Azure Citadel

Theory

Should you automate everything in Microsoft Fabric using Terraform? Probably not...

Introduction

I don’t think that Terraform is necessarily the best way to completely define all aspects of a Fabric environment. There is a natural split. On one side are the more static admin tasks for Fabric that require a higher level of privilege, those covered in the Microsoft Fabric documentation for admins, for which I would use declarative automation. On the other side is the wider set of resources that make up the elements within a Fabric workspace for the other roles, and the tailored experiences for other personas such as Data Engineer, Data Scientist, and Business Analyst. These are covered in the fuller set of Microsoft Fabric documentation.

I would therefore advocate a hybrid configuration, using the Terraform provider for Microsoft Fabric to manage platform-level resources and administrative configurations, and the Git integration for the workspace-scoped resources.

Note that both are in their early stages at the time of writing. Not all resources are supported, and some are supported only in preview.

Fabric Administration

Terraform is an ideal approach for Fabric Admins who need repeatable, scalable, and policy-compliant deployments with automated and declarative configuration via workload identities. This includes:

  • Capacities: Provisioning and configuring Fabric capacities.
  • Workspaces: Creating and managing workspaces, including metadata and access controls.
  • RBAC Assignments: Managing role-based access control at the workspace or capacity level.
  • Lakehouses and Shortcuts: Defining and deploying foundational data structures.
  • Network Integrations: Setting up secure access and connectivity.
  • Automation: Using GitHub Actions or Azure DevOps pipelines to automate deployments and enforce consistency across environments.

This approach allows admins to enforce governance and consistency using Terraform, which may already be in use for other cloud platforms as it has wide provider support. As an example, the reference repo shows a combination of azuread, azurerm and fabric providers. Other common providers are those for azapi, aws and gcp, plus the various general providers such as random.
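A sketch of the admin-owned layer described above, added here as an illustration and not taken from the reference repo. It assumes the 1.x schema of the microsoft/fabric provider, and every display name is a placeholder. Workspace roles are granted to Entra ID groups, so membership changes happen in the directory rather than in Terraform state.

```hcl
# Added example: platform-level resources only. Items inside the workspace
# (notebooks, pipelines, reports) are left to the workspace Git integration.
terraform {
  required_providers {
    fabric = {
      source  = "microsoft/fabric"
      version = "~> 1.0" # assumption: 1.x provider schema
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "fabric" {}
provider "azuread" {}

# Existing Fabric capacity, looked up by name (placeholder).
data "fabric_capacity" "main" {
  display_name = "examplecapacity"
}

# Existing Entra ID security groups (placeholder names).
data "azuread_group" "engineers" {
  display_name = "fabric-example-engineers"
}

data "azuread_group" "analysts" {
  display_name = "fabric-example-analysts"
}

resource "fabric_workspace" "analytics" {
  display_name = "example-analytics-dev"
  description  = "Created by Terraform. Workspace items are managed via Git integration."
  capacity_id  = data.fabric_capacity.main.id
}

locals {
  # One entry per group; the static keys keep for_each stable across plans.
  workspace_roles = {
    engineers = { group_id = data.azuread_group.engineers.object_id, role = "Contributor" }
    analysts  = { group_id = data.azuread_group.analysts.object_id, role = "Viewer" }
  }
}

resource "fabric_workspace_role_assignment" "groups" {
  for_each     = local.workspace_roles
  workspace_id = fabric_workspace.analytics.id
  principal    = { id = each.value.group_id, type = "Group" }
  role         = each.value.role
}
```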

Workspace-Level Git Integration

This approach allows Data Engineers and Analysts to work fluidly and independently. The Git integration in Fabric is workspace-scoped and supports a wide range of items, including:

  • Data Engineering: Notebooks, Lakehouses, Spark Job Definitions.
  • Data Factory: Pipelines, Dataflows, Copy Jobs.
  • Real-Time Intelligence: Eventstreams, KQL databases, Dashboards.
  • Power BI: Reports, Semantic Models, Paginated Reports.
  • Data Warehouse: Warehouses and mirrored catalogs.

This model allows engineers and analysts to:

  • Version control their work directly from the Fabric UI.
  • Branch and merge using GitHub or Azure DevOps.
  • Collaborate without stepping on each other’s changes.
  • Sync changes between Git and Fabric workspaces.

However, Git integration does not currently support all Fabric items, and configuration drift is possible if not managed carefully.

Natural Division

The table below shows an example split of resources.

| Responsibility Area | Terraform (Admin) | Git Integration (Engineer/Analyst) |
|---|---|---|
| Workspace creation & config | ✅ Yes | ❌ No |
| Capacity management | ✅ Yes | ❌ No |
| RBAC and security | ✅ Yes | ❌ No |
| Pipelines, Notebooks, Reports | ❌ No (not granular) | ✅ Yes (workspace-level) |
| Version control & collaboration | ⚠️ Limited (via IaC repo) | ✅ Full Git support |
| Deployment automation | ✅ Yes (CI/CD with IaC) | ✅ Yes (via Git commits & PRs) |
| State management | ✅ Declarative state | ⚠️ Partial (sync only supported items) |

Next

OK, hopefully that makes sense in setting the context for what we will be automating.

These labs will guide you through setting up the prerequisites, such as ensuring you have a Fabric license and capacity, installing the Fabric extension for Azure CLI, and configuring a storage account for Terraform state with enforced RBAC. You’ll also learn how to configure an app registration for user context, test Terraform configurations locally in a test workspace, and push your configurations into a GitHub repository. Additionally, we’ll cover creating an OpenID Connect managed identity for the Fabric provider and understanding the GitHub workflow for deploying your infrastructure as code. By the end of these labs, you’ll have a solid foundation for managing Microsoft Fabric platform resources using Terraform and the Fabric CLI.

Next up we’ll check you have a few prerequisites in place and then we can get cracking.
