Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Bicep resource definition
The workspaces resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Databricks/workspaces resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Databricks/workspaces@2025-10-01-preview' = {
scope: resourceSymbolicName or scope
location: 'string'
name: 'string'
properties: {
accessConnector: {
id: 'string'
identityType: 'string'
userAssignedIdentityId: 'string'
}
authorizations: [
{
principalId: 'string'
roleDefinitionId: 'string'
}
]
computeMode: 'string'
createdBy: {}
defaultCatalog: {
initialName: 'string'
initialType: 'string'
}
defaultStorageFirewall: 'string'
encryption: {
entities: {
managedDisk: {
keySource: 'string'
keyVaultProperties: {
keyName: 'string'
keyVaultUri: 'string'
keyVersion: 'string'
}
rotationToLatestKeyVersionEnabled: bool
}
managedServices: {
keySource: 'string'
keyVaultProperties: {
keyName: 'string'
keyVaultUri: 'string'
keyVersion: 'string'
}
}
}
}
enhancedSecurityCompliance: {
automaticClusterUpdate: {
value: 'string'
}
complianceSecurityProfile: {
complianceStandards: [
'string'
]
value: 'string'
}
enhancedSecurityMonitoring: {
value: 'string'
}
}
managedDiskIdentity: {}
managedResourceGroupId: 'string'
parameters: {
amlWorkspaceId: {
type: 'string'
value: 'string'
}
customPrivateSubnetName: {
type: 'string'
value: 'string'
}
customPublicSubnetName: {
type: 'string'
value: 'string'
}
customVirtualNetworkId: {
type: 'string'
value: 'string'
}
enableNoPublicIp: {
type: 'string'
value: bool
}
encryption: {
type: 'string'
value: {
KeyName: 'string'
keySource: 'string'
keyvaulturi: 'string'
keyversion: 'string'
}
}
loadBalancerBackendPoolName: {
type: 'string'
value: 'string'
}
loadBalancerId: {
type: 'string'
value: 'string'
}
natGatewayName: {
type: 'string'
value: 'string'
}
prepareEncryption: {
type: 'string'
value: bool
}
publicIpName: {
type: 'string'
value: 'string'
}
requireInfrastructureEncryption: {
type: 'string'
value: bool
}
storageAccountName: {
type: 'string'
value: 'string'
}
storageAccountSkuName: {
type: 'string'
value: 'string'
}
vnetAddressPrefix: {
type: 'string'
value: 'string'
}
}
publicNetworkAccess: 'string'
requiredNsgRules: 'string'
storageAccountIdentity: {}
uiDefinitionUri: 'string'
updatedBy: {}
}
sku: {
name: 'string'
tier: 'string'
}
tags: {
{customized property}: 'string'
}
}
Property Values
Microsoft.Databricks/workspaces
| Name | Description | Value |
|---|---|---|
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string Constraints: Min length = 3 Max length = 64 (required) |
| properties | The workspace properties. | WorkspaceProperties (required) |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
| sku | The SKU of the resource. | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
AutomaticClusterUpdateDefinition
| Name | Description | Value |
|---|---|---|
| value | 'Disabled' 'Enabled' |
ComplianceSecurityProfileDefinition
| Name | Description | Value |
|---|---|---|
| complianceStandards | Compliance standards associated with the workspace. | string[] |
| value | 'Disabled' 'Enabled' |
CreatedBy
| Name | Description | Value |
|---|
DefaultCatalogProperties
| Name | Description | Value |
|---|---|---|
| initialName | Specifies the initial Name of default catalog. If not specified, the name of the workspace will be used. | string |
| initialType | Defines the initial type of the default catalog. Possible values (case-insensitive): HiveMetastore, UnityCatalog | 'HiveMetastore' 'UnityCatalog' |
Encryption
| Name | Description | Value |
|---|---|---|
| KeyName | The name of KeyVault key. | string |
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Default, Microsoft.Keyvault | 'Default' 'Microsoft.Keyvault' |
| keyvaulturi | The Uri of KeyVault. | string |
| keyversion | The version of KeyVault key. | string |
EncryptionEntitiesDefinition
| Name | Description | Value |
|---|---|---|
| managedDisk | Encryption properties for the databricks managed disks. Not allowed in Serverless ComputeMode workspace. | ManagedDiskEncryption |
| managedServices | Encryption properties for the databricks managed services. Supported in both Serverless and Hybrid ComputeMode. | EncryptionV2 |
EncryptionV2
| Name | Description | Value |
|---|---|---|
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
| keyVaultProperties | Key Vault input properties for encryption. | EncryptionV2KeyVaultProperties |
EncryptionV2KeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyName | The name of KeyVault key. | string (required) |
| keyVaultUri | The Uri of KeyVault. | string (required) |
| keyVersion | The version of KeyVault key. | string (required) |
EnhancedSecurityComplianceDefinition
| Name | Description | Value |
|---|---|---|
| automaticClusterUpdate | Status of automated cluster updates feature. | AutomaticClusterUpdateDefinition |
| complianceSecurityProfile | Status of Compliance Security Profile feature. | ComplianceSecurityProfileDefinition |
| enhancedSecurityMonitoring | Status of Enhanced Security Monitoring feature. | EnhancedSecurityMonitoringDefinition |
EnhancedSecurityMonitoringDefinition
| Name | Description | Value |
|---|---|---|
| value | 'Disabled' 'Enabled' |
ManagedDiskEncryption
| Name | Description | Value |
|---|---|---|
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault. Not allowed in Serverless ComputeMode workspace. | 'Microsoft.Keyvault' (required) |
| keyVaultProperties | Key Vault input properties for encryption. | ManagedDiskEncryptionKeyVaultProperties (required) |
