The azure-native:databricks:Workspace resource, part of the Pulumi Azure Native provider, provisions an Azure Databricks workspace: the control plane container for clusters, notebooks, and data governance. This guide focuses on four capabilities: Unity Catalog and storage firewall setup, VNet injection with custom subnets, customer-managed key encryption for workspace and managed disks, and Enhanced Security & Compliance features.
Databricks workspaces reference Access Connectors, Key Vaults, VNets, and managed resource groups that must exist separately. The examples are intentionally small. Combine them with your own network infrastructure, encryption keys, and governance policies.
Create a workspace with Unity Catalog and storage firewall
Teams building data platforms often start by provisioning a workspace with Unity Catalog for centralized governance and storage firewall controls to restrict data access.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
accessConnector: {
id: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
identityType: azure_native.databricks.IdentityType.SystemAssigned,
},
defaultCatalog: {
initialName: "",
initialType: azure_native.databricks.InitialType.UnityCatalog,
},
defaultStorageFirewall: azure_native.databricks.DefaultStorageFirewall.Enabled,
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
access_connector={
"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
"identity_type": azure_native.databricks.IdentityType.SYSTEM_ASSIGNED,
},
default_catalog={
"initial_name": "",
"initial_type": azure_native.databricks.InitialType.UNITY_CATALOG,
},
default_storage_firewall=azure_native.databricks.DefaultStorageFirewall.ENABLED,
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
AccessConnector: &databricks.WorkspacePropertiesAccessConnectorArgs{
Id: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector"),
IdentityType: pulumi.String(databricks.IdentityTypeSystemAssigned),
},
DefaultCatalog: &databricks.DefaultCatalogPropertiesArgs{
InitialName: pulumi.String(""),
InitialType: pulumi.String(databricks.InitialTypeUnityCatalog),
},
DefaultStorageFirewall: pulumi.String(databricks.DefaultStorageFirewallEnabled),
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
AccessConnector = new AzureNative.Databricks.Inputs.WorkspacePropertiesAccessConnectorArgs
{
Id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
IdentityType = AzureNative.Databricks.IdentityType.SystemAssigned,
},
DefaultCatalog = new AzureNative.Databricks.Inputs.DefaultCatalogPropertiesArgs
{
InitialName = "",
InitialType = AzureNative.Databricks.InitialType.UnityCatalog,
},
DefaultStorageFirewall = AzureNative.Databricks.DefaultStorageFirewall.Enabled,
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspacePropertiesAccessConnectorArgs;
import com.pulumi.azurenative.databricks.inputs.DefaultCatalogPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.accessConnector(WorkspacePropertiesAccessConnectorArgs.builder()
.id("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector")
.identityType("SystemAssigned")
.build())
.defaultCatalog(DefaultCatalogPropertiesArgs.builder()
.initialName("")
.initialType("UnityCatalog")
.build())
.defaultStorageFirewall("Enabled")
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
accessConnector:
id: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector
identityType: SystemAssigned
defaultCatalog:
initialName: ""
initialType: UnityCatalog
defaultStorageFirewall: Enabled
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
resourceGroupName: rg
workspaceName: myWorkspace
The accessConnector property links the workspace to an Access Connector resource that provides identity for Unity Catalog operations. The defaultCatalog property initializes Unity Catalog as the metadata layer. The defaultStorageFirewall property restricts storage access to authorized networks. The managedResourceGroupId specifies where Azure provisions workspace-managed infrastructure like storage accounts and network resources.
