[AVM Module Issue]: Databricks cannot use same Key Vault for both encryption options #4430
Check for previous/existing GitHub issues
Issue Type?
Bug
Module Name
avm/res/databricks/workspace
(Optional) Module Version
No response
Description
We're trying to deploy a Databricks Workspace with all encryption options enabled. However since we use the same Key Vault for the encryption keys, we're getting deployment errors.
I think the issue is coming from this codeblock in the module itself:
```bicep
resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
  name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
  scope: resourceGroup(
    split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
    split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
  )
  resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
    name: customerManagedKey.?keyName ?? 'dummyKey'
  }
}
resource cMKManagedDiskKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = if (!empty(customerManagedKeyManagedDisk.?keyVaultResourceId)) {
  name: last(split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? 'dummyVault'), '/'))
  scope: resourceGroup(
    split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? '//'), '/')[2],
    split((customerManagedKeyManagedDisk.?keyVaultResourceId ?? '////'), '/')[4]
  )
  resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKeyManagedDisk.?keyVaultResourceId) && !empty(customerManagedKeyManagedDisk.?keyName)) {
    name: customerManagedKeyManagedDisk.?keyName ?? 'dummyKey'
  }
}
```
It gives 2 reference (existing) resources the same name if the two keys use the same KV which throws this error:
| 11:18:26 - The deployment 'data_bricks_1117_11-02-2025' failed with
| error(s). Showing 1 out of 1 error(s). Status Message: Deployment
| template validation failed: 'The resource
| 'Microsoft.KeyVault/vaults/kv-medlix-test-westeu' at line '1' and column
| '29225' is defined multiple times in a template. Please see
| https://aka.ms/arm-syntax-resources for usage details.'.
| (Code:InvalidTemplate) CorrelationId:
| 5bd05eb6-ff59-4d48-9253-376b8b277a04
These are the parameters passed to the module:
```bicep
customerManagedKeyManagedDisk: {
  keyName: encryptionKeyGenerationForDisk.outputs.encryptionKeyName
  keyVaultResourceId: keyVault.id
  autoRotationEnabled: true
  userAssignedIdentityResourceId: keyVaultManagedId.id
}
```
So what should we do here? I'd expect the reference resource to get some sort of unique name, but in this case it's not unique if you want to use both Managed Disks and Managed Services as encryption options with (a) key(s) from the same Key Vault.
As a secondary question: when we try to use a different Key Vault, it throws a permission denied error because Databricks doesn't have access to said Key Vault. How would we handle that?
(Optional) Correlation Id
No response
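A pre-deployment check for the collision described in this issue, as an added example that is not part of the original issue or the AVM module: it parses `keyVaultResourceId` from both parameter objects the way the module's `split(...)` expressions do and reports when both resolve to the same vault. The sample resource IDs and key names are constructed, and the case-insensitive comparison is an assumption about how the duplicate is matched.

```python
import re

# Azure resource IDs are case-insensitive, so the comparison lower-cases each part
# (assumption: the template validator treats differently cased IDs as one vault).
_KV_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<name>[^/]+)/?$",
    re.IGNORECASE,
)


def module_split(resource_id):
    """Mirror the module's parsing: split on '/' and take [2], [4] and last()."""
    parts = resource_id.split("/")
    return parts[2], parts[4], parts[-1]


def vault_identity(resource_id):
    """Validate a Key Vault resource ID and return (subscription, group, name)."""
    if not _KV_ID.match(resource_id.strip()):
        raise ValueError(f"not a Key Vault resource ID: {resource_id!r}")
    return tuple(p.lower() for p in module_split(resource_id.strip().rstrip("/")))


def cmk_vault_collision(customer_managed_key, customer_managed_key_managed_disk):
    """True when both CMK parameter objects reference the same Key Vault."""
    ids = [
        (params or {}).get("keyVaultResourceId")
        for params in (customer_managed_key, customer_managed_key_managed_disk)
    ]
    if not all(ids):
        return False  # at most one encryption option set, so one vault reference
    return vault_identity(ids[0]) == vault_identity(ids[1])


# Constructed sample values (placeholder subscription, group, vault and key names).
SAMPLE_VAULT = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
    "/providers/Microsoft.KeyVault/vaults/kv-example"
)
SERVICES_CMK = {"keyName": "services-key", "keyVaultResourceId": SAMPLE_VAULT}
DISK_CMK = {"keyName": "disk-key", "keyVaultResourceId": SAMPLE_VAULT.upper()}

if __name__ == "__main__":
    if cmk_vault_collision(SERVICES_CMK, DISK_CMK):
        print("Both encryption options reference the same Key Vault:",
              "/".join(vault_identity(SAMPLE_VAULT)))
```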