| rotationToLatestKeyVersionEnabled | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. | bool |
ManagedDiskEncryptionKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyName | The name of KeyVault key. | string (required) |
| keyVaultUri | The URI of KeyVault. | string (required) |
| keyVersion | The version of KeyVault key. | string (required) |
ManagedIdentityConfiguration
| Name | Description | Value |
|---|
Sku
| Name | Description | Value |
|---|---|---|
| name | The SKU name. | string (required) |
| tier | The SKU tier. | string |
TrackedResourceTags
| Name | Description | Value |
|---|
WorkspaceCustomBooleanParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | bool (required) |
WorkspaceCustomParameters
| Name | Description | Value |
|---|---|---|
| amlWorkspaceId | The ID of a Azure Machine Learning workspace to link with Databricks workspace. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customPrivateSubnetName | The name of the Private Subnet within the Virtual Network. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customPublicSubnetName | The name of a Public Subnet within the Virtual Network. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customVirtualNetworkId | The ID of a Virtual Network where this Databricks Cluster should be created. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| enableNoPublicIp | Boolean indicating whether the public IP should be disabled. Default value is true. Not allowed in Serverless ComputeMode workspace. | WorkspaceNoPublicIPBooleanParameter |
| encryption | Contains the encryption details for Customer-Managed Key (CMK) enabled workspace.Not allowed in Serverless ComputeMode workspace. | WorkspaceEncryptionParameter |
| loadBalancerBackendPoolName | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| loadBalancerId | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| natGatewayName | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| prepareEncryption | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomBooleanParameter |
| publicIpName | Name of the Public IP for No Public IP workspace with managed vNet. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| requireInfrastructureEncryption | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomBooleanParameter |
| storageAccountName | Default DBFS storage account name. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| storageAccountSkuName | Storage account SKU name, ex: Standard_GRS, Standard_LRS. Refer https://aka.ms/storageskus for valid inputs. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| vnetAddressPrefix | Address prefix for Managed virtual network. Default value for this input is 10.139. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
WorkspaceCustomStringParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | string (required) |
WorkspaceEncryptionParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | Encryption |
WorkspaceNoPublicIPBooleanParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | bool (required) |
WorkspaceProperties
| Name | Description | Value |
|---|---|---|
| accessConnector | Access Connector Resource that is going to be associated with Databricks Workspace. Not allowed in Serverless ComputeMode workspace. | WorkspacePropertiesAccessConnector |
| authorizations | The workspace provider authorizations. | WorkspaceProviderAuthorization[] |
| computeMode | The workspace compute mode. Required on create, cannot be changed. Possible values include: 'Serverless', 'Hybrid' | 'Hybrid' 'Serverless' (required) |
| createdBy | Indicates the Object ID, PUID and Application ID of entity that created the workspace. | CreatedBy |
| defaultCatalog | Properties for Default Catalog configuration during workspace creation. Not allowed in Serverless ComputeMode workspace. | DefaultCatalogProperties |
| defaultStorageFirewall | Gets or Sets Default Storage Firewall configuration information. Not allowed in Serverless ComputeMode workspace. | 'Disabled' 'Enabled' |
| encryption | Encryption properties for databricks workspace. Supported in both Serverless and Hybrid ComputeMode workspace. | WorkspacePropertiesEncryption |
| enhancedSecurityCompliance | Contains settings related to the Enhanced Security and Compliance Add-On. Supported in both Serverless and Hybrid ComputeMode workspace. | EnhancedSecurityComplianceDefinition |
| managedDiskIdentity | The details of Managed Identity of Disk Encryption Set used for Managed Disk Encryption. Only returned in Hybrid ComputeMode workspace. | ManagedIdentityConfiguration |
| managedResourceGroupId | The managed resource group Id. Required in Hybrid ComputeMode workspace. Not allowed in Serverless ComputeMode workspace. | string |
| parameters | The workspace's custom parameters. | WorkspaceCustomParameters |
| publicNetworkAccess | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. Used to config frontend Only private link for Serverless ComputeMode workspace. | 'Disabled' 'Enabled' |
| requiredNsgRules | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. Supported values are 'AllRules' and 'NoAzureDatabricksRules'. 'NoAzureServiceRules' value is for internal use only. Not allowed in Serverless ComputeMode workspace. | 'AllRules' 'NoAzureDatabricksRules' 'NoAzureServiceRules' |
| storageAccountIdentity | The details of Managed Identity of Storage Account. Only returned in Hybrid ComputeMode workspace. | ManagedIdentityConfiguration |
