hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_synapse_workspace UserAssigned Identity #13752

Open Official-James opened 2 years ago

Official-James commented 2 years ago

Description

azurerm_synapse_workspace does not support the UserAssigned type in the identity block.

New or Affected Resource(s)

azurerm_synapse_workspace is affected when trying to use the UserAssigned type rather than SystemAssigned.

Potential Terraform Configuration

```hcl
identity {
  type         = "UserAssigned"
  # azurerm identity blocks take the user-assigned identity's resource ID;
  # principal_id and tenant_id are computed attributes, not arguments.
  identity_ids = [azurerm_user_assigned_identity.NAME.id]
}
```

Current error when using UserAssigned

Can't configure a value for "identity": its value will be decided automatically based on the result of applying this configuration.

zhcli commented 2 years ago

Hello @aristosvo, should we use this preview API https://github.com/Azure/azure-sdk-for-go/tree/main/services/preview/synapse/mgmt/2021-06-01-preview/synapse to enable the user-assigned managed identity?

caioqueirozkr commented 2 years ago

I have the same issue: I need to assign a UAI to the Synapse workspace, since I will add this identity to an AAD group that has the Directory Readers role assigned. This role is needed to allow the identity to create LOGINs in Synapse from Azure Active Directory.

Since I am using IaC, I can't use a System Assigned identity (because it is created with a new ID every time I recreate Synapse), and I would need to add this ID to the group every time it is recreated.

Matthew0x commented 9 months ago

I have the same issue in 2023. A user-assigned identity is a valid RBAC management model and is supported by e.g. Azure ML. Currently Terraform always requires a system-managed identity.

The user-assigned identity can be added alongside the system-managed identity (in mixed mode), although this seems to result in duplicated RBAC permissions. Hence it's not optimal, especially in setups with complicated dependencies (chained TF deployments).
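The workflow caioqueirozkr describes (a stable user-assigned identity that is a member of an AAD group holding Directory Readers) combined with the mixed identity mode Matthew0x mentions, written out as a complete configuration. This is an added example, not code from the issue or from the provider's documentation. The resource names, region, storage account name, the group display name `synapse-directory-readers` and the `~> 3.0` / `~> 2.0` provider constraints are assumptions; the `"SystemAssigned, UserAssigned"` type string follows the mixed-mode behaviour reported in the thread and should be checked against the provider docs for the version in use.

```hcl
# Added example (not the issue's or the provider's own code): a Synapse
# workspace in mixed identity mode, with a user-assigned identity that
# survives workspace recreation and is a member of an AAD group that
# already holds Directory Readers. Names and versions are assumptions.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Never inline the SQL admin password; pass it via TF_VAR_sql_admin_password
# or a secrets backend.
variable "sql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "example" {
  name     = "rg-synapse-example"
  location = "westeurope"
}

# The identity lives outside the workspace, so its principal_id stays the
# same even if the workspace is destroyed and recreated.
resource "azurerm_user_assigned_identity" "synapse" {
  name                = "id-synapse-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Existing role-assignable AAD group that already has Directory Readers
# (assumed to be created and role-assigned out of band by a privileged admin;
# Terraform here only manages membership).
data "azuread_group" "directory_readers" {
  display_name     = "synapse-directory-readers"
  security_enabled = true
}

# Membership is keyed on the user-assigned identity's principal_id, which is
# the value that changed on every recreation with a system-assigned identity.
resource "azuread_group_member" "synapse_identity" {
  group_object_id  = data.azuread_group.directory_readers.object_id
  member_object_id = azurerm_user_assigned_identity.synapse.principal_id
}

resource "azurerm_storage_account" "example" {
  name                     = "stsynapseexample001"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = true
}

resource "azurerm_storage_data_lake_gen2_filesystem" "example" {
  name               = "synapse"
  storage_account_id = azurerm_storage_account.example.id
}

resource "azurerm_synapse_workspace" "example" {
  name                                 = "synw-example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = var.sql_admin_password

  # Mixed mode: the workspace keeps its mandatory system-assigned identity
  # and additionally gets the user-assigned one (type string as reported in
  # the thread; verify against the provider docs for your version).
  identity {
    type         = "SystemAssigned, UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.synapse.id]
  }

  # Make sure the group membership exists before anything in the workspace
  # tries to resolve AAD principals (CREATE LOGIN ... FROM EXTERNAL PROVIDER).
  depends_on = [azuread_group_member.synapse_identity]
}
```

Two points worth checking before adopting this. Directory Readers lets the identity enumerate every user and group in the tenant, so granting it through a dedicated group (rather than directly) keeps the grant visible and easy to revoke when the workspace is retired. And the thread does not settle whether Synapse uses the user-assigned identity or the workspace's system-assigned identity for directory lookups when both are present; if the system identity is the one doing the lookups, the membership above still has to be re-established on recreation, which is exactly the duplication Matthew0x describes.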