terraform-provider-azurerm: Error received while trying to create a synapse workspace using customer_managed_key_versionless_id property.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureRM Provider) Version
Terraform v1.0.0, azurerm provider v2.64.0
Affected Resource(s)
azurerm_synapse_workspace
Terraform Configuration Files
```hcl
resource "azurerm_synapse_workspace" "synapse" {
  depends_on = [
    azurerm_storage_data_lake_gen2_filesystem.gen2_filesystem,
    azurerm_key_vault_key.customer-key,
  ]
  name                                 = "fidosynapse${var.environment}"
  resource_group_name                  = module.resource_group.name
  location                             = module.resource_group.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.gen2_filesystem.id
  sql_administrator_login              = "svcadmin"
  sql_administrator_login_password     = var.db_password
  managed_virtual_network_enabled      = true
  data_exfiltration_protection_enabled = true
  sql_identity_control_enabled         = true
  customer_managed_key_versionless_id  = azurerm_key_vault_key.customer-key.versionless_id

  aad_admin {
    login     = "AzureAD Admin"
    object_id = var.aad_login_object_id
    tenant_id = data.azurerm_client_config.current.tenant_id
  }

  tags = module.metadata.tags
}
```
Debug Output
```text
│ Error: updating Synapse Workspace "synapse101" Sql Admin (Resource Group "app-terraform-dev-eastus2"): synapse.WorkspaceAadAdminsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="WorkspaceActivationRequired" Message="Workspace needs to be activated, by adding the managed identity in the KeyVault containing the customer managed key and activating the workspace through the keys subresource."
│
│   with azurerm_synapse_workspace.synapse,
│   on azure-synapse.tf line 6, in resource "azurerm_synapse_workspace" "synapse":
│    6: resource "azurerm_synapse_workspace" "synapse" {
```
Expected Behaviour
Synapse Workspace should have been created with encryption enabled by customer managed key.
Actual Behaviour
Raised the following error:
```text
│ Error: updating Synapse Workspace "fidosynapse101" Sql Admin (Resource Group "app-terraform-dev-eastus2"): synapse.WorkspaceAadAdminsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="WorkspaceActivationRequired" Message="Workspace needs to be activated, by adding the managed identity in the KeyVault containing the customer managed key and activating the workspace through the keys subresource."
│
│   with azurerm_synapse_workspace.synapse,
│   on azure-synapse.tf line 6, in resource "azurerm_synapse_workspace" "synapse":
│    6: resource "azurerm_synapse_workspace" "synapse" {
```
Steps to Reproduce
- terraform apply
I can assign the necessary key permissions to the Managed Identity only once the synapse workspace is deployed and I get the Synapse Workspace identity’s principal ID. But currently it is erroring out during synapse workspace creation.
References
https://github.com/terraform-providers/terraform-provider-azurerm/pull/11328#issuecomment-867274557
https://docs.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption
About this issue
- State: closed
- Created 3 years ago
- Reactions: 7
- Comments: 19 (7 by maintainers)
Hi @sdebruyn and @AliMBajwa,
Some time after I developed the feature (on #11328) I realized this behavior, and this issue/discussion captures exactly the “chicken vs. egg problem” we have on our hands. I am assuming the acceptance test worked fine since it didn’t create any additional resources that needed activation.

To solve this problem I was wondering if we could create a new resource named `azurerm_synapse_workspace_key` with the main goal of activating the workspace. Activating the workspace programmatically is not a problem. If you inspect the REST calls the portal does when activating, you should see the usage of the “Create/Update Key” operation, as pointed out by @AliMBajwa: https://github.com/Azure/azure-sdk-for-go/blob/e1a5f307e106fced7ef33b9537ecceaf334a7732/services/synapse/mgmt/2021-03-01/synapse/synapseapi/interfaces.go#L127-L133

So that you can get Synapse’s managed identity and add it to KV access policies, and then activate the workspace. All following Synapse terraform resources must depend on the `azurerm_synapse_workspace_key` resource. Thoughts?
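The dependency chain described in the issue body (workspace first, then key permissions for its identity, then activation) and proposed in the comment above, written out as an added Terraform example. This is not code from the issue, the provider, or either commenter. The `azurerm_synapse_workspace_key` resource and its arguments (`synapse_workspace_id`, `customer_managed_key_versionless_id`, `active`) are assumed here as sketched in the proposal, and the key vault (`azurerm_key_vault.kv`), Data Lake filesystem (`azurerm_storage_data_lake_gen2_filesystem.fs`) and `azurerm_client_config` data source are assumed to be defined elsewhere in the configuration:

```hcl
# Added example: the CMK activation ordering the issue asks for.
# Step 1: the key the workspace will use. The vault is assumed to have soft delete
# and purge protection enabled, which Azure requires for a CMK vault.
resource "azurerm_key_vault_key" "customer_key" {
  name         = "synapse-cmk"
  key_vault_id = azurerm_key_vault.kv.id # assumed to exist elsewhere
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
}

# Step 2: create the workspace with the versionless key id. Its system-assigned
# identity does not exist until this resource is created, so no access policy
# can be granted to it beforehand (the "chicken vs. egg" problem).
resource "azurerm_synapse_workspace" "synapse" {
  name                                 = "synapse-cmk-example"
  resource_group_name                  = azurerm_resource_group.rg.name
  location                             = azurerm_resource_group.rg.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.fs.id
  sql_administrator_login              = "svcadmin"
  sql_administrator_login_password     = var.db_password
  customer_managed_key_versionless_id  = azurerm_key_vault_key.customer_key.versionless_id
  # other settings (aad_admin, networking, tags) omitted; see the configuration in the issue
}

# Step 3: now that the workspace exists, grant only what CMK wrapping needs to
# its managed identity: Get, WrapKey and UnwrapKey on keys, nothing else.
resource "azurerm_key_vault_access_policy" "synapse_cmk" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_synapse_workspace.synapse.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Step 4: activate the workspace through the keys subresource. This resource is
# the one proposed in the comment above; its name and arguments are assumed.
resource "azurerm_synapse_workspace_key" "activate" {
  synapse_workspace_id                = azurerm_synapse_workspace.synapse.id
  customer_managed_key_versionless_id = azurerm_key_vault_key.customer_key.versionless_id
  active                              = true

  # the access policy must be in place before activation, or the activation
  # call fails the same way workspace creation does in the issue
  depends_on = [azurerm_key_vault_access_policy.synapse_cmk]
}

# Step 5: every other resource inside the workspace waits for activation.
resource "azurerm_synapse_firewall_rule" "allow_azure_services" {
  name                 = "AllowAllWindowsAzureIps"
  synapse_workspace_id = azurerm_synapse_workspace.synapse.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "0.0.0.0"

  depends_on = [azurerm_synapse_workspace_key.activate]
}
```

The access policy deliberately grants no `Create`, `Delete` or `Purge` permission: the workspace identity only ever needs to wrap and unwrap with the existing key, so a compromised workspace identity cannot rotate or destroy the key. The `depends_on` on the trailing resources is what makes the ordering explicit, since Terraform cannot infer from attribute references alone that an activation step sits between creation and use.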
Yes! (Azure Data Factory already accepts it, for example; I used this pattern of user-assigned identity + CMK in the past.) Not sure if anyone wants to start developing it. I will have some free cycles by the end of the week; I can continue any work or start it.