Add a new 'cmkUri' param to azuredeploy.json. It creates a new 'encryption' variable that is passed into workspace/azuredeploy.json, which then applies it to the newly created Synapse workspace. The default empty string for 'cmkUri' results in an empty dict for 'encryption', which leaves things unchanged from how they are now. Otherwise, the customer-managed key (CMK) will be applied. Note that it assumes the user will pass in the full key identifier from the Key Vault, which includes the version. It strips off this version, since that's required by Synapse. Here's an example expected cmkUri:
https://rbakeyvault123.vault.azure.net/keys/rbaKey2/dc32dc998c036efb893dca001a029522
which gets passed into the Synapse workspace resource deployment properties as:
"encryption": { "cmk": { "key": { "name": "default", "keyVaultUrl": "https://rbakeyvault123.vault.azure.net/keys/rbaKey2" } } }
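
The mapping described above, written as a pre-deployment check. This is an added example, not code from this change or its templates: the function name `build_encryption` and its validation rules are assumptions. It goes slightly beyond the description by rejecting a cmkUri that is not an https `/keys/<name>/<version>` identifier, so a versionless or malformed value fails before deployment instead of yielding a wrong key URL.

```python
from urllib.parse import urlsplit


def build_encryption(cmk_uri: str) -> dict:
    """Return the 'encryption' value for a given cmkUri parameter (hypothetical helper)."""
    if cmk_uri == "":
        # Default: empty dict, workspace encryption left unchanged.
        return {}

    parts = urlsplit(cmk_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("cmkUri must be an https:// Key Vault key identifier")
    if "@" in parts.netloc or parts.query or parts.fragment:
        raise ValueError("cmkUri must not carry userinfo, query or fragment")

    # The description assumes the full identifier: /keys/<name>/<version>.
    segments = parts.path.strip("/").split("/")
    if len(segments) != 3 or segments[0] != "keys" or not all(segments):
        raise ValueError("cmkUri path must be /keys/<name>/<version>")

    _, key_name, _version = segments  # version is dropped for Synapse
    return {
        "cmk": {
            "key": {
                "name": "default",
                "keyVaultUrl": f"https://{parts.netloc}/keys/{key_name}",
            }
        }
    }


if __name__ == "__main__":
    import json

    # Example URI taken from the description above.
    example = ("https://rbakeyvault123.vault.azure.net/keys/rbaKey2/"
               "dc32dc998c036efb893dca001a029522")
    print(json.dumps({"encryption": build_encryption(example)}, indent=2))
```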