Microsoft.Databricks workspaces 2024-09-01-preview
Bicep resource definition
The workspaces resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Databricks/workspaces resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Databricks/workspaces@2024-09-01-preview' = {
location: 'string'
name: 'string'
properties: {
accessConnector: {
id: 'string'
identityType: 'string'
userAssignedIdentityId: 'string'
}
authorizations: [
{
principalId: 'string'
roleDefinitionId: 'string'
}
]
createdBy: {}
defaultCatalog: {
initialName: 'string'
initialType: 'string'
}
defaultStorageFirewall: 'string'
encryption: {
entities: {
managedDisk: {
keySource: 'string'
keyVaultProperties: {
keyName: 'string'
keyVaultUri: 'string'
keyVersion: 'string'
}
rotationToLatestKeyVersionEnabled: bool
}
managedServices: {
keySource: 'string'
keyVaultProperties: {
keyName: 'string'
keyVaultUri: 'string'
keyVersion: 'string'
}
}
}
}
enhancedSecurityCompliance: {
automaticClusterUpdate: {
value: 'string'
}
complianceSecurityProfile: {
complianceStandards: [
'string'
]
value: 'string'
}
enhancedSecurityMonitoring: {
value: 'string'
}
}
managedDiskIdentity: {}
managedResourceGroupId: 'string'
parameters: {
amlWorkspaceId: {
value: 'string'
}
customPrivateSubnetName: {
value: 'string'
}
customPublicSubnetName: {
value: 'string'
}
customVirtualNetworkId: {
value: 'string'
}
enableNoPublicIp: {
value: bool
}
encryption: {
value: {
KeyName: 'string'
keySource: 'string'
keyvaulturi: 'string'
keyversion: 'string'
}
}
loadBalancerBackendPoolName: {
value: 'string'
}
loadBalancerId: {
value: 'string'
}
natGatewayName: {
value: 'string'
}
prepareEncryption: {
value: bool
}
publicIpName: {
value: 'string'
}
requireInfrastructureEncryption: {
value: bool
}
storageAccountName: {
value: 'string'
}
storageAccountSkuName: {
value: 'string'
}
vnetAddressPrefix: {
value: 'string'
}
}
publicNetworkAccess: 'string'
requiredNsgRules: 'string'
storageAccountIdentity: {}
uiDefinitionUri: 'string'
updatedBy: {}
}
sku: {
name: 'string'
tier: 'string'
}
tags: {
{customized property}: 'string'
}
}
Property values
AutomaticClusterUpdateDefinition
Name | Description | Value |
---|---|---|
value | 'Disabled' 'Enabled' |
ComplianceSecurityProfileDefinition
Name | Description | Value |
---|---|---|
complianceStandards | Compliance standards associated with the workspace. | String array containing any of: 'CYBER_ESSENTIAL_PLUS' 'HIPAA' 'NONE' 'PCI_DSS' |
value | 'Disabled' 'Enabled' |
CreatedBy
Name | Description | Value |
---|
DefaultCatalogProperties
Name | Description | Value |
---|---|---|
initialName | Specifies the initial Name of default catalog. If not specified, the name of the workspace will be used. | string |
initialType | Defines the initial type of the default catalog. Possible values (case-insensitive): HiveMetastore, UnityCatalog | 'HiveMetastore' 'UnityCatalog' |
Encryption
Name | Description | Value |
---|---|---|
KeyName | The name of KeyVault key. | string |
keySource | The encryption keySource (provider). Possible values (case-insensitive): Default, Microsoft.Keyvault | 'Default' 'Microsoft.Keyvault' |
keyvaulturi | The Uri of KeyVault. | string |
keyversion | The version of KeyVault key. | string |
EncryptionEntitiesDefinition
Name | Description | Value |
---|---|---|
managedDisk | Encryption properties for the databricks managed disks. | ManagedDiskEncryption |
managedServices | Encryption properties for the databricks managed services. | EncryptionV2 |
EncryptionV2
Name | Description | Value |
---|---|---|
keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
keyVaultProperties | Key Vault input properties for encryption. | EncryptionV2KeyVaultProperties |
EncryptionV2KeyVaultProperties
Name | Description | Value |
---|---|---|
keyName | The name of KeyVault key. | string (required) |
keyVaultUri | The Uri of KeyVault. | string (required) |
keyVersion | The version of KeyVault key. | string (required) |
EnhancedSecurityComplianceDefinition
Name | Description | Value |
---|---|---|
automaticClusterUpdate | Status of automated cluster updates feature. | AutomaticClusterUpdateDefinition |
complianceSecurityProfile | Status of Compliance Security Profile feature. | ComplianceSecurityProfileDefinition |
enhancedSecurityMonitoring | Status of Enhanced Security Monitoring feature. | EnhancedSecurityMonitoringDefinition |
EnhancedSecurityMonitoringDefinition
Name | Description | Value |
---|---|---|
