Open gpthome opened 3 years ago
@gpthome - I'm able to half-reproduce your report using the configuration below.
tl;dr - Taking Terraform out of the equation, and using the Azure CLI instead, generates the same results. So I think this is an Azure API issue more than anything.
When creating a new workspace with a managed virtual network, I'm seeing 2 managed private endpoints via Synapse Studio. So everything looks good there. If you're not seeing managed private endpoints through Synapse Studio, perhaps you're running into an RBAC issue?
```console
$ az synapse managed-private-endpoints list --workspace-name <Synapse workspace name>
Command group 'synapse' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
[
  {
    "id": "/subscriptions/...
  },
  {
    "id": "/subscriptions/...
  }
]
```
Like you, I'm not seeing the private endpoint connections associated with the Synapse workspace itself.
```console
$ az network private-endpoint-connection list --id <Synapse workspace resource id>
[]
```
```console
$ az synapse workspace show --id <Synapse workspace resource id>
{
  ...
  "managedVirtualNetwork": "default",
  ...
  "privateEndpointConnections": [],
  ...
}
```
```hcl
terraform {
  required_providers {
    azurerm = {
      version = "=2.52.0"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "random_integer" "id" {
  min = 1
  max = 999999999999999
}

locals {
  # Zero-pad to 15 digits. "%15d" pads with spaces, which would produce invalid
  # storage account / workspace names whenever the random value has fewer digits.
  random_integer = format("%015d", random_integer.id.result)
}

resource "azurerm_resource_group" "test" {
  name     = "acctestsw${local.random_integer}"
  location = "eastus"
}

# ADLS Gen2 account backing the workspace (hierarchical namespace required).
resource "azurerm_storage_account" "test" {
  name                     = "acctestsw${local.random_integer}"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = true # boolean, not the string "true"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "test" {
  name               = "acctest-${local.random_integer}"
  storage_account_id = azurerm_storage_account.test.id
}

resource "azurerm_synapse_workspace" "test" {
  name                                 = "acctest${local.random_integer}"
  resource_group_name                  = azurerm_resource_group.test.name
  location                             = azurerm_resource_group.test.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.test.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!" # test fixture; source from a variable or secret store outside of tests
  managed_virtual_network_enabled      = true
}

# Test-only rule: opens the workspace's public endpoint to every IPv4 address.
resource "azurerm_synapse_firewall_rule" "test" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.test.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

# Target for a user-defined managed private endpoint (outbound from the managed VNet).
resource "azurerm_storage_account" "test_connect" {
  name                     = "acctestpe${local.random_integer}"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "BlobStorage"
}

resource "azurerm_synapse_managed_private_endpoint" "test" {
  name                 = "example-endpoint"
  synapse_workspace_id = azurerm_synapse_workspace.test.id
  target_resource_id   = azurerm_storage_account.test_connect.id
  subresource_name     = "blob"

  depends_on = [azurerm_synapse_firewall_rule.test]
}
```
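The two `az` listings above look at different things: managed private endpoints are outbound (created inside the workspace's managed VNet, the two auto-created ones targeting the dedicated and serverless SQL pools), while the workspace's `privateEndpointConnections` property and `az network private-endpoint-connection list` cover inbound private endpoints that somebody has created *to* the workspace, so an empty list there is expected until one is added. The script below is an added example, not code from this thread or from the azurerm provider: it parses the JSON of both commands and reports whether the two auto-created endpoints are present and approved. The sample JSON is constructed and trimmed to the fields read; the field names `properties.isReserved`, `properties.groupId`, `properties.connectionState.status` and the expected groupIds `sql` / `sqlOnDemand` are assumptions about the managed private endpoint resource shape.

```python
"""Check a Synapse workspace's managed private endpoints from az CLI JSON.

Added example (not from the thread). Keeps apart:
  * managed private endpoints: outbound, inside the managed VNet; the two
    auto-created ones are flagged isReserved (assumed field name);
  * privateEndpointConnections on the workspace: inbound, created by others.
"""
import json
import subprocess
import sys

# Constructed sample: a fresh managed-VNet workspace with its two reserved
# endpoints plus one user-defined endpoint to a blob storage account.
SAMPLE_MANAGED = json.dumps([
    {"name": "synapse-ws-sql--example", "properties": {
        "groupId": "sql", "isReserved": True, "provisioningState": "Succeeded",
        "connectionState": {"status": "Approved"}}},
    {"name": "synapse-ws-sqlOnDemand--example", "properties": {
        "groupId": "sqlOnDemand", "isReserved": True, "provisioningState": "Succeeded",
        "connectionState": {"status": "Approved"}}},
    {"name": "example-endpoint", "properties": {
        "groupId": "blob", "isReserved": False, "provisioningState": "Succeeded",
        "connectionState": {"status": "Pending"}}},
])
# Constructed sample of `az synapse workspace show`, trimmed to two fields.
SAMPLE_WORKSPACE = json.dumps({"managedVirtualNetwork": "default",
                               "privateEndpointConnections": []})
# groupIds expected on the auto-created endpoints (assumed; compared case-insensitively).
EXPECTED_RESERVED = {"sql", "sqlondemand"}


def assess(managed_json: str, workspace_json: str) -> dict:
    """Summarise both lists; auto_endpoints_ok is the check this thread is after."""
    managed = json.loads(managed_json)
    workspace = json.loads(workspace_json)
    reserved, custom, pending = {}, [], []
    for ep in managed:
        props = ep.get("properties", {})
        status = props.get("connectionState", {}).get("status")
        if props.get("isReserved"):
            reserved[props.get("groupId", "").lower()] = status
        else:
            custom.append(ep["name"])
        # A user-defined endpoint stays Pending until the target's owner approves it.
        if status != "Approved":
            pending.append(ep["name"])
    return {
        "managed_vnet": workspace.get("managedVirtualNetwork") == "default",
        "auto_endpoints_ok": set(reserved) == EXPECTED_RESERVED
        and all(s == "Approved" for s in reserved.values()),
        "custom": custom,
        "pending_approval": pending,
        # Inbound private endpoints to the workspace; unrelated to the managed VNet.
        "inbound_connections": len(workspace.get("privateEndpointConnections") or []),
    }


def assess_live(workspace_name: str, resource_group: str) -> dict:
    """Same check against a real workspace (needs `az login`; not used by the sample)."""
    def az(*args: str) -> str:
        # The 'preview' warning goes to stderr, so stdout is clean JSON.
        return subprocess.run(["az", *args, "-o", "json"], check=True,
                              capture_output=True, text=True).stdout
    managed = az("synapse", "managed-private-endpoints", "list",
                 "--workspace-name", workspace_name)
    workspace = az("synapse", "workspace", "show",
                   "--name", workspace_name, "--resource-group", resource_group)
    return assess(managed, workspace)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = assess_live(sys.argv[1], sys.argv[2])
    else:
        result = assess(SAMPLE_MANAGED, SAMPLE_WORKSPACE)
    print(json.dumps(result, indent=2))
```

Run it with no arguments to see the constructed sample evaluated, or with `<workspace name> <resource group>` to query a real workspace. If `auto_endpoints_ok` is false on a workspace whose portal page shows "Managed virtual network: Yes", compare the caller's RBAC on the workspace before assuming the endpoints were never created; if `inbound_connections` is zero, that only means nobody has created a private endpoint to the workspace yet.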
Terraform (and AzureRM Provider) Version
Terraform v0.14.9
Affected Resource(s)
azurerm_synapse_workspace
Terraform Configuration Files
Expected Behaviour
Two private endpoints created when managed_virtual_network_enabled = true
Based on consulting with Microsoft, we decided we should enable the Azure Synapse Workspace VNET now to better position us for security going forward.
This Microsoft document says: "When a workspace is created, Azure Synapse creates two Managed private endpoints in the workspace, one for dedicated SQL pool and one for serverless SQL pool. These two Managed private endpoints are listed in Synapse Studio. Select Manage in the left navigation, then select Managed private endpoints to see them in the Studio."
Actual Behaviour
While the Azure portal does show Managed virtual network : Yes, I don't see any managed private endpoints in the portal or in Synapse Studio. Should those be auto-created as Microsoft describes?
Steps to Reproduce
The Synapse Workspace, Dedicated SQL Pool and Storage Accounts already existed in the Resource Group. We enabled managed_virtual_network_enabled and then applied. Several resources were destroyed and then recreated.
terraform apply
References
https://docs.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints#managed-private-endpoints-for-dedicated-sql-pool-and-serverless-sql-pool