| uiDefinitionUri | The blob URI where the UI definition file is located. | string |
| updatedBy | Indicates the Object ID, PUID and Application ID of entity that last updated the workspace. | CreatedBy |
WorkspacePropertiesAccessConnector
| Name | Description | Value |
|---|---|---|
| id | The resource ID of Azure Databricks Access Connector Resource. | string (required) |
| identityType | The identity type of the Access Connector Resource. | 'SystemAssigned' 'UserAssigned' (required) |
| userAssignedIdentityId | The resource ID of the User Assigned Identity associated with the Access Connector Resource. This is required for type 'UserAssigned' and not valid for type 'SystemAssigned'. | string |
WorkspacePropertiesEncryption
| Name | Description | Value |
|---|---|---|
| entities | Encryption entities definition for the workspace. | EncryptionEntitiesDefinition (required) |
WorkspaceProviderAuthorization
| Name | Description | Value |
|---|---|---|
| principalId | The provider's principal identifier. This is the identity that the provider will use to call ARM to manage the workspace resources. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| roleDefinitionId | The provider's role definition identifier. This role will define all the permissions that the provider must have on the workspace's container resource group. This role definition cannot have permission to delete the resource group. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Azure Databricks Workspace | AVM Resource Module for Azure Databricks Workspace |
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Azure Databricks All-in-one Templat VNetInjection-Pvtendpt | This template allows you to create a network security group, a virtual network and an Azure Databricks workspace with the virtual network, and Private Endpoint. |
| Azure Databricks Workspace with custom Address Range | This template allows you to create an Azure Databricks workspace with a custom virtual network address range. |
| Azure Databricks Workspace with VNet Injection | This template allows you to create an Azure Databricks workspace with a custom virtual network. |
| AzureDatabricks Template for Default Storage Firewall | This template allows you to create a network security group, a virtual network, private endpoint, and a default storage firewall enabled Azure Databricks workspace with the virtual network and the system-assigned access connector. |
| AzureDatabricks Template for VNet Injection with NAT Gateway | This template allows you to create a NAT gateway, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
| AzureDatabricks Template for VNetInjection and Load Balancer | This template allows you to create a a load balancer, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
| Deploy an Azure Databricks Workspace | This template allows you to create an Azure Databricks workspace. |
| Deploy an Azure Databricks Workspace with all 3 forms of CMK | This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
| Deploy an Azure Databricks Workspace with Managed Disks CMK | This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
| Deploy an Azure Databricks WS with CMK for DBFS encryption | This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
| Deploy Azure Databricks Workspace with Managed Services CMK | This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
| Deploy the Sports Analytics on Azure Architecture | Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
ARM template resource definition
The workspaces resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Databricks/workspaces resource, add the following JSON to your template.
{
"type": "Microsoft.Databricks/workspaces",
"apiVersion": "2025-10-01-preview",
"name": "string",
"location": "string",
"properties": {
"accessConnector": {
"id": "string",
"identityType": "string",
"userAssignedIdentityId": "string"
},
"authorizations": [
{
"principalId": "string",
"roleDefinitionId": "string"
}
],
"computeMode": "string",
"createdBy": {
},
"defaultCatalog": {
"initialName": "string",
"initialType": "string"
},
"defaultStorageFirewall": "string",
"encryption": {
"entities": {
"managedDisk": {
"keySource": "string",
"keyVaultProperties": {
"keyName": "string",
"keyVaultUri": "string",
"keyVersion": "string"
},
"rotationToLatestKeyVersionEnabled": "bool"
},
"managedServices": {
"keySource": "string",
"keyVaultProperties": {
"keyName": "string",
"keyVaultUri": "string",
"keyVersion": "string"
}
}
}
},
"enhancedSecurityCompliance": {
"automaticClusterUpdate": {
"value": "string"
},
"complianceSecurityProfile": {
"complianceStandards": [ "string" ],
"value": "string"
},
"enhancedSecurityMonitoring": {
"value": "string"
}
},
"managedDiskIdentity": {
},
"managedResourceGroupId": "string",
"parameters": {
"amlWorkspaceId": {
"type": "string",
"value": "string"
},
"customPrivateSubnetName": {
"type": "string",
"value": "string"
},
"customPublicSubnetName": {
"type": "string",
"value": "string"
},
"customVirtualNetworkId": {
"type": "string",
"value": "string"
},
"enableNoPublicIp": {
"type": "string",
"value": "bool"
},
"encryption": {
"type": "string",
"value": {
"KeyName": "string",
"keySource": "string",
"keyvaulturi": "string",
"keyversion": "string"
}
},
"loadBalancerBackendPoolName": {
"type": "string",
"value": "string"
},
"loadBalancerId": {
"type": "string",
"value": "string"
},
"natGatewayName": {
"type": "string",
"value": "string"
},
"prepareEncryption": {
