
Error received while trying to create a synapse workspace using customer_managed_key_versionless_id property. #12348

Closed
DesaCh01 opened this issue Jun 24, 2021 · 19 comments · Fixed by #13179

Comments

@DesaCh01

DesaCh01 commented Jun 24, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.0.0
azurerm provider v2.64.0

Affected Resource(s)

azurerm_synapse_workspace

Terraform Configuration Files

resource "azurerm_synapse_workspace" "synapse" {
  depends_on = [
    azurerm_storage_data_lake_gen2_filesystem.gen2_filesystem,
    azurerm_key_vault_key.customer-key,
  ]
  name                                 = "fidosynapse${var.environment}"
  resource_group_name                  = module.resource_group.name
  location                             = module.resource_group.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.gen2_filesystem.id
  sql_administrator_login              = "svcadmin"
  sql_administrator_login_password     = var.db_password
  managed_virtual_network_enabled      = true
  data_exfiltration_protection_enabled = true
  sql_identity_control_enabled         = true
  customer_managed_key_versionless_id  = azurerm_key_vault_key.customer-key.versionless_id
  aad_admin {
    login     = "AzureAD Admin"
    object_id = var.aad_login_object_id
    tenant_id = data.azurerm_client_config.current.tenant_id
  }
  
  tags = module.metadata.tags
}

Debug Output

Error: updating Synapse Workspace "synapse101" Sql Admin (Resource Group "app-terraform-dev-eastus2"): synapse.WorkspaceAadAdminsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="WorkspaceActivationRequired" Message="Workspace needs to be activated, by adding the managed identity in the KeyVault containing the customer managed key and activating the workspace through the keys subresource."

│ with azurerm_synapse_workspace.synapse,
│ on azure-synapse.tf line 6, in resource "azurerm_synapse_workspace" "synapse":
│ 6: resource "azurerm_synapse_workspace" "synapse" {


Expected Behaviour

Synapse Workspace should have been created with encryption enabled by customer managed key.

Actual Behaviour

Raised the following error:

│ Error: updating Synapse Workspace "fidosynapse101" Sql Admin (Resource Group "app-terraform-dev-eastus2"): synapse.WorkspaceAadAdminsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="WorkspaceActivationRequired" Message="Workspace needs to be activated, by adding the managed identity in the KeyVault containing the customer managed key and activating the workspace through the keys subresource."

│ with azurerm_synapse_workspace.synapse,
│ on azure-synapse.tf line 6, in resource "azurerm_synapse_workspace" "synapse":
│ 6: resource "azurerm_synapse_workspace" "synapse" {

Steps to Reproduce

  1. terraform apply

I can assign the necessary key permissions to the Managed Identity only once the synapse workspace is deployed and I get the Synapse Workspace identity's principal ID. But currently it is erroring out during synapse workspace creation.

References

#11328 (comment)

https://docs.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption

@AliMBajwa

AliMBajwa commented Jun 27, 2021

The workspace IS created with an encryption key - but that key is not "activated".

If you go to your portal and click on your synapse workspace you'll see an orange banner that tells you to activate your workspace. After that - you can configure it with settings and other resources.

Currently - I get an error with the rest API to "activate" the workspace. Also the "az synapse workspace key update" cli command seems to be missing the "--is-active" flag (to match the rest API).

I've got support cases raised with MSOFT - hopefully they can identify the problem and resolve.

Edit: the above command should work with version 2.24 (2.24.2 to be specific) of the cli.

@AliMBajwa

FYI: you'll get a similar error when trying to stand up a synapse SQL pool etc. (assuming it doesn't first try to set an AAD admin).

@DesaCh01
Author

Yes @AliMBajwa, I believe we can't set up any resources like Spark pool and SQL pool within Synapse unless it's activated.

@sdebruyn
Contributor

I don't see how you can use this property in Terraform.

If you provide the key, then Microsoft expects you to manually give the managed identity the permission to use the key and then "activate" the workspace. You can't give access before Synapse is created because they don't allow user-assigned identities. So you can only give access after workspace creation.

But you can't use Terraform for that since the Apply just errors out at the stage of the "activation". The workspace is not in the state so Terraform just tries to recreate it the next time.

Could anyone provide a working example with Terraform using the property customer_managed_key_versionless_id?

@sdebruyn
Contributor

@allantargino How did you work around this issue in the acceptance test that you wrote for the provider? Is Synapse in your state file after the test run? Did the Apply phase in your test succeed without errors?

@AliMBajwa

AliMBajwa commented Jun 30, 2021

For anyone stumbling across this problem looking for a temp workaround:

You can do this all in an automated fashion (but you need to use a local-exec provisioner with CLI creds).

Terraform will create the workspace (but it won't be activated).
Then it can provision the KV access policy for the workspace managed identity. Then just set a hard dependency on the KV access policy for a null resource (which contains a local-exec provisioner running the AZ CLI), which is what you use to activate the workspace.

Use the command:

"az synapse workspace key update --key-identifier xxx --is-active true --workspace-name xxx --resource-group xxx --name xxx"

Remember to NOT give the key version when giving your key-identifier.

Also note: I've only got it working with version 2.24.2 of the CLI. It does not work with version 2.25.0.
Also note 2: You will probably want to set hard dependencies on the null resource with the activation script for all workspace resources like SQL pools, AAD admin etc. They will all fail if the workspace isn't activated.
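The workaround described in the comment above, written out as Terraform. This is an added example, not configuration from the issue or code from the provider. It assumes an existing key vault `azurerm_key_vault.kv`, the `azurerm_key_vault_key.customer-key` and `azurerm_storage_data_lake_gen2_filesystem.gen2_filesystem` resources from the issue's configuration, and `var.resource_group_name`, `var.location` and `var.db_password`; the resource names `synapse_cmk`, `activate_synapse` and `pool`, the workspace name, the key permission set and the SQL pool SKU are chosen here.

```hcl
# Added example of the local-exec activation workaround (not from the issue
# thread or the provider). Names marked "constructed" are chosen for this
# example only.

resource "azurerm_synapse_workspace" "synapse" {
  name                                 = "example-synapse" # constructed
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.gen2_filesystem.id
  sql_administrator_login              = "svcadmin"
  sql_administrator_login_password     = var.db_password
  customer_managed_key_versionless_id  = azurerm_key_vault_key.customer-key.versionless_id

  # No aad_admin block here: the thread identifies the AAD admin update as the
  # call that fails with WorkspaceActivationRequired before activation.
}

# Grant the workspace's system-assigned identity only the key operations a CMK
# consumer needs (Get/WrapKey/UnwrapKey). The principal ID exists only after
# the workspace is created, which is the chicken-and-egg the thread describes.
resource "azurerm_key_vault_access_policy" "synapse_cmk" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = azurerm_synapse_workspace.synapse.identity[0].tenant_id
  object_id    = azurerm_synapse_workspace.synapse.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Activate the workspace via the Azure CLI once the access policy is in place.
# The command is the one given in the comment above; --key-identifier must be
# the versionless key id, and --name is the workspace key name ("cmk" is the
# default the provider uses, per the fix commit later in this thread).
resource "null_resource" "activate_synapse" {
  depends_on = [azurerm_key_vault_access_policy.synapse_cmk]

  # Re-run only if the workspace is replaced.
  triggers = {
    workspace_id = azurerm_synapse_workspace.synapse.id
  }

  provisioner "local-exec" {
    command = <<-EOT
      az synapse workspace key update \
        --key-identifier ${azurerm_key_vault_key.customer-key.versionless_id} \
        --is-active true \
        --workspace-name ${azurerm_synapse_workspace.synapse.name} \
        --resource-group ${azurerm_synapse_workspace.synapse.resource_group_name} \
        --name cmk
    EOT
  }
}

# Everything inside the workspace depends on activation, not just creation.
resource "azurerm_synapse_sql_pool" "pool" {
  name                 = "sqlpool" # constructed
  synapse_workspace_id = azurerm_synapse_workspace.synapse.id
  sku_name             = "DW100c"
  create_mode          = "Default"

  depends_on = [null_resource.activate_synapse]
}
```

Two caveats a practitioner should keep in mind with this pattern: the `local-exec` step runs under whatever identity ran `az login` on the machine executing `terraform apply`, not under the provider's credentials, so a pipeline identity needs rights to update the workspace key in addition to the provider's permissions; and a `null_resource` only re-runs when its `triggers` change, so Terraform will not notice if the activation state is changed outside of it.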

@allantargino
Contributor

Hi @sdebruyn and @AliMBajwa,

Some time after I developed the feature (on #11328) I realized this behavior, and this issue/discussion captures exactly the "chicken vs egg problem" we have on our hands. I am assuming the acceptance test worked fine since it didn't create any additional resources that needed activation.

To solve this problem I was wondering if we could create a new resource named azurerm_synapse_workspace_key with the main goal of activating the workspace. Activating the workspace programmatically is not a problem. If you inspect the REST calls the portal makes when activating, you should see the usage of the "Create/Update Key" operation, as pointed out by @AliMBajwa:
https://github.com/Azure/azure-sdk-for-go/blob/e1a5f307e106fced7ef33b9537ecceaf334a7732/services/synapse/mgmt/2021-03-01/synapse/synapseapi/interfaces.go#L127-L133

So that you can get Synapse's managed identity and add it to KV access policies, and then activate the workspace. All following Synapse terraform resources must depend on the azurerm_synapse_workspace_key resource.

Thoughts?

@sdebruyn
Contributor

@allantargino Yes, that is exactly what we need :) The chicken or the egg can be solved this way or if Synapse would ever allow you to use a user-assigned identity which you could give access before Synapse workspace creation. But I guess for now a separate resource is the only way forward.

@allantargino
Contributor

Yes! (Azure Data Factory already accepts it, for example; I used this pattern of user-assigned identity + CMK in the past.)
Not sure if anyone wants to start developing it. I will have some free cycles by the end of the week, so I can continue any work or start it.

@AliMBajwa

@allantargino Sounds good - I'm stacked with assurance/go-live deadlines for a client so I won't be able to contribute code at this time - I'm more than happy to test though.

@sdebruyn
Contributor

sdebruyn commented Jul 1, 2021

@allantargino I don't have much time this week, but I can certainly help wherever needed. Feel free to ping me here

@djpirra

djpirra commented Jul 4, 2021

Hi Team, any update on this? I was only able to make it work using PowerShell.
It would be great to have Terraform support for this.

Thank you

@DesaCh01
Author

Hello All,

Any update on this?

Thanks

@katbyte katbyte modified the milestones: v2.75.0, v2.76.0 Aug 31, 2021
@katbyte katbyte modified the milestones: v2.76.0, v2.77.0 Sep 10, 2021
katbyte pushed a commit that referenced this issue Sep 16, 2021
Fixes: #12348

Added new synapse_workspace_key resource type to support activation of a workspace encryption key.
Updated synapse_workspace to support naming of the CMK. The current implementation defaults to "cmk", which makes it challenging to rotate encryption keys.
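How the resource introduced by this commit replaces the CLI-based activation, as an added example that is not part of the issue thread or the provider's own examples. It assumes the `azurerm_synapse_workspace.synapse` and `azurerm_key_vault_key.customer-key` resources from the issue's configuration, plus an `azurerm_key_vault_access_policy.synapse_cmk` (assumed) that grants the workspace identity Get/WrapKey/UnwrapKey on the key; the argument names of `azurerm_synapse_workspace_key` are taken from the provider documentation as I recall it and should be checked against the version you run, and the Spark pool settings are constructed.

```hcl
# Added example (not from the thread or the provider). Activation becomes a
# first-class resource, so its success or failure is tracked in state instead
# of living in a local-exec script.

resource "azurerm_synapse_workspace_key" "cmk" {
  synapse_workspace_id                = azurerm_synapse_workspace.synapse.id
  customer_managed_key_versionless_id = azurerm_key_vault_key.customer-key.versionless_id
  # Must match the workspace key name; "cmk" is the provider default named in
  # the commit message above.
  customer_managed_key_name = "cmk"
  active                    = true

  # The workspace identity exists only after creation, and activation only
  # succeeds once that identity can use the key, so the access policy
  # (assumed to exist under this name) must be applied first.
  depends_on = [azurerm_key_vault_access_policy.synapse_cmk]
}

# Anything created inside the workspace waits on activation, not just on the
# workspace itself; otherwise it fails with WorkspaceActivationRequired.
resource "azurerm_synapse_spark_pool" "spark" {
  name                 = "sparkpool" # constructed
  synapse_workspace_id = azurerm_synapse_workspace.synapse.id
  node_size_family     = "MemoryOptimized"
  node_size            = "Small"
  node_count           = 3

  depends_on = [azurerm_synapse_workspace_key.cmk]
}
```

Keeping activation as a managed resource also means a later `terraform plan` shows drift if someone deactivates the key or swaps it outside Terraform, which the `null_resource` workaround cannot do.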
@github-actions

This functionality has been released in v2.77.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@djpirra

djpirra commented Sep 20, 2021

Do these new properties already perform the activation of the workspace, or do they just set the settings for double encryption and we still need to manually activate it?

@djpirra

djpirra commented Sep 20, 2021

This functionality has been released in v2.77.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

Apparently this feature is not mentioned on the changes for v2.77.0

@chlsmith
Contributor

I don't see that in there. Anyone have a link showing it?

@jamescross91

This still seems to be failing on 2.82.0

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 28, 2021