azurerm_machine_learning_datastore_*: support skip_validation property
#24078
Conversation
| @@ -33,6 +34,7 @@ type MachineLearningDataStoreBlobStorageModel struct { | |||
| ServiceDataAuthIdentity string `tfschema:"service_data_auth_identity"` | |||
| AccountKey string `tfschema:"account_key"` | |||
| SharedAccessSignature string `tfschema:"shared_access_signature"` | |||
| SkipValidation bool `tfschema:"skip_validation"` | |||
There was a problem hiding this comment.
Since this is a QueryString option it's not returned from the API - meaning this'll flag as a diff at import time for users (which is being worked around in the tests through the ignore) - as such what's the benefit to making this user-configurable, rather than defaulting to true?
There was a problem hiding this comment.
The flag should only be set in specific scenarios, such as when your workspace is in a virtual network. I'm uncertain if it is wise to have it set to true by default.
There was a problem hiding this comment.
A user is reporting issues failing to create some Machine Learning resources, and the RP team's recommendation is users can notify RP not to do any validation to address that, which can be done by setting this param in the query string. So RP team expects TF to expose that option to users.
There was a problem hiding this comment.
Whilst I understand the Service Team have requested that we expose this field on the resource, this would run contrary to other resources in the provider - however from your description this sounds like an API bug, so I'm wondering if there's an issue tracking that?
From Terraform's side we disable validation where it's problematic (example) and don't expose additional configuration values for this as it's an implementation detail (how do users know when to enable it vs when not too, so why not enable it all the time?).
Given this field is being used to workaround a bug in the API (and not control a behavioural feature), we shouldn't expose a user-configurable flag for this field - either on the resource or within the features block - and should instead hard-code this to true where it's needed within the Provider (at least until the API issue is resolved). This allows the resource to "just work" for users, rather than requiring users to have an understanding of how the API works internally - and so when this field should/shouldn't be set.
As such, can we remove this toggle on the resource and hard-code this to true - and also add a comment with a summary of/link to the issue so we can track when this is fixed?
There was a problem hiding this comment.
@tombuildsstuff thanks for reviewing this PR. My team owns the API mentioned in this PR and we are working with @mybayern1974 and @wuxu92 to add this "skipValidation" support.
I want to clarify that "skipValidation" is not a workaround for a bug, it's a feature that Azure Machine Learning (AzureML) customers need. When receiving the request of creating new datastore AzureML service will try to validate the request by accessing the underlying storage account, and reject the request if the validation fails. However, for some scenarios (eg. datastore with network isolation) technically it's impossible for AzureML service to access underlying storage account and validation might fail. In these cases customer needs to set skipValidation=True to bypass validation so request of creating new datastore can succeed.
Hope above can explain why we need to create this PR. Please let me know if you have any other questions.
There was a problem hiding this comment.
@tawan0109 thanks for the additional context, but the guidance above remains valid here - this shouldn't be exposed as a user configurable toggle in Terraform and this should be hard-coded to true.
Whilst I understand the scenario here, since we're referencing the Storage Account ID within the Machine Learning resource, in Terraform that's almost certainly an interpolated value, meaning that the Storage Account is virtually guaranteed to be created before the Machine Learning Workspace/Data Stores etc.
As such whilst I can understand why the Azure API/CLI/ARM Templates are exposing this field - Terraform's dependency graph virtually guarantees that the Storage Account ID being specified for the Machine Learning resources exists - as such from our side this ends up being an implementation detail, and thus shouldn't be exposed as a user configurable toggle, and should instead be hard-coded to true.
As such @wuxu92 can you remove this field from the resource and hard-code this field, as requested above?
Thanks!
There was a problem hiding this comment.
@tombuildsstuff understand that Terraform's dependency graph can guarantees storage account exists, please note that credentials of storage account are also included in the request of creating datastore, besides checking the existence of storage account, service also needs to validate if the credentials are correct and paths on storage account exist.
By default "skipValidation" is set to false on service side which means if customer does not specify this field in Terraform then validation always happen, which is what we want. As I mentioned above, in some cases validation cannot be applied so customer needs to have an option to skip the validation.
There was a problem hiding this comment.
Whilst I understand that, unfortunately this still isn't something we would expose as a user-configurable value - and as such this needs to be hard-coded to true.
There's both behavioural reasons for this (this would differ from other resources in the Provider [example]) and technical reasons for this (for example this would cause issues via import, as is being ignored in the tests here, which would be problematic for users).
It's worth noting that any requirements should be listed in the documentation for the Service, so (presuming those are documented) we can link to that as required from the documentation, as we do elsewhere.
There was a problem hiding this comment.
Thanks @tawan0109 's investigation, I have updated this PR to hard-coded skip_validation parmeter to true. Thanks a lot to @tombuildsstuff for the great review!
wuxu92
force-pushed
the
ml/skipvalidation
branch
from
82ec4db
to
73f1be7
Compare
wuxu92
force-pushed
the
ml/skipvalidation
branch
from
73f1be7
to
d8ae4b1
Compare
wuxu92
force-pushed
the
ml/skipvalidation
branch
from
d8ae4b1
to
ce26a0a
Compare
wuxu92
force-pushed
the
ml/skipvalidation
branch
from
ce26a0a
to
284ec03
Compare
github-actions
bot
added
size/XS
and removed
waiting-response
documentation
size/L
labels
<Actions>
<action
id="f410411e63aff4bb73a81c2aec1d373cf8a903e63b30dee2006b0030d8a94cc8">
<h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
<summary>Update Terraform lock file</summary>
<p>"hashicorp/azurerm" updated from "3.84.0" to
"3.85.0" in file ".terraform.lock.hcl"</p>
<details>
<summary>3.85.0</summary>
<pre>Changelog retrieved
from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.85.0
FEATURES:

