Disk encryption set is not being created with Azure Databricks workspace

Open abhinavkumar7 opened this issue 1 year ago • 2 comments

Referring to: https://learn.microsoft.com/en-us/azure/databricks/security/keys/cmk-managed-disks-azure/cmk-managed-disks-azure#--use-an-arm-template-azure-portal-or-cli

It is mentioned that:

When you create a workspace, a disk encryption set resource is also created within the managed resource group of your workspace. It has a system-assigned managed identity that is used to access your Key Vault. Before Azure Databricks compute can use this key to encrypt your data, you must retrieve the principal ID of the disk encryption set, then grant the identity the GET, WRAP, and UNWRAP key permissions to your Key Vault.

This is not true: when a workspace is created, a Disk encryption set is not created. The Disk encryption set is only created when you attempt to enable CMK on Azure Databricks disk.

We're trying to enable CMK on Azure Databricks disk (existing workspace) through Terraform, but it failed because initially the Disk encryption set wasn't available, so we cannot grant its principal permission on CMK.

Once the initial attempt failed through Terraform, we see that the Disk encryption set was created after that.

Since it is wrongly mentioned that the Disk encryption set is created with the workspace, can you please either update the documentation so that we don't get confused by it or, even better, actually create the Disk encryption set with the creation of the workspace?

Initially I thought that this issue was related to Terraform, so I raised an issue here. However, it appears to be an issue with Azure itself.

abhinavkumar7 avatar Apr 26 '24 13:04 abhinavkumar7

@abhinavkumar7 Thanks for your feedback! We will investigate and update as appropriate.

TPavanBalaji avatar Apr 26 '24 15:04 TPavanBalaji

@abhinavkumar7 Thank you for bringing this to our attention. I've delegated this to the content author, who will review it and offer their insightful opinions.

TPavanBalaji avatar Apr 29 '24 04:04 TPavanBalaji

Thanks for providing feedback that helps improve our documentation. We've created an internal work item (DOC-13811) to address your feedback. The timeline for resolution varies based on resourcing.

#please-close

kateglee-db avatar Apr 30 '24 00:04 kateglee-db