value | 'Disabled' 'Enabled' |
ManagedDiskEncryption
Name | Description | Value |
---|---|---|
keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
keyVaultProperties | Key Vault input properties for encryption. | ManagedDiskEncryptionKeyVaultProperties (required) |
rotationToLatestKeyVersionEnabled | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. | bool |
ManagedDiskEncryptionKeyVaultProperties
Name | Description | Value |
---|---|---|
keyName | The name of KeyVault key. | string (required) |
keyVaultUri | The URI of KeyVault. | string (required) |
keyVersion | The version of KeyVault key. | string (required) |
ManagedIdentityConfiguration
Name | Description | Value |
---|
Microsoft.Databricks/workspaces
Name | Description | Value |
---|---|---|
location | The geo-location where the resource lives | string (required) |
name | The resource name | string Constraints: Min length = 3 Max length = 64 (required) |
properties | The workspace properties. | WorkspaceProperties (required) |
sku | The SKU of the resource. | Sku |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
Sku
Name | Description | Value |
---|---|---|
name | The SKU name. | string (required) |
tier | The SKU tier. | string |
TrackedResourceTags
Name | Description | Value |
---|
WorkspaceCustomBooleanParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | bool (required) |
WorkspaceCustomParameters
Name | Description | Value |
---|---|---|
amlWorkspaceId | The ID of a Azure Machine Learning workspace to link with Databricks workspace | WorkspaceCustomStringParameter |
customPrivateSubnetName | The name of the Private Subnet within the Virtual Network | WorkspaceCustomStringParameter |
customPublicSubnetName | The name of a Public Subnet within the Virtual Network | WorkspaceCustomStringParameter |
customVirtualNetworkId | The ID of a Virtual Network where this Databricks Cluster should be created | WorkspaceCustomStringParameter |
enableNoPublicIp | Boolean indicating whether the public IP should be disabled. Default value is true | WorkspaceNoPublicIPBooleanParameter |
encryption | Contains the encryption details for Customer-Managed Key (CMK) enabled workspace. | WorkspaceEncryptionParameter |
loadBalancerBackendPoolName | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). | WorkspaceCustomStringParameter |
loadBalancerId | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. | WorkspaceCustomStringParameter |
natGatewayName | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. | WorkspaceCustomStringParameter |
prepareEncryption | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. | WorkspaceCustomBooleanParameter |
publicIpName | Name of the Public IP for No Public IP workspace with managed vNet. | WorkspaceCustomStringParameter |
requireInfrastructureEncryption | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. | WorkspaceCustomBooleanParameter |
storageAccountName | Default DBFS storage account name. | WorkspaceCustomStringParameter |
storageAccountSkuName | Storage account SKU name, ex: Standard_GRS, Standard_LRS. Refer https://aka.ms/storageskus for valid inputs. | WorkspaceCustomStringParameter |
vnetAddressPrefix | Address prefix for Managed virtual network. Default value for this input is 10.139. | WorkspaceCustomStringParameter |
WorkspaceCustomStringParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | string (required) |
WorkspaceEncryptionParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | Encryption |
WorkspaceNoPublicIPBooleanParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | bool (required) |
WorkspaceProperties
Name | Description | Value |
---|---|---|
accessConnector | Access Connector Resource that is going to be associated with Databricks Workspace | WorkspacePropertiesAccessConnector |
authorizations | The workspace provider authorizations. | WorkspaceProviderAuthorization[] |
createdBy | Indicates the Object ID, PUID and Application ID of entity that created the workspace. | CreatedBy |
defaultCatalog | Properties for Default Catalog configuration during workspace creation. | DefaultCatalogProperties |
defaultStorageFirewall | Gets or Sets Default Storage Firewall configuration information | 'Disabled' 'Enabled' |
encryption | Encryption properties for databricks workspace | WorkspacePropertiesEncryption |
enhancedSecurityCompliance | Contains settings related to the Enhanced Security and Compliance Add-On. | EnhancedSecurityComplianceDefinition |