"type": "string",
"value": "bool"
},
"publicIpName": {
"type": "string",
"value": "string"
},
"requireInfrastructureEncryption": {
"type": "string",
"value": "bool"
},
"storageAccountName": {
"type": "string",
"value": "string"
},
"storageAccountSkuName": {
"type": "string",
"value": "string"
},
"vnetAddressPrefix": {
"type": "string",
"value": "string"
}
},
"publicNetworkAccess": "string",
"requiredNsgRules": "string",
"storageAccountIdentity": {
},
"uiDefinitionUri": "string",
"updatedBy": {
}
},
"sku": {
"name": "string",
"tier": "string"
},
"tags": {
"{customized property}": "string"
}
}
Property Values
Microsoft.Databricks/workspaces
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2025-10-01-preview' |
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string Constraints: Min length = 3 Max length = 64 (required) |
| properties | The workspace properties. | WorkspaceProperties (required) |
| sku | The SKU of the resource. | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Databricks/workspaces' |
AutomaticClusterUpdateDefinition
| Name | Description | Value |
|---|---|---|
| value | 'Disabled' 'Enabled' |
ComplianceSecurityProfileDefinition
| Name | Description | Value |
|---|---|---|
| complianceStandards | Compliance standards associated with the workspace. | string[] |
| value | 'Disabled' 'Enabled' |
CreatedBy
| Name | Description | Value |
|---|
DefaultCatalogProperties
| Name | Description | Value |
|---|---|---|
| initialName | Specifies the initial Name of default catalog. If not specified, the name of the workspace will be used. | string |
| initialType | Defines the initial type of the default catalog. Possible values (case-insensitive): HiveMetastore, UnityCatalog | 'HiveMetastore' 'UnityCatalog' |
Encryption
| Name | Description | Value |
|---|---|---|
| KeyName | The name of KeyVault key. | string |
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Default, Microsoft.Keyvault | 'Default' 'Microsoft.Keyvault' |
| keyvaulturi | The Uri of KeyVault. | string |
| keyversion | The version of KeyVault key. | string |
EncryptionEntitiesDefinition
| Name | Description | Value |
|---|---|---|
| managedDisk | Encryption properties for the databricks managed disks. Not allowed in Serverless ComputeMode workspace. | ManagedDiskEncryption |
| managedServices | Encryption properties for the databricks managed services. Supported in both Serverless and Hybrid ComputeMode. | EncryptionV2 |
EncryptionV2
| Name | Description | Value |
|---|---|---|
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
| keyVaultProperties | Key Vault input properties for encryption. | EncryptionV2KeyVaultProperties |
EncryptionV2KeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyName | The name of KeyVault key. | string (required) |
| keyVaultUri | The Uri of KeyVault. | string (required) |
| keyVersion | The version of KeyVault key. | string (required) |
EnhancedSecurityComplianceDefinition
| Name | Description | Value |
|---|---|---|
| automaticClusterUpdate | Status of automated cluster updates feature. | AutomaticClusterUpdateDefinition |
| complianceSecurityProfile | Status of Compliance Security Profile feature. | ComplianceSecurityProfileDefinition |
| enhancedSecurityMonitoring | Status of Enhanced Security Monitoring feature. | EnhancedSecurityMonitoringDefinition |
EnhancedSecurityMonitoringDefinition
| Name | Description | Value |
|---|---|---|
| value | 'Disabled' 'Enabled' |
ManagedDiskEncryption
| Name | Description | Value |
|---|---|---|
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault. Not allowed in Serverless ComputeMode workspace. | 'Microsoft.Keyvault' (required) |
| keyVaultProperties | Key Vault input properties for encryption. | ManagedDiskEncryptionKeyVaultProperties (required) |
| rotationToLatestKeyVersionEnabled | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. | bool |
ManagedDiskEncryptionKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyName | The name of KeyVault key. | string (required) |
| keyVaultUri | The URI of KeyVault. | string (required) |
| keyVersion | The version of KeyVault key. | string (required) |
ManagedIdentityConfiguration
| Name | Description | Value |
|---|
Sku
| Name | Description | Value |
|---|---|---|
| name | The SKU name. | string (required) |
| tier | The SKU tier. | string |
TrackedResourceTags
| Name | Description | Value |
|---|
WorkspaceCustomBooleanParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | bool (required) |
WorkspaceCustomParameters
| Name | Description | Value |
|---|---|---|
| amlWorkspaceId | The ID of a Azure Machine Learning workspace to link with Databricks workspace. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customPrivateSubnetName | The name of the Private Subnet within the Virtual Network. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customPublicSubnetName | The name of a Public Subnet within the Virtual Network. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customVirtualNetworkId | The ID of a Virtual Network where this Databricks Cluster should be created. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| enableNoPublicIp | Boolean indicating whether the public IP should be disabled. Default value is true. Not allowed in Serverless ComputeMode workspace. | WorkspaceNoPublicIPBooleanParameter |
| encryption | Contains the encryption details for Customer-Managed Key (CMK) enabled workspace.Not allowed in Serverless ComputeMode workspace. | WorkspaceEncryptionParameter |
