The documentation example for Azure Synapse does not work

[abhirockzz]

Tried to use this example to setup Azure Synapse Analytics. It does not work out of the box - requires some changes for it work correctly.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

$ terraform -v

Terraform v1.0.1
on darwin_amd64

AzureRM Provider

azurerm = {
      source = "hashicorp/azurerm"
      version = "~>2.0"
}

Affected Resource(s)

• azurerm_synapse_workspace
• azurerm_synapse_spark_pool

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behaviour

Azure Synapse Analytics service (along with other required Azure resources) should have been created.

Actual Behaviour

Get the following error:

Error: Error checking for existence of existing File System "synapsecontainer" (Account "foosynapsestorageaccount"): datalakestore.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF │ │   with azurerm_storage_data_lake_gen2_filesystem.example, │   on main.tf line 29, in resource "azurerm_storage_data_lake_gen2_filesystem" "example": │   29: resource "azurerm_storage_data_lake_gen2_filesystem" "example" {

Steps to Reproduce

Use terraform apply on this example.

The failure could be due to lack of roles (Storage Blob Data Contributor) on the Storage account. Adding the below fixes the issue. If this can be confirmed, it might just be a case of updating the documentation?

resource "azurerm_role_assignment" "example" {
  scope                = azurerm_storage_account.synapse.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.example.object_id
}

Important Factoids

References

• 0000

[owenfarrell]

@abhirockzz - Based on the error message you posted above, it looks like the issue is actually with the azurerm_storage_data_lake_gen2_filesystem resource (which the Synapse workspace depends on).

I suspect this boils down to your specific Azure RBAC configuration.

• If the user (or service principal) running Terraform is an Owner at the subscription level, then that principal will inherit Owner permissions on the storage account and the above azurerm_role_assignment resource is not necessary.
• If the user running Terraform does not inherit sufficient permissions from the subscription (maybe your user is a Storage Account Contributor?), then custom role assignments like you have here may be necessary.

The Terraform Version you provided above doesn't include the AzureRM Provider version, so it's tough to firmly reproduce this. But I just ran the below configuration on v2.78.0 using a service principal that is an Owner at the subscription level and everything provisioned nicely.

Hope this helps!

provider "azurerm" {
  features {}
}

resource "random_integer" "id" {
  min = 1
  max = 999999999999999
}

locals {
    random_integer = format("%15d", random_integer.id.result)
}

resource "azurerm_resource_group" "test" {
  name     = "acctestsw${local.random_integer}"
  location = "eastus"
}

resource "azurerm_storage_account" "test" {
  name                     = "acctestsw${local.random_integer}"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = "true"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "test" {
  name               = "acctest-${local.random_integer}"
  storage_account_id = azurerm_storage_account.test.id
}

resource "azurerm_synapse_workspace" "test" {
  name                                 = "acctest-${local.random_integer}"
  resource_group_name                  = azurerm_resource_group.test.name
  location                             = azurerm_resource_group.test.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.test.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
}

[rcskosir]

Thanks for opening this issue. This was a problem in the 2.x version of the provider which is no longer actively maintained. If this is still an issue with the 3.x version of the provider please do let us know by opening a new issue, thanks!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.