managedDiskIdentity | The details of Managed Identity of Disk Encryption Set used for Managed Disk Encryption | ManagedIdentityConfiguration |
managedResourceGroupId | The managed resource group Id. | string (required) |
parameters | The workspace's custom parameters. | WorkspaceCustomParameters |
publicNetworkAccess | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. | 'Disabled' 'Enabled' |
requiredNsgRules | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. Supported values are 'AllRules' and 'NoAzureDatabricksRules'. 'NoAzureServiceRules' value is for internal use only. | 'AllRules' 'NoAzureDatabricksRules' 'NoAzureServiceRules' |
storageAccountIdentity | The details of Managed Identity of Storage Account | ManagedIdentityConfiguration |
uiDefinitionUri | The blob URI where the UI definition file is located. | string |
updatedBy | Indicates the Object ID, PUID and Application ID of entity that last updated the workspace. | CreatedBy |
WorkspacePropertiesAccessConnector
Name | Description | Value |
---|---|---|
id | The resource ID of Azure Databricks Access Connector Resource. | string (required) |
identityType | The identity type of the Access Connector Resource. | 'SystemAssigned' 'UserAssigned' (required) |
userAssignedIdentityId | The resource ID of the User Assigned Identity associated with the Access Connector Resource. This is required for type 'UserAssigned' and not valid for type 'SystemAssigned'. | string |
WorkspacePropertiesEncryption
Name | Description | Value |
---|---|---|
entities | Encryption entities definition for the workspace. | EncryptionEntitiesDefinition (required) |
WorkspaceProviderAuthorization
Name | Description | Value |
---|---|---|
principalId | The provider's principal identifier. This is the identity that the provider will use to call ARM to manage the workspace resources. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
roleDefinitionId | The provider's role definition identifier. This role will define all the permissions that the provider must have on the workspace's container resource group. This role definition cannot have permission to delete the resource group. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
Azure Databricks All-in-one Templat VNetInjection-Pvtendpt | This template allows you to create a network security group, a virtual network and an Azure Databricks workspace with the virtual network, and Private Endpoint. |
Azure Databricks All-in-one Template for VNet Injection | This template allows you to create a network security group, a virtual network, a NAT gateway and an Azure Databricks workspace with the virtual network. |
Azure Databricks Workspace with custom Address Range | This template allows you to create an Azure Databricks workspace with a custom virtual network address range. |
Azure Databricks Workspace with VNet Injection | This template allows you to create an Azure Databricks workspace with a custom virtual network. |
AzureDatabricks Template for Default Storage Firewall | This template allows you to create a network security group, a virtual network, private endpoint, and a default storage firewall enabled Azure Databricks workspace with the virtual network and the system-assigned access connector. |
AzureDatabricks Template for VNet Injection with NAT Gateway | This template allows you to create a NAT gateway, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
AzureDatabricks Template for VNetInjection and Load Balancer | This template allows you to create a a load balancer, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
Deploy an Azure Databricks Workspace | This template allows you to create an Azure Databricks workspace. |
Deploy an Azure Databricks Workspace with all 3 forms of CMK | This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with Managed Disks CMK | This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy an Azure Databricks WS with CMK for DBFS encryption | This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
Deploy Azure Databricks Workspace with Managed Services CMK | This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
Deploy the Sports Analytics on Azure Architecture | Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
ARM template resource definition
The workspaces resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Databricks/workspaces resource, add the following JSON to your template.