| loadBalancerBackendPoolName | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| loadBalancerId | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| natGatewayName | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| prepareEncryption | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomBooleanParameter |
| publicIpName | Name of the Public IP for No Public IP workspace with managed vNet. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| requireInfrastructureEncryption | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomBooleanParameter |
| storageAccountName | Default DBFS storage account name. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| storageAccountSkuName | Storage account SKU name, ex: Standard_GRS, Standard_LRS. Refer https://aka.ms/storageskus for valid inputs. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| vnetAddressPrefix | Address prefix for Managed virtual network. Default value for this input is 10.139. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
WorkspaceCustomStringParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | string (required) |
WorkspaceEncryptionParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | Encryption |
WorkspaceNoPublicIPBooleanParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | bool (required) |
WorkspaceProperties
| Name | Description | Value |
|---|---|---|
| accessConnector | Access Connector Resource that is going to be associated with Databricks Workspace. Not allowed in Serverless ComputeMode workspace. | WorkspacePropertiesAccessConnector |
| authorizations | The workspace provider authorizations. | WorkspaceProviderAuthorization[] |
| computeMode | The workspace compute mode. Required on create, cannot be changed. Possible values include: 'Serverless', 'Hybrid' | 'Hybrid' 'Serverless' (required) |
| createdBy | Indicates the Object ID, PUID and Application ID of entity that created the workspace. | CreatedBy |
| defaultCatalog | Properties for Default Catalog configuration during workspace creation. Not allowed in Serverless ComputeMode workspace. | DefaultCatalogProperties |
| defaultStorageFirewall | Gets or Sets Default Storage Firewall configuration information. Not allowed in Serverless ComputeMode workspace. | 'Disabled' 'Enabled' |
| encryption | Encryption properties for databricks workspace. Supported in both Serverless and Hybrid ComputeMode workspace. | WorkspacePropertiesEncryption |
| enhancedSecurityCompliance | Contains settings related to the Enhanced Security and Compliance Add-On. Supported in both Serverless and Hybrid ComputeMode workspace. | EnhancedSecurityComplianceDefinition |
| managedDiskIdentity | The details of Managed Identity of Disk Encryption Set used for Managed Disk Encryption. Only returned in Hybrid ComputeMode workspace. | ManagedIdentityConfiguration |
| managedResourceGroupId | The managed resource group Id. Required in Hybrid ComputeMode workspace. Not allowed in Serverless ComputeMode workspace. | string |
| parameters | The workspace's custom parameters. | WorkspaceCustomParameters |
| publicNetworkAccess | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. Used to config frontend Only private link for Serverless ComputeMode workspace. | 'Disabled' 'Enabled' |
| requiredNsgRules | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. Supported values are 'AllRules' and 'NoAzureDatabricksRules'. 'NoAzureServiceRules' value is for internal use only. Not allowed in Serverless ComputeMode workspace. | 'AllRules' 'NoAzureDatabricksRules' 'NoAzureServiceRules' |
| storageAccountIdentity | The details of Managed Identity of Storage Account. Only returned in Hybrid ComputeMode workspace. | ManagedIdentityConfiguration |
| uiDefinitionUri | The blob URI where the UI definition file is located. | string |
| updatedBy | Indicates the Object ID, PUID and Application ID of entity that last updated the workspace. | CreatedBy |
WorkspacePropertiesAccessConnector
| Name | Description | Value |
|---|---|---|
| id | The resource ID of Azure Databricks Access Connector Resource. | string (required) |
| identityType | The identity type of the Access Connector Resource. | 'SystemAssigned' 'UserAssigned' (required) |
| userAssignedIdentityId | The resource ID of the User Assigned Identity associated with the Access Connector Resource. This is required for type 'UserAssigned' and not valid for type 'SystemAssigned'. | string |
WorkspacePropertiesEncryption
| Name | Description | Value |
|---|---|---|
| entities | Encryption entities definition for the workspace. | EncryptionEntitiesDefinition (required) |
WorkspaceProviderAuthorization
| Name | Description | Value |
|---|---|---|
| principalId | The provider's principal identifier. This is the identity that the provider will use to call ARM to manage the workspace resources. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| roleDefinitionId | The provider's role definition identifier. This role will define all the permissions that the provider must have on the workspace's container resource group. This role definition cannot have permission to delete the resource group. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Azure Databricks All-in-one Templat VNetInjection-Pvtendpt |
This template allows you to create a network security group, a virtual network and an Azure Databricks workspace with the virtual network, and Private Endpoint. |
| Azure Databricks Workspace with custom Address Range |
