hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.6k stars 4.65k forks source link

Azure Synapse Workspace VNET #12596

Open gpthome opened 3 years ago

gpthome commented 3 years ago

Community Note

Terraform (and AzureRM Provider) Version

Terraform v0.14.9

Affected Resource(s)

Terraform Configuration Files

resource "azurerm_synapse_workspace" "mdap" {
  name                                 = "${module.config.app_resource_name_env_prefix_micro}syn"
  resource_group_name    = data.azurerm_resource_group.mdap.name
  location                             = data.azurerm_resource_group.mdap.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.mdap.id
  sql_administrator_login                     = var.mdap_sql_login_admin_id
  sql_administrator_login_password   = var.mdap_sql_login_admin_pwd
  sql_identity_control_enabled            = true
  managed_virtual_network_enabled = true
...
}

Expected Behaviour

Two private endpoints created when managed_virtual_network_enabled = true

Based on consulting with Microsoft, we decided we should enable the Azure Synapse Workspace VNET now to better position us for security going forward.

This Microsoft document says that When a workspace is created, Azure Synapse creates two Managed private endpoints in the workspace, one for dedicated SQL pool and one for serverless SQL pool.. These two Managed private endpoints are listed in Synapse Studio. Select Manage in the left navigation, then select Managed private endpoints to see them in the Studio.

Actual Behaviour

While the Azure portal does show Managed virtual network : Yes, I don't see any managed private endpoints in the portal or in Synapse Studio. Should those be auto-created as Microsoft describes?

Steps to Reproduce

The Synapse Workspace and Dedicated SQL Pool and Storage Accounts did already existed in the Resource Group. We enabled the managed_virtual_network_enabled and then apply. Several resources were destroyed and then recreated.

  1. terraform apply

References

https://docs.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints#managed-private-endpoints-for-dedicated-sql-pool-and-serverless-sql-pool

owenfarrell commented 3 years ago

@gpthome - I'm able to half-reproduce your report using the configuration below.

tl;dr - Taking Terraform out of the equation, and using the Azure CLI instead, generates the same results. So I think this is an Azure API issue more than anything.

When creating a new workspace with a managed virtual network, I'm seeing 2 managed private endpoints via Synapse studio. So everything looks good there. If you're not seeing managed private endpoints through Synapse Studio, perhaps you're running in to an RBAC issue?

$ az synapse managed-private-endpoints list --workspace-name <Synapse workspace name>
Command group 'synapse' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
[
  {
    "id": "/subscriptions/...
  },
  {
    "id": "/subscriptions/...
  }
]

Like you, I'm not seeing the private endpoint connections associated with the Synapse workspace itself.

$ az network private-endpoint-connection list --id <Synapse workspace resource id>
[]
$ az synapse workspace show --id <Synapse workspace resource id>
{
  ...
  "managedVirtualNetwork": "default",
  ...
  "privateEndpointConnections": [],
  ...
}

My Configuration

terraform {
  required_providers {
    azurerm = {
        version = "=2.52.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "random_integer" "id" {
  min = 1
  max = 999999999999999
}

locals {
    random_integer = format("%15d", random_integer.id.result)
}

resource "azurerm_resource_group" "test" {
  name     = "acctestsw${local.random_integer}"
  location = "eastus"
}

resource "azurerm_storage_account" "test" {
  name                     = "acctestsw${local.random_integer}"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = "true"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "test" {
  name               = "acctest-${local.random_integer}"
  storage_account_id = azurerm_storage_account.test.id
}

resource "azurerm_synapse_workspace" "test" {
  name                                 = "acctest${local.random_integer}"
  resource_group_name                  = azurerm_resource_group.test.name
  location                             = azurerm_resource_group.test.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.test.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
}

resource "azurerm_synapse_firewall_rule" "test" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.test.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

resource "azurerm_storage_account" "test_connect" {
  name                     = "acctestpe${local.random_integer}"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "BlobStorage"
}

resource "azurerm_synapse_managed_private_endpoint" "test" {
  name                 = "example-endpoint"
  synapse_workspace_id = azurerm_synapse_workspace.test.id
  target_resource_id   = azurerm_storage_account.test_connect.id
  subresource_name     = "blob"

  depends_on = [azurerm_synapse_firewall_rule.test]
}