Synapse resource met error ClientIpAddressNotAuthorized #13510

Closed
ms-henglu opened this issue Sep 26, 2021 · 4 comments · Fixed by #19227 · May be fixed by #13525
Labels
bug service/synapse upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR v/2.x (legacy)
@ms-henglu

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/azuread v1.4.0
+ provider registry.terraform.io/hashicorp/azurerm v2.78.0

Affected Resource(s)

azurerm_synapse_linked_service

Terraform Configuration Files

resource "azurerm_resource_group" "example" {
  name     = "example"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "example"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = "BlobStorage"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_data_lake_gen2_filesystem" "example" {
  name               = "example"
  storage_account_id = azurerm_storage_account.example.id
}

resource "azurerm_synapse_workspace" "example" {
  name                                 = "example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
}

resource "azurerm_synapse_firewall_rule" "example" {
  name                 = "allowAll"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

resource "azurerm_synapse_linked_service" "example" {
  name                 = "example"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  type                 = "AzureBlobStorage"
  type_properties_json = <<JSON
{
  "connectionString": "${azurerm_storage_account.example.primary_connection_string}"
}
JSON

  depends_on = [
    azurerm_synapse_firewall_rule.example,
  ]
}

Debug Output

 Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="ClientIpAddressNotAuthorized" Message="Client Ip address : 54.212.120.140"

Panic Output

Expected Behaviour

Deploy successfully.

Actual Behaviour

Met error ClientIpAddressNotAuthorized

Steps to Reproduce

  1. terraform apply

Important Factoids

The cause is that the firewall does not take effect immediately after firewall creation. The firewall has a cache that refreshes every 1 minute, so if requests are sent before the firewall refreshes, they will meet ClientIpAddressNotAuthorized.

@github-actions

This functionality has been released in v2.83.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@katbyte katbyte modified the milestones: v2.83.0, v2.84.0 Oct 29, 2021
@jjgriff93

jjgriff93 commented Nov 2, 2021

Still facing this issue on 2.83 so don't believe this has been fixed.

module.synapse.azurerm_synapse_spark_pool.synapse_spark_pool: Creation complete after 38s [id=/subscriptions/XXXXXXXXXXXXXXXXXXXX/resourceGroups/XXXXX/providers/Microsoft.Synapse/workspaces/XXXXX/bigDataPools/XXXXXXX]
╷
│ Error: checking for presence of existing Linked Service: (Name "dataset-storage" / Workspace Name "XXXXXX" / Resource Group "XXXXXXXXX"): artifacts.LinkedServiceClient#GetLinkedService: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="ClientIpAddressNotAuthorized" Message="Client Ip address : XXXXXX
│ with module.synapse.azurerm_synapse_linked_service.data_storage,
│ on modules/synapse/main.tf line 75, in resource "azurerm_synapse_linked_service" "data_storage":
│ 75: resource "azurerm_synapse_linked_service" "data_storage" {

@katbyte katbyte modified the milestones: v2.84.0, v2.85.0, v2.86.0 Nov 5, 2021
@katbyte katbyte modified the milestones: v2.86.0, v2.87.0 Nov 19, 2021
@jackofallops jackofallops modified the milestones: v2.87.0, v2.88.0 Nov 26, 2021
@tombuildsstuff tombuildsstuff modified the milestones: v2.88.0, Blocked Dec 2, 2021
@tombuildsstuff tombuildsstuff added the upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR label Dec 2, 2021
@DevMan01

DevMan01 commented May 5, 2022

Still facing this issue in 3.3.0.
The workaround involves trying to deploy again, which gives Synapse a chance to apply a firewall rule for the appropriate host, or adding a "time_sleep" resource type as a dependency to the firewall, and any azurerm_synapse_role_assignments thereafter.

The root of the problem is the firewall just takes a bit to take effect. And when you try to apply roles at the very end, you get a 403 because you're not permitted yet. So, a delay is a decent workaround until some kind of a fw health check can be implemented.
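
The delay workaround described in the comment above, sketched as an added example (not code from this issue or from the provider): a `time_sleep` resource from the hashicorp/time provider sits between the firewall rule and the linked service, and the rule is scoped to the deploying host instead of the `allowAll` range. The `deployer_ip` variable, the resource names and the `90s` duration are assumptions; the duration is chosen only to exceed the one-minute cache refresh reported in the issue.

```hcl
# Added example; variable, resource names and duration are assumptions.
# Assumes the workspace and storage account from the issue's configuration.
terraform {
  required_providers {
    time = { source = "hashicorp/time" }
  }
}

# Hypothetical input: public IPv4 address of the host running terraform apply.
variable "deployer_ip" {
  type = string
  validation {
    condition     = can(regex("^[0-9.]+$", var.deployer_ip)) && can(cidrhost("${var.deployer_ip}/32", 0))
    error_message = "The deployer_ip value must be a valid IPv4 address."
  }
}

# Allow only the deploying host rather than 0.0.0.0 - 255.255.255.255.
resource "azurerm_synapse_firewall_rule" "deployer" {
  name                 = "allowDeployer"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  start_ip_address     = var.deployer_ip
  end_ip_address       = var.deployer_ip
}

# Wait out the firewall cache refresh (reported as every 1 minute) before
# any data-plane request is sent to the workspace.
resource "time_sleep" "wait_for_synapse_firewall" {
  create_duration = "90s"
  depends_on      = [azurerm_synapse_firewall_rule.deployer]
}

resource "azurerm_synapse_linked_service" "example" {
  name                 = "example"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  type                 = "AzureBlobStorage"
  type_properties_json = jsonencode({
    connectionString = azurerm_storage_account.example.primary_connection_string
  })

  # Depend on the sleep, not the rule, so creation starts after the delay.
  depends_on = [time_sleep.wait_for_synapse_firewall]
}
```

Role assignments created after the firewall rule would take the same `depends_on` on the sleep resource.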

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 15, 2022
favoretti pushed a commit to favoretti/terraform-provider-azurerm that referenced this issue Jan 12, 2023