This template allows you to create an Azure Databricks workspace with a custom virtual network address range. |
| Azure Databricks Workspace with VNet Injection |
This template allows you to create an Azure Databricks workspace with a custom virtual network. |
| AzureDatabricks Template for Default Storage Firewall |
This template allows you to create a network security group, a virtual network, private endpoint, and a default storage firewall enabled Azure Databricks workspace with the virtual network and the system-assigned access connector. |
| AzureDatabricks Template for VNet Injection with NAT Gateway |
This template allows you to create a NAT gateway, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
| AzureDatabricks Template for VNetInjection and Load Balancer |
This template allows you to create a a load balancer, network security group, a virtual network and an Azure Databricks workspace with the virtual network. |
| AzureDatabricks Template with Default Storage Firewall |
This template allows you to create an Default Storage Firewall enabled Azure Databricks workspace with Privateendpoint, all three forms of CMK, and User-Assigned Access Connector. |
| Deploy an Azure Databricks Workspace |
This template allows you to create an Azure Databricks workspace. |
| Deploy an Azure Databricks Workspace with all 3 forms of CMK |
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
| Deploy an Azure Databricks Workspace with Managed Disks CMK |
This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
| Deploy an Azure Databricks Workspace with PE,CMK all forms |
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption. |
| Deploy an Azure Databricks WS with CMK for DBFS encryption |
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
| Deploy Azure Databricks Workspace with Managed Services CMK |
This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
| Deploy the Sports Analytics on Azure Architecture |
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
Terraform (AzAPI provider) resource definition
The workspaces resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Databricks/workspaces resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Databricks/workspaces@2025-10-01-preview"
name = "string"
parent_id = "string"
location = "string"
tags = {
{customized property} = "string"
}
body = {
properties = {
accessConnector = {
id = "string"
identityType = "string"
userAssignedIdentityId = "string"
}
authorizations = [
{
principalId = "string"
roleDefinitionId = "string"
}
]
computeMode = "string"
createdBy = {
}
defaultCatalog = {
initialName = "string"
initialType = "string"
}
defaultStorageFirewall = "string"
encryption = {
entities = {
managedDisk = {
keySource = "string"
keyVaultProperties = {
keyName = "string"
keyVaultUri = "string"
keyVersion = "string"
}
rotationToLatestKeyVersionEnabled = bool
}
managedServices = {
keySource = "string"
keyVaultProperties = {
keyName = "string"
keyVaultUri = "string"
keyVersion = "string"
}
}
}
}
enhancedSecurityCompliance = {
automaticClusterUpdate = {
value = "string"
}
complianceSecurityProfile = {
complianceStandards = [
"string"
]
value = "string"
}
enhancedSecurityMonitoring = {
value = "string"
}
}
managedDiskIdentity = {
}
managedResourceGroupId = "string"
parameters = {
amlWorkspaceId = {
type = "string"
value = "string"
}
customPrivateSubnetName = {
type = "string"
value = "string"
}
customPublicSubnetName = {
type = "string"
value = "string"
}
customVirtualNetworkId = {
type = "string"
value = "string"
}
enableNoPublicIp = {
type = "string"
value = bool
}
encryption = {
type = "string"
value = {
KeyName = "string"
keySource = "string"
keyvaulturi = "string"
keyversion = "string"
}
}
loadBalancerBackendPoolName = {
type = "string"
value = "string"
}
loadBalancerId = {
type = "string"
value = "string"
}
natGatewayName = {
type = "string"
value = "string"
}
prepareEncryption = {
type = "string"
value = bool
}
publicIpName = {
type = "string"
value = "string"
}
requireInfrastructureEncryption = {
type = "string"
value = bool
}
storageAccountName = {
type = "string"
value = "string"
}
storageAccountSkuName = {
type = "string"
value = "string"
}
vnetAddressPrefix = {
type = "string"
value = "string"
}
}
publicNetworkAccess = "string"
requiredNsgRules = "string"
storageAccountIdentity = {
}
uiDefinitionUri = "string"
updatedBy = {
}
}
sku = {
name = "string"
tier = "string"
}
}
}
Property Values
Microsoft.Databricks/workspaces
| Name | Description | Value |
|---|---|---|
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string Constraints: Min length = 3 Max length = 64 (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | The workspace properties. | WorkspaceProperties (required) |
| sku | The SKU of the resource. | Sku |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Databricks/workspaces@2025-10-01-preview" |
AutomaticClusterUpdateDefinition
| Name | Description | Value |
|---|---|---|
| value | 'Disabled' 'Enabled' |
ComplianceSecurityProfileDefinition
| Name | Description | Value |
|---|---|---|
| complianceStandards | Compliance standards associated with the workspace. | string[] |
| value | 'Disabled' 'Enabled' |
CreatedBy
| Name | Description | Value |
|---|
DefaultCatalogProperties
| Name | Description | Value |
|---|---|---|
| initialName | Specifies the initial Name of default catalog. If not specified, the name of the workspace will be used. | string |
