Support for User managed identity in adf linked service keyvault

[antgustech]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

I have the following terraform configuration:

resource "azurerm_data_factory" "this" {
  name                = "adf"
  resource_group_name = var.resource_group
  location            = var.location

  # Managed Identity which is alllowed to access keyvault.
  identity {
    type = "UserAssigned"
    identity_ids = [var.user_assigned_identity_id]
  }
}

resource "azurerm_data_factory_linked_service_key_vault" "this" {
  name            = "keyvault"
  data_factory_id = azurerm_data_factory.this.id
  key_vault_id    = var.keyvaultid
}

resource "azurerm_data_factory_credential_user_managed_identity" "test" {
  name            = "tf"
  description     = "Short description of this credential"
  data_factory_id = azurerm_data_factory.this.id
  identity_id     =   var.user_assigned_identity_id
}

Applying is fine. But there is no way as far as I can see to actually set the linked service to use User managed identity and use the tf credentials.

This is how it looks in azure. It seems to default to be set to "System Assigned Managed Identity":

And this is what is needed, the dropdown should be set to "User managed identity" and the tf credentials should be selected as well.

New or Affected Resource(s)/Data Source(s)

3.104.2

Potential Terraform Configuration

resource "azurerm_data_factory_linked_service_key_vault" "this" {
  name            = "keyvault"
  data_factory_id = azurerm_data_factory.this.id
  key_vault_id    = var.keyvaultid

  credential_user_managed_identity_id = credential_user_managed_identity.test.id
}

References

I think the issue is similar to: https://github.com/hashicorp/terraform-provider-azurerm/issues/24742

[antgustech]

I have made this temporary work around, maybe it can help someone else. You can use the custom linked service to provide any json definition that you want. This is how the key vault looks like with a user managed identity:

resource "azurerm_data_factory_credential_user_managed_identity" "test" {
  name            = "tf"
  description     = "Short description of this credential"
  data_factory_id = azurerm_data_factory.this.id
  identity_id     =  var.user_assigned_identity_id
}

# Ideally, azurerm_data_factory_linked_service_key_vault should have been used. Azurerm 3.104.2 and below does not support setting user managed identity so we use a custom linked service for now.
resource "azurerm_data_factory_linked_custom_service" "test" {
  name                 = "test"
  data_factory_id = azurerm_data_factory.this.id
  type                 = "AzureKeyVault"
  type_properties_json = <<JSON
{
  "baseUrl": "https://myvault.vault.azure.net/",
  "credential": {
    "referenceName": "${azurerm_data_factory_credential_user_managed_identity.test.name}",
    "type": "CredentialReference"
    }      
}
JSON
}

[Ramguru94]

In my use case, i need to have multiple key vault linked services which has its own managed identity as corresponding access policy over the keyvault to have isolation over the secrets across multiple key vaults liked inside ADF.