*
New Data Source: `azurerm_locations`
([#23324](hashicorp/terraform-provider-azurerm#23324
New Resource: `azurerm_iotcentral_organization`
([#23132](https://github.com/hashicorp/terraform-provider-azurerm/issues/23132))

ENHANCEMENTS:

*
provider: support for authenticating using Azure Kubernetes Service
Workload Identity
([#23965](hashicorp/terraform-provider-azurerm#23965
dependencies: updating to `v0.65.0` of
`github.com/hashicorp/go-azure-helpers`
([#24222](hashicorp/terraform-provider-azurerm#24222
dependencies: updating to `v0.20231214.1220802` of
`github.com/hashicorp/go-azure-sdk`
([#24246](hashicorp/terraform-provider-azurerm#24246
dependencies: updating to version `v0.20231214.1160726` of
`github.com/hashicorp/go-azure-sdk`
([#24241](hashicorp/terraform-provider-azurerm#24241
dependencies: update `security/automation` to use
`hashicorp/go-azure-sdk`
([#24156](hashicorp/terraform-provider-azurerm#24156
`dataprotection`: updating to API Version `2023-05-01`
([#24143](hashicorp/terraform-provider-azurerm#24143
`kusto`: removing the remnants of the old Resource ID Parsers now this
uses `hashicorp/go-azure-sdk`
([#24238](hashicorp/terraform-provider-azurerm#24238
Data Source: `azurerm_cognitive_account` - export the `identity` block
([#24214](hashicorp/terraform-provider-azurerm#24214
Data Source: `azurerm_monitor_workspace` - add support for the
`default_data_collection_endpoint_id` and
`default_data_collection_rule_id` properties
([#24153](hashicorp/terraform-provider-azurerm#24153
Data Source: `azurerm_shared_image_gallery` - add support for the
`image_names` property
([#24176](hashicorp/terraform-provider-azurerm#24176
`azurerm_dns_txt_record` - allow up to `4096` characters for the
property `record.value`
([#24169](hashicorp/terraform-provider-azurerm#24169
`azurerm_container_app` - support for the `workload_profile_name`
property
([#24219](hashicorp/terraform-provider-azurerm#24219
`azurerm_container_app` - suppot for the `init_container` block
([#23955](hashicorp/terraform-provider-azurerm#23955
`azurerm_hpc_cache_blob_nfs_target` - support for the
`verification_timer_in_seconds` and `write_back_timer_in_seconds`
properties
([#24207](hashicorp/terraform-provider-azurerm#24207
`azurerm_hpc_cache_nfs_target` - support for the
`verification_timer_in_seconds` and `write_back_timer_in_seconds`
properties
([#24208](hashicorp/terraform-provider-azurerm#24208
`azurerm_linux_web_app` - make `client_secret_setting_name` optional and
conflict with `client_secret_certificate_thumbprint`
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_linux_web_app_slot` - make `client_secret_setting_name`
optional and conflict with `client_secret_certificate_thumbprint`
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_linux_web_app` - fix a bug in `app_settings` where settings
could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_linux_web_app_slot` - fix a bug in `app_settings` where
settings could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_log_analytics_workspace` - add support for the
`immediate_data_purge_on_30_days_enabled` property
([#24015](hashicorp/terraform-provider-azurerm#24015
`azurerm_mssql_server` - support for other identity types for the key
vault key
([#24236](hashicorp/terraform-provider-azurerm#24236
`azurerm_machine_learning_datastore_blobstorage` - resource now skips
