I'm trying to create a Synapse Workspace using Terraform. The workspace deploys successfully, but when testing the connection to the WorkSpaceDefaultStorage in Synapse studio I receive the following error:
ADLS Gen2 operation failed for: Storage operation '' on container 'testconnection' get failed with 'Operation returned an invalid status code 'Forbidden''.
The code for the Synapse workspace deployment:
resource "azurerm_storage_account" "sa" {
  name                     = var.storage_account_name
  location                 = azurerm_resource_group.rg.location
  resource_group_name      = azurerm_resource_group.rg.name
  account_tier             = "Standard"
  account_replication_type = "GRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = true # hierarchical namespace on: this is an ADLS Gen2 account
}

resource "azurerm_storage_data_lake_gen2_filesystem" "adlfs" {
  name               = var.azure_data_lake_name
  storage_account_id = azurerm_storage_account.sa.id
}

resource "azurerm_synapse_workspace" "synapseworkspace" {
  name                                 = var.synapse_workspace_name
  resource_group_name                  = azurerm_resource_group.rg.name
  location                             = azurerm_resource_group.rg.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adlfs.id
  sql_administrator_login              = var.synapse_sql_admin_user
  sql_administrator_login_password     = var.synapse_sql_admin_password
  managed_resource_group_name          = var.synapse_managed_resource_group_name

  aad_admin {
    login     = var.azure_ad_admin_login
    object_id = data.azurerm_client_config.current.object_id
    tenant_id = data.azurerm_client_config.current.tenant_id
  }

  # System-assigned managed identity; this is the principal Synapse uses to reach the default storage
  identity {
    type = "SystemAssigned"
  }

  # Add tags
  tags = {
    source = "terraform"
  }
}

# Opens the workspace endpoint to every IPv4 address (0.0.0.0 - 255.255.255.255)
resource "azurerm_synapse_firewall_rule" "synapsefirewall" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.synapseworkspace.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}
I am assuming the error can easily be fixed using role management in the Azure portal, but solving it using Terraform would be the best option.
Try the following?
I found it's not enough for the app and account to be added as owners. I would go into your storage account > IAM > Add role assignment, and add the special permissions for this type of request:
- Storage Blob Data Contributor
- Storage Queue Data Contributor
Cited from: Azure Blob Storage "Authorization Permission Mismatch" error for get request with AD token
With the Terraform module azurerm_role_assignment you can assign a given Principal (User or Group) to a given Role: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
For Azure Synapse Workspace specifically, the principal identity can be retrieved using
azurerm_synapse_workspace.synapseworkspace.identity[0].principal_id
And assigned to a role:
# Create storage account
resource "azurerm_storage_account" "sa" {
  ...
}

# Create synapse workspace
resource "azurerm_synapse_workspace" "synapseworkspace" {
  ...
}

# Grant Synapse Workspace access to storage as Storage Blob Data Contributor
resource "azurerm_role_assignment" "synapsedatacontributor" {
  role_definition_name = "Storage Blob Data Contributor"
  scope                = azurerm_storage_account.sa.id
  principal_id         = azurerm_synapse_workspace.synapseworkspace.identity[0].principal_id
}