From 0920b1c19a036e5ecd5d0bcc08b8ae51f1d1d2c3 Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Thu, 13 Jun 2024 19:18:05 +0200 Subject: [PATCH] admin child template --- avm/res/synapse/workspace/README.md | 51 +++++ .../workspace/administrators/README.md | 91 +++++++++ .../workspace/administrators/main.bicep | 51 +++++ .../workspace/administrators/main.json | 106 ++++++++++ .../workspace/integration-runtime/main.json | 4 +- avm/res/synapse/workspace/key/main.json | 4 +- avm/res/synapse/workspace/main.bicep | 150 +++++++------- avm/res/synapse/workspace/main.json | 183 +++++++++++++++++- .../workspace/tests/e2e/max/main.test.bicep | 5 + 9 files changed, 561 insertions(+), 84 deletions(-) create mode 100644 avm/res/synapse/workspace/administrators/README.md create mode 100644 avm/res/synapse/workspace/administrators/main.bicep create mode 100644 avm/res/synapse/workspace/administrators/main.json diff --git a/avm/res/synapse/workspace/README.md b/avm/res/synapse/workspace/README.md index eb60880311..11a061bc45 100644 --- a/avm/res/synapse/workspace/README.md +++ b/avm/res/synapse/workspace/README.md 
@@ -27,6 +27,7 @@ This module deploys a Synapse Workspace. | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Synapse/workspaces` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces) | +| `Microsoft.Synapse/workspaces/administrators` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/administrators) | | `Microsoft.Synapse/workspaces/integrationRuntimes` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/integrationRuntimes) | | `Microsoft.Synapse/workspaces/keys` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/keys) | @@ -346,6 +347,11 @@ module workspace 'br/public:avm/res/synapse/workspace:' = { name: 'swmax001' sqlAdministratorLogin: 'synwsadmin' // Non-required parameters + administrator: { + administratorType: 'ServicePrincipal' + login: 'dep-msi-swmax' + sid: '' + } diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -469,6 +475,13 @@ module workspace 'br/public:avm/res/synapse/workspace:' = { "value": "synwsadmin" }, // Non-required parameters + "administrator": { + "value": { + "administratorType": "ServicePrincipal", + "login": "dep-msi-swmax", + "sid": "" + } + }, "diagnosticSettings": { "value": [ { 
@@ -758,6 +771,7 @@ module workspace 'br/public:avm/res/synapse/workspace:' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`accountUrl`](#parameter-accounturl) | string | The account URL of the data lake storage account. | +| [`administrator`](#parameter-administrator) | object | The Entra ID administrator for the synapse workspace. | | [`allowedAadTenantIdsForLinking`](#parameter-allowedaadtenantidsforlinking) | array | Allowed AAD Tenant IDs For Linking. | | [`azureADOnlyAuthentication`](#parameter-azureadonlyauthentication) | bool | Enable or Disable AzureADOnlyAuthentication on All Workspace sub-resource. | | [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | 
@@ -818,6 +832,43 @@ The account URL of the data lake storage account. - Type: string - Default: `[format('https://{0}.dfs.{1}', last(split(parameters('defaultDataLakeStorageAccountResourceId'), '/')), environment().suffixes.storage)]` +### Parameter: `administrator` + +The Entra ID administrator for the synapse workspace. + +- Required: No +- Type: object +- Default: `{}` + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`administratorType`](#parameter-administratoradministratortype) | string | Workspace active directory administrator type. | +| [`login`](#parameter-administratorlogin) | securestring | Login of the workspace active directory administrator. | +| [`sid`](#parameter-administratorsid) | securestring | Object ID of the workspace active directory administrator. | + +### Parameter: `administrator.administratorType` + +Workspace active directory administrator type. + +- Required: No +- Type: string + +### Parameter: `administrator.login` + +Login of the workspace active directory administrator. + +- Required: No +- Type: securestring + +### Parameter: `administrator.sid` + +Object ID of the workspace active directory administrator. + +- Required: No +- Type: securestring + ### Parameter: `allowedAadTenantIdsForLinking` Allowed AAD Tenant IDs For Linking. diff --git a/avm/res/synapse/workspace/administrators/README.md b/avm/res/synapse/workspace/administrators/README.md new file mode 100644 index 0000000000..09e79980ed --- /dev/null +++ b/avm/res/synapse/workspace/administrators/README.md 
@@ -0,0 +1,91 @@ +# Synapse Workspaces Administrators `[Microsoft.Synapse/workspaces/administrators]` + +This module deploys Synapse Workspaces Administrators. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Synapse/workspaces/administrators` | [2021-06-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Synapse/2021-06-01/workspaces/administrators) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`administrator`](#parameter-administrator) | object | The administrators definition. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`workspaceName`](#parameter-workspacename) | string | The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. | + +### Parameter: `administrator` + +The administrators definition. + +- Required: Yes +- Type: object + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`administratorType`](#parameter-administratoradministratortype) | string | Workspace active directory administrator type. | +| [`login`](#parameter-administratorlogin) | securestring | Login of the workspace active directory administrator. | +| [`sid`](#parameter-administratorsid) | securestring | Object ID of the workspace active directory administrator. | + +### Parameter: `administrator.administratorType` + +Workspace active directory administrator type. + +- Required: No +- Type: string + +### Parameter: `administrator.login` + +Login of the workspace active directory administrator. + +- Required: No +- Type: securestring + +### Parameter: `administrator.sid` + +Object ID of the workspace active directory administrator. 
+ +- Required: No +- Type: securestring + +### Parameter: `workspaceName` + +The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed administrator. | +| `resourceGroupName` | string | The resource group of the deployed administrator. | +| `resourceId` | string | The resource ID of the deployed administrator. | + +## Cross-referenced modules + +_None_ + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/res/synapse/workspace/administrators/main.bicep b/avm/res/synapse/workspace/administrators/main.bicep new file mode 100644 index 0000000000..c953a42624 --- /dev/null +++ b/avm/res/synapse/workspace/administrators/main.bicep 
@@ -0,0 +1,51 @@
+metadata name = 'Synapse Workspaces Administrators'
+metadata description = 'This module deploys Synapse Workspaces Administrators.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment.')
+param workspaceName string
+
+@description('Required. The administrators definition.')
+param administrator adminType
+
+resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' existing = {
+  name: workspaceName
+}
+
+resource synapse_workspace_administrator 'Microsoft.Synapse/workspaces/administrators@2021-06-01' = if (!empty(administrator)) {
+  name: 'activeDirectory'
+  parent: workspace
+  properties: {
+    administratorType: administrator.administratorType
+    login: administrator.login
+    sid: administrator.sid
+    tenantId: subscription().tenantId
+  }
+}
+
+@description('The name of the deployed administrator.')
+output name string = synapse_workspace_administrator.name
+
+@description('The resource ID of the deployed administrator.')
+output resourceId string = synapse_workspace_administrator.id
+
+@description('The resource group of the deployed administrator.')
+output resourceGroupName string = resourceGroup().name
+
+// ================ //
+// Definitions //
+// ================ //
+
+@export()
+type adminType = {
+  @description('Optional. Workspace active directory administrator type.')
+  administratorType: string?
+
+  @description('Optional. Login of the workspace active directory administrator.')
+  @secure()
+  login: string?
+
+  @description('Optional. Object ID of the workspace active directory administrator.')
+  @secure()
+  sid: string?
+}
diff --git a/avm/res/synapse/workspace/administrators/main.json b/avm/res/synapse/workspace/administrators/main.json
new file mode 100644
index 0000000000..3d67b52a87
--- /dev/null
+++ b/avm/res/synapse/workspace/administrators/main.json
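Review bot: `adminType` leaves `login` and `sid` optional while `synapse_workspace_administrator` is gated only on `!empty(administrator)`, so a standalone deployment that sets just `administratorType` reaches the API with a null `login` and `sid` — the two values that decide who is made workspace administrator — and the outcome then depends on server-side validation rather than on the template. Declare the identity fields as required (`login: string` and `sid: string`, with `administratorType` staying optional; the parent can then type its parameter as `adminType?`) and sharpen the `sid` description to `'Required. Entra object ID (principalId) of the administrator, not its ARM resource ID.'` — the e2e test added in this same patch passes `managedIdentityResourceId` there, which suggests the current wording is easy to misread. `tenantId` is pinned to `subscription().tenantId`; that is fine for same-tenant principals but is worth stating in the module description so nobody expects a guest or cross-tenant principal to work. Marking `login` and `sid` `@secure()` also hides them from deployment history and what-if output; an object ID is an identifier rather than a credential, so if auditability of admin grants matters more than the AVM convention here, consider dropping the decorator.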
@@ -0,0 +1,106 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.28.1.47646", + "templateHash": "1990066188266359857" + }, + "name": "Synapse Workspaces Administrators", + "description": "This module deploys Synapse Workspaces Administrators.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "adminType": { + "type": "object", + "properties": { + "administratorType": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Workspace active directory administrator type." + } + }, + "login": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Login of the workspace active directory administrator." + } + }, + "sid": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Object ID of the workspace active directory administrator." + } + } + }, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment." + } + }, + "administrator": { + "$ref": "#/definitions/adminType", + "metadata": { + "description": "Required. The administrators definition." 
+ } + } + }, + "resources": { + "workspace": { + "existing": true, + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]" + }, + "synapse_workspace_administrator": { + "condition": "[not(empty(parameters('administrator')))]", + "type": "Microsoft.Synapse/workspaces/administrators", + "apiVersion": "2021-06-01", + "name": "[format('{0}/{1}', parameters('workspaceName'), 'activeDirectory')]", + "properties": { + "administratorType": "[parameters('administrator').administratorType]", + "login": "[parameters('administrator').login]", + "sid": "[parameters('administrator').sid]", + "tenantId": "[subscription().tenantId]" + }, + "dependsOn": [ + "workspace" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed administrator." + }, + "value": "activeDirectory" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed administrator." + }, + "value": "[resourceId('Microsoft.Synapse/workspaces/administrators', parameters('workspaceName'), 'activeDirectory')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed administrator." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/avm/res/synapse/workspace/integration-runtime/main.json b/avm/res/synapse/workspace/integration-runtime/main.json index b3841376fc..50fe789258 100644 --- a/avm/res/synapse/workspace/integration-runtime/main.json +++ b/avm/res/synapse/workspace/integration-runtime/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "12068224449891293218" + "version": "0.28.1.47646", + "templateHash": "12071965359188483950" }, "name": "Synapse Workspace Integration Runtimes", "description": "This module deploys a Synapse Workspace Integration Runtime.", 
diff --git a/avm/res/synapse/workspace/key/main.json b/avm/res/synapse/workspace/key/main.json
index b6e8177754..14c8ac9883 100644
--- a/avm/res/synapse/workspace/key/main.json
+++ b/avm/res/synapse/workspace/key/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "15295521192306502787"
+      "version": "0.28.1.47646",
+      "templateHash": "17207449952619386820"
     },
     "name": "Synapse Workspaces Keys",
     "description": "This module deploys a Synapse Workspaces Key.",
diff --git a/avm/res/synapse/workspace/main.bicep b/avm/res/synapse/workspace/main.bicep
index 4b1600cb01..45d84bf0f2 100644
--- a/avm/res/synapse/workspace/main.bicep
+++ b/avm/res/synapse/workspace/main.bicep
@@ -31,6 +31,10 @@ param defaultDataLakeStorageFilesystem string
 @description('Optional. Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace\'s primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account.')
 param defaultDataLakeStorageCreateManagedPrivateEndpoint bool = false
 
+import { adminType } from 'administrators/main.bicep'
+@description('Optional. The Entra ID administrator for the synapse workspace.')
+param administrator adminType = {}
+
 @description('Optional. The customer managed key definition.')
 param customerManagedKey customerManagedKeyType
 
@@ -133,47 +137,43 @@ var builtInRoleNames = {
   )
 }
 
-resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
-  if (enableTelemetry) {
-    name: '46d3xbcp.res.synapse-workspace.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
-    properties: {
-      mode: 'Incremental'
-      template: {
-        '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
-        contentVersion: '1.0.0.0'
-        resources: []
-        outputs: {
-          telemetry: {
-            type: 'String'
-            value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
-          }
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
+  name: '46d3xbcp.res.synapse-workspace.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+      outputs: {
+        telemetry: {
+          type: 'String'
+          value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
         }
       }
     }
   }
+}
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing =
-  if (!empty(customerManagedKey.?keyVaultResourceId)) {
-    name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
-    scope: resourceGroup(
-      split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
-      split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
-    )
-
-    resource cMKKey 'keys@2023-02-01' existing =
-      if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
-        name: customerManagedKey.?keyName ?? 'dummyKey'
-      }
-  }
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
+  name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
+  scope: resourceGroup(
+    split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
+    split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
+  )
 
-resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing =
-  if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
-    name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
-    scope: resourceGroup(
-      split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2],
-      split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]
-    )
+  resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
+    name: customerManagedKey.?keyName ?? 'dummyKey'
   }
+}
+
+resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) {
+  name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/'))
+  scope: resourceGroup(
+    split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2],
+    split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4]
+  )
+}
 
 resource workspace 'Microsoft.Synapse/workspaces@2021-06-01' = {
   name: name
@@ -246,51 +246,57 @@ module synapse_integrationRuntimes 'integration-runtime/main.bicep' = [
 
 // Workspace encryption with customer managed keys
 // - Assign Synapse Workspace MSI access to encryption key
-module workspace_cmk_rbac 'modules/nested_cmkRbac.bicep' =
-  if (encryptionActivateWorkspace) {
-    name: '${workspace.name}-cmk-rbac'
-    params: {
-      workspaceIndentityPrincipalId: workspace.identity.principalId
-      keyvaultName: !empty(customerManagedKey.?keyVaultResourceId) ? cMKKeyVault.name : ''
-      usesRbacAuthorization: !empty(customerManagedKey.?keyVaultResourceId)
-        ? cMKKeyVault.properties.enableRbacAuthorization
-        : true
-    }
-    scope: encryptionActivateWorkspace
-      ? resourceGroup(
-        split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
-        split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
-      )
-      : resourceGroup()
+module workspace_cmk_rbac 'modules/nested_cmkRbac.bicep' = if (encryptionActivateWorkspace) {
+  name: '${workspace.name}-cmk-rbac'
+  params: {
+    workspaceIndentityPrincipalId: workspace.identity.principalId
+    keyvaultName: !empty(customerManagedKey.?keyVaultResourceId) ? cMKKeyVault.name : ''
+    usesRbacAuthorization: !empty(customerManagedKey.?keyVaultResourceId)
+      ? cMKKeyVault.properties.enableRbacAuthorization
+      : true
   }
+  scope: encryptionActivateWorkspace
+    ? resourceGroup(
+      split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
+      split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
+    )
+    : resourceGroup()
+}
 
 // - Workspace encryption - Activate Workspace
-module workspace_key 'key/main.bicep' =
-  if (encryptionActivateWorkspace) {
-    name: '${workspace.name}-cmk-activation'
-    params: {
-      name: customerManagedKey!.keyName
-      isActiveCMK: true
-      keyVaultResourceId: cMKKeyVault.id
-      workspaceName: workspace.name
-    }
-    dependsOn: [
-      workspace_cmk_rbac
-    ]
+module workspace_key 'key/main.bicep' = if (encryptionActivateWorkspace) {
+  name: '${workspace.name}-cmk-activation'
+  params: {
+    name: customerManagedKey!.keyName
+    isActiveCMK: true
+    keyVaultResourceId: cMKKeyVault.id
+    workspaceName: workspace.name
   }
+  dependsOn: [
+    workspace_cmk_rbac
+  ]
+}
+
+// - Workspace Entra ID Administrator
+module workspace_administrator 'administrators/main.bicep' = if (!empty(administrator.login)) {
+  name: '${workspace.name}-administrator'
+  params: {
+    workspaceName: workspace.name
+    administrator: administrator
+  }
+}
 
 // Resource Lock
-resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' =
-  if (!empty(lock ?? {}) && lock.?kind != 'None') {
-    name: lock.?name ?? 'lock-${name}'
-    properties: {
-      level: lock.?kind ?? ''
-      notes: lock.?kind == 'CanNotDelete'
-        ? 'Cannot delete resource or child resources.'
-        : 'Cannot delete or modify the resource or child resources.'
-    }
-    scope: workspace
+resource workspace_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
+  properties: {
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete'
+      ? 'Cannot delete resource or child resources.'
+      : 'Cannot delete or modify the resource or child resources.'
   }
+  scope: workspace
+}
 
 // RBAC
 resource workspace_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
diff --git a/avm/res/synapse/workspace/main.json b/avm/res/synapse/workspace/main.json
index 44e8509171..7edf5e536e 100644
--- a/avm/res/synapse/workspace/main.json
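Review bot: `workspace_administrator` is deployed whenever `administrator.login` is non-empty, so a caller who supplies a login but omits `sid` still triggers the child module, which then writes the `activeDirectory` administrator resource with a null object ID; because this resource designates the workspace's Entra ID administrator, the guard should require both identifiers, e.g. `module workspace_administrator 'administrators/main.bicep' = if (!empty(administrator.?login) && !empty(administrator.?sid)) {`. The remaining lines of the hunk only reflow the existing `workspace_cmk_rbac`, `workspace_key` and `workspace_lock` definitions and, as far as the diff shows, do not change their logic. The `workspace_roleAssignments` definition on the last line continues beyond the hunk.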
+++ b/avm/res/synapse/workspace/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "9840642184886177634" + "version": "0.28.1.47646", + "templateHash": "13958416989180111099" }, "name": "Synapse Workspaces", "description": "This module deploys a Synapse Workspace.", @@ -434,6 +434,37 @@ } }, "nullable": true + }, + "adminType": { + "type": "object", + "properties": { + "administratorType": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Workspace active directory administrator type." + } + }, + "login": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Login of the workspace active directory administrator." + } + }, + "sid": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Object ID of the workspace active directory administrator." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "administrators/main.bicep" + } + } } }, "parameters": { @@ -498,6 +529,13 @@ "description": "Optional. Create managed private endpoint to the default storage account or not. If Yes is selected, a managed private endpoint connection request is sent to the workspace's primary Data Lake Storage Gen2 account for Spark pools to access data. This must be approved by an owner of the storage account." } }, + "administrator": { + "$ref": "#/definitions/adminType", + "defaultValue": {}, + "metadata": { + "description": "Optional. The Entra ID administrator for the synapse workspace." + } + }, "customerManagedKey": { "$ref": "#/definitions/customerManagedKeyType", "metadata": { 
@@ -818,8 +856,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "12068224449891293218" + "version": "0.28.1.47646", + "templateHash": "12071965359188483950" }, "name": "Synapse Workspace Integration Runtimes", "description": "This module deploys a Synapse Workspace Integration Runtime.", @@ -916,8 +954,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "23966606142695564" + "version": "0.28.1.47646", + "templateHash": "15762141115882405712" } }, "parameters": { @@ -1004,8 +1042,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "15295521192306502787" + "version": "0.28.1.47646", + "templateHash": "17207449952619386820" }, "name": "Synapse Workspaces Keys", "description": "This module deploys a Synapse Workspaces Key.", 
@@ -1079,6 +1117,135 @@ "workspace_cmk_rbac" ] }, + "workspace_administrator": { + "condition": "[not(empty(parameters('administrator').login))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-administrator', parameters('name'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "workspaceName": { + "value": "[parameters('name')]" + }, + "administrator": { + "value": "[parameters('administrator')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.28.1.47646", + "templateHash": "1990066188266359857" + }, + "name": "Synapse Workspaces Administrators", + "description": "This module deploys Synapse Workspaces Administrators.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "adminType": { + "type": "object", + "properties": { + "administratorType": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Workspace active directory administrator type." + } + }, + "login": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Login of the workspace active directory administrator." + } + }, + "sid": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Object ID of the workspace active directory administrator." + } + } + }, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Synapse Workspace. Required if the template is used in a standalone deployment." + } + }, + "administrator": { + "$ref": "#/definitions/adminType", + "metadata": { + "description": "Required. The administrators definition." 
+ } + } + }, + "resources": { + "workspace": { + "existing": true, + "type": "Microsoft.Synapse/workspaces", + "apiVersion": "2021-06-01", + "name": "[parameters('workspaceName')]" + }, + "synapse_workspace_administrator": { + "condition": "[not(empty(parameters('administrator')))]", + "type": "Microsoft.Synapse/workspaces/administrators", + "apiVersion": "2021-06-01", + "name": "[format('{0}/{1}', parameters('workspaceName'), 'activeDirectory')]", + "properties": { + "administratorType": "[parameters('administrator').administratorType]", + "login": "[parameters('administrator').login]", + "sid": "[parameters('administrator').sid]", + "tenantId": "[subscription().tenantId]" + }, + "dependsOn": [ + "workspace" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed administrator." + }, + "value": "activeDirectory" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed administrator." + }, + "value": "[resourceId('Microsoft.Synapse/workspaces/administrators', parameters('workspaceName'), 'activeDirectory')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed administrator." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "workspace" + ] + }, "workspace_privateEndpoints": { "copy": { "name": "workspace_privateEndpoints", diff --git a/avm/res/synapse/workspace/tests/e2e/max/main.test.bicep b/avm/res/synapse/workspace/tests/e2e/max/main.test.bicep index 682ca135f8..5ffe467092 100644 --- a/avm/res/synapse/workspace/tests/e2e/max/main.test.bicep +++ b/avm/res/synapse/workspace/tests/e2e/max/main.test.bicep 
@@ -77,6 +77,11 @@ module testDeployment '../../../main.bicep' = [
         nestedDependencies.outputs.managedIdentityResourceId
       ]
     }
+    administrator: {
+      administratorType: 'ServicePrincipal'
+      login: 'dep-${namePrefix}-msi-${serviceShort}'
+      sid: nestedDependencies.outputs.managedIdentityResourceId
+    }
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Owner'