{
"type": "Microsoft.Databricks/workspaces",
"apiVersion": "2024-09-01-preview",
"name": "string",
"location": "string",
"properties": {
"accessConnector": {
"id": "string",
"identityType": "string",
"userAssignedIdentityId": "string"
},
"authorizations": [
{
"principalId": "string",
"roleDefinitionId": "string"
}
],
"createdBy": {
},
"defaultCatalog": {
"initialName": "string",
"initialType": "string"
},
"defaultStorageFirewall": "string",
"encryption": {
"entities": {
"managedDisk": {
"keySource": "string",
"keyVaultProperties": {
"keyName": "string",
"keyVaultUri": "string",
"keyVersion": "string"
},
"rotationToLatestKeyVersionEnabled": "bool"
},
"managedServices": {
"keySource": "string",
"keyVaultProperties": {
"keyName": "string",
"keyVaultUri": "string",
"keyVersion": "string"
}
}
}
},
"enhancedSecurityCompliance": {
"automaticClusterUpdate": {
"value": "string"
},
"complianceSecurityProfile": {
"complianceStandards": [ "string" ],
"value": "string"
},
"enhancedSecurityMonitoring": {
"value": "string"
}
},
"managedDiskIdentity": {
},
"managedResourceGroupId": "string",
"parameters": {
"amlWorkspaceId": {
"value": "string"
},
"customPrivateSubnetName": {
"value": "string"
},
"customPublicSubnetName": {
"value": "string"
},
"customVirtualNetworkId": {
"value": "string"
},
"enableNoPublicIp": {
"value": "bool"
},
"encryption": {
"value": {
"KeyName": "string",
"keySource": "string",
"keyvaulturi": "string",
"keyversion": "string"
}
},
"loadBalancerBackendPoolName": {
"value": "string"
},
"loadBalancerId": {
"value": "string"
},
"natGatewayName": {
"value": "string"
},
"prepareEncryption": {
"value": "bool"
},
"publicIpName": {
"value": "string"
},
"requireInfrastructureEncryption": {
"value": "bool"
},
"storageAccountName": {
"value": "string"
},
"storageAccountSkuName": {
"value": "string"
},
"vnetAddressPrefix": {
"value": "string"
}
},
"publicNetworkAccess": "string",
"requiredNsgRules": "string",
"storageAccountIdentity": {
},
"uiDefinitionUri": "string",
"updatedBy": {
}
},
"sku": {
"name": "string",
"tier": "string"
},
"tags": {
"{customized property}": "string"
}
}
Property values
AutomaticClusterUpdateDefinition
Name | Description | Value |
---|---|---|
value | 'Disabled' 'Enabled' |
ComplianceSecurityProfileDefinition
Name | Description | Value |
---|---|---|
complianceStandards | Compliance standards associated with the workspace. | String array containing any of: 'CYBER_ESSENTIAL_PLUS' 'HIPAA' 'NONE' 'PCI_DSS' |
value | 'Disabled' 'Enabled' |
CreatedBy
Name | Description | Value |
---|
DefaultCatalogProperties
Name | Description | Value |
---|---|---|
initialName | Specifies the initial Name of default catalog. If not specified, the name of the workspace will be used. | string |
initialType | Defines the initial type of the default catalog. Possible values (case-insensitive): HiveMetastore, UnityCatalog | 'HiveMetastore' 'UnityCatalog' |
Encryption
Name | Description | Value |
---|---|---|
KeyName | The name of KeyVault key. | string |
keySource | The encryption keySource (provider). Possible values (case-insensitive): Default, Microsoft.Keyvault | 'Default' 'Microsoft.Keyvault' |
keyvaulturi | The Uri of KeyVault. | string |
keyversion | The version of KeyVault key. | string |
EncryptionEntitiesDefinition
Name | Description | Value |
---|---|---|
managedDisk | Encryption properties for the databricks managed disks. | ManagedDiskEncryption |
managedServices | Encryption properties for the databricks managed services. | EncryptionV2 |
EncryptionV2
Name | Description | Value |
---|---|---|
keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
keyVaultProperties | Key Vault input properties for encryption. | EncryptionV2KeyVaultProperties |
EncryptionV2KeyVaultProperties
Name | Description | Value |
---|---|---|
keyName | The name of KeyVault key. | string (required) |
keyVaultUri | The Uri of KeyVault. | string (required) |
keyVersion | The version of KeyVault key. | string (required) |
EnhancedSecurityComplianceDefinition
Name | Description | Value |
---|---|---|
automaticClusterUpdate | Status of automated cluster updates feature. | AutomaticClusterUpdateDefinition |
complianceSecurityProfile | Status of Compliance Security Profile feature. | ComplianceSecurityProfileDefinition |
enhancedSecurityMonitoring | Status of Enhanced Security Monitoring feature. | EnhancedSecurityMonitoringDefinition |
EnhancedSecurityMonitoringDefinition
Name | Description | Value |
---|---|---|
value | 'Disabled' 'Enabled' |
ManagedDiskEncryption
Name | Description | Value |
---|---|---|
keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
keyVaultProperties | Key Vault input properties for encryption. | ManagedDiskEncryptionKeyVaultProperties (required) |
rotationToLatestKeyVersionEnabled | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. | bool |
ManagedDiskEncryptionKeyVaultProperties
Name | Description | Value |
---|---|---|
keyName | The name of KeyVault key. | string (required) |
