azure-synapseazure-bicep
There is a way to set up Synapse Administrators with a BICEP module?
I would like to set Synapse access control with a bicep module but I can't find a proper resource to use.
Please, can someone point me in the right direction?
UPDATE: basend on evgeny answer, I tryed in this way but it seems not working:
resource syRBAC1 'Microsoft.Synapse/workspaces/administrators@2021-06-01' = {
name: 'activeDirectory'
parent: synapse_workspace
properties: {
administratorType: 'Synapse SQL Administrator'
login: 'mylogin@mycompany.com'
sid: ELSCId
tenantId: TenantId
}
}
It does not produce any error but it does not change any change into the access control list.
Probably it sets only this:
Solution
Since I came across the same problem and bicep does not offer a way to assign the role (yet) I added an AzureCLI task to my pipeline and grant the role via az synapse role assignment create after the deployment.
Output defined in the bicep file to pass the name of the newly created synapse workspace along to the AzureCLI task:
output synapse_workspace_name string = synapse_workspace.name
Tasks in the deployment pipeline's yml file :
// deployment task via "main.bicep" file
- task: AzureResourceManagerTemplateDeployment@3
inputs:
connectedServiceName: $(ServiceConnectionName)
location: $(DeploymentDefaultLocation)
resourceGroupName: $(ResourceGroupName)
csmFile: main.bicep
overrideParameters: >
-aad_admin_developer_group_object_id $(AadAdminDeveloperGroupObjectId)
deploymentOutputs: deployment_output
// Grant "Synapse Administrator"
- task: AzureCLI@1
displayName: 'Assign role "Synapse Administrator" on the newly created Synapse workspace to the developer AAD-Group'
inputs:
azureSubscription: 'my_subscription'
scriptLocation: 'inlineScript'
inlineScript: 'az synapse role assignment create --workspace-name $(deployment_output.synapse_workspace_name.value) --role "Synapse Administrator" --assignee $(AadAdminDeveloperGroupObjectId)'