import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Manages a Databricks Workspace
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleWorkspace = new azure.databricks.Workspace("example", {
 *     name: "databricks-test",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     sku: "standard",
 *     tags: {
 *         Environment: "Production",
 *     },
 * });
 * ```
 *
 * > **Note:** You can use the Databricks Terraform Provider to manage resources within the Databricks Workspace.
 *
 * ## Example HCL Configurations
 *
 * * Databricks Workspace Secure Connectivity Cluster with Load Balancer
 * * Databricks Workspace Secure Connectivity Cluster without Load Balancer
 * * Databricks Workspace with Private Endpoint
 * * Databricks Workspace with Private Endpoint, Customer Managed Keys for Managed Services and Databricks File System Customer Managed Keys
 * * Databricks Workspace with Root Databricks File System Customer Managed Keys
 * * Databricks Workspace with Root Databricks File System Customer Managed Keys in a Different Subscription
 * * Databricks Workspace with Customer Managed Keys for Managed Services
 * * Databricks Workspace with Customer Managed Keys for Managed Services with Key Vault and Key in a Different Subscription
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Databricks` - 2026-01-01
 *
 * * `Microsoft.Network` - 2025-01-01, 2023-09-01
 *
 * ## Import
 *
 * Databricks Workspaces can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:databricks/workspace:Workspace workspace1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Databricks/workspaces/workspace1
 * ```
 */
export declare class Workspace extends pulumi.CustomResource {
    /**
     * Get an existing Workspace resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: WorkspaceState, opts?: pulumi.CustomResourceOptions): Workspace;
    /**
     * Returns true if the given object is an instance of Workspace. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Workspace;
    /**
     * Access Connector ID to use when default storage account firewall is enabled.
     *
     * > **Note:** The `accessConnectorId` field is only required if `defaultStorageFirewallEnabled` is set to `true`.
     */
    readonly accessConnectorId: pulumi.Output;
    /**
     * A `customParameters` block as documented below.
     */
    readonly customParameters: pulumi.Output;
    /**
     * Is the workspace enabled for customer managed key encryption? If `true` this enables the Managed Identity for the managed storage account. Possible values are `true` or `false`. Defaults to `false`. This field is only valid if the Databricks Workspace `sku` is set to `premium`.
     */
    readonly customerManagedKeyEnabled: pulumi.Output;
    /**
     * Disallow public access to default storage account. Defaults to `false`.
     */
    readonly defaultStorageFirewallEnabled: pulumi.Output;
    /**
     * The ID of Managed Disk Encryption Set created by the Databricks Workspace.
     */
    readonly diskEncryptionSetId: pulumi.Output;
    /**
     * An `enhancedSecurityCompliance` block as documented below. This feature is only valid if `sku` is set to `premium`.
     */
    readonly enhancedSecurityCompliance: pulumi.Output;
    /**
     * Is the Databricks File System root file system enabled with a secondary layer of encryption with platform managed keys? Possible values are `true` or `false`. Defaults to `false`. This field is only valid if the Databricks Workspace `sku` is set to `premium`. Changing this forces a new resource to be created.
     */
    readonly infrastructureEncryptionEnabled: pulumi.Output;
    /**
     * Resource ID of the Outbound Load balancer Backend Address Pool for Secure Cluster Connectivity (No Public IP) workspace with managed virtual network. Changing this forces a new resource to be created.
     */
    readonly loadBalancerBackendAddressPoolId: pulumi.Output;
    /**
     * Specifies the supported Azure location where the resource has to be created. Changing this forces a new resource to be created.
     */
    readonly location: pulumi.Output;
    /**
     * Resource ID of the Key Vault which contains the `managedDiskCmkKeyVaultKeyId` key.
     *
     * > **Note:** The `managedDiskCmkKeyVaultId` field is only required if the Key Vault exists in a different subscription than the Databricks Workspace. If the `managedDiskCmkKeyVaultId` field is not specified it is assumed that the `managedDiskCmkKeyVaultKeyId` is hosted in the same subscription as the Databricks Workspace.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    readonly managedDiskCmkKeyVaultId: pulumi.Output;
    /**
     * Customer managed encryption properties for the Databricks Workspace managed disks.
     */
    readonly managedDiskCmkKeyVaultKeyId: pulumi.Output;
    /**
     * Whether customer managed keys for disk encryption will automatically be rotated to the latest version.
     */
    readonly managedDiskCmkRotationToLatestVersionEnabled: pulumi.Output;
    /**
     * A `managedDiskIdentity` block as documented below.
     */
    readonly managedDiskIdentities: pulumi.Output;
    /**
     * The ID of the Managed Resource Group created by the Databricks Workspace.
     */
    readonly managedResourceGroupId: pulumi.Output;
    /**
     * The name of the resource group where Azure should place the managed Databricks resources. Changing this forces a new resource to be created.
     *
     * > **Note:** Make sure that this field is unique if you have multiple Databricks Workspaces deployed in your subscription and choose to not have the `managedResourceGroupName` auto generated by the Azure Resource Provider. Having multiple Databricks Workspaces deployed in the same subscription with the same `managedResourceGroupName` may result in some resources that cannot be deleted.
     */
    readonly managedResourceGroupName: pulumi.Output;
    /**
     * Resource ID of the Key Vault which contains the `managedServicesCmkKeyVaultKeyId` key.
     *
     * > **Note:** The `managedServicesCmkKeyVaultId` field is only required if the Key Vault exists in a different subscription than the Databricks Workspace. If the `managedServicesCmkKeyVaultId` field is not specified it is assumed that the `managedServicesCmkKeyVaultKeyId` is hosted in the same subscription as the Databricks Workspace.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    readonly managedServicesCmkKeyVaultId: pulumi.Output;
    /**
     * Customer managed encryption properties for the Databricks Workspace managed resources (e.g. Notebooks and Artifacts).
     */
    readonly managedServicesCmkKeyVaultKeyId: pulumi.Output;
    /**
     * Specifies the name of the Databricks Workspace resource. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output;
    /**
     * Does the data plane (clusters) to control plane communication happen over private link endpoint only or publicly? Possible values `AllRules`, `NoAzureDatabricksRules` or `NoAzureServiceRules`. Required when `publicNetworkAccessEnabled` is set to `false`.
     */
    readonly networkSecurityGroupRulesRequired: pulumi.Output;
    /**
     * Allow public access for accessing workspace. Set value to `false` to access workspace only via private link endpoint. Possible values include `true` or `false`. Defaults to `true`.
     */
    readonly publicNetworkAccessEnabled: pulumi.Output;
    /**
     * The name of the Resource Group in which the Databricks Workspace should exist. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output;
    /**
     * The `sku` to use for the Databricks Workspace. Possible values are `standard`, `premium`, or `trial`.
     *
     * > **Note:** Downgrading to a `trial sku` from a `standard` or `premium sku` will force a new resource to be created.
     */
    readonly sku: pulumi.Output;
    /**
     * A `storageAccountIdentity` block as documented below.
     */
    readonly storageAccountIdentities: pulumi.Output;
    /**
     * A mapping of tags to assign to the resource.
     */
    readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>;
    /**
     * The unique identifier of the databricks workspace in Databricks control plane.
     */
    readonly workspaceId: pulumi.Output;
    /**
     * The workspace URL which is of the format 'adb-{workspaceId}.{random}.azuredatabricks.net'
     */
    readonly workspaceUrl: pulumi.Output;
    /**
     * Create a Workspace resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WorkspaceArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Workspace resources.
 */
export interface WorkspaceState {
    /**
     * Access Connector ID to use when default storage account firewall is enabled.
     *
     * > **Note:** The `accessConnectorId` field is only required if `defaultStorageFirewallEnabled` is set to `true`.
     */
    accessConnectorId?: pulumi.Input;
    /**
     * A `customParameters` block as documented below.
     */
    customParameters?: pulumi.Input;
    /**
     * Is the workspace enabled for customer managed key encryption? If `true` this enables the Managed Identity for the managed storage account. Possible values are `true` or `false`. Defaults to `false`. This field is only valid if the Databricks Workspace `sku` is set to `premium`.
     */
    customerManagedKeyEnabled?: pulumi.Input;
    /**
     * Disallow public access to default storage account. Defaults to `false`.
     */
    defaultStorageFirewallEnabled?: pulumi.Input;
    /**
     * The ID of Managed Disk Encryption Set created by the Databricks Workspace.
     */
    diskEncryptionSetId?: pulumi.Input;
    /**
     * An `enhancedSecurityCompliance` block as documented below. This feature is only valid if `sku` is set to `premium`.
     */
    enhancedSecurityCompliance?: pulumi.Input;
    /**
     * Is the Databricks File System root file system enabled with a secondary layer of encryption with platform managed keys? Possible values are `true` or `false`. Defaults to `false`. This field is only valid if the Databricks Workspace `sku` is set to `premium`. Changing this forces a new resource to be created.
     */
    infrastructureEncryptionEnabled?: pulumi.Input;
    /**
     * Resource ID of the Outbound Load balancer Backend Address Pool for Secure Cluster Connectivity (No Public IP) workspace with managed virtual network. Changing this forces a new resource to be created.
     */
    loadBalancerBackendAddressPoolId?: pulumi.Input;
    /**
     * Specifies the supported Azure location where the resource has to be created. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * Resource ID of the Key Vault which contains the `managedDiskCmkKeyVaultKeyId` key.
     *
     * > **Note:** The `managedDiskCmkKeyVaultId` field is only required if the Key Vault exists in a different subscription than the Databricks Workspace. If the `managedDiskCmkKeyVaultId` field is not specified it is assumed that the `managedDiskCmkKeyVaultKeyId` is hosted in the same subscription as the Databricks Workspace.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    managedDiskCmkKeyVaultId?: pulumi.Input;
    /**
     * Customer managed encryption properties for the Databricks Workspace managed disks.
     */
    managedDiskCmkKeyVaultKeyId?: pulumi.Input;
    /**
     * Whether customer managed keys for disk encryption will automatically be rotated to the latest version.
     */
    managedDiskCmkRotationToLatestVersionEnabled?: pulumi.Input;
    /**
     * A `managedDiskIdentity` block as documented below.
     */
    managedDiskIdentities?: pulumi.Input[]>;
    /**
     * The ID of the Managed Resource Group created by the Databricks Workspace.
     */
    managedResourceGroupId?: pulumi.Input;
    /**
     * The name of the resource group where Azure should place the managed Databricks resources. Changing this forces a new resource to be created.
     *
     * > **Note:** Make sure that this field is unique if you have multiple Databricks Workspaces deployed in your subscription and choose to not have the `managedResourceGroupName` auto generated by the Azure Resource Provider. Having multiple Databricks Workspaces deployed in the same subscription with the same `managedResourceGroupName` may result in some resources that cannot be deleted.
     */
    managedResourceGroupName?: pulumi.Input;
    /**
     * Resource ID of the Key Vault which contains the `managedServicesCmkKeyVaultKeyId` key.
     *
     * > **Note:** The `managedServicesCmkKeyVaultId` field is only required if the Key Vault exists in a different subscription than the Databricks Workspace. If the `managedServicesCmkKeyVaultId` field is not specified it is assumed that the `managedServicesCmkKeyVaultKeyId` is hosted in the same subscription as the Databricks Workspace.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    managedServicesCmkKeyVaultId?: pulumi.Input;
    /**
     * Customer managed encryption properties for the Databricks Workspace managed resources (e.g. Notebooks and Artifacts).
     */
    managedServicesCmkKeyVaultKeyId?: pulumi.Input;
    /**
     * Specifies the name of the Databricks Workspace resource. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * Does the data plane (clusters) to control plane communication happen over private link endpoint only or publicly? Possible values `AllRules`, `NoAzureDatabricksRules` or `NoAzureServiceRules`. Required when `publicNetworkAccessEnabled` is set to `false`.
     */
    networkSecurityGroupRulesRequired?: pulumi.Input;
    /**
     * Allow public access for accessing workspace. Set value to `false` to access workspace only via private link endpoint. Possible values include `true` or `false`. Defaults to `true`.
     */
    publicNetworkAccessEnabled?: pulumi.Input;
    /**
     * The name of the Resource Group in which the Databricks Workspace should exist. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input;
    /**
     * The `sku` to use for the Databricks Workspace. Possible values are `standard`, `premium`, or `trial`.
     *
     * > **Note:** Downgrading to a `trial sku` from a `standard` or `premium sku` will force a new resource to be created.
     */
    sku?: pulumi.Input;
    /**
     * A `storageAccountIdentity` block as documented below.
     */
    storageAccountIdentities?: pulumi.Input[]>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * The unique identifier of the databricks workspace in Databricks control plane.
     */
    workspaceId?: pulumi.Input;
    /**
     * The workspace URL which is of the format 'adb-{workspaceId}.{random}.azuredatabricks.net'
     */
    workspaceUrl?: pulumi.Input;
}
/**
 * The set of arguments for constructing a Workspace resource.
 */
export interface WorkspaceArgs {
    /**
     * Access Connector ID to use when default storage account firewall is enabled.
     *
     * > **Note:** The `accessConnectorId` field is only required if `defaultStorageFirewallEnabled` is set to `true`.
     */
    accessConnectorId?: pulumi.Input;
    /**
     * A `customParameters` block as documented below.
     */
    customParameters?: pulumi.Input;
    /**
     * Is the workspace enabled for customer managed key encryption? If `true` this enables the Managed Identity for the managed storage account. Possible values are `true` or `false`. Defaults to `false`. This field is only valid if the Databricks Workspace `sku` is set to `premium`.
     */
    customerManagedKeyEnabled?: pulumi.Input;
    /**
     * Disallow public access to default storage account. Defaults to `false`.
     */
    defaultStorageFirewallEnabled?: pulumi.Input;
    /**
     * An `enhancedSecurityCompliance` block as documented below. This feature is only valid if `sku` is set to `premium`.
     */
    enhancedSecurityCompliance?: pulumi.Input;
    /**
     * Is the Databricks File System root file system enabled with a secondary layer of encryption with platform managed keys? Possible values are `true` or `false`. Defaults to `false`. This field is only valid if the Databricks Workspace `sku` is set to `premium`. Changing this forces a new resource to be created.
     */
    infrastructureEncryptionEnabled?: pulumi.Input;
    /**
     * Resource ID of the Outbound Load balancer Backend Address Pool for Secure Cluster Connectivity (No Public IP) workspace with managed virtual network. Changing this forces a new resource to be created.
     */
    loadBalancerBackendAddressPoolId?: pulumi.Input;
    /**
     * Specifies the supported Azure location where the resource has to be created. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * Resource ID of the Key Vault which contains the `managedDiskCmkKeyVaultKeyId` key.
     *
     * > **Note:** The `managedDiskCmkKeyVaultId` field is only required if the Key Vault exists in a different subscription than the Databricks Workspace. If the `managedDiskCmkKeyVaultId` field is not specified it is assumed that the `managedDiskCmkKeyVaultKeyId` is hosted in the same subscription as the Databricks Workspace.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    managedDiskCmkKeyVaultId?: pulumi.Input;
    /**
     * Customer managed encryption properties for the Databricks Workspace managed disks.
     */
    managedDiskCmkKeyVaultKeyId?: pulumi.Input;
    /**
     * Whether customer managed keys for disk encryption will automatically be rotated to the latest version.
     */
    managedDiskCmkRotationToLatestVersionEnabled?: pulumi.Input;
    /**
     * The name of the resource group where Azure should place the managed Databricks resources. Changing this forces a new resource to be created.
     *
     * > **Note:** Make sure that this field is unique if you have multiple Databricks Workspaces deployed in your subscription and choose to not have the `managedResourceGroupName` auto generated by the Azure Resource Provider. Having multiple Databricks Workspaces deployed in the same subscription with the same `managedResourceGroupName` may result in some resources that cannot be deleted.
     */
    managedResourceGroupName?: pulumi.Input;
    /**
     * Resource ID of the Key Vault which contains the `managedServicesCmkKeyVaultKeyId` key.
     *
     * > **Note:** The `managedServicesCmkKeyVaultId` field is only required if the Key Vault exists in a different subscription than the Databricks Workspace. If the `managedServicesCmkKeyVaultId` field is not specified it is assumed that the `managedServicesCmkKeyVaultKeyId` is hosted in the same subscription as the Databricks Workspace.
     *
     * > **Note:** If you are using multiple service principals to execute Terraform across subscriptions you will need to add an additional `azure.keyvault.AccessPolicy` resource granting the service principal access to the key vault in that subscription.
     */
    managedServicesCmkKeyVaultId?: pulumi.Input;
    /**
     * Customer managed encryption properties for the Databricks Workspace managed resources (e.g. Notebooks and Artifacts).
     */
    managedServicesCmkKeyVaultKeyId?: pulumi.Input;
    /**
     * Specifies the name of the Databricks Workspace resource. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * Does the data plane (clusters) to control plane communication happen over private link endpoint only or publicly? Possible values `AllRules`, `NoAzureDatabricksRules` or `NoAzureServiceRules`. Required when `publicNetworkAccessEnabled` is set to `false`.
     */
    networkSecurityGroupRulesRequired?: pulumi.Input;
    /**
     * Allow public access for accessing workspace. Set value to `false` to access workspace only via private link endpoint. Possible values include `true` or `false`. Defaults to `true`.
     */
    publicNetworkAccessEnabled?: pulumi.Input;
    /**
     * The name of the Resource Group in which the Databricks Workspace should exist. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input;
    /**
     * The `sku` to use for the Databricks Workspace. Possible values are `standard`, `premium`, or `trial`.
     *
     * > **Note:** Downgrading to a `trial sku` from a `standard` or `premium sku` will force a new resource to be created.
     */
    sku: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
}
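The constraints stated in the doc comments above (premium-only fields, `accessConnectorId` alongside the storage firewall, `networkSecurityGroupRulesRequired` alongside private-only access) can be checked on a plain object before it is passed to `new Workspace(...)`. This is an added example, not part of the generated SDK; `WorkspacePolicyInput`, `Finding`, `auditWorkspaceArgs`, `countBySeverity` and the access connector ID are hypothetical names and constructed values.

```typescript
// Added example: plain-object mirror of the security-relevant WorkspaceArgs fields.
// All type and function names here are hypothetical and not exported by @pulumi/azure.
interface WorkspacePolicyInput {
    sku: string;
    publicNetworkAccessEnabled?: boolean;
    networkSecurityGroupRulesRequired?: string;
    defaultStorageFirewallEnabled?: boolean;
    accessConnectorId?: string;
    customerManagedKeyEnabled?: boolean;
    infrastructureEncryptionEnabled?: boolean;
    enhancedSecurityCompliance?: object;
}
type Severity = "error" | "warn";
interface Finding { field: string; severity: Severity; message: string; }

// Values listed in the networkSecurityGroupRulesRequired doc comment.
const NSG_RULE_VALUES: string[] = ["AllRules", "NoAzureDatabricksRules", "NoAzureServiceRules"];

function auditWorkspaceArgs(args: WorkspacePolicyInput): Finding[] {
    const findings: Finding[] = [];
    const add = (field: string, severity: Severity, message: string): void => {
        findings.push({ field, severity, message });
    };
    // Documented: these fields are only valid when `sku` is `premium`.
    if (args.sku !== "premium") {
        if (args.customerManagedKeyEnabled === true) add("customerManagedKeyEnabled", "error", "only valid with sku premium");
        if (args.infrastructureEncryptionEnabled === true) add("infrastructureEncryptionEnabled", "error", "only valid with sku premium");
        if (args.enhancedSecurityCompliance !== undefined) add("enhancedSecurityCompliance", "error", "only valid with sku premium");
    }
    // Documented: accessConnectorId is required if defaultStorageFirewallEnabled is true.
    if (args.defaultStorageFirewallEnabled === true) {
        if (!args.accessConnectorId) add("accessConnectorId", "error", "required when defaultStorageFirewallEnabled is true");
    } else {
        // Documented default is false: public access to the default storage account is not disallowed.
        add("defaultStorageFirewallEnabled", "warn", "default storage account allows public access");
    }
    // Documented: networkSecurityGroupRulesRequired is required when publicNetworkAccessEnabled is false.
    if (args.publicNetworkAccessEnabled === false) {
        const rules = args.networkSecurityGroupRulesRequired;
        if (rules === undefined) add("networkSecurityGroupRulesRequired", "error", "required when publicNetworkAccessEnabled is false");
        else if (NSG_RULE_VALUES.indexOf(rules) === -1) add("networkSecurityGroupRulesRequired", "error", "not a documented value");
    } else {
        // Documented default is true: the workspace is reachable without a private link endpoint.
        add("publicNetworkAccessEnabled", "warn", "workspace is publicly accessible");
    }
    return findings;
}

function countBySeverity(findings: Finding[], severity: Severity): number {
    return findings.filter((f) => f.severity === severity).length;
}

// Constructed inputs: the "Example Usage" workspace (sku standard, everything else defaulted)
// and a private-only premium workspace with a placeholder access connector ID.
const pageExample: WorkspacePolicyInput = { sku: "standard" };
const hardened: WorkspacePolicyInput = {
    sku: "premium",
    publicNetworkAccessEnabled: false,
    networkSecurityGroupRulesRequired: "NoAzureDatabricksRules",
    defaultStorageFirewallEnabled: true,
    accessConnectorId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Databricks/accessConnectors/connector1",
    customerManagedKeyEnabled: true,
};
const pageExampleFindings: Finding[] = auditWorkspaceArgs(pageExample);
const hardenedFindings: Finding[] = auditWorkspaceArgs(hardened);
```

The "Example Usage" arguments produce two warnings and no errors, since both public-exposure settings are left at their documented defaults.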