keyVaultUri | The URI of KeyVault. | string (required) |
keyVersion | The version of KeyVault key. | string (required) |
ManagedIdentityConfiguration
Name | Description | Value |
---|
Microsoft.Databricks/workspaces
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2024-09-01-preview' |
location | The geo-location where the resource lives | string (required) |
name | The resource name | string Constraints: Min length = 3 Max length = 64 (required) |
properties | The workspace properties. | WorkspaceProperties (required) |
sku | The SKU of the resource. | Sku |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Databricks/workspaces' |
Sku
Name | Description | Value |
---|---|---|
name | The SKU name. | string (required) |
tier | The SKU tier. | string |
TrackedResourceTags
Name | Description | Value |
---|
WorkspaceCustomBooleanParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | bool (required) |
WorkspaceCustomParameters
Name | Description | Value |
---|---|---|
amlWorkspaceId | The ID of a Azure Machine Learning workspace to link with Databricks workspace | WorkspaceCustomStringParameter |
customPrivateSubnetName | The name of the Private Subnet within the Virtual Network | WorkspaceCustomStringParameter |
customPublicSubnetName | The name of a Public Subnet within the Virtual Network | WorkspaceCustomStringParameter |
customVirtualNetworkId | The ID of a Virtual Network where this Databricks Cluster should be created | WorkspaceCustomStringParameter |
enableNoPublicIp | Boolean indicating whether the public IP should be disabled. Default value is true | WorkspaceNoPublicIPBooleanParameter |
encryption | Contains the encryption details for Customer-Managed Key (CMK) enabled workspace. | WorkspaceEncryptionParameter |
loadBalancerBackendPoolName | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). | WorkspaceCustomStringParameter |
loadBalancerId | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. | WorkspaceCustomStringParameter |
natGatewayName | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. | WorkspaceCustomStringParameter |
prepareEncryption | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. | WorkspaceCustomBooleanParameter |
publicIpName | Name of the Public IP for No Public IP workspace with managed vNet. | WorkspaceCustomStringParameter |
requireInfrastructureEncryption | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. | WorkspaceCustomBooleanParameter |
storageAccountName | Default DBFS storage account name. | WorkspaceCustomStringParameter |
storageAccountSkuName | Storage account SKU name, ex: Standard_GRS, Standard_LRS. Refer https://aka.ms/storageskus for valid inputs. | WorkspaceCustomStringParameter |
vnetAddressPrefix | Address prefix for Managed virtual network. Default value for this input is 10.139. | WorkspaceCustomStringParameter |
WorkspaceCustomStringParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | string (required) |
WorkspaceEncryptionParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | Encryption |
WorkspaceNoPublicIPBooleanParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | bool (required) |
WorkspaceProperties
Name | Description | Value |
---|---|---|
accessConnector | Access Connector Resource that is going to be associated with Databricks Workspace | WorkspacePropertiesAccessConnector |
authorizations | The workspace provider authorizations. | WorkspaceProviderAuthorization[] |
createdBy | Indicates the Object ID, PUID and Application ID of entity that created the workspace. | CreatedBy |
defaultCatalog | Properties for Default Catalog configuration during workspace creation. | DefaultCatalogProperties |
defaultStorageFirewall | Gets or Sets Default Storage Firewall configuration information | 'Disabled' 'Enabled' |
encryption | Encryption properties for databricks workspace | WorkspacePropertiesEncryption |
enhancedSecurityCompliance | Contains settings related to the Enhanced Security and Compliance Add-On. | EnhancedSecurityComplianceDefinition |
managedDiskIdentity | The details of Managed Identity of Disk Encryption Set used for Managed Disk Encryption | ManagedIdentityConfiguration |
managedResourceGroupId | The managed resource group Id. | string (required) |
parameters | The workspace's custom parameters. | WorkspaceCustomParameters |
publicNetworkAccess | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. | 'Disabled' 'Enabled' |
requiredNsgRules | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. Supported values are 'AllRules' and 'NoAzureDatabricksRules'. 'NoAzureServiceRules' value is for internal use only. | 'AllRules' 'NoAzureDatabricksRules' 'NoAzureServiceRules' |
storageAccountIdentity | The details of Managed Identity of Storage Account | ManagedIdentityConfiguration |
uiDefinitionUri | The blob URI where the UI definition file is located. | string |
updatedBy | Indicates the Object ID, PUID and Application ID of entity that last updated the workspace. | CreatedBy |