Deploy into an existing VNet with custom subnets
Organizations with established network topologies inject Databricks workspaces into existing VNets to control routing, apply network security groups, and integrate with on-premises networks.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
accessConnector: {
id: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
identityType: azure_native.databricks.IdentityType.UserAssigned,
userAssignedIdentityId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
},
defaultCatalog: {
initialName: "",
initialType: azure_native.databricks.InitialType.HiveMetastore,
},
defaultStorageFirewall: azure_native.databricks.DefaultStorageFirewall.Enabled,
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters: {
customPrivateSubnetName: {
value: "myPrivateSubnet",
},
customPublicSubnetName: {
value: "myPublicSubnet",
},
customVirtualNetworkId: {
value: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork",
},
},
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
access_connector={
"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
"identity_type": azure_native.databricks.IdentityType.USER_ASSIGNED,
"user_assigned_identity_id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
},
default_catalog={
"initial_name": "",
"initial_type": azure_native.databricks.InitialType.HIVE_METASTORE,
},
default_storage_firewall=azure_native.databricks.DefaultStorageFirewall.ENABLED,
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters={
"custom_private_subnet_name": {
"value": "myPrivateSubnet",
},
"custom_public_subnet_name": {
"value": "myPublicSubnet",
},
"custom_virtual_network_id": {
"value": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork",
},
},
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
AccessConnector: &databricks.WorkspacePropertiesAccessConnectorArgs{
Id: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector"),
IdentityType: pulumi.String(databricks.IdentityTypeUserAssigned),
UserAssignedIdentityId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"),
},
DefaultCatalog: &databricks.DefaultCatalogPropertiesArgs{
InitialName: pulumi.String(""),
InitialType: pulumi.String(databricks.InitialTypeHiveMetastore),
},
DefaultStorageFirewall: pulumi.String(databricks.DefaultStorageFirewallEnabled),
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
Parameters: &databricks.WorkspaceCustomParametersArgs{
CustomPrivateSubnetName: &databricks.WorkspaceCustomStringParameterArgs{
Value: pulumi.String("myPrivateSubnet"),
},
CustomPublicSubnetName: &databricks.WorkspaceCustomStringParameterArgs{
Value: pulumi.String("myPublicSubnet"),
},
CustomVirtualNetworkId: &databricks.WorkspaceCustomStringParameterArgs{
Value: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork"),
},
},
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
AccessConnector = new AzureNative.Databricks.Inputs.WorkspacePropertiesAccessConnectorArgs
{
Id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector",
IdentityType = AzureNative.Databricks.IdentityType.UserAssigned,
UserAssignedIdentityId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity",
},
DefaultCatalog = new AzureNative.Databricks.Inputs.DefaultCatalogPropertiesArgs
{
InitialName = "",
InitialType = AzureNative.Databricks.InitialType.HiveMetastore,
},
DefaultStorageFirewall = AzureNative.Databricks.DefaultStorageFirewall.Enabled,
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
Parameters = new AzureNative.Databricks.Inputs.WorkspaceCustomParametersArgs
{
CustomPrivateSubnetName = new AzureNative.Databricks.Inputs.WorkspaceCustomStringParameterArgs
{
Value = "myPrivateSubnet",
},
CustomPublicSubnetName = new AzureNative.Databricks.Inputs.WorkspaceCustomStringParameterArgs
{
Value = "myPublicSubnet",
},
CustomVirtualNetworkId = new AzureNative.Databricks.Inputs.WorkspaceCustomStringParameterArgs
{
Value = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork",
},
},
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspacePropertiesAccessConnectorArgs;
import com.pulumi.azurenative.databricks.inputs.DefaultCatalogPropertiesArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomParametersArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomStringParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.accessConnector(WorkspacePropertiesAccessConnectorArgs.builder()
.id("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector")
.identityType("UserAssigned")
.userAssignedIdentityId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity")
.build())
.defaultCatalog(DefaultCatalogPropertiesArgs.builder()
.initialName("")
.initialType("HiveMetastore")
.build())
.defaultStorageFirewall("Enabled")
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.parameters(WorkspaceCustomParametersArgs.builder()
.customPrivateSubnetName(WorkspaceCustomStringParameterArgs.builder()
.value("myPrivateSubnet")
.build())
.customPublicSubnetName(WorkspaceCustomStringParameterArgs.builder()
.value("myPublicSubnet")
.build())
.customVirtualNetworkId(WorkspaceCustomStringParameterArgs.builder()
.value("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork")
.build())
.build())
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
accessConnector:
id: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/adbrg/providers/Microsoft.Databricks/accessConnectors/myAccessConnector
identityType: UserAssigned
userAssignedIdentityId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity
defaultCatalog:
initialName: ""
initialType: HiveMetastore
defaultStorageFirewall: Enabled
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
parameters:
customPrivateSubnetName:
value: myPrivateSubnet
customPublicSubnetName:
value: myPublicSubnet
customVirtualNetworkId:
value: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork
resourceGroupName: rg
workspaceName: myWorkspace
The parameters block configures VNet injection. The customVirtualNetworkId points to your existing VNet. The customPrivateSubnetName and customPublicSubnetName specify where cluster nodes and load balancers deploy. Databricks creates network interfaces in these subnets and applies required NSG rules automatically.
