The azure-native:databricks:Workspace resource, part of the Pulumi Azure Native provider, provisions an Azure Databricks workspace: the control plane container for clusters, notebooks, and data governance. This guide focuses on four capabilities: Unity Catalog and storage firewall setup, VNet injection with custom subnets, customer-managed key encryption for workspace and managed disks, and enhanced security and compliance controls.
Databricks workspaces depend on Access Connectors for Unity Catalog, Key Vaults for encryption, VNets for network injection, and managed resource groups that Azure creates automatically. The examples are intentionally small. Combine them with your own network topology, encryption keys, and governance policies.
Create a workspace with Unity Catalog and storage firewall
Teams building data platforms often start by provisioning a workspace with Unity Catalog for centralized governance and storage firewall controls to restrict data access.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
accessConnector: {
id: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
identityType: azure_native.databricks.IdentityType.SystemAssigned,
},
defaultCatalog: {
initialName: "",
initialType: azure_native.databricks.InitialType.UnityCatalog,
},
defaultStorageFirewall: azure_native.databricks.DefaultStorageFirewall.Enabled,
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
access_connector={
"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
"identity_type": azure_native.databricks.IdentityType.SYSTEM_ASSIGNED,
},
default_catalog={
"initial_name": "",
"initial_type": azure_native.databricks.InitialType.UNITY_CATALOG,
},
default_storage_firewall=azure_native.databricks.DefaultStorageFirewall.ENABLED,
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
AccessConnector: &databricks.WorkspacePropertiesAccessConnectorArgs{
Id: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector"),
IdentityType: pulumi.String(databricks.IdentityTypeSystemAssigned),
},
DefaultCatalog: &databricks.DefaultCatalogPropertiesArgs{
InitialName: pulumi.String(""),
InitialType: pulumi.String(databricks.InitialTypeUnityCatalog),
},
DefaultStorageFirewall: pulumi.String(databricks.DefaultStorageFirewallEnabled),
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
AccessConnector = new AzureNative.Databricks.Inputs.WorkspacePropertiesAccessConnectorArgs
{
Id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
IdentityType = AzureNative.Databricks.IdentityType.SystemAssigned,
},
DefaultCatalog = new AzureNative.Databricks.Inputs.DefaultCatalogPropertiesArgs
{
InitialName = "",
InitialType = AzureNative.Databricks.InitialType.UnityCatalog,
},
DefaultStorageFirewall = AzureNative.Databricks.DefaultStorageFirewall.Enabled,
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspacePropertiesAccessConnectorArgs;
import com.pulumi.azurenative.databricks.inputs.DefaultCatalogPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.accessConnector(WorkspacePropertiesAccessConnectorArgs.builder()
.id("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector")
.identityType("SystemAssigned")
.build())
.defaultCatalog(DefaultCatalogPropertiesArgs.builder()
.initialName("")
.initialType("UnityCatalog")
.build())
.defaultStorageFirewall("Enabled")
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
accessConnector:
id: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector
identityType: SystemAssigned
defaultCatalog:
initialName: ""
initialType: UnityCatalog
defaultStorageFirewall: Enabled
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
resourceGroupName: rg
workspaceName: myWorkspace
The accessConnector property links the workspace to an Access Connector resource that manages Unity Catalog authentication. The defaultCatalog property initializes Unity Catalog as the metadata layer. The defaultStorageFirewall property restricts storage access to authorized networks. Azure creates the managed resource group automatically to hold workspace infrastructure.
