Open desjardins-mcroy opened 3 years ago
Hello,
FYI MS writes that if you have double encryption enabled (synapse workspace with CMK usage), then TDE is not an available option: SQL Transparent Data Encryption (TDE) is available for dedicated SQL Pools in workspaces not enabled for double encryption. In this type of workspace, a service-managed key is used to provide double encryption for the data in the dedicated SQL pools. TDE with the service-managed key can be enabled or disabled for individual dedicated SQL pools. https://docs.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption
But it is very strange, because on the resource, the TDE option is available, and can be enabled! Although it is disabled after the creation with encryption = false. Checking from within the pool shows the same.
I am still experimenting with the sql pool TF resource in this topic, and will put here my updates.
Hi!
On my end, Microsoft (through the product group) confirmed to me that it's possible to use TDE with a CMK on Synapse. Also, weirdly enough, I was able to deploy a SQL pool with a CMK and TDE by adding an even bigger delay between the workspace deployment and the SQL pool deployment.
Kind regards,
Thank you for the reply and clarification! Indeed, manually I can enable/disable TDE on the resource in the portal - on a CMK encrypted workspace as well as when I don't use CMK double encryption. However, it always times out on the portal too, displaying an error in the notification bar - but the pool is still changing the TDE related setting. Notification I get: Failed to Enable TDE for database: AnalyticsSQLPool. The gateway did not receive a response from 'Microsoft.Synapse' within the specified time period.
With Terraform: In my case, where I do the same as you mention in the issue, although Terraform stops because of the above mentioned error, the resource itself is still provisioned with TDE enabled. I used an already existing synapse workspace with enabled double encryption using CMK, so in this case I don't know where to put the time sleep; the sql pool is the only resource I am adding to the existing ones.
What I do now: don't specify this setting at all, resulting in a TDE disabled SQL pool, and I rely on the fact that the workspace itself has the CMK double encryption - so the SQL pool should be also encrypted at rest (just it is not the SQL built-in TDE)
Terraform (and AzureRM Provider) Version
Terraform v1.0.8
Provider registry.terraform.io/hashicorp/azurerm v2.83.0
Affected Resource(s)
azurerm_synapse_workspace_key
azurerm_synapse_sql_pool
Terraform Configuration Files
Expected Behaviour
Even when the workspace is being deployed with a customer managed key, we should be able to deploy a SQL pool with TDE enabled without encountering any issues.
Actual Behaviour
When the Synapse workspace is deployed using a customer-managed key and we deploy a SQL pool with TDE enabled in the same deployment, we get the error message below. However, after getting the error, the SQL pool is marked as having TDE enabled in the portal. The state is not updated with the pool as being deployed. When we rerun the deployment it asks us to import the SQL pool in the state.
Steps to Reproduce
terraform apply
Important Factoids
azurerm_synapse_workspace_key and azurerm_synapse_sql_pool to allow some background tasks to complete, but then I saw that the error is also linked to the database (SQL pool). So it's not something we can control with a time_sleep.
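The layout the thread describes (workspace with a customer-managed key, key activation, a delay, then a SQL pool with TDE turned on) as an added example; it is not the reporter's configuration and not provider code. Resource group, location, ADLS filesystem, Key Vault and key references are assumed variables, and the attribute names follow the azurerm 2.x documentation as recalled here, so check them against the provider version you run.

```hcl
# Assumed inputs: var.resource_group_name, var.location, var.adls_filesystem_id,
# var.sql_admin_password, var.key_vault_id, var.cmk_versionless_id
resource "azurerm_synapse_workspace" "ws" {
  name                                 = "syn-example"
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = var.adls_filesystem_id
  sql_administrator_login              = "sqladmin"
  sql_administrator_login_password     = var.sql_admin_password

  # Double encryption at workspace level with a customer-managed key
  customer_managed_key {
    key_versionless_id = var.cmk_versionless_id
    key_name           = "synapse-cmk"
  }
}

# The workspace identity must be able to wrap/unwrap before the key is activated
resource "azurerm_key_vault_access_policy" "ws" {
  key_vault_id    = var.key_vault_id
  tenant_id       = azurerm_synapse_workspace.ws.identity[0].tenant_id
  object_id       = azurerm_synapse_workspace.ws.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_synapse_workspace_key" "cmk" {
  customer_managed_key_versionless_id = var.cmk_versionless_id
  synapse_workspace_id                = azurerm_synapse_workspace.ws.id
  active                              = true
  customer_managed_key_name           = "synapse-cmk"
  depends_on                          = [azurerm_key_vault_access_policy.ws]
}

# Delay between key activation and pool creation, the workaround the thread mentions
resource "time_sleep" "after_cmk" {
  create_duration = "300s"
  depends_on      = [azurerm_synapse_workspace_key.cmk]
}

resource "azurerm_synapse_sql_pool" "pool" {
  name                 = "AnalyticsSQLPool"
  synapse_workspace_id = azurerm_synapse_workspace.ws.id
  sku_name             = "DW100c"
  create_mode          = "Default"
  data_encrypted       = true  # TDE on the dedicated SQL pool
  depends_on           = [time_sleep.after_cmk]
}
```

If the apply still times out, compare the pool's TDE status in the portal with the Terraform state before re-running, since the thread reports the pool can be created with TDE enabled even when the provider reports an error.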