WorkspacePropertiesAccessConnector
Name | Description | Value |
---|---|---|
id | The resource ID of Azure Databricks Access Connector Resource. | string (required) |
identityType | The identity type of the Access Connector Resource. | 'SystemAssigned' 'UserAssigned' (required) |
userAssignedIdentityId | The resource ID of the User Assigned Identity associated with the Access Connector Resource. This is required for type 'UserAssigned' and not valid for type 'SystemAssigned'. | string |
WorkspacePropertiesEncryption
Name | Description | Value |
---|---|---|
entities | Encryption entities definition for the workspace. | EncryptionEntitiesDefinition (required) |
WorkspaceProviderAuthorization
Name | Description | Value |
---|---|---|
principalId | The provider's principal identifier. This is the identity that the provider will use to call ARM to manage the workspace resources. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
roleDefinitionId | The provider's role definition identifier. This role will define all the permissions that the provider must have on the workspace's container resource group. This role definition cannot have permission to delete the resource group. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Azure Databricks All-in-one Templat VNetInjection-Pvtendpt |
This template allows you to create a network security group, a virtual network and an Azure Databricks workspace with the virtual network, and Private Endpoint. |
Azure Databricks All-in-one Template for VNet Injection |
This template allows you to create a network security group, a virtual network, a NAT gateway and an Azure Databricks workspace with the virtual network. |
Azure Databricks Workspace with custom Address Range |
This template allows you to create an Azure Databricks workspace with a custom virtual network address range. |
Azure Databricks Workspace with VNet Injection |
This template allows you to create an Azure Databricks workspace with a custom virtual network. |
AzureDatabricks Template for Default Storage Firewall |
This template allows you to create a network security group, a virtual network, private endpoint, and a default storage firewall enabled Azure Databricks workspace with the virtual network and the system-assigned access connector. |
AzureDatabricks Template for VNet Injection with NAT Gateway |
This template allows you to create a NAT gateway, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
AzureDatabricks Template for VNetInjection and Load Balancer |
This template allows you to create a a load balancer, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
AzureDatabricks Template with Default Storage Firewall |
This template allows you to create an Default Storage Firewall enabled Azure Databricks workspace with Privateendpoint, all three forms of CMK, and User-Assigned Access Connector. |
Deploy an Azure Databricks Workspace |
This template allows you to create an Azure Databricks workspace. |
Deploy an Azure Databricks Workspace with all 3 forms of CMK |
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with Managed Disks CMK |
This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy an Azure Databricks Workspace with PE,CMK all forms |
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks WS with CMK for DBFS encryption |
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
Deploy Azure Databricks Workspace with Managed Services CMK |
This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
Deploy the Sports Analytics on Azure Architecture |
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
Terraform (AzAPI provider) resource definition
The workspaces resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Databricks/workspaces resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Databricks/workspaces@2024-09-01-preview"
name = "string"
location = "string"
sku = {
name = "string"
tier = "string"
}
tags = {
{customized property} = "string"
}
body = jsonencode({
properties = {
accessConnector = {
id = "string"
identityType = "string"
userAssignedIdentityId = "string"
}
authorizations = [
{
principalId = "string"
roleDefinitionId = "string"
}
]
createdBy = {
}
defaultCatalog = {
initialName = "string"
initialType = "string"
}
defaultStorageFirewall = "string"
encryption = {
entities = {
managedDisk = {
keySource = "string"
keyVaultProperties = {
keyName = "string"
keyVaultUri = "string"
keyVersion = "string"
}
rotationToLatestKeyVersionEnabled = bool
}
managedServices = {
keySource = "string"
keyVaultProperties = {
keyName = "string"
keyVaultUri = "string"
keyVersion = "string"
}
}
}
}
enhancedSecurityCompliance = {
automaticClusterUpdate = {
value = "string"
}
complianceSecurityProfile = {
complianceStandards = [
"string"
]
value = "string"
}
enhancedSecurityMonitoring = {
value = "string"
}
}
managedDiskIdentity = {
}
managedResourceGroupId = "string"
parameters = {
amlWorkspaceId = {
value = "string"
}