Deploy into an existing VNet with custom subnets
Organizations with established network topologies inject Databricks workspaces into existing VNets to control routing, apply network security groups, and integrate with on-premises networks.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
accessConnector: {
id: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
identityType: azure_native.databricks.IdentityType.UserAssigned,
userAssignedIdentityId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
},
defaultCatalog: {
initialName: "",
initialType: azure_native.databricks.InitialType.HiveMetastore,
},
defaultStorageFirewall: azure_native.databricks.DefaultStorageFirewall.Enabled,
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters: {
customPrivateSubnetName: {
value: "myPrivateSubnet",
},
customPublicSubnetName: {
value: "myPublicSubnet",
},
customVirtualNetworkId: {
value: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork",
},
},
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
access_connector={
"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
"identity_type": azure_native.databricks.IdentityType.USER_ASSIGNED,
"user_assigned_identity_id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
},
default_catalog={
"initial_name": "",
"initial_type": azure_native.databricks.InitialType.HIVE_METASTORE,
},
default_storage_firewall=azure_native.databricks.DefaultStorageFirewall.ENABLED,
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters={
"custom_private_subnet_name": {
"value": "myPrivateSubnet",
},
"custom_public_subnet_name": {
"value": "myPublicSubnet",
},
"custom_virtual_network_id": {
"value": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork",
},
},
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
AccessConnector: &databricks.WorkspacePropertiesAccessConnectorArgs{
Id: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector"),
IdentityType: pulumi.String(databricks.IdentityTypeUserAssigned),
UserAssignedIdentityId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"),
},
DefaultCatalog: &databricks.DefaultCatalogPropertiesArgs{
InitialName: pulumi.String(""),
InitialType: pulumi.String(databricks.InitialTypeHiveMetastore),
},
DefaultStorageFirewall: pulumi.String(databricks.DefaultStorageFirewallEnabled),
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
Parameters: &databricks.WorkspaceCustomParametersArgs{
CustomPrivateSubnetName: &databricks.WorkspaceCustomStringParameterArgs{
Value: pulumi.String("myPrivateSubnet"),
},
CustomPublicSubnetName: &databricks.WorkspaceCustomStringParameterArgs{
Value: pulumi.String("myPublicSubnet"),
},
CustomVirtualNetworkId: &databricks.WorkspaceCustomStringParameterArgs{
Value: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork"),
},
},
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
AccessConnector = new AzureNative.Databricks.Inputs.WorkspacePropertiesAccessConnectorArgs
{
Id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
IdentityType = AzureNative.Databricks.IdentityType.UserAssigned,
UserAssignedIdentityId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
},
DefaultCatalog = new AzureNative.Databricks.Inputs.DefaultCatalogPropertiesArgs
{
InitialName = "",
InitialType = AzureNative.Databricks.InitialType.HiveMetastore,
},
DefaultStorageFirewall = AzureNative.Databricks.DefaultStorageFirewall.Enabled,
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
Parameters = new AzureNative.Databricks.Inputs.WorkspaceCustomParametersArgs
{
CustomPrivateSubnetName = new AzureNative.Databricks.Inputs.WorkspaceCustomStringParameterArgs
{
Value = "myPrivateSubnet",
},
CustomPublicSubnetName = new AzureNative.Databricks.Inputs.WorkspaceCustomStringParameterArgs
{
Value = "myPublicSubnet",
},
CustomVirtualNetworkId = new AzureNative.Databricks.Inputs.WorkspaceCustomStringParameterArgs
{
Value = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork",
},
},
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspacePropertiesAccessConnectorArgs;
import com.pulumi.azurenative.databricks.inputs.DefaultCatalogPropertiesArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomParametersArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomStringParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.accessConnector(WorkspacePropertiesAccessConnectorArgs.builder()
.id("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector")
.identityType("UserAssigned")
.userAssignedIdentityId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity")
.build())
.defaultCatalog(DefaultCatalogPropertiesArgs.builder()
.initialName("")
.initialType("HiveMetastore")
.build())
.defaultStorageFirewall("Enabled")
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.parameters(WorkspaceCustomParametersArgs.builder()
.customPrivateSubnetName(WorkspaceCustomStringParameterArgs.builder()
.value("myPrivateSubnet")
.build())
.customPublicSubnetName(WorkspaceCustomStringParameterArgs.builder()
.value("myPublicSubnet")
.build())
.customVirtualNetworkId(WorkspaceCustomStringParameterArgs.builder()
.value("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork")
.build())
.build())
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
accessConnector:
id: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector
identityType: UserAssigned
userAssignedIdentityId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity
defaultCatalog:
initialName: ""
initialType: HiveMetastore
defaultStorageFirewall: Enabled
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
parameters:
customPrivateSubnetName:
value: myPrivateSubnet
customPublicSubnetName:
value: myPublicSubnet
customVirtualNetworkId:
value: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork
resourceGroupName: rg
workspaceName: myWorkspace
The parameters block configures VNet injection. The customVirtualNetworkId points to your existing VNet, while customPrivateSubnetName and customPublicSubnetName specify where Databricks places cluster nodes. Databricks creates network interfaces in these subnets and applies your network security group rules.