Prepare a workspace for customer-managed encryption
Compliance requirements often mandate customer-managed keys for data encryption. Workspaces must be prepared for CMK before encryption can be enabled.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters: {
prepareEncryption: {
value: true,
},
},
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters={
"prepare_encryption": {
"value": True,
},
},
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
Parameters: &databricks.WorkspaceCustomParametersArgs{
PrepareEncryption: &databricks.WorkspaceCustomBooleanParameterArgs{
Value: pulumi.Bool(true),
},
},
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
Parameters = new AzureNative.Databricks.Inputs.WorkspaceCustomParametersArgs
{
PrepareEncryption = new AzureNative.Databricks.Inputs.WorkspaceCustomBooleanParameterArgs
{
Value = true,
},
},
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomParametersArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomBooleanParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.parameters(WorkspaceCustomParametersArgs.builder()
.prepareEncryption(WorkspaceCustomBooleanParameterArgs.builder()
.value(true)
.build())
.build())
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
parameters:
prepareEncryption:
value: true
resourceGroupName: rg
workspaceName: myWorkspace
The prepareEncryption parameter provisions the infrastructure needed for CMK encryption without activating it. This creates the necessary storage accounts and configures permissions. After preparation completes, you enable encryption in a separate update operation.
Enable CMK encryption with Key Vault integration
After preparing a workspace, teams enable encryption by pointing to a Key Vault key. This encrypts workspace-managed storage at rest.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters: {
encryption: {
value: {
keyName: "myKeyName",
keySource: azure_native.databricks.KeySource.Microsoft_Keyvault,
keyVaultUri: "https://myKeyVault.vault.azure.net/",
keyVersion: "00000000000000000000000000000000",
},
},
prepareEncryption: {
value: true,
},
},
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
parameters={
"encryption": {
"value": {
"key_name": "myKeyName",
"key_source": azure_native.databricks.KeySource.MICROSOFT_KEYVAULT,
"key_vault_uri": "https://myKeyVault.vault.azure.net/",
"key_version": "00000000000000000000000000000000",
},
},
"prepare_encryption": {
"value": True,
},
},
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
Parameters: &databricks.WorkspaceCustomParametersArgs{
Encryption: &databricks.WorkspaceEncryptionParameterArgs{
Value: &databricks.EncryptionArgs{
KeyName: pulumi.String("myKeyName"),
KeySource: pulumi.String(databricks.KeySource_Microsoft_Keyvault),
KeyVaultUri: pulumi.String("https://myKeyVault.vault.azure.net/"),
KeyVersion: pulumi.String("00000000000000000000000000000000"),
},
},
PrepareEncryption: &databricks.WorkspaceCustomBooleanParameterArgs{
Value: pulumi.Bool(true),
},
},
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
Parameters = new AzureNative.Databricks.Inputs.WorkspaceCustomParametersArgs
{
Encryption = new AzureNative.Databricks.Inputs.WorkspaceEncryptionParameterArgs
{
Value = new AzureNative.Databricks.Inputs.EncryptionArgs
{
KeyName = "myKeyName",
KeySource = AzureNative.Databricks.KeySource.Microsoft_Keyvault,
KeyVaultUri = "https://myKeyVault.vault.azure.net/",
KeyVersion = "00000000000000000000000000000000",
},
},
PrepareEncryption = new AzureNative.Databricks.Inputs.WorkspaceCustomBooleanParameterArgs
{
Value = true,
},
},
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomParametersArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceEncryptionParameterArgs;
import com.pulumi.azurenative.databricks.inputs.EncryptionArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspaceCustomBooleanParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.parameters(WorkspaceCustomParametersArgs.builder()
.encryption(WorkspaceEncryptionParameterArgs.builder()
.value(EncryptionArgs.builder()
.keyName("myKeyName")
.keySource("Microsoft.Keyvault")
.keyVaultUri("https://myKeyVault.vault.azure.net/")
.keyVersion("00000000000000000000000000000000")
.build())
.build())
.prepareEncryption(WorkspaceCustomBooleanParameterArgs.builder()
.value(true)
.build())
.build())
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
parameters:
encryption:
value:
keyName: myKeyName
keySource: Microsoft.Keyvault
keyVaultUri: https://myKeyVault.vault.azure.net/
keyVersion: '00000000000000000000000000000000'
prepareEncryption:
value: true
resourceGroupName: rg
workspaceName: myWorkspace
The encryption parameter activates CMK encryption. The keySource property specifies Microsoft.Keyvault as the key provider. The keyVaultUri, keyName, and keyVersion properties identify the encryption key. The workspace managed identity must have Get, WrapKey, and UnwrapKey permissions on the Key Vault key.