customPrivateSubnetName = {
value = "string"
}
customPublicSubnetName = {
value = "string"
}
customVirtualNetworkId = {
value = "string"
}
enableNoPublicIp = {
value = bool
}
encryption = {
value = {
KeyName = "string"
keySource = "string"
keyvaulturi = "string"
keyversion = "string"
}
}
loadBalancerBackendPoolName = {
value = "string"
}
loadBalancerId = {
value = "string"
}
natGatewayName = {
value = "string"
}
prepareEncryption = {
value = bool
}
publicIpName = {
value = "string"
}
requireInfrastructureEncryption = {
value = bool
}
storageAccountName = {
value = "string"
}
storageAccountSkuName = {
value = "string"
}
vnetAddressPrefix = {
value = "string"
}
}
publicNetworkAccess = "string"
requiredNsgRules = "string"
storageAccountIdentity = {
}
uiDefinitionUri = "string"
updatedBy = {
}
}
})
}
Property values
AutomaticClusterUpdateDefinition
Name | Description | Value |
---|---|---|
value | 'Disabled' 'Enabled' |
ComplianceSecurityProfileDefinition
Name | Description | Value |
---|---|---|
complianceStandards | Compliance standards associated with the workspace. | String array containing any of: 'CYBER_ESSENTIAL_PLUS' 'HIPAA' 'NONE' 'PCI_DSS' |
value | 'Disabled' 'Enabled' |
CreatedBy
Name | Description | Value |
---|
DefaultCatalogProperties
Name | Description | Value |
---|---|---|
initialName | Specifies the initial Name of default catalog. If not specified, the name of the workspace will be used. | string |
initialType | Defines the initial type of the default catalog. Possible values (case-insensitive): HiveMetastore, UnityCatalog | 'HiveMetastore' 'UnityCatalog' |
Encryption
Name | Description | Value |
---|---|---|
KeyName | The name of KeyVault key. | string |
keySource | The encryption keySource (provider). Possible values (case-insensitive): Default, Microsoft.Keyvault | 'Default' 'Microsoft.Keyvault' |
keyvaulturi | The Uri of KeyVault. | string |
keyversion | The version of KeyVault key. | string |
EncryptionEntitiesDefinition
Name | Description | Value |
---|---|---|
managedDisk | Encryption properties for the databricks managed disks. | ManagedDiskEncryption |
managedServices | Encryption properties for the databricks managed services. | EncryptionV2 |
EncryptionV2
Name | Description | Value |
---|---|---|
keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
keyVaultProperties | Key Vault input properties for encryption. | EncryptionV2KeyVaultProperties |
EncryptionV2KeyVaultProperties
Name | Description | Value |
---|---|---|
keyName | The name of KeyVault key. | string (required) |
keyVaultUri | The Uri of KeyVault. | string (required) |
keyVersion | The version of KeyVault key. | string (required) |
EnhancedSecurityComplianceDefinition
Name | Description | Value |
---|---|---|
automaticClusterUpdate | Status of automated cluster updates feature. | AutomaticClusterUpdateDefinition |
complianceSecurityProfile | Status of Compliance Security Profile feature. | ComplianceSecurityProfileDefinition |
enhancedSecurityMonitoring | Status of Enhanced Security Monitoring feature. | EnhancedSecurityMonitoringDefinition |
EnhancedSecurityMonitoringDefinition
Name | Description | Value |
---|---|---|
value | 'Disabled' 'Enabled' |
ManagedDiskEncryption
Name | Description | Value |
---|---|---|
keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
keyVaultProperties | Key Vault input properties for encryption. | ManagedDiskEncryptionKeyVaultProperties (required) |
rotationToLatestKeyVersionEnabled | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. | bool |
ManagedDiskEncryptionKeyVaultProperties
Name | Description | Value |
---|---|---|
keyName | The name of KeyVault key. | string (required) |
keyVaultUri | The URI of KeyVault. | string (required) |
keyVersion | The version of KeyVault key. | string (required) |
ManagedIdentityConfiguration
Name | Description | Value |
---|
Microsoft.Databricks/workspaces
Name | Description | Value |
---|---|---|
location | The geo-location where the resource lives | string (required) |
name | The resource name | string Constraints: Min length = 3 Max length = 64 (required) |
properties | The workspace properties. | WorkspaceProperties (required) |
sku | The SKU of the resource. | Sku |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Databricks/workspaces@2024-09-01-preview" |
Sku
Name | Description | Value |
---|---|---|
name | The SKU name. | string (required) |
tier | The SKU tier. | string |
TrackedResourceTags
Name | Description | Value |
---|
WorkspaceCustomBooleanParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | bool (required) |
WorkspaceCustomParameters
Name | Description | Value |
---|---|---|
amlWorkspaceId | The ID of a Azure Machine Learning workspace to link with Databricks workspace | WorkspaceCustomStringParameter |
customPrivateSubnetName | The name of the Private Subnet within the Virtual Network | WorkspaceCustomStringParameter |
customPublicSubnetName | The name of a Public Subnet within the Virtual Network | WorkspaceCustomStringParameter |