Prepare a workspace for customer-managed encryption
Compliance requirements often mandate customer-managed keys for data encryption. Databricks workspaces must be prepared for CMK before encryption can be enabled.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters: {
prepareEncryption: {
value: true,
},
},
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters={
"prepare_encryption": {
"value": True,
},
},
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
Parameters: &databricks.WorkspaceCustomParametersArgs{
PrepareEncryption: &databricks.WorkspaceCustomBooleanParameterArgs{
Value: pulumi.Bool(true),
},
},
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
Parameters = new AzureNative.Databricks.Inputs.WorkspaceCustomParametersArgs
{
PrepareEncryption = new AzureNative.Databricks.Inputs.WorkspaceCustomBooleanParameterArgs
{
Value = true,
},
},
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomParametersArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomBooleanParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.parameters(WorkspaceCustomParametersArgs.builder()
.prepareEncryption(WorkspaceCustomBooleanParameterArgs.builder()
.value(true)
.build())
.build())
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
parameters:
prepareEncryption:
value: true
resourceGroupName: rg
workspaceName: myWorkspace
The prepareEncryption parameter provisions the infrastructure needed for CMK encryption without activating it. This creates the necessary storage accounts and configures permissions. After preparation completes, you can enable encryption in a separate update operation.
Enable customer-managed key encryption
After preparing a workspace for CMK, you activate encryption by pointing to a Key Vault key.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters: {
encryption: {
value: {
keyName: "myKeyName",
keySource: azure_native.databricks.KeySource.Microsoft_Keyvault,
keyVaultUri: "https://myKeyVault.vault.azure.net/",
keyVersion: "00000000000000000000000000000000",
},
},
prepareEncryption: {
value: true,
},
},
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters={
"encryption": {
"value": {
"key_name": "myKeyName",
"key_source": azure_native.databricks.KeySource.MICROSOFT_KEYVAULT,
"key_vault_uri": "https://myKeyVault.vault.azure.net/",
"key_version": "00000000000000000000000000000000",
},
},
"prepare_encryption": {
"value": True,
},
},
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
Parameters: &databricks.WorkspaceCustomParametersArgs{
Encryption: &databricks.WorkspaceEncryptionParameterArgs{
Value: &databricks.EncryptionArgs{
KeyName: pulumi.String("myKeyName"),
KeySource: pulumi.String(databricks.KeySource_Microsoft_Keyvault),
KeyVaultUri: pulumi.String("https://myKeyVault.vault.azure.net/"),
KeyVersion: pulumi.String("00000000000000000000000000000000"),
},
},
PrepareEncryption: &databricks.WorkspaceCustomBooleanParameterArgs{
Value: pulumi.Bool(true),
},
},
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
Parameters = new AzureNative.Databricks.Inputs.WorkspaceCustomParametersArgs
{
Encryption = new AzureNative.Databricks.Inputs.WorkspaceEncryptionParameterArgs
{
Value = new AzureNative.Databricks.Inputs.EncryptionArgs
{
KeyName = "myKeyName",
KeySource = AzureNative.Databricks.KeySource.Microsoft_Keyvault,
KeyVaultUri = "https://myKeyVault.vault.azure.net/",
KeyVersion = "00000000000000000000000000000000",
},
},
PrepareEncryption = new AzureNative.Databricks.Inputs.WorkspaceCustomBooleanParameterArgs
{
Value = true,
},
},
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomParametersArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceEncryptionParameterArgs;
import com.pulumi.azurenative.databricks.inputs.EncryptionArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomBooleanParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.parameters(WorkspaceCustomParametersArgs.builder()
.encryption(WorkspaceEncryptionParameterArgs.builder()
.value(EncryptionArgs.builder()
.keyName("myKeyName")
.keySource("Microsoft.Keyvault")
.keyVaultUri("https://myKeyVault.vault.azure.net/")
.keyVersion("00000000000000000000000000000000")
.build())
.build())
.prepareEncryption(WorkspaceCustomBooleanParameterArgs.builder()
.value(true)
.build())
.build())
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
parameters:
encryption:
value:
keyName: myKeyName
keySource: Microsoft.Keyvault
keyVaultUri: https://myKeyVault.vault.azure.net/
keyVersion: '00000000000000000000000000000000'
prepareEncryption:
value: true
resourceGroupName: rg
workspaceName: myWorkspace
The encryption parameter activates CMK by specifying keyName, keyVaultUri, and keyVersion from your Key Vault. This encrypts workspace-managed storage at rest. The workspace must have been prepared with prepareEncryption set to true before this configuration can succeed.