validation when being created
([#24078](hashicorp/terraform-provider-azurerm#24078
`azurerm_machine_learning_datastore_datalake_gen2` - resource now skips
validation when being created
([#24078](hashicorp/terraform-provider-azurerm#24078
`azurerm_machine_learning_datastore_fileshare` - resource now skips
validation when being created
([#24078](hashicorp/terraform-provider-azurerm#24078
`azurerm_monitor_workspace` - support for the
`default_data_collection_endpoint_id` and
`default_data_collection_rule_id` properties
([#24153](hashicorp/terraform-provider-azurerm#24153
`azurerm_redis_cache` - support for the
`storage_account_subscription_id` property
([#24101](hashicorp/terraform-provider-azurerm#24101
`azurerm_storage_blob` - support for the `source_content` type `Page`
([#24177](hashicorp/terraform-provider-azurerm#24177
`azurerm_web_application_firewall_policy` - support new values to the
`rule_group_name` property
([#24194](hashicorp/terraform-provider-azurerm#24194
`azurerm_windows_web_app` - make the `client_secret_setting_name`
property optional and conflicts with the
`client_secret_certificate_thumbprint` property
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_windows_web_app_slot` - make the `client_secret_setting_name`
property optional and conflicts with the
`client_secret_certificate_thumbprint` property
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_windows_web_app` - fix a bug in `app_settings` where settings
could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_windows_web_app_slot` - fix a bug in `app_settings` where
settings could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_cognitive_account` - add `ContentSafety` to the `kind` property
validation
([#24205](https://github.com/hashicorp/terraform-provider-azurerm/issues/24205))

BUG
FIXES:

* provider: fix an authentication issue with Azure
Storage when running in Azure China cloud
([#24246](hashicorp/terraform-provider-azurerm#24246
Data Source: `azurerm_role_definition` - fix bug where
`role_definition_id` and `scope` were being incorrectly set
([#24211](hashicorp/terraform-provider-azurerm#24211
`azurerm_batch_account` - fix bug where `UserAssigned, SystemAssigned`
could be passed to the resource even though it isn't supported
([#24204](hashicorp/terraform-provider-azurerm#24204
`azurerm_batch_pool` - fix bug where `settings_json` and
`protected_settings` were not being unmarshaled
([#24075](hashicorp/terraform-provider-azurerm#24075
`azurerm_bot_service_azure_bot` - fix bug where
`public_network_access_enabled` was being set as the value for `LuisKey`
([#24164](hashicorp/terraform-provider-azurerm#24164
`azurerm_cognitive_account_customer_managed_key` - `identity_client_id`
is no longer passed to the api when it is empty
([#24231](hashicorp/terraform-provider-azurerm#24231
`azurerm_linux_web_app_slot` - error when `service_plan_id` is identical
to the parent `service_plan_id`
([#23403](hashicorp/terraform-provider-azurerm#23403
`azurerm_management_group_template_deployment` - fixing a bug where
`template_spec_version_id` couldn't be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_pim_active_role_assignment` - fix an importing issue by
filtering available role assignments based on the provided `scope`
([#24077](hashicorp/terraform-provider-azurerm#24077
`azurerm_pim