hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Unable to deploy a TDE-enabled SQL pool with a Synapse workspace encrypted with a CMK #14000

Open desjardins-mcroy opened 2 years ago

desjardins-mcroy commented 2 years ago

Terraform (and AzureRM Provider) Version

Affected Resource(s)

Terraform Configuration Files

resource "azurerm_synapse_workspace_key" "this" {
  count                               = var.enabled && var.enable_customer_managed_key_support ? 1 : 0
  active                              = var.enable_customer_managed_key_support ? true : false
  customer_managed_key_versionless_id = local.customer_managed_key_versionless_id
  synapse_workspace_id                = concat(azurerm_synapse_workspace.this.*.id, [""])[0]
  customer_managed_key_name           = var.customer_managed_key_name
  depends_on                          = [azurerm_role_assignment.this_kv]
}

...

resource "azurerm_synapse_sql_pool" "this" {
  for_each             = try(local.sql_pools, {})
  name                 = try(each.value.name, null)
  synapse_workspace_id = concat(azurerm_synapse_workspace.this.*.id, [""])[0]
  sku_name             = try(each.value.sku_name, "DW100c")
  create_mode          = try(each.value.create_mode, "Default")
  collation            = try(each.value.collation, "SQL_LATIN1_GENERAL_CP1_CI_AS")
  data_encrypted       = try(each.value.data_encrypted, true)
  tags                 = merge(local.tags, each.value.pool_tags)
  timeouts {
    create = "60m"
    read   = "60m"
    update = "60m"
    delete = "2h"
  }
  depends_on = [time_sleep.this_sql]
}

Expected Behaviour

Even when the workspace is being deployed with a customer managed key, we should be able to deploy a SQL pool with TDE enabled without encountering any issues.

Actual Behaviour

When the Synapse workspace is deployed using a customer-managed key and we deploy a SQL pool with TDE enabled in the same deployment, we get the error message below. However, after getting the error, the SQL pool is marked as having TDE enabled in the portal. The state is not updated with the pool as being deployed. When we rerun the deployment it asks us to import the SQL pool into the state.

╷
│ Error: setting `data_encrypted`: synapse.SQLPoolTransparentDataEncryptionsClient#CreateOrUpdate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="40627" Message="Operation on server '****' and database '*****' is in progress.  Please wait a few minutes before trying again." Details=[{"code":"40627","message":"Operation on server '******' and database '******' is in progress.  Please wait a few minutes before trying again.","severity":"20","target":null}] InnerError={"multi":[]}
│ 
│   with module.transformation_synapse_analytics.azurerm_synapse_sql_pool.this["*****************"],
│   on ./tf-module-synapse/main.tf line 106, in resource "azurerm_synapse_sql_pool" "this":
│  106: resource "azurerm_synapse_sql_pool" "this" {
│ 

Steps to Reproduce

  1. Configure a deployment with a Synapse workspace with a CMK and a SQL pool with TDE enabled.
  2. terraform apply

Important Factoids

References

murdibb commented 2 years ago

Hello,

FYI MS writes that if you have double encryption enabled (synapse workspace with CMK usage), then TDE is not an available option: SQL Transparent Data Encryption (TDE) is available for dedicated SQL Pools in workspaces not enabled for double encryption. In this type of workspace, a service-managed key is used to provide double encryption for the data in the dedicated SQL pools. TDE with the service-managed key can be enabled or disabled for individual dedicated SQL pools. https://docs.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption

But it is very strange, because on the resource, the TDE option is available, and can be enabled! Although it is disabled after the creation with encryption = false. Checking from within the pool shows the same.

I am still experimenting with the sql pool TF resource in this topic, and will put here my updates.

desjardins-mcroy commented 2 years ago

Hi!

On my end, Microsoft (through the product group) confirmed to me that it's possible to use TDE with a CMK on Synapse. Also, weirdly enough, I was able to deploy a SQL pool with a CMK and TDE by adding an even bigger delay between the workspace deployment and the SQL pool deployment.

Kind regards,
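
The delay-based workaround described in the comment above, as an added example that is not part of the issue or of the module the reporter uses. It relies on the hashicorp/time provider's time_sleep resource, which the issue's own configuration already depends on; the resource names (this, wait_for_cmk), the variable names, the pool name and the 10m delay are assumptions.

```hcl
# Added example: serialize the workspace CMK activation and the TDE-enabled
# SQL pool so the pool's data_encrypted (TDE CreateOrUpdate) call is not sent
# while a workspace operation is still in progress (HTTP 409, code 40627).

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
  }
}

resource "azurerm_synapse_workspace_key" "this" {
  customer_managed_key_versionless_id = var.customer_managed_key_versionless_id # assumed variable
  synapse_workspace_id                = azurerm_synapse_workspace.this.id       # workspace assumed to exist
  active                              = true
  customer_managed_key_name           = var.customer_managed_key_name           # assumed variable
}

# The wait begins only after the key resource has been created. The triggers
# map ties the sleep to the key's id, so replacing the key re-runs the wait
# (time_sleep has no "update" delay; only create_duration/destroy_duration).
resource "time_sleep" "wait_for_cmk" {
  create_duration = "10m" # assumed; the reporter needed a larger delay than first tried

  triggers = {
    workspace_key_id = azurerm_synapse_workspace_key.this.id
  }

  depends_on = [azurerm_synapse_workspace_key.this]
}

resource "azurerm_synapse_sql_pool" "this" {
  name                 = "tdepool" # assumed name
  synapse_workspace_id = azurerm_synapse_workspace.this.id
  sku_name             = "DW100c"
  create_mode          = "Default"
  data_encrypted       = true

  # Depend on the sleep rather than on the workspace or the key directly, so
  # the pool (and the TDE call made right after its creation) waits the full delay.
  depends_on = [time_sleep.wait_for_cmk]
}
```

If the pool still fails with the same error, raising create_duration is the only knob this workaround offers; the provider itself does not retry the TDE call on 40627.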

murdibb commented 2 years ago

Thank you for the reply and clarification! Indeed, I can manually enable or disable TDE on the resource in the portal, on a CMK-encrypted workspace as well as when I don't use CMK double encryption. However, it always times out on the portal too, displaying an error in the notification bar, but the pool is still changing the TDE-related setting. The notification I get: Failed to Enable TDE for database: AnalyticsSQLPool. The gateway did not receive a response from 'Microsoft.Synapse' within the specified time period.

With Terraform: In my case, where I do the same as you mention in the issue, although Terraform stops because of the above-mentioned error, the resource itself is still provisioned with TDE enabled. I used an already existing Synapse workspace with double encryption enabled using a CMK, so in this case I don't know where to put the time sleep; the SQL pool is the only resource I am adding to the existing ones.

What I do now: don't specify this setting at all, resulting in a TDE-disabled SQL pool, and I rely on the fact that the workspace itself has the CMK double encryption, so the SQL pool should also be encrypted at rest (it is just not the SQL built-in TDE).