Encrypt managed disks with customer-managed keys
Cluster-attached managed disks can be encrypted with customer-managed keys separately from workspace storage, providing granular control over encryption boundaries.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
encryption: {
entities: {
managedDisk: {
keySource: azure_native.databricks.EncryptionKeySource.Microsoft_Keyvault,
keyVaultProperties: {
keyName: "test-cmk-key",
keyVaultUri: "https://test-vault-name.vault.azure.net/",
keyVersion: "00000000000000000000000000000000",
},
rotationToLatestKeyVersionEnabled: true,
},
},
},
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
encryption={
"entities": {
"managed_disk": {
"key_source": azure_native.databricks.EncryptionKeySource.MICROSOFT_KEYVAULT,
"key_vault_properties": {
"key_name": "test-cmk-key",
"key_vault_uri": "https://test-vault-name.vault.azure.net/",
"key_version": "00000000000000000000000000000000",
},
"rotation_to_latest_key_version_enabled": True,
},
},
},
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
Encryption: &databricks.WorkspacePropertiesEncryptionArgs{
Entities: &databricks.EncryptionEntitiesDefinitionArgs{
ManagedDisk: &databricks.ManagedDiskEncryptionArgs{
KeySource: pulumi.String(databricks.EncryptionKeySource_Microsoft_Keyvault),
KeyVaultProperties: &databricks.ManagedDiskEncryptionKeyVaultPropertiesArgs{
KeyName: pulumi.String("test-cmk-key"),
KeyVaultUri: pulumi.String("https://test-vault-name.vault.azure.net/"),
KeyVersion: pulumi.String("00000000000000000000000000000000"),
},
RotationToLatestKeyVersionEnabled: pulumi.Bool(true),
},
},
},
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
Encryption = new AzureNative.Databricks.Inputs.WorkspacePropertiesEncryptionArgs
{
Entities = new AzureNative.Databricks.Inputs.EncryptionEntitiesDefinitionArgs
{
ManagedDisk = new AzureNative.Databricks.Inputs.ManagedDiskEncryptionArgs
{
KeySource = AzureNative.Databricks.EncryptionKeySource.Microsoft_Keyvault,
KeyVaultProperties = new AzureNative.Databricks.Inputs.ManagedDiskEncryptionKeyVaultPropertiesArgs
{
KeyName = "test-cmk-key",
KeyVaultUri = "https://test-vault-name.vault.azure.net/",
KeyVersion = "00000000000000000000000000000000",
},
RotationToLatestKeyVersionEnabled = true,
},
},
},
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspacePropertiesEncryptionArgs;
import com.pulumi.azurenative.databricks.inputs.EncryptionEntitiesDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.ManagedDiskEncryptionArgs;
import com.pulumi.azurenative.databricks.inputs.ManagedDiskEncryptionKeyVaultPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.encryption(WorkspacePropertiesEncryptionArgs.builder()
.entities(EncryptionEntitiesDefinitionArgs.builder()
.managedDisk(ManagedDiskEncryptionArgs.builder()
.keySource("Microsoft.Keyvault")
.keyVaultProperties(ManagedDiskEncryptionKeyVaultPropertiesArgs.builder()
.keyName("test-cmk-key")
.keyVaultUri("https://test-vault-name.vault.azure.net/")
.keyVersion("00000000000000000000000000000000")
.build())
.rotationToLatestKeyVersionEnabled(true)
.build())
.build())
.build())
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
encryption:
entities:
managedDisk:
keySource: Microsoft.Keyvault
keyVaultProperties:
keyName: test-cmk-key
keyVaultUri: https://test-vault-name.vault.azure.net/
keyVersion: '00000000000000000000000000000000'
rotationToLatestKeyVersionEnabled: true
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
resourceGroupName: rg
workspaceName: myWorkspace
The encryption.entities.managedDisk block configures CMK for cluster storage volumes. The keyVaultProperties specify which Key Vault key to use. The rotationToLatestKeyVersionEnabled property automatically updates to new key versions when you rotate keys in Key Vault.