Encrypt managed disks with customer keys
Cluster VMs use managed disks for local storage. Teams can encrypt these disks with customer-managed keys separate from workspace storage encryption.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
encryption: {
entities: {
managedDisk: {
keySource: azure_native.databricks.EncryptionKeySource.Microsoft_Keyvault,
keyVaultProperties: {
keyName: "test-cmk-key",
keyVaultUri: "https://test-vault-name.vault.azure.net/",
keyVersion: "00000000000000000000000000000000",
},
rotationToLatestKeyVersionEnabled: true,
},
},
},
location: "westus",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
encryption={
"entities": {
"managed_disk": {
"key_source": azure_native.databricks.EncryptionKeySource.MICROSOFT_KEYVAULT,
"key_vault_properties": {
"key_name": "test-cmk-key",
"key_vault_uri": "https://test-vault-name.vault.azure.net/",
"key_version": "00000000000000000000000000000000",
},
"rotation_to_latest_key_version_enabled": True,
},
},
},
location="westus",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
Encryption: &databricks.WorkspacePropertiesEncryptionArgs{
Entities: &databricks.EncryptionEntitiesDefinitionArgs{
ManagedDisk: &databricks.ManagedDiskEncryptionArgs{
KeySource: pulumi.String(databricks.EncryptionKeySource_Microsoft_Keyvault),
KeyVaultProperties: &databricks.ManagedDiskEncryptionKeyVaultPropertiesArgs{
KeyName: pulumi.String("test-cmk-key"),
KeyVaultUri: pulumi.String("https://test-vault-name.vault.azure.net/"),
KeyVersion: pulumi.String("00000000000000000000000000000000"),
},
RotationToLatestKeyVersionEnabled: pulumi.Bool(true),
},
},
},
Location: pulumi.String("westus"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
Encryption = new AzureNative.Databricks.Inputs.WorkspacePropertiesEncryptionArgs
{
Entities = new AzureNative.Databricks.Inputs.EncryptionEntitiesDefinitionArgs
{
ManagedDisk = new AzureNative.Databricks.Inputs.ManagedDiskEncryptionArgs
{
KeySource = AzureNative.Databricks.EncryptionKeySource.Microsoft_Keyvault,
KeyVaultProperties = new AzureNative.Databricks.Inputs.ManagedDiskEncryptionKeyVaultPropertiesArgs
{
KeyName = "test-cmk-key",
KeyVaultUri = "https://test-vault-name.vault.azure.net/",
KeyVersion = "00000000000000000000000000000000",
},
RotationToLatestKeyVersionEnabled = true,
},
},
},
Location = "westus",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.WorkspacePropertiesEncryptionArgs;
import com.pulumi.azurenative.databricks.inputs.EncryptionEntitiesDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.ManagedDiskEncryptionArgs;
import com.pulumi.azurenative.databricks.inputs.ManagedDiskEncryptionKeyVaultPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.encryption(WorkspacePropertiesEncryptionArgs.builder()
.entities(EncryptionEntitiesDefinitionArgs.builder()
.managedDisk(ManagedDiskEncryptionArgs.builder()
.keySource("Microsoft.Keyvault")
.keyVaultProperties(ManagedDiskEncryptionKeyVaultPropertiesArgs.builder()
.keyName("test-cmk-key")
.keyVaultUri("https://test-vault-name.vault.azure.net/")
.keyVersion("00000000000000000000000000000000")
.build())
.rotationToLatestKeyVersionEnabled(true)
.build())
.build())
.build())
.location("westus")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
encryption:
entities:
managedDisk:
keySource: Microsoft.Keyvault
keyVaultProperties:
keyName: test-cmk-key
keyVaultUri: https://test-vault-name.vault.azure.net/
keyVersion: '00000000000000000000000000000000'
rotationToLatestKeyVersionEnabled: true
location: westus
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
resourceGroupName: rg
workspaceName: myWorkspace
The encryption.entities.managedDisk block configures disk encryption. The keyVaultProperties specify the Key Vault key for disk encryption. The rotationToLatestKeyVersionEnabled property automatically updates to new key versions when you rotate keys in Key Vault. This encryption applies to all cluster VM disks created in the workspace.
