hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.45k stars 4.53k forks

Support for user managed identity for data factory linked services #21150

Open RaphHaddad opened 1 year ago

RaphHaddad commented 1 year ago

Description

Linked Services can currently be created via Terraform using the resources prefixed by azurerm_data_factory_linked_service_.

However, the Terraform resources do not expose the ability to authenticate using a manually created user-assigned managed identity, as per this Microsoft documentation: https://learn.microsoft.com/en-us/azure/data-factory/credentials?tabs=data-factory#using-credentials

This can be achieved by using the Terraform resource azapi_resource; however, this is not ideal as there already exist linked service resources within the Terraform provider.

An example of how to achieve this is here: https://learn.microsoft.com/en-us/azure/templates/microsoft.datafactory/factories/linkedservices?pivots=deployment-language-terraform

```hcl
resource "azapi_resource" "data_factory_linked_keyvault" {
  type      = "Microsoft.DataFactory/factories/linkedservices@2018-06-01"
  name      = "ls_kv"
  parent_id = module.data_factory.data_factory.id

  body = jsonencode({
    properties = {
      description = "Link Service to default keyvault"
      type        = "AzureKeyVault"
      typeProperties = {
        # Reference to a Data Factory credential that wraps the user-assigned identity
        credential = {
          referenceName = "user_assigned_id"
          type          = "CredentialReference"
        }
        baseUrl = "https://${local.key_vault_name}.vault.azure.net/"
      }
    }
  })
}
```

New or Affected Resource(s)/Data Source(s)

azurerm_data_factory_linked_service_xxxx

Potential Terraform Configuration

```hcl
resource "azurerm_data_factory_linked_service_key_vault" "data_factory_linked_key_vault" {
  name                   = "ls_kv"
  data_factory_id        = azurerm_data_factory.data_factory.id
  key_vault_id           = var.linked_key_vault.id
  use_managed_identity   = true
  user_assigned_identity = "user_assigned_id"
}
```


References

No response
PascalWHPelzer commented 7 months ago

I can see that "use_managed_identity" has been implemented in a number of linked service resources ... but I am missing this in the linked service keyvault. Any thoughts/ETA on this?

alexivanov-danone commented 5 months ago

We are also very interested in this!

orangesharing commented 4 months ago

hi Team - we are also looking forward to having the UAMI supported in "azurerm_data_factory_linked_service_key_vault"

dimitrijap commented 3 months ago

Hi Guys - This would be of huge help to us as well, any info/thoughts if it will be implemented?

WhyDidIChooseIT commented 3 months ago

@rcskosir - Do we have any update on when this is going to be scheduled for?

Thanks.

rcskosir commented 3 months ago

:wave: Thanks for reaching out, unfortunately I do not have an ETA on this enhancement. Any future work via the team or the community should end up linked here via a PR.

ssvarian commented 3 months ago

This is really important in our environment as we create multiple Linked Services using managed identity, and we had to use ARM templates just for this piece and are unable to do this in Terraform.

antgustech commented 1 month ago

I just created a similar thread here: https://github.com/hashicorp/terraform-provider-azurerm/issues/26155

We will have to resort to using system identity until this has support.

Edit:

I have made this temporary workaround, maybe it can help someone else. You can use the custom linked service to provide any JSON definition that you want. This is what the Key Vault linked service looks like with a user managed identity:

```hcl
resource "azurerm_data_factory_credential_user_managed_identity" "test" {
  name            = "tf"
  description     = "Short description of this credential"
  data_factory_id = azurerm_data_factory.this.id
  identity_id     = var.user_assigned_identity_id
}

# Ideally, azurerm_data_factory_linked_service_key_vault should have been used.
# Azurerm 3.104.2 and below does not support setting user managed identity,
# so we use a custom linked service for now.
resource "azurerm_data_factory_linked_custom_service" "test" {
  name                 = "test"
  data_factory_id      = azurerm_data_factory.this.id
  type                 = "AzureKeyVault"
  type_properties_json = <<JSON
{
  "baseUrl": "https://myvault.vault.azure.net/",
  "credential": {
    "referenceName": "${azurerm_data_factory_credential_user_managed_identity.test.name}",
    "type": "CredentialReference"
  }
}
JSON
}
```
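The azapi snippet in the issue body and the custom linked service workaround above both stop at the linked service definition. For the credential reference to actually authenticate, three more things have to be in place: the user-assigned identity must be attached to the factory's identity block, a Data Factory credential resource must exist whose name matches referenceName, and the identity must hold a Key Vault role that allows reading secrets. The following is an added example of the complete wiring (it is not code from the issue, the provider documentation, or any commenter); the resource group, location, resource names and the use of an RBAC-enabled vault are assumptions, and the attribute names target the azurerm 3.x provider that the thread is discussing.

```hcl
# Added example (not from the issue or the provider): end-to-end wiring for a
# Data Factory Key Vault linked service authenticating with a user-assigned
# managed identity (UAMI). Names, location and resource group are assumptions.

resource "azurerm_resource_group" "rg" {
  name     = "rg-adf-uami-example"
  location = "westeurope"
}

resource "azurerm_user_assigned_identity" "adf" {
  name                = "id-adf-keyvault"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# The UAMI must be attached to the factory; a credential that references an
# identity the factory does not carry cannot be used at runtime.
resource "azurerm_data_factory" "this" {
  name                = "adf-uami-example"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.adf.id]
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                      = "kv-adf-uami-example"
  resource_group_name       = azurerm_resource_group.rg.name
  location                  = azurerm_resource_group.rg.location
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true # azurerm 3.x attribute name
}

# Least privilege: reading secrets is all the linked service needs, so grant
# "Key Vault Secrets User" on the vault rather than a vault-management role.
resource "azurerm_role_assignment" "adf_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.adf.principal_id
}

# The Data Factory credential that the linked service will reference by name.
resource "azurerm_data_factory_credential_user_managed_identity" "kv" {
  name            = "cred-uami-keyvault"
  data_factory_id = azurerm_data_factory.this.id
  identity_id     = azurerm_user_assigned_identity.adf.id
}

resource "azurerm_data_factory_linked_custom_service" "kv" {
  name            = "ls_kv"
  data_factory_id = azurerm_data_factory.this.id
  type            = "AzureKeyVault"

  # jsonencode keeps the vault URI properly quoted and ties referenceName to
  # the credential resource above, so a renamed credential cannot silently
  # leave the linked service pointing at a credential that no longer exists.
  type_properties_json = jsonencode({
    baseUrl = azurerm_key_vault.kv.vault_uri
    credential = {
      referenceName = azurerm_data_factory_credential_user_managed_identity.kv.name
      type          = "CredentialReference"
    }
  })

  # Make sure the role assignment exists before anything tests the connection.
  depends_on = [azurerm_role_assignment.adf_secrets_user]
}
```

After apply, the "Test connection" action on the linked service in the Data Factory Studio is the quickest check that the identity, credential and role assignment line up; a 403 from the vault at that point almost always means the role assignment is missing or was granted to the wrong principal, while an error about an unknown credential means referenceName does not match a credential in the factory.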