Enable compliance and security monitoring
Regulated industries require automatic cluster updates, compliance standard enforcement, and enhanced security monitoring to meet audit requirements.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
enhancedSecurityCompliance: {
automaticClusterUpdate: {
value: azure_native.databricks.AutomaticClusterUpdateValue.Enabled,
},
complianceSecurityProfile: {
complianceStandards: [
azure_native.databricks.ComplianceStandard.PCI_DSS,
azure_native.databricks.ComplianceStandard.HIPAA,
],
value: azure_native.databricks.ComplianceSecurityProfileValue.Enabled,
},
enhancedSecurityMonitoring: {
value: azure_native.databricks.EnhancedSecurityMonitoringValue.Enabled,
},
},
location: "eastus2",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
enhanced_security_compliance={
"automatic_cluster_update": {
"value": azure_native.databricks.AutomaticClusterUpdateValue.ENABLED,
},
"compliance_security_profile": {
"compliance_standards": [
azure_native.databricks.ComplianceStandard.PC_I_DSS,
azure_native.databricks.ComplianceStandard.HIPAA,
],
"value": azure_native.databricks.ComplianceSecurityProfileValue.ENABLED,
},
"enhanced_security_monitoring": {
"value": azure_native.databricks.EnhancedSecurityMonitoringValue.ENABLED,
},
},
location="eastus2",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
EnhancedSecurityCompliance: &databricks.EnhancedSecurityComplianceDefinitionArgs{
AutomaticClusterUpdate: &databricks.AutomaticClusterUpdateDefinitionArgs{
Value: pulumi.String(databricks.AutomaticClusterUpdateValueEnabled),
},
ComplianceSecurityProfile: &databricks.ComplianceSecurityProfileDefinitionArgs{
ComplianceStandards: pulumi.StringArray{
pulumi.String(databricks.ComplianceStandard_PCI_DSS),
pulumi.String(databricks.ComplianceStandardHIPAA),
},
Value: pulumi.String(databricks.ComplianceSecurityProfileValueEnabled),
},
EnhancedSecurityMonitoring: &databricks.EnhancedSecurityMonitoringDefinitionArgs{
Value: pulumi.String(databricks.EnhancedSecurityMonitoringValueEnabled),
},
},
Location: pulumi.String("eastus2"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
EnhancedSecurityCompliance = new AzureNative.Databricks.Inputs.EnhancedSecurityComplianceDefinitionArgs
{
AutomaticClusterUpdate = new AzureNative.Databricks.Inputs.AutomaticClusterUpdateDefinitionArgs
{
Value = AzureNative.Databricks.AutomaticClusterUpdateValue.Enabled,
},
ComplianceSecurityProfile = new AzureNative.Databricks.Inputs.ComplianceSecurityProfileDefinitionArgs
{
ComplianceStandards = new[]
{
AzureNative.Databricks.ComplianceStandard.PCI_DSS,
AzureNative.Databricks.ComplianceStandard.HIPAA,
},
Value = AzureNative.Databricks.ComplianceSecurityProfileValue.Enabled,
},
EnhancedSecurityMonitoring = new AzureNative.Databricks.Inputs.EnhancedSecurityMonitoringDefinitionArgs
{
Value = AzureNative.Databricks.EnhancedSecurityMonitoringValue.Enabled,
},
},
Location = "eastus2",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.EnhancedSecurityComplianceDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.AutomaticClusterUpdateDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.ComplianceSecurityProfileDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.EnhancedSecurityMonitoringDefinitionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.enhancedSecurityCompliance(EnhancedSecurityComplianceDefinitionArgs.builder()
.automaticClusterUpdate(AutomaticClusterUpdateDefinitionArgs.builder()
.value("Enabled")
.build())
.complianceSecurityProfile(ComplianceSecurityProfileDefinitionArgs.builder()
.complianceStandards(
"PCI_DSS",
"HIPAA")
.value("Enabled")
.build())
.enhancedSecurityMonitoring(EnhancedSecurityMonitoringDefinitionArgs.builder()
.value("Enabled")
.build())
.build())
.location("eastus2")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
enhancedSecurityCompliance:
automaticClusterUpdate:
value: Enabled
complianceSecurityProfile:
complianceStandards:
- PCI_DSS
- HIPAA
value: Enabled
enhancedSecurityMonitoring:
value: Enabled
location: eastus2
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
resourceGroupName: rg
workspaceName: myWorkspace
The enhancedSecurityCompliance block activates the Enhanced Security & Compliance Add-On. The automaticClusterUpdate property forces clusters to use the latest Databricks runtime. The complianceSecurityProfile property enforces PCI-DSS and HIPAA controls. The enhancedSecurityMonitoring property enables security event logging.
