4-Workspace Layout
Every environment (DEV, UAT, PROD) uses four Fabric workspaces. This separation is not arbitrary -- it is a direct consequence of a fundamental Microsoft Fabric constraint: Terraform-created items and git-synced items cannot coexist in the same workspace.
Workspace Architecture
```mermaid
graph TD
    subgraph env["Per Environment (DEV / UAT / PROD)"]
        G["Gold Workspace<br/><small>Gold Warehouse<br/>Terraform only, NO git connection</small>"]
        B["Bronze Workspace<br/><small>Lakehouse_Bronze + Shortcuts<br/>Terraform + deploy scripts</small>"]
        S["Semantic Workspace<br/><small>8 TMDL Semantic Models<br/>fabric-cicd deploy</small>"]
        R["Reports Workspace<br/><small>22+ .pbir Reports<br/>fabric-cicd deploy</small>"]
    end
    subgraph flow["Data Flow"]
        direction LR
        B2["Bronze"] --> G2["Gold"] --> S2["Semantic"] --> R2["Reports"]
    end
    style G fill:#1b4332,color:#fff
    style B fill:#2d6a4f,color:#fff
    style S fill:#40916c,color:#fff
    style R fill:#52b788,color:#fff
```
Workspace Details
| Workspace | Naming Pattern | Contents | Management Method | Git Connection |
|---|---|---|---|---|
| Gold | \{ENV\}-Gold | Gold Warehouse (Gold_Warehouse) | Terraform only | None -- Terraform and git sync conflict |
| Bronze | \{ENV\}-Bronze | Lakehouse_Bronze, Dataverse/AX/SP shortcuts | Terraform + deploy_shortcuts.py | None for DEV/UAT/PROD |
| Semantic | \{ENV\}-Semantic | 8 TMDL semantic models (DirectLake + import) | fabric-cicd via fabric-deploy.yml | None -- content deployed by pipeline |
| Reports | \{ENV\}-Reports | 22+ Power BI .pbir reports | fabric-cicd via fabric-deploy.yml | None -- content deployed by pipeline |
Why Terraform and Git Sync Cannot Coexist
This constraint is the root cause of the 4-workspace design. Three specific Fabric platform behaviors make mixing impossible:
- SPNs cannot CommitToGit -- Terraform uses an SPN to create resources, but SPNs cannot commit those resources to git. This means Terraform-created items like warehouses cannot be represented in a git-connected workspace.
- PreferRemote removes everything -- When initializing a git connection with PreferRemote, Fabric removes ALL workspace items not represented in the git folder. A Terraform-created warehouse would be deleted.
- .platform logicalId mismatch -- Terraform assigns item IDs that differ from git sync logicalIds. Pre-committing .platform files for Terraform-created items does not work because the IDs are workspace-specific.
The clean solution: keep Gold (Terraform-only) completely separate from workspaces that need git sync or fabric-cicd deployment.
Feature Branch Workspaces
Feature branches get a different workspace configuration. Unlike DEV/UAT/PROD (which are deployment targets), feature workspaces are edit environments where developers create and modify content through the Fabric UI.
```mermaid
graph TD
    subgraph feat["Feature Environment (FEAT-{name})"]
        FG["Gold Workspace<br/><small>Gold Warehouse<br/>Terraform only</small>"]
        FB["Bronze Workspace<br/><small>Lakehouse via git sync<br/>Git-connected to feature branch</small>"]
        FS["Semantic Workspace<br/><small>TMDL models<br/>Git-connected, UI-editable</small>"]
        FR["Reports Workspace<br/><small>.pbir reports<br/>Git-connected, UI-editable</small>"]
    end
    style FG fill:#1b4332,color:#fff
    style FB fill:#774936,color:#fff
    style FS fill:#774936,color:#fff
    style FR fill:#774936,color:#fff
```
| Workspace | Feature Branch Behavior |
|---|---|
| Gold | Terraform-only (same as prod environments). Own warehouse with isolated data. |
| Bronze | Git-connected to feature/\{name\}. Lakehouse created via git sync from .platform files. Shortcuts deployed from shortcuts.metadata.json. |
| Semantic | Git-connected to feature/\{name\}. Developers edit semantic models directly in the Fabric UI and commit via Source Control panel. |
| Reports | Git-connected to feature/\{name\}. Developers create/edit reports in Fabric UI and commit via Source Control panel. |
The key difference: DEV/UAT/PROD workspaces are read-only for humans (all changes go through pipelines), while feature workspaces are human-editable (bidirectional git sync via Fabric UI).
Environment Matrix
The full workspace inventory across all environment types:
| Environment | Gold | Bronze | Semantic | Reports | Total |
|---|---|---|---|---|---|
| DEV | DEV-Gold | DEV-Bronze | DEV-Semantic | DEV-Reports | 4 |
| UAT | UAT-Gold | UAT-Bronze | UAT-Semantic | UAT-Reports | 4 |
| PROD | PROD-Gold | PROD-Bronze | PROD-Semantic | PROD-Reports | 4 |
| Feature (per developer) | FEAT-{name}-Datalake | FEAT-{name}-Datalake | FEAT-{name}-Semantic | FEAT-{name}-Reports | 3-4 |
| CI | CI-Gold | -- | -- | -- | 1 |
Feature environments are tiered -- developers provision only the layers they need. A semantic-only feature creates just Semantic + Reports workspaces using the shared DEV Gold Warehouse. A full-stack feature creates all 4 workspaces with isolated data.
Role Assignments
Workspace roles follow a two-tier model: Leads get Admin, Developers get Viewer (read-only — all changes go through PRs). SPNs get Admin or Contributor depending on their function. Business users do NOT get direct workspace roles. See Workspace Roles for the full per-workspace role matrix.
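The git-connection rules and the two-tier role model described on this page can be checked mechanically against a workspace inventory. The following is an added example, not the project's own code: the record fields, the principal "kind" labels and the sample inventory are constructed, and applying the role check only to DEV/UAT/PROD is an assumption.

```python
# Added example: audit a workspace inventory against the rules on this page.
# Record fields and principal "kind" labels are hypothetical, not a Fabric API shape.
DEPLOY_ENVS = {"DEV", "UAT", "PROD"}
ALLOWED_ROLES = {                      # two-tier role model
    "lead": {"Admin"},
    "developer": {"Viewer"},
    "spn": {"Admin", "Contributor"},
    "business": set(),                 # app access only, no direct workspace role
}

def audit(workspaces):
    """Return (workspace name, finding) tuples for every rule violation."""
    findings = []
    for ws in workspaces:
        name, env, layer = ws["name"], ws["env"], ws["layer"]
        branch = ws.get("git_branch")  # None means no git connection
        if layer == "Gold" and branch:
            findings.append((name, "Terraform-only Gold workspace is git-connected"))
        elif env in DEPLOY_ENVS and branch:
            findings.append((name, f"deployment target is git-connected to {branch}"))
        elif env.startswith("FEAT-") and layer != "Gold":
            expected = "feature/" + env[len("FEAT-"):]
            if branch != expected:
                findings.append((name, f"expected branch {expected}, found {branch}"))
        if env in DEPLOY_ENVS:         # assumption: role model enforced on deployment targets
            for principal, kind, role in ws.get("roles", []):
                if role not in ALLOWED_ROLES.get(kind, set()):
                    findings.append((name, f"{kind} '{principal}' holds {role}"))
    return findings

# Constructed sample inventory (not real tenant data).
INVENTORY = [
    {"name": "PROD-Gold", "env": "PROD", "layer": "Gold", "git_branch": None,
     "roles": [("spn-terraform", "spn", "Admin"), ("lead-a", "lead", "Admin")]},
    {"name": "DEV-Gold", "env": "DEV", "layer": "Gold", "git_branch": "main", "roles": []},
    {"name": "PROD-Reports", "env": "PROD", "layer": "Reports", "git_branch": "main",
     "roles": [("dev-b", "developer", "Contributor"),
               ("finance-users", "business", "Viewer")]},
    {"name": "FEAT-pricing-Semantic", "env": "FEAT-pricing", "layer": "Semantic",
     "git_branch": "feature/pricing", "roles": [("dev-b", "developer", "Contributor")]},
    {"name": "FEAT-pricing-Reports", "env": "FEAT-pricing", "layer": "Reports",
     "git_branch": "main", "roles": []},
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

Run on a schedule, a check like this surfaces drift such as a git connection added to a Gold workspace before a PreferRemote initialization can remove the Terraform-created warehouse.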
Workspace App (Report Access)
The Workspace App is the business user's entry point, published from the Reports workspace with tab-level audience control per Entra ID group. Business users access reports exclusively through the app — they do NOT get direct workspace roles.
For the full app access model, environment-specific audience configuration, and section-to-group mapping, see Workspace Roles — App Access Model.