
I try to create a linked service using this Terraform resource: azurerm_data_factory_linked_service_azure_sql_database.

The documentation says that we can use use_managed_identity (I use it as a boolean). I try to combine it with credential_name, which uses the outcome of this resource: azurerm_data_factory_credential_user_managed_identity.

Imho the documentation is quite poor and I couldn't find proper resources online.

In the same block I try to specify the connection string, but I believe that I misconfigured it.

It looks like this:

resource "azurerm_data_factory_linked_service_azure_sql_database" "linked_service_for_xxxxx_database" {
  name                     = "linked_service_for_xxxxxx_database"
  data_factory_id          = var.azure_data_factory_id             # I created an ADF instance and it depends on it
  use_managed_identity     = true                                  # should be boolean?
  credential_name          = var.user_assigned_managed_identity_id # output of: azurerm_data_factory_credential_user_managed_identity
  integration_runtime_name = var.integration_runtime_name          # output of: azurerm_data_factory_integration_runtime_azure

  # var.xxxxx_sql_server_name: fully qualified domain name??
  connection_string = "data source=${var.xxxxx_sql_server_name};Initial Catalog=${var.xxxx_sql_db_name};encrypt=True;connection timeout=30;"
}

I want the linked service to be of Authentication type: User-assigned managed Identity and use the credentials that I created above.

Fun fact: I have this configuration, which does not give me errors during init & plan (I haven't run apply yet):

resource "azurerm_data_factory_linked_service_data_lake_storage_gen2" "linked_service_for_azure_data_lake_storage" {
  name                     = "linked_service_for_azure_data_lake_storage"
  data_factory_id          = var.azure_data_factory_id
  url                      = "https://${var.adls_account_name}.dfs.core.windows.net"
  use_managed_identity     = var.user_assigned_managed_identity_id # I was expecting it to be bool but ....
  integration_runtime_name = var.integration_runtime_name
}

1 Answer


I configure use_managed_identity and credential_name while provisioning azurerm_data_factory_linked_service_azure_sql_database using terraform

I can see two main issues in the configuration you shared. First, the credential_name attribute expects a credential name, but you are passing the ID of a user-assigned managed identity.

Secondly, the use_managed_identity field is a boolean, but you are passing a managed identity ID.

These are the two fixes you need to make in the configuration you shared. I tried a demo configuration with the necessary changes so that you will be able to reproduce the requirement you're looking for.

Demo configuration:

# azurerm_resource_group.rg and var.adls_account_name are declared elsewhere in this demo.
resource "azurerm_data_factory" "adf" {
  name                = "adf-demo-vksb"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  identity {
    # The factory must carry the user-assigned identity that the credential below references.
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.umi.id]
  }
}

resource "azurerm_user_assigned_identity" "umi" {
  name                = "umi-adf"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "sql_role" {
  scope                = azurerm_mssql_server.sql.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.umi.principal_id
}

resource "azurerm_mssql_server" "sql" {
  name                         = "sqlserver-demo-dev"
  resource_group_name          = azurerm_resource_group.rg.name
  location                     = azurerm_resource_group.rg.location
  administrator_login          = "adminuser"
  administrator_login_password = "SecurePassword123!"
  version                      = "12.0"
}

resource "azurerm_mssql_database" "db" {
  name         = "sqldb-demo"
  server_id    = azurerm_mssql_server.sql.id
  collation    = "SQL_Latin1_General_CP1_CI_AS"
  license_type = "LicenseIncluded"
  max_size_gb  = 2
  sku_name     = "Basic"
}

resource "azurerm_data_factory_integration_runtime_azure" "runtime" {
  name            = "integration-runtime-demo"
  data_factory_id = azurerm_data_factory.adf.id
  location        = azurerm_resource_group.rg.location
}

resource "azurerm_data_factory_credential_user_managed_identity" "adf_credential" {
  name            = "adf-credential-mi"
  data_factory_id = azurerm_data_factory.adf.id
  identity_id     = azurerm_user_assigned_identity.umi.id
}

resource "azurerm_data_factory_linked_service_azure_sql_database" "linked_service" {
  name                     = "linked-service-sql"
  data_factory_id          = azurerm_data_factory.adf.id
  use_managed_identity     = true                                                                 # bool, not an identity ID
  credential_name          = azurerm_data_factory_credential_user_managed_identity.adf_credential.name # the credential's name, not its ID
  integration_runtime_name = azurerm_data_factory_integration_runtime_azure.runtime.name

  # Data Source takes the server FQDN, not the bare server name.
  connection_string = "Data Source=${azurerm_mssql_server.sql.fully_qualified_domain_name};Initial Catalog=${azurerm_mssql_database.db.name};Encrypt=True;Connection Timeout=30;"
}

resource "azurerm_data_factory_linked_service_data_lake_storage_gen2" "linked_service_adls" {
  name                     = "linked-service-adls"
  data_factory_id          = azurerm_data_factory.adf.id
  url                      = "https://${var.adls_account_name}.dfs.core.windows.net"
  use_managed_identity     = true # bool here as well
  integration_runtime_name = azurerm_data_factory_integration_runtime_azure.runtime.name
}


Refer:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory_linked_service_azure_sql_database

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory_credential_user_assigned_managed_identity


5 Comments

How is it possible for the azurerm_data_factory_linked_service_data_lake_storage_gen2 to use a managed identity without specifying the credentials for it (ex: credential_name)? In the ADF UI, there is a credentials section for the data lake linked service. I'm gonna test your answer and then accept it.
For azurerm_data_factory_linked_service_data_lake_storage_gen2, set use_managed_identity = true, ensure ADF's Managed Identity has "Storage Blob Data Contributor" access on ADLS Gen2, and no credential_name is required.
Sure, I'll try it out and I'll let you know. Thanks!!
I have a side question. I currently have several envs: dev-accept-prod. If I create the linked services via tf, then each time I deploy ADF code (JSON linked services) to other envs, will the JSON linked services overwrite the ones from Terraform?
Yes, deploying ADF JSON-linked services will overwrite the ones created via Terraform, so to avoid conflicts, either manage all linked services through Terraform or exclude them from ADF ARM template deployments. @Potis23
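The two mistakes the answer identifies (an identity ID passed where the credential's name is expected, and a non-boolean use_managed_identity) only surface at apply time when the values arrive through untyped variables, as in the question's var.* references. The following added example (not code from the question or the answer) shows how the consuming module can declare typed inputs with validation blocks so that terraform plan rejects both mistakes, and it adds the storage-account data-plane role assignment the comment thread mentions for the ADLS Gen2 linked service. The resource labels (adf, umi, adls), the variable names and the public-cloud SQL hostname suffix are assumptions for this snippet; validation with endswith requires Terraform 1.4 or newer.

```hcl
# Added example, not from the question or the answer. Assumes a module that
# receives ADF-related values as inputs and that azurerm_data_factory.adf,
# azurerm_user_assigned_identity.umi and azurerm_storage_account.adls are
# declared elsewhere (all labels are assumptions).

variable "use_managed_identity" {
  type        = bool # an identity ID passed here now fails the type check at plan time
  default     = true
  description = "Authenticate the linked service with the factory's user-assigned identity"
}

variable "credential_name" {
  type        = string
  description = "NAME of an azurerm_data_factory_credential_user_managed_identity, not its resource ID"

  validation {
    # ARM resource IDs are slash-separated paths (/subscriptions/...); a
    # credential name never contains a slash, so an ID is rejected at plan.
    condition     = !can(regex("/", var.credential_name))
    error_message = "credential_name must be the credential's name (the resource's .name attribute), not a resource ID."
  }
}

variable "sql_server_fqdn" {
  type        = string
  description = "Server FQDN, i.e. the fully_qualified_domain_name attribute of azurerm_mssql_server"

  validation {
    # Public-cloud suffix assumed; adjust for sovereign clouds.
    condition     = endswith(var.sql_server_fqdn, ".database.windows.net")
    error_message = "sql_server_fqdn must be the server FQDN (<name>.database.windows.net), not the bare server name."
  }
}

variable "sql_db_name" {
  type = string
}

variable "integration_runtime_name" {
  type = string
}

resource "azurerm_data_factory_linked_service_azure_sql_database" "sql" {
  name                     = "linked-service-sql"
  data_factory_id          = azurerm_data_factory.adf.id
  use_managed_identity     = var.use_managed_identity
  credential_name          = var.credential_name # e.g. -var="credential_name=adf-credential-mi"
  integration_runtime_name = var.integration_runtime_name
  connection_string        = "Data Source=${var.sql_server_fqdn};Initial Catalog=${var.sql_db_name};Encrypt=True;Connection Timeout=30;"
}

# Data-plane access for the ADLS Gen2 linked service: an RBAC data role
# scoped to the single storage account the factory reads, nothing wider.
# Note that an Azure RBAC role on a SQL server (such as the Contributor
# assignment in the answer's demo) is control-plane only; Azure SQL also
# needs a database user created FROM EXTERNAL PROVIDER for the identity
# before the linked service can run queries.
resource "azurerm_role_assignment" "adls_data" {
  scope                = azurerm_storage_account.adls.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.umi.principal_id
}
```

With these declarations, passing var.user_assigned_managed_identity_id to either use_managed_identity or credential_name, as in the question, stops at terraform plan with the type error or the validation message, instead of producing a linked service that fails to authenticate later.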