Beyond these examples
These snippets focus on specific workspace-level features: Unity Catalog and storage firewall configuration, VNet injection and custom subnet placement, customer-managed key encryption for workspace and managed disks, and enhanced security and compliance controls. They’re intentionally minimal rather than full data platform deployments.
The examples may reference pre-existing infrastructure such as Access Connectors for Unity Catalog, Azure Key Vault with encryption keys, VNets and subnets for network injection, and managed resource groups that Azure creates automatically. They focus on configuring the workspace rather than provisioning everything around it.
To keep things focused, common workspace patterns are omitted, including:
- Private endpoint connections (privateEndpointConnections)
- Workspace provider authorizations (authorizations)
- Public network access controls (publicNetworkAccess)
- NSG rule requirements (requiredNsgRules)
- SKU selection and pricing tiers
- Tags and resource metadata
These omissions are intentional: the goal is to illustrate how each workspace feature is wired, not provide drop-in data platform modules. See the Databricks Workspace resource reference for all available configuration options.
Let's deploy Azure Databricks Workspaces
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Encryption & Key Management
How do I enable Customer-Managed Key (CMK) encryption for my workspace?
CMK encryption requires a two-step process. First, create the workspace with
prepareEncryption set to true in the parameters. Then, update the workspace with the encryption configuration, specifying keyName, keyVaultUri, keyVersion, and keySource as Microsoft.Keyvault.What's the difference between workspace encryption and managed disk encryption?
Workspace encryption is configured via
parameters.encryption and encrypts workspace data. Managed disk encryption is configured via encryption.entities.managedDisk and encrypts cluster-attached disks. Both use Azure Key Vault but target different storage layers.How do I revert from Customer-Managed Keys to Microsoft-managed encryption?
Update
parameters.encryption.value.keySource to Default. This switches the workspace back to Microsoft-managed keys.Can I enable automatic key rotation for managed disk encryption?
Yes, set
rotationToLatestKeyVersionEnabled to true in the managedDisk encryption configuration. This automatically rotates to the latest key version in your Key Vault.Networking & VNet Integration
How do I deploy my workspace into a custom virtual network?
Configure the
parameters with customVirtualNetworkId, customPrivateSubnetName, and customPublicSubnetName. The VNet must be in the same region as the workspace.What does the defaultStorageFirewall property control?
Setting
defaultStorageFirewall to Enabled restricts access to the workspace’s default storage account. This is used with private endpoints for enhanced security.What's the difference between publicNetworkAccess and requiredNsgRules?
publicNetworkAccess controls access to the control plane (set to disabled for private link only). requiredNsgRules controls data plane to control plane communication over private endpoints (values: AllRules or NoAzureDatabricksRules).Identity & Access Configuration
What identity types can I use with the access connector?
The
accessConnector supports two identity types: SystemAssigned (Azure manages the identity) and UserAssigned (you provide a managed identity via userAssignedIdentityId).What are the default catalog options for Unity Catalog?
Set
defaultCatalog.initialType to either UnityCatalog (for Unity Catalog metastore) or HiveMetastore (for legacy Hive metastore). Leave initialName empty for default naming.Workspace Configuration
What properties can't be changed after workspace creation?
The
location, resourceGroupName, and workspaceName properties are immutable and cannot be changed after the workspace is created.What is the managedResourceGroupId used for?
The
managedResourceGroupId is required and specifies where Databricks creates managed resources like storage accounts and virtual networks for the workspace.How do I enable Enhanced Security and Compliance features?
Configure
enhancedSecurityCompliance with automaticClusterUpdate, complianceSecurityProfile (with standards like PCI_DSS or HIPAA), and enhancedSecurityMonitoring, all set to Enabled.