Last reviewed: May 2026
Build the AWS services on the DP-600 exam with plain Terraform — one block at a time, each tied back to an exam domain. The same code works on OpenTofu.
By the end of this lab you'll have provisioned, with plain Terraform, the Microsoft Fabric capacity that underpins every Fabric workload — an F-SKU capacity sized for development (F2), an ADLS Gen2 storage account for OneLake shortcut targets, a Log Analytics workspace for capacity diagnostics, and the role assignments wiring it all to your Terraform principal. Fabric workspaces (Lakehouses, Warehouses, Notebooks) are created inside the capacity via the Fabric portal or REST API — that's not in Terraform's scope today.
Drop the snippets into a single main.tf, run terraform init, then terraform apply step-by-step.
>= 1.5 or OpenTofu >= 1.6.az login).Fabric capacity is the single biggest cost line in this lab:
terraform destroy or via the portal).The DP-600 cost-anti-pattern question 100% of the time involves "why is my Fabric bill $262 even though no one is using it?" — because the capacity bills 24/7 unless paused. Always destroy or pause when not actively using.
Standard Azure opener. Fabric capacities are region-bound — pick a region your data sources are in to avoid cross-region transfer charges (Fabric reads from OneLake, which physically lives in the capacity's region).
terraform {
required_version = ">= 1.5"
required_providers {
azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
random = { source = "hashicorp/random", version = "~> 3.6" }
}
}
provider "azurerm" {
features {}
}
resource "random_id" "suffix" {
byte_length = 3
}
data "azurerm_client_config" "current" {}
locals {
tags = {
Project = "certlabpro-dp-600"
ManagedBy = "terraform"
}
}
resource "azurerm_resource_group" "main" {
name = "certlabpro-dp-600-rg"
location = "eastus"
tags = local.tags
}Microsoft Fabric's OneLake feature provides a unified data lake across Fabric workspaces. Fabric items (Lakehouses, Warehouses) physically store their data in OneLake — but Fabric also supports shortcuts that reference data in external storage (ADLS Gen2, S3, GCS, Dataverse) as if it lived in OneLake. The shortcut pattern is the DP-600 hot topic for Implement and manage a data analytics solution — federate without copying.
We provision an ADLS Gen2 account here with hierarchical namespace enabled (the required setting for OneLake shortcuts). You'd create the actual shortcut inside the Fabric portal pointing at this account once it exists.
resource "azurerm_storage_account" "lake" {
name = "dp600lake${random_id.suffix.hex}"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
account_tier = "Standard"
account_replication_type = "LRS"
account_kind = "StorageV2"
is_hns_enabled = true # required for OneLake shortcuts
https_traffic_only_enabled = true
min_tls_version = "TLS1_2"
allow_nested_items_to_be_public = false
tags = local.tags
}
resource "azurerm_storage_container" "bronze" {
name = "bronze"
storage_account_id = azurerm_storage_account.lake.id
container_access_type = "private"
}
resource "azurerm_storage_container" "silver" {
name = "silver"
storage_account_id = azurerm_storage_account.lake.id
container_access_type = "private"
}
resource "azurerm_storage_container" "gold" {
name = "gold"
storage_account_id = azurerm_storage_account.lake.id
container_access_type = "private"
}The Fabric capacity is the billing unit for all Fabric workloads. Workspaces in the Fabric portal get associated with a capacity, and that's what determines pricing and quota.
We provision the smallest production-grade capacity (F2). The administration_members list names who can administer the capacity in the Fabric admin portal — for the lab we use the current Terraform principal. The administrator role is separate from workspace-level permissions; capacity admins control billing, capacity-wide settings, and which workspaces can use it.
DP-600 tests capacity sizing as a cost-optimization theme: choose the smallest SKU that meets your workload's RU/s needs, scale up for peak, scale down or pause off-hours. F-SKUs are pay-as-you-go (per-hour billing); the older P-SKUs from Power BI Premium are reserved-capacity (yearly commitment).
resource "azurerm_fabric_capacity" "main" {
name = "fab-dp600-${random_id.suffix.hex}"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
administration_members = [
data.azurerm_client_config.current.object_id,
]
sku {
name = "F2" # smallest Fabric SKU; F-series is pay-as-you-go
tier = "Fabric"
}
tags = local.tags
}DP-600's Maintain and optimize analytics solutions domain tests capacity health monitoring as the primary diagnostic surface — capacity throttling, query duration spikes, refresh failures all surface as Log Analytics signals. We provision the workspace and a Diagnostic Setting on the Fabric capacity that ships every metric and log category into it.
With this final piece, the Fabric foundation is complete: capacity sized for the workload, ADLS Gen2 ready as a shortcut target, capacity diagnostics flowing to Log Analytics. Fabric workspaces, Lakehouses, Warehouses, semantic models, and notebooks are all created inside the capacity via the Fabric portal or REST API — that's the application layer this lab doesn't try to do in Terraform.
resource "azurerm_log_analytics_workspace" "main" {
name = "log-dp600"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
sku = "PerGB2018"
retention_in_days = 30
tags = local.tags
}
resource "azurerm_monitor_diagnostic_setting" "fabric" {
name = "diag"
target_resource_id = azurerm_fabric_capacity.main.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
metric {
category = "AllMetrics"
enabled = true
}
}terraform destroy tears down everything. Critical reminder: the Fabric capacity bills 24/7 — even one day of leaving F2 running is ~$8.70. Destroy promptly. Alternative: the capacity supports a pause/resume operation via the Azure portal that stops billing without destroying the resource — useful if you want to keep the lab around but only pay when actively using it.
DP-600 covers many Fabric workloads this lab can't fit in plain Terraform — Lakehouses (managed by Fabric, not provisionable via azurerm), Warehouses, KQL Databases (Eventhouses), notebooks, Data Pipelines (Data Factory inside Fabric), semantic models (Power BI), dataflows Gen2, and the Microsoft Fabric REST API for workspace creation.
The Fabric Workspace API is starting to land in the fabric Terraform provider (separate from azurerm), but it's still maturing. For DP-600 lab purposes, the capacity provisioning above gets you to the point where you can open the Fabric portal, create a workspace bound to this capacity, and build Lakehouses + notebooks + warehouses inside it — the same way every DP-600 candidate practices.
For service-by-service coverage, see the Browse and Editorial sections of this cert page.