Alex

Reputation: 1

Error deploying Azure Synapse on private network with Terraform

I am deploying Synapse with Terraform and I get an error whenever I want to deploy the Synapse resource, both through Terraform and through the Azure portal.

I am deploying to a private resource group where I have been allowed to deploy resources with internet access. Due to security regulations, the company has a policy that resources cannot be created with access to the Internet.

This tag: "managed_resource_group_name - (Optional) Workspace managed resource group. Changing this forces a new resource to be created." https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace

Is there a way to prevent Azure from automatically creating this management resource group? I can't deploy it because the Azure Policy directive that I can't point to the internet skips.

I have tried to put the same name as the resource group with the exemption or comment option but it is not possible, it creates the resource group automatically with a random name.

Thanks

What I am hoping is to find a way to create Synapse without having to create a management resource pool, or else place it in the same resource pool where I am allowed to deploy resources with internet access.

Upvotes: 0

Views: 239

Answers (1)

Jahnavi

Reputation: 7923

Find a way to create Synapse without having to create a management resource pool:

A Synapse resource cannot be deployed without creating a management resource group.

When you create a Synapse workspace, the management resource group is automatically created; it is used to control the multiple resources associated with the Synapse workspace.

Try using Azure Private Link to make the Synapse workspace available discreetly over a private network connection rather than the internet.

Or you can try configuring the Synapse workspace's networking to be integrated with your organization's virtual network, so that it will control the communication between the Azure services.

You can deploy a Synapse workspace into a specific resource group using the resource_group_name argument, as given in the doc.

I tried deploying a sample template taken from the registry, and it was deployed successfully in a specific accessible resource group, as shown.

provider "azurerm" {
  features {}
}

# Existing resource group that the workspace is deployed into
data "azurerm_resource_group" "example" {
  name = "caroline"
}

# ADLS Gen2 storage account backing the workspace
resource "azurerm_storage_account" "example" {
  name                     = "jaanustorageacc"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = true # hierarchical namespace, required for Data Lake Gen2
}

resource "azurerm_storage_data_lake_gen2_filesystem" "example" {
  name               = "xxxx"
  storage_account_id = azurerm_storage_account.example.id
}

resource "azurerm_synapse_workspace" "example" {
  name                                 = "jaanuexample"
  resource_group_name                  = data.azurerm_resource_group.example.name
  location                             = data.azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "admin"
  sql_administrator_login_password     = "xxx"
  identity {
    type = "SystemAssigned"
  }
}

Deployment succeeded:


Note: You need to work with your organization's Azure administrators, and it is essential if you have special limits or requirements connected to your organization's security policy.

Upvotes: 0
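
The options named in the answer (a specific resource group, a managed virtual network, no public network access, and a Private Link endpoint) combined in one configuration. This is an added example, not code from the question or the answer; every resource name, variable and the managed resource group name is a placeholder assumption. Azure still creates the managed resource group, so the fixed name is only there to give the policy administrators a known scope to review or exempt.

```hcl
provider "azurerm" {
  features {}
}

# Assumed inputs (not from the original post)
variable "resource_group_name" { type = string } # group you are allowed to deploy into
variable "filesystem_id" { type = string }       # existing Data Lake Gen2 filesystem ID
variable "subnet_id" { type = string }           # subnet that hosts the private endpoint
variable "sql_admin_password" {
  type      = string
  sensitive = true # keep the password out of plan output
}

data "azurerm_resource_group" "target" {
  name = var.resource_group_name
}

resource "azurerm_synapse_workspace" "private" {
  name                                 = "example-synapse-ws" # placeholder
  resource_group_name                  = data.azurerm_resource_group.target.name
  location                             = data.azurerm_resource_group.target.location
  storage_data_lake_gen2_filesystem_id = var.filesystem_id
  sql_administrator_login              = "sqladminuser" # placeholder
  sql_administrator_login_password     = var.sql_admin_password

  # Created by Azure, but with a predictable name instead of a random one
  managed_resource_group_name = "example-synapse-managed-rg" # placeholder

  managed_virtual_network_enabled = true  # workspace runs in a managed VNet
  public_network_access_enabled   = false # no public endpoint access

  identity {
    type = "SystemAssigned"
  }
}

# Private Link endpoint for the dedicated SQL sub-resource of the workspace
resource "azurerm_private_endpoint" "synapse_sql" {
  name                = "example-synapse-sql-pe" # placeholder
  resource_group_name = data.azurerm_resource_group.target.name
  location            = data.azurerm_resource_group.target.location
  subnet_id           = var.subnet_id

  private_service_connection {
    name                           = "example-synapse-sql-psc" # placeholder
    private_connection_resource_id = azurerm_synapse_workspace.private.id
    subresource_names              = ["Sql"]
    is_manual_connection           = false
  }
}
```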