customVirtualNetworkId | The ID of a Virtual Network where this Databricks Cluster should be created | WorkspaceCustomStringParameter |
enableNoPublicIp | Boolean indicating whether the public IP should be disabled. Default value is true | WorkspaceNoPublicIPBooleanParameter |
encryption | Contains the encryption details for Customer-Managed Key (CMK) enabled workspace. | WorkspaceEncryptionParameter |
loadBalancerBackendPoolName | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). | WorkspaceCustomStringParameter |
loadBalancerId | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. | WorkspaceCustomStringParameter |
natGatewayName | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. | WorkspaceCustomStringParameter |
prepareEncryption | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. | WorkspaceCustomBooleanParameter |
publicIpName | Name of the Public IP for No Public IP workspace with managed vNet. | WorkspaceCustomStringParameter |
requireInfrastructureEncryption | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. | WorkspaceCustomBooleanParameter |
storageAccountName | Default DBFS storage account name. | WorkspaceCustomStringParameter |
storageAccountSkuName | Storage account SKU name, ex: Standard_GRS, Standard_LRS. Refer https://aka.ms/storageskus for valid inputs. | WorkspaceCustomStringParameter |
vnetAddressPrefix | Address prefix for Managed virtual network. Default value for this input is 10.139. | WorkspaceCustomStringParameter |
WorkspaceCustomStringParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | string (required) |
WorkspaceEncryptionParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | Encryption |
WorkspaceNoPublicIPBooleanParameter
Name | Description | Value |
---|---|---|
value | The value which should be used for this field. | bool (required) |
WorkspaceProperties
Name | Description | Value |
---|---|---|
accessConnector | Access Connector Resource that is going to be associated with Databricks Workspace | WorkspacePropertiesAccessConnector |
authorizations | The workspace provider authorizations. | WorkspaceProviderAuthorization[] |
createdBy | Indicates the Object ID, PUID and Application ID of entity that created the workspace. | CreatedBy |
defaultCatalog | Properties for Default Catalog configuration during workspace creation. | DefaultCatalogProperties |
defaultStorageFirewall | Gets or Sets Default Storage Firewall configuration information | 'Disabled' 'Enabled' |
encryption | Encryption properties for databricks workspace | WorkspacePropertiesEncryption |
enhancedSecurityCompliance | Contains settings related to the Enhanced Security and Compliance Add-On. | EnhancedSecurityComplianceDefinition |
managedDiskIdentity | The details of Managed Identity of Disk Encryption Set used for Managed Disk Encryption | ManagedIdentityConfiguration |
managedResourceGroupId | The managed resource group Id. | string (required) |
parameters | The workspace's custom parameters. | WorkspaceCustomParameters |
publicNetworkAccess | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. | 'Disabled' 'Enabled' |
requiredNsgRules | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. Supported values are 'AllRules' and 'NoAzureDatabricksRules'. 'NoAzureServiceRules' value is for internal use only. | 'AllRules' 'NoAzureDatabricksRules' 'NoAzureServiceRules' |
storageAccountIdentity | The details of Managed Identity of Storage Account | ManagedIdentityConfiguration |
uiDefinitionUri | The blob URI where the UI definition file is located. | string |
updatedBy | Indicates the Object ID, PUID and Application ID of entity that last updated the workspace. | CreatedBy |
WorkspacePropertiesAccessConnector
Name | Description | Value |
---|---|---|
id | The resource ID of Azure Databricks Access Connector Resource. | string (required) |
identityType | The identity type of the Access Connector Resource. | 'SystemAssigned' 'UserAssigned' (required) |
userAssignedIdentityId | The resource ID of the User Assigned Identity associated with the Access Connector Resource. This is required for type 'UserAssigned' and not valid for type 'SystemAssigned'. | string |
WorkspacePropertiesEncryption
Name | Description | Value |
---|---|---|
entities | Encryption entities definition for the workspace. | EncryptionEntitiesDefinition (required) |
WorkspaceProviderAuthorization
Name | Description | Value |
---|---|---|
principalId | The provider's principal identifier. This is the identity that the provider will use to call ARM to manage the workspace resources. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
roleDefinitionId | The provider's role definition identifier. This role will define all the permissions that the provider must have on the workspace's container resource group. This role definition cannot have permission to delete the resource group. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |