+  response_export_values = [
+    "id",
+    "name"
+  ]
+}
+
+resource "azapi_resource" "filesystem" {
+  type = "Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01"
+  name = var.filesystem_name
+
+  parent_id = "${azapi_resource.storage_account.id}/blobServices/default"
+
+  body = jsonencode({
+    properties = {
+      publicAccess = "None"
+    }
+  })
+
+  response_export_values = [
+    "id",
+    "name"
+  ]
+
+  depends_on = [
+    azapi_resource.storage_account
+  ]
+}
+
+resource "azurerm_synapse_workspace" "ws" {
+  name                                 = local.synapse_workspace_name
+  resource_group_name                  = azurerm_resource_group.rg.name
+  location                             = azurerm_resource_group.rg.location
+  managed_resource_group_name          = local.managed_rg_name
+  storage_data_lake_gen2_filesystem_id = local.dfs_filesystem_id
+
+  sql_administrator_login          = var.sql_administrator_login
+  sql_administrator_login_password = var.sql_administrator_password
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    azapi_resource.filesystem
+  ]
+}

5_analytics-bigdata/synapse-analytics/outputs.tf

@@ -0,0 +1,31 @@
+# outputs.tf
+
+output "resource_group_id" {
+  description = "The ID of the resource group."
+  value       = azurerm_resource_group.rg.id
+}
+
+output "storage_account_id" {
+  description = "The resource ID of the Storage Account backing Synapse."
+  value       = azapi_resource.storage_account.id
+}
+
+output "filesystem_id" {
+  description = "The ARM resource ID of the ADLS Gen2 filesystem (container)."
+  value       = azapi_resource.filesystem.id
+}
+
+output "filesystem_dfs_url" {
+  description = "The DFS URL format used by Synapse for the default data lake storage filesystem."
+  value       = "https://${azapi_resource.storage_account.name}.dfs.core.windows.net/${azapi_resource.filesystem.name}"
+}
+
+output "synapse_workspace_id" {
+  description = "The resource ID of the Synapse workspace."
+  value       = azurerm_synapse_workspace.ws.id
+}
+
+output "synapse_workspace_name" {
+  description = "The name of the Synapse workspace."
+  value       = azurerm_synapse_workspace.ws.name
+}

5_analytics-bigdata/synapse-analytics/provider.tf

@@ -0,0 +1,38 @@
+# provider.tf
+# This file configures the Azure providers to interact with Azure resources.
+
+terraform {
+  required_version = ">= 1.8, < 2.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.116"
+    }
+
+    azapi = {
+      source  = "Azure/azapi"
+      version = "~> 1.13"
+    }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+
+  # Uses the current Azure CLI context (az login + az account set)
+  skip_provider_registration = false
+}
+
+provider "azapi" {
+  # Uses the current Azure CLI context (az login + az account set)
+}

5_analytics-bigdata/synapse-analytics/terraform.tfvars

@@ -0,0 +1,27 @@
+resource_group_name = "rg-analytics-dev"
+location            = "eastus"
+
+# Synapse workspace names are globally unique.
+# This template appends a random suffix by default to reduce collisions.
+synapse_workspace_name      = "synw-analytics-dev"
+managed_resource_group_name = "rg-synapse-managed-analytics-dev"
+
+# Storage account names must be lowercase alphanumeric and globally unique.
+# This template appends a random suffix by default (without dashes).
+storage_account_name = "stadlsanalyticsdev"
+filesystem_name      = "synapse"
+
+sql_administrator_login = "sqladminuser"
+
+# Do NOT commit real passwords. Prefer using:
+#   $env:TF_VAR_sql_administrator_password = "<your-strong-password>"
+sql_administrator_password = "ChangeMe123!"
+
+append_random_suffix = true
+random_suffix_length = 6
+
+tags = {
+  env  = "dev"
+  area = "analytics-bigdata"
+  iac  = "terraform"
+}