Creation of the Azure Databricks workspace fails because the Key Vault holding the customer-managed encryption key is in a different subscription from the workspace. Any suggestions on how to handle this cross-subscription scenario?
terraform {
  # Exact pin: the configuration below relies on azurerm 3.x attribute names
  # (managed_*_cmk_key_vault_key_id, network_security_group_rules_required).
  # No required_version or backend is declared here; state location is left to the caller.
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.54.0"
    }
  }
}
# Authentication and the default subscription are taken from the environment
# (ARM_* variables or an az login session); nothing in this block selects a
# subscription. The same identity therefore has to be able to read the Key
# Vault key referenced further down, which is in a different subscription than
# the workspace's resource group.
provider "azurerm" {
  features {}
}
# Name of the existing resource group that hosts the workspace (looked up via data.azurerm_resource_group).
variable "RG_Name" {
  description = "Resource group name"
  type        = string
  default     = "hbl-azure-ci-decommissioned-devuat-tfe-test-RG"
}
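# Workspace name. It is also the prefix of the DBFS storage account name
# ("${var.ADB_Name}stg" in the resource), and storage account names must be
# globally unique, 3-24 characters, lowercase letters and digits only. The
# validation keeps the derived storage account name within those limits so a
# bad name fails at plan time instead of at create time.
variable "ADB_Name" {
  description = "Azure Databricks name"
  type        = string
  default     = "adb01"

  validation {
    condition     = can(regex("^[a-z0-9]{1,21}$", var.ADB_Name))
    error_message = "ADB_Name must be 1-21 lowercase letters/digits so that \"${var.ADB_Name}stg\" is a valid storage account name."
  }
}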
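# Full ARM resource ID of the VNet that is injected into the workspace. It is
# also used as the prefix from which the subnet (NSG association) IDs are built,
# so its shape is checked here; the subscription segment is a placeholder and
# must be supplied by the caller.
variable "virtual_network_id" {
  description = "Virtual Network ID"
  type        = string
  default     = "/subscriptions/XXXXXXXXXXXX/resourceGroups/hbl-azure-ci-decommissioned-devuat-tfe-test-RG/providers/Microsoft.Network/virtualNetworks/databricks_vnet_test"

  validation {
    condition     = can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.Network/virtualNetworks/[^/]+$", var.virtual_network_id))
    error_message = "virtual_network_id must be a virtual network resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>."
  }
}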
# Name of the host ("public") subnet inside var.virtual_network_id.
variable "public_subnet_name" {
  description = "Host/Public Subnet Name"
  type        = string
  default     = "public_sub"
}
# Name of the container ("private") subnet inside var.virtual_network_id.
variable "private_subnet_name" {
  description = "Container/Private Subnet Name"
  type        = string
  default     = "private_sub"
}
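# Key Vault key used for customer-managed encryption.
#
# The Databricks CMK attributes are fed from data.azurerm_key_vault_key.<name>.id,
# which is the key's *vault URI* (https://<vault>.vault.azure.net/keys/<key>/<version>).
# The previous default here was the key's ARM resource path
# (/subscriptions/.../Microsoft.KeyVault/vaults/.../keys/key01), which is a
# different identifier; the value that was commented out had the right form,
# so it is now the default and the validation enforces that form.
variable "key_vault_key_id" {
  description = "Key vault key ID (versioned key URI), for Encryption"
  type        = string
  default     = "https://azaykv009.vault.azure.net/keys/key01/6dfee175180342ce9b338ad6fd8b22ed"

  validation {
    condition     = can(regex("^https://[^/]+/keys/[^/]+(/[0-9a-fA-F]{32})?$", var.key_vault_key_id))
    error_message = "key_vault_key_id must be a Key Vault key URI such as https://<vault>.vault.azure.net/keys/<key>/<version>, not an ARM resource path."
  }
}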
# Reads the encryption key so that its versioned URI (.id) can be handed to
# the workspace. The vault sits in a different subscription from the workspace
# resource group; the identity running Terraform must be able to read the
# vault and its keys there (presumably Key Vault read on the key -- confirm
# against the vault's access model, RBAC or access policy).
data "azurerm_key_vault_key" "key01" {
  key_vault_id = "/subscriptions/xxxxxxxx/resourceGroups/Redhat_AHB_Testing_RG/providers/Microsoft.KeyVault/vaults/azaykv009"
  name         = "key01"
}
# Flag for a two-pass apply (first create, then grant key access, then apply
# again). NOTE(review): nothing in this file references this variable, so
# flipping it currently changes nothing; the workspace always requests CMK.
variable "Permissions_Assigned" {
  description = "Make this true in 2nd execution after assigning permission to all the 3 identitys"
  type        = bool
  default     = false
}
# Identity details (tenant, object ID) of the principal running Terraform.
# Not referenced elsewhere in this file; typically used to grant that principal
# access to the Key Vault.
data "azurerm_client_config" "current" {
}
# Existing resource group; supplies the name and location used by the workspace.
data "azurerm_resource_group" "Resource_Group" {
  name = var.RG_Name
}
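# VNet-injected, private-only Databricks workspace with customer-managed keys.
#
# Fixes relative to the original: the two *_network_security_group_association_id
# values lacked the "$" of the interpolation (they were sent as the literal text
# "{var.virtual_network_id}/subnets/...") and hard-coded subnet names
# ("adbpublic-subnet"/"adbprivate-subnet") that did not match public_subnet_name /
# private_subnet_name ("public_sub"/"private_sub"). They are now derived from the
# same variables so the two cannot drift apart.
#
# NOTE(review): the key vault is in another subscription and no key-access grants
# appear in this file. The identities that need access to the key (the
# Terraform principal that reads it, and the identities Databricks uses for
# managed-services and managed-disk encryption -- presumably the three referred
# to by var.Permissions_Assigned) must be granted elsewhere; that variable is not
# referenced here, so there is no gating of CMK on a second pass.
resource "azurerm_databricks_workspace" "Azure_databricks" {
  name                = var.ADB_Name
  resource_group_name = data.azurerm_resource_group.Resource_Group.name
  location            = data.azurerm_resource_group.Resource_Group.location
  # Premium tier is what the CMK / infrastructure-encryption options below require.
  sku = "premium"

  # Both encryption scopes use the same key, read through the data source
  # (its .id is the versioned key URI). Using one key for both is valid but
  # ties their rotation together; separate keys would allow independent rotation.
  managed_services_cmk_key_vault_key_id = data.azurerm_key_vault_key.key01.id
  managed_disk_cmk_key_vault_key_id     = data.azurerm_key_vault_key.key01.id
  customer_managed_key_enabled          = true
  infrastructure_encryption_enabled     = true

  # No public front-end access and no public IPs on cluster nodes. With
  # "NoAzureDatabricksRules" the Databricks-managed NSG rules are not required,
  # which presumes back-end connectivity over private endpoints that are not
  # defined in this file -- confirm they exist before applying.
  public_network_access_enabled         = false
  network_security_group_rules_required = "NoAzureDatabricksRules"

  custom_parameters {
    no_public_ip        = true
    virtual_network_id  = var.virtual_network_id
    public_subnet_name  = var.public_subnet_name
    private_subnet_name = var.private_subnet_name

    # The association ID the provider expects is the subnet's resource ID,
    # built here from the VNet ID and the same subnet-name variables as above.
    public_subnet_network_security_group_association_id  = "${var.virtual_network_id}/subnets/${var.public_subnet_name}"
    private_subnet_network_security_group_association_id = "${var.virtual_network_id}/subnets/${var.private_subnet_name}"

    # DBFS root storage account; the name must be globally unique, 3-24 chars,
    # lowercase letters and digits only (var.ADB_Name is expected to keep it so).
    storage_account_name     = "${var.ADB_Name}stg"
    storage_account_sku_name = "Standard_LRS"
  }
}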