Closed Skubakoob closed 1 year ago
Thanks for opening this issue. This was a problem in the 2.x version of the provider which is no longer actively maintained. If this is still an issue with the 3.x version of the provider please do let us know by opening a new issue, thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
1.4.5
AzureRM Provider Version
2.9.9
Affected Resource(s)/Data Source(s)
azurerm_synapse_role_assignment
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
When an Azure Function is given correct permissions via Terraform to the Synapse storage account and the SQL role within the Synapse workspace, the Azure Function should be able to query the Synapse workspace via the serverless SQL pool using an Azure AD managed identity connection string.
Actual Behaviour
In most cases, the Azure Function cannot access the Synapse workspace when these roles are assigned via Terraform. The roles are correctly created and visible.
Interestingly, assigning permissions via Terraform will sometimes (though quite rarely) work, though I've not been able to pinpoint any factor that influences this, i.e. timing, sequencing, etc. of the creation of these roles. Initially I thought it may be due to timing and sequencing, i.e. the SQL Admin role is added too soon after the storage account permissions, but this doesn't seem to be the case.
When the exact same roles are assigned manually, the Azure Function can connect without any issue.
The error when the SQL connection fails is "Login failed for user ''".
After deployment, if the Azure Function cannot access the workspace, deleting the role assignment within the workspace then re-adding it manually fixes the issue (though Terraform will of course then complain about it not being in control of that role).
If I try to remove the role then re-run Terraform to re-create it, then again it will run through and appear to be created correctly, but whether the Azure Function can access the workspace or not seems to be a roll of the dice (heavily favouring not working!).
Steps to Reproduce
No response
Important Factoids
No response
References
No response