| initialType | Defines the initial type of the default catalog. Possible values (case-insensitive): HiveMetastore, UnityCatalog | 'HiveMetastore' 'UnityCatalog' |
Encryption
| Name | Description | Value |
|---|---|---|
| KeyName | The name of KeyVault key. | string |
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Default, Microsoft.Keyvault | 'Default' 'Microsoft.Keyvault' |
| keyvaulturi | The Uri of KeyVault. | string |
| keyversion | The version of KeyVault key. | string |
EncryptionEntitiesDefinition
| Name | Description | Value |
|---|---|---|
| managedDisk | Encryption properties for the databricks managed disks. Not allowed in Serverless ComputeMode workspace. | ManagedDiskEncryption |
| managedServices | Encryption properties for the databricks managed services. Supported in both Serverless and Hybrid ComputeMode. | EncryptionV2 |
EncryptionV2
| Name | Description | Value |
|---|---|---|
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault | 'Microsoft.Keyvault' (required) |
| keyVaultProperties | Key Vault input properties for encryption. | EncryptionV2KeyVaultProperties |
EncryptionV2KeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyName | The name of KeyVault key. | string (required) |
| keyVaultUri | The Uri of KeyVault. | string (required) |
| keyVersion | The version of KeyVault key. | string (required) |
EnhancedSecurityComplianceDefinition
| Name | Description | Value |
|---|---|---|
| automaticClusterUpdate | Status of automated cluster updates feature. | AutomaticClusterUpdateDefinition |
| complianceSecurityProfile | Status of Compliance Security Profile feature. | ComplianceSecurityProfileDefinition |
| enhancedSecurityMonitoring | Status of Enhanced Security Monitoring feature. | EnhancedSecurityMonitoringDefinition |
EnhancedSecurityMonitoringDefinition
| Name | Description | Value |
|---|---|---|
| value | 'Disabled' 'Enabled' |
ManagedDiskEncryption
| Name | Description | Value |
|---|---|---|
| keySource | The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Keyvault. Not allowed in Serverless ComputeMode workspace. | 'Microsoft.Keyvault' (required) |
| keyVaultProperties | Key Vault input properties for encryption. | ManagedDiskEncryptionKeyVaultProperties (required) |
| rotationToLatestKeyVersionEnabled | Indicate whether the latest key version should be automatically used for Managed Disk Encryption. | bool |
ManagedDiskEncryptionKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyName | The name of KeyVault key. | string (required) |
| keyVaultUri | The URI of KeyVault. | string (required) |
| keyVersion | The version of KeyVault key. | string (required) |
ManagedIdentityConfiguration
| Name | Description | Value |
|---|
Sku
| Name | Description | Value |
|---|---|---|
| name | The SKU name. | string (required) |
| tier | The SKU tier. | string |
TrackedResourceTags
| Name | Description | Value |
|---|
WorkspaceCustomBooleanParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | bool (required) |
WorkspaceCustomParameters
| Name | Description | Value |
|---|---|---|
| amlWorkspaceId | The ID of a Azure Machine Learning workspace to link with Databricks workspace. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customPrivateSubnetName | The name of the Private Subnet within the Virtual Network. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customPublicSubnetName | The name of a Public Subnet within the Virtual Network. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| customVirtualNetworkId | The ID of a Virtual Network where this Databricks Cluster should be created. Required in Hybrid ComputeMode. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| enableNoPublicIp | Boolean indicating whether the public IP should be disabled. Default value is true. Not allowed in Serverless ComputeMode workspace. | WorkspaceNoPublicIPBooleanParameter |
| encryption | Contains the encryption details for Customer-Managed Key (CMK) enabled workspace.Not allowed in Serverless ComputeMode workspace. | WorkspaceEncryptionParameter |
| loadBalancerBackendPoolName | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| loadBalancerId | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| natGatewayName | Name of the NAT gateway for Secure Cluster Connectivity (No Public IP) workspace subnets. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| prepareEncryption | Prepare the workspace for encryption. Enables the Managed Identity for managed storage account. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomBooleanParameter |
| publicIpName | Name of the Public IP for No Public IP workspace with managed vNet. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| requireInfrastructureEncryption | A boolean indicating whether or not the DBFS root file system will be enabled with secondary layer of encryption with platform managed keys for data at rest. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomBooleanParameter |
| storageAccountName | Default DBFS storage account name. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| storageAccountSkuName | Storage account SKU name, ex: Standard_GRS, Standard_LRS. Refer https://aka.ms/storageskus for valid inputs. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
| vnetAddressPrefix | Address prefix for Managed virtual network. Default value for this input is 10.139. Not allowed in Serverless ComputeMode workspace. | WorkspaceCustomStringParameter |
WorkspaceCustomStringParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | string (required) |
WorkspaceEncryptionParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | Encryption |
WorkspaceNoPublicIPBooleanParameter
| Name | Description | Value |
|---|---|---|
| type | The type of variable that this is | 'Bool' 'Object' 'String' |
| value | The value which should be used for this field. | bool (required) |
WorkspaceProperties
| Name | Description | Value |
|---|---|---|
| accessConnector | Access Connector Resource that is going to be associated with Databricks Workspace. Not allowed in Serverless ComputeMode workspace. | WorkspacePropertiesAccessConnector |
| authorizations | The workspace provider authorizations. | WorkspaceProviderAuthorization[] |
| computeMode | The workspace compute mode. Required on create, cannot be changed. Possible values include: 'Serverless', 'Hybrid' | 'Hybrid' 'Serverless' (required) |
| createdBy | Indicates the Object ID, PUID and Application ID of entity that created the workspace. | CreatedBy |
| defaultCatalog | Properties for Default Catalog configuration during workspace creation. Not allowed in Serverless ComputeMode workspace. | DefaultCatalogProperties |
| defaultStorageFirewall | Gets or Sets Default Storage Firewall configuration information. Not allowed in Serverless ComputeMode workspace. | 'Disabled' 'Enabled' |
| encryption | Encryption properties for databricks workspace. Supported in both Serverless and Hybrid ComputeMode workspace. | WorkspacePropertiesEncryption |
| enhancedSecurityCompliance | Contains settings related to the Enhanced Security and Compliance Add-On. Supported in both Serverless and Hybrid ComputeMode workspace. | EnhancedSecurityComplianceDefinition |
| managedDiskIdentity | The details of Managed Identity of Disk Encryption Set used for Managed Disk Encryption. Only returned in Hybrid ComputeMode workspace. | ManagedIdentityConfiguration |
| managedResourceGroupId | The managed resource group Id. Required in Hybrid ComputeMode workspace. Not allowed in Serverless ComputeMode workspace. | string |
| parameters | The workspace's custom parameters. | WorkspaceCustomParameters |
| publicNetworkAccess | The network access type for accessing workspace. Set value to disabled to access workspace only via private link. Used to config frontend Only private link for Serverless ComputeMode workspace. | 'Disabled' 'Enabled' |
| requiredNsgRules | Gets or sets a value indicating whether data plane (clusters) to control plane communication happen over private endpoint. Supported values are 'AllRules' and 'NoAzureDatabricksRules'. 'NoAzureServiceRules' value is for internal use only. Not allowed in Serverless ComputeMode workspace. | 'AllRules' 'NoAzureDatabricksRules' 'NoAzureServiceRules' |
| storageAccountIdentity | The details of Managed Identity of Storage Account. Only returned in Hybrid ComputeMode workspace. | ManagedIdentityConfiguration |
| uiDefinitionUri | The blob URI where the UI definition file is located. | string |
| updatedBy | Indicates the Object ID, PUID and Application ID of entity that last updated the workspace. | CreatedBy |
WorkspacePropertiesAccessConnector
| Name | Description | Value |
|---|---|---|
| id | The resource ID of Azure Databricks Access Connector Resource. | string (required) |
| identityType | The identity type of the Access Connector Resource. | 'SystemAssigned' 'UserAssigned' (required) |
| userAssignedIdentityId | The resource ID of the User Assigned Identity associated with the Access Connector Resource. This is required for type 'UserAssigned' and not valid for type 'SystemAssigned'. | string |
WorkspacePropertiesEncryption
| Name | Description | Value |
|---|---|---|
| entities | Encryption entities definition for the workspace. | EncryptionEntitiesDefinition (required) |
WorkspaceProviderAuthorization
| Name | Description | Value |
|---|---|---|
| principalId | The provider's principal identifier. This is the identity that the provider will use to call ARM to manage the workspace resources. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
| roleDefinitionId | The provider's role definition identifier. This role will define all the permissions that the provider must have on the workspace's container resource group. This role definition cannot have permission to delete the resource group. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Usage Examples
Terraform Samples
A basic example of deploying Databricks Workspace.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
}
}
provider "azapi" {
skip_provider_registration = false
}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "eastus2"
}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
data "azapi_resource_id" "workspace_resource_group" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
parent_id = azapi_resource.resourceGroup.parent_id
name = "databricks-rg-${var.resource_name}"
}
resource "azapi_resource" "workspace" {
type = "Microsoft.Databricks/workspaces@2023-02-01"
parent_id = azapi_resource.resourceGroup.id
name = var.resource_name
location = var.location
body = {
properties = {
managedResourceGroupId = data.azapi_resource_id.workspace_resource_group.id
parameters = {
prepareEncryption = {
value = true
}
requireInfrastructureEncryption = {
value = true
}
}
publicNetworkAccess = "Enabled"
}
sku = {
name = "premium"
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Azure Databricks Workspace | AVM Resource Module for Azure Databricks Workspace |