Enable compliance features for regulated workloads
Regulated industries require automatic cluster updates, compliance monitoring, and adherence to standards like PCI-DSS and HIPAA.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const workspace = new azure_native.databricks.Workspace("workspace", {
enhancedSecurityCompliance: {
automaticClusterUpdate: {
value: azure_native.databricks.AutomaticClusterUpdateValue.Enabled,
},
complianceSecurityProfile: {
complianceStandards: [
azure_native.databricks.ComplianceStandard.PCI_DSS,
azure_native.databricks.ComplianceStandard.HIPAA,
],
value: azure_native.databricks.ComplianceSecurityProfileValue.Enabled,
},
enhancedSecurityMonitoring: {
value: azure_native.databricks.EnhancedSecurityMonitoringValue.Enabled,
},
},
location: "eastus2",
managedResourceGroupId: "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resourceGroupName: "rg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
workspace = azure_native.databricks.Workspace("workspace",
enhanced_security_compliance={
"automatic_cluster_update": {
"value": azure_native.databricks.AutomaticClusterUpdateValue.ENABLED,
},
"compliance_security_profile": {
"compliance_standards": [
azure_native.databricks.ComplianceStandard.PC_I_DSS,
azure_native.databricks.ComplianceStandard.HIPAA,
],
"value": azure_native.databricks.ComplianceSecurityProfileValue.ENABLED,
},
"enhanced_security_monitoring": {
"value": azure_native.databricks.EnhancedSecurityMonitoringValue.ENABLED,
},
},
location="eastus2",
managed_resource_group_id="/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
resource_group_name="rg",
workspace_name="myWorkspace")
package main
import (
databricks "github.com/pulumi/pulumi-azure-native-sdk/databricks/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewWorkspace(ctx, "workspace", &databricks.WorkspaceArgs{
EnhancedSecurityCompliance: &databricks.EnhancedSecurityComplianceDefinitionArgs{
AutomaticClusterUpdate: &databricks.AutomaticClusterUpdateDefinitionArgs{
Value: pulumi.String(databricks.AutomaticClusterUpdateValueEnabled),
},
ComplianceSecurityProfile: &databricks.ComplianceSecurityProfileDefinitionArgs{
ComplianceStandards: pulumi.StringArray{
pulumi.String(databricks.ComplianceStandard_PCI_DSS),
pulumi.String(databricks.ComplianceStandardHIPAA),
},
Value: pulumi.String(databricks.ComplianceSecurityProfileValueEnabled),
},
EnhancedSecurityMonitoring: &databricks.EnhancedSecurityMonitoringDefinitionArgs{
Value: pulumi.String(databricks.EnhancedSecurityMonitoringValueEnabled),
},
},
Location: pulumi.String("eastus2"),
ManagedResourceGroupId: pulumi.String("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG"),
ResourceGroupName: pulumi.String("rg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var workspace = new AzureNative.Databricks.Workspace("workspace", new()
{
EnhancedSecurityCompliance = new AzureNative.Databricks.Inputs.EnhancedSecurityComplianceDefinitionArgs
{
AutomaticClusterUpdate = new AzureNative.Databricks.Inputs.AutomaticClusterUpdateDefinitionArgs
{
Value = AzureNative.Databricks.AutomaticClusterUpdateValue.Enabled,
},
ComplianceSecurityProfile = new AzureNative.Databricks.Inputs.ComplianceSecurityProfileDefinitionArgs
{
ComplianceStandards = new[]
{
AzureNative.Databricks.ComplianceStandard.PCI_DSS,
AzureNative.Databricks.ComplianceStandard.HIPAA,
},
Value = AzureNative.Databricks.ComplianceSecurityProfileValue.Enabled,
},
EnhancedSecurityMonitoring = new AzureNative.Databricks.Inputs.EnhancedSecurityMonitoringDefinitionArgs
{
Value = AzureNative.Databricks.EnhancedSecurityMonitoringValue.Enabled,
},
},
Location = "eastus2",
ManagedResourceGroupId = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG",
ResourceGroupName = "rg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.databricks.Workspace;
import com.pulumi.azurenative.databricks.WorkspaceArgs;
import com.pulumi.azurenative.databricks.inputs.EnhancedSecurityComplianceDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.AutomaticClusterUpdateDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.ComplianceSecurityProfileDefinitionArgs;
import com.pulumi.azurenative.databricks.inputs.EnhancedSecurityMonitoringDefinitionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var workspace = new Workspace("workspace", WorkspaceArgs.builder()
.enhancedSecurityCompliance(EnhancedSecurityComplianceDefinitionArgs.builder()
.automaticClusterUpdate(AutomaticClusterUpdateDefinitionArgs.builder()
.value("Enabled")
.build())
.complianceSecurityProfile(ComplianceSecurityProfileDefinitionArgs.builder()
.complianceStandards(
"PCI_DSS",
"HIPAA")
.value("Enabled")
.build())
.enhancedSecurityMonitoring(EnhancedSecurityMonitoringDefinitionArgs.builder()
.value("Enabled")
.build())
.build())
.location("eastus2")
.managedResourceGroupId("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG")
.resourceGroupName("rg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
workspace:
type: azure-native:databricks:Workspace
properties:
enhancedSecurityCompliance:
automaticClusterUpdate:
value: Enabled
complianceSecurityProfile:
complianceStandards:
- PCI_DSS
- HIPAA
value: Enabled
enhancedSecurityMonitoring:
value: Enabled
location: eastus2
managedResourceGroupId: /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myManagedRG
resourceGroupName: rg
workspaceName: myWorkspace
The enhancedSecurityCompliance block activates the Enhanced Security & Compliance Add-On. The automaticClusterUpdate property forces clusters to use the latest Databricks runtime versions. The complianceSecurityProfile property enables monitoring for specific compliance standards. The enhancedSecurityMonitoring property activates security event logging and threat detection.
Beyond these examples
These snippets focus on specific workspace-level features: Unity Catalog and storage firewall configuration, VNet injection and custom subnet placement, customer-managed key encryption for workspace storage and managed disks, and Enhanced Security & Compliance Add-On. They’re intentionally minimal rather than full data platform deployments.
The examples may reference pre-existing infrastructure such as Access Connectors for Unity Catalog, Azure Key Vault with encryption keys, VNets and subnets for network injection, and managed resource groups. They focus on configuring the workspace rather than provisioning everything around it.
To keep things focused, common workspace patterns are omitted, including:
- Private endpoint connections (privateEndpointConnections)
- Workspace provider authorizations
- Public network access controls (publicNetworkAccess)
- NSG rule requirements (requiredNsgRules)
- SKU selection and pricing tiers
These omissions are intentional: the goal is to illustrate how each workspace feature is wired, not provide drop-in data platform modules. See the Databricks Workspace resource reference for all available configuration options.
Let's deploy Azure Databricks Workspaces
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Encryption & Key Management
How do I enable customer-managed key encryption for my workspace?
CMK encryption requires a two-step process. First, create the workspace with
parameters.prepareEncryption.value set to true. Then, update the workspace with parameters.encryption containing your Key Vault details (keyName, keyVaultUri, keyVersion, and keySource set to Microsoft.Keyvault).What's the difference between the two encryption settings?
parameters.encryption configures customer-managed key encryption for DBFS (Databricks File System), while encryption.entities.managedDisk configures CMK for managed disks attached to clusters. You can use one or both depending on your encryption requirements.How do I revert from customer-managed keys to Microsoft-managed keys?
Update
parameters.encryption.value.keySource to Default to switch back to Microsoft-managed encryption.What does rotationToLatestKeyVersionEnabled do for managed disk encryption?
When set to
true in encryption.entities.managedDisk, it automatically rotates to the latest key version in your Key Vault, ensuring managed disks always use the current key.Networking & VNet Injection
How do I inject my workspace into a custom VNet?
Configure three parameters: set
parameters.customVirtualNetworkId to your VNet resource ID, parameters.customPrivateSubnetName to your private subnet name, and parameters.customPublicSubnetName to your public subnet name.Identity & Access
What identity types can I use with the access connector?
You can use
SystemAssigned or UserAssigned identity types. For UserAssigned, you must also specify userAssignedIdentityId pointing to your managed identity resource.Catalog & Storage
What catalog types are available for my workspace?
You can set
defaultCatalog.initialType to either UnityCatalog or HiveMetastore depending on your data governance needs.What does defaultStorageFirewall do?
When set to
Enabled, it configures firewall rules for the default storage account associated with the workspace.Resource Lifecycle
What properties can't be changed after workspace creation?
Three properties are immutable:
location, resourceGroupName, and workspaceName. You cannot modify these after the workspace is created.Security & Compliance
How do I enable Enhanced Security and Compliance features?
Configure
enhancedSecurityCompliance with three sub-properties: automaticClusterUpdate.value (set to Enabled), complianceSecurityProfile with your compliance standards (like PCI_DSS or HIPAA), and enhancedSecurityMonitoring.value (set to Enabled).