
[ISSUE] Issue creating private workspace prior to registering DNS record

Open alyssons-db opened this issue 3 years ago • 7 comments

Expected Behavior

Expect the workspace to be successfully created and terraform apply to complete successfully when creating a workspace with front-end PrivateLink.

Actual Behavior

Although the workspace is created successfully, the apply fails because there is a health check at the end that calls the /api/2.0/token/list API. Since the hostname itself needs to be first registered in the DNS to point to the private IP of the endpoint, the check fails saying that the endpoint is not reachable.

Error: cannot create mws workspaces: workspace https://aso-workspace.cloud.databricks.com/ is not yet reachable: Get "https://aso-workspace.cloud.databricks.com/api/2.0/token/list": context deadline exceeded - rate limited: context deadline exceeded

If I created the DNS record prior to trying to create the workspace, the apply completes successfully.

Steps to Reproduce

  1. Run 'terraform apply' to create workspace with PrivateLink for the front-end

Terraform and provider versions

Terraform v1.2.7

  • provider registry.terraform.io/databricks/databricks v1.1.0
  • provider registry.terraform.io/hashicorp/aws v4.24.0

alyssons-db avatar Sep 29 '22 12:09 alyssons-db

This is where the issue arises, as the provider verifies that the workspace is reachable: https://github.com/databricks/terraform-provider-databricks/blob/master/mws/resource_mws_workspaces.go#L179

@alexott we can add a parameter to relax this check, what do you think?

nkvuong avatar Sep 29 '22 12:09 nkvuong

We can, but we still need to perform some check to make sure that the workspace is created & reachable. Maybe we need to check if the workspace is with private link, and use some other URL?

alexott avatar Sep 29 '22 12:09 alexott

Can we just call the Account API to check if the status of the workspace is RUNNING? https://accounts.cloud.databricks.com/api/2.0/accounts/{account_id}/workspaces/{workspace_id}

https://docs.databricks.com/dev-tools/api/latest/account.html#operation/get-workspace


alyssons-db avatar Sep 29 '22 12:09 alyssons-db
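
The Account API check proposed in the comment above, sketched in Go as an added example (not code from the provider or from any participant in this thread). The JSON field name `workspace_status`, the `FAILED` state, the helper names and the stand-in server are assumptions; the check confirms provisioning state only and says nothing about whether the workspace hostname resolves from the caller's network.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// waitRunning polls GET {host}/api/2.0/accounts/{account}/workspaces/{id} and never resolves the
// workspace hostname. Assumed: field "workspace_status", state FAILED, auth handled by client c.
func waitRunning(c *http.Client, host, account string, id int64, tries int, every time.Duration) error {
	url := fmt.Sprintf("%s/api/2.0/accounts/%s/workspaces/%d", host, account, id)
	for ; tries > 0; tries-- {
		resp, err := c.Get(url)
		if err != nil {
			return err
		}
		var ws struct{ Status string `json:"workspace_status"` }
		err = json.NewDecoder(resp.Body).Decode(&ws)
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK || err != nil {
			return fmt.Errorf("account API: %s (decode error: %v)", resp.Status, err)
		}
		switch ws.Status {
		case "RUNNING":
			return nil
		case "FAILED":
			return fmt.Errorf("workspace %d provisioning FAILED", id)
		}
		time.Sleep(every) // any other state: still provisioning, poll again
	}
	return fmt.Errorf("workspace %d not RUNNING after polling", id)
}

// fakeAccountAPI is a constructed stand-in that always reports the given state.
func fakeAccountAPI(state string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintf(w, `{"workspace_status":%q}`, state)
	}))
}

func main() {
	for _, s := range []string{"RUNNING", "PROVISIONING", "FAILED"} {
		srv := fakeAccountAPI(s)
		fmt.Println(s, "->", waitRunning(srv.Client(), srv.URL, "acct", 1, 3, time.Millisecond))
		srv.Close()
	}
}
```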

The issue is not only to make sure that the workspace is running, but also that DNS is propagated...

alexott avatar Sep 29 '22 15:09 alexott

I don't think this is an issue for private workspaces. There won't be a public DNS record to propagate because the IP is private. Customers will need to register on their own DNS servers or use something like Route53 hosted zones to register before accessing the workspace.

At least the above is my understanding, or am I missing something?


alyssons-db avatar Sep 30 '22 07:09 alyssons-db

I'm okay with adding skip_dns_verify, but I'd rather wait for the provider split, which will use the Go SDK.

nfx avatar Oct 13 '22 10:10 nfx

Hi, I'm also running into this issue. Was skip_dns_verify (or another solution) implemented?

jtthackery avatar May 09 '24 19:05 jtthackery