Error retrieving Synapse RoleAssignment using Azure DevOps to deploy Terraform #16874

Closed
1 task done
dbgrl93 opened this issue May 19, 2022 · 3 comments

Comments

@dbgrl93

dbgrl93 commented May 19, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.0.11

AzureRM Provider Version

3.6.0

Affected Resource(s)/Data Source(s)

azurerm_synapse_role_assignment

Terraform Configuration Files

resource "azurerm_synapse_workspace" "synapse_workspace" {
  count                                = var.create_synapse_workspace ? 1 : 0
  name                                 = var.synapse_workspace_name
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adls_gen2_filesystem_01[count.index].id
  sql_administrator_login              = var.sw[count.index].admin_name
  sql_administrator_login_password     = var.sw[count.index].admin_password
  identity { type = "SystemAssigned" }
  tags = var.tags
}

resource "azurerm_synapse_firewall_rule" "devOpsIP" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.synapse_workspace[0].id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

resource "azurerm_synapse_role_assignment" "synapse_role_assignment" {
  count                = var.create_synapse_workspace ? 1 : 0
  synapse_workspace_id = azurerm_synapse_workspace.synapse_workspace[0].id
  role_name            = var.sw[count.index].role_name
  principal_id         = var.sw[count.index].principal_id
  depends_on           = [azurerm_synapse_firewall_rule.devOpsIP]
}

Debug Output/Panic Output

When running a terraform plan through Azure DevOps, the following error comes up
 Error: retrieving Synapse RoleAssignment (Resource Group "syw-xxx-xxxxxxx-n"): accesscontrol.RoleAssignmentsClient#GetRoleAssignmentByID: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="ClientIpAddressNotAuthorized" Message="Client Ip address : XX.XXX.XXX.XXX"
│ 
│   with module.app_synapse.azurerm_synapse_role_assignment.synapse_role_assignment[0],
│   on terraform_synapse_module\main.tf line 54, in resource "azurerm_synapse_role_assignment" "synapse_role_assignment":
│   54: resource "azurerm_synapse_role_assignment" "synapse_role_assignment" {

Expected Behaviour

When running a terraform plan, it should be able to connect to the Synapse Workspace and create a plan to add the role assignments.

Actual Behaviour

This error comes up when running a terraform plan in Azure DevOps

│ Error: retrieving Synapse RoleAssignment (Resource Group "syw-ent-app58081-n-cus01"): accesscontrol.RoleAssignmentsClient#GetRoleAssignmentByID: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="ClientIpAddressNotAuthorized" Message="Client Ip address : XX.XXX.XXX.XXX"

│ with module.app_synapse.azurerm_synapse_role_assignment.synapse_role_assignment[0],
│ on terraform_synapse_module\main.tf line 54, in resource "azurerm_synapse_role_assignment" "synapse_role_assignment":
│ 54: resource "azurerm_synapse_role_assignment" "synapse_role_assignment" {

Steps to Reproduce

In Azure DevOps create a pipeline to run a terraform apply with the following configuration

resource "azurerm_synapse_workspace" "synapse_workspace" {
  count                                = var.create_synapse_workspace ? 1 : 0
  name                                 = var.synapse_workspace_name
  resource_group_name                  = var.resource_group_name
  location                             = var.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adls_gen2_filesystem_01[count.index].id
  sql_administrator_login              = var.sw[count.index].admin_name
  sql_administrator_login_password     = var.sw[count.index].admin_password
  identity { type = "SystemAssigned" }
  tags = var.tags
}

resource "azurerm_synapse_firewall_rule" "devOpsIP" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.synapse_workspace[0].id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

resource "azurerm_synapse_role_assignment" "synapse_role_assignment" {
  count                = var.create_synapse_workspace ? 1 : 0
  synapse_workspace_id = azurerm_synapse_workspace.synapse_workspace[0].id
  role_name            = var.sw[count.index].role_name
  principal_id         = var.sw[count.index].principal_id
  depends_on           = [azurerm_synapse_firewall_rule.devOpsIP]
}

Important Factoids

No response

References

No response

@dbgrl93 dbgrl93 added the bug label May 19, 2022
@github-actions github-actions bot removed the bug label May 19, 2022
@ms-henglu
Contributor

Hi @dbgrl93 ,

Thank you for taking time to report this issue!

I think it's a duplicate of #13510.

A workaround is adding a time_sleep after azurerm_synapse_firewall_rule is created; I believe 1 minute will be enough.
https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep
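
The workaround suggested above, written out against the configuration posted in the issue (an added example, not code from the issue author or the provider project). The resource name `wait_for_firewall` is hypothetical and the `60s` value is the "1 minute" from the comment; the two blocks at the end replace the posted firewall rule and role assignment blocks.

```hcl
# Assumption: the module does not yet declare the time provider. If it already
# has a required_providers block, add the "time" entry there instead.
terraform {
  required_providers {
    time = {
      source = "hashicorp/time"
    }
  }
}

# Firewall rule exactly as posted in the issue.
resource "azurerm_synapse_firewall_rule" "devOpsIP" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.synapse_workspace[0].id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

# Hypothetical resource name. Pauses after the firewall rule is created so the
# rule can take effect before the role assignment API is called.
resource "time_sleep" "wait_for_firewall" {
  create_duration = "60s"

  # Referencing the rule's id orders the sleep after the rule, and replaces
  # the sleep (waiting again) if the rule itself is ever recreated.
  triggers = {
    firewall_rule_id = azurerm_synapse_firewall_rule.devOpsIP.id
  }
}

# Role assignment as posted, but now ordered after the sleep rather than
# directly after the firewall rule.
resource "azurerm_synapse_role_assignment" "synapse_role_assignment" {
  count                = var.create_synapse_workspace ? 1 : 0
  synapse_workspace_id = azurerm_synapse_workspace.synapse_workspace[0].id
  role_name            = var.sw[count.index].role_name
  principal_id         = var.sw[count.index].principal_id
  depends_on           = [time_sleep.wait_for_firewall]
}
```

`create_duration` only delays the run in which the `time_sleep` resource is created, so later plans and applies are not slowed by it.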

@mybayern1974
Collaborator

@dbgrl93 per Heng's suggestion above, I'm closing this issue as a duplicate, and you can subscribe to #13510. Or feel free to suggest reopening this issue if you assume it's talking about a different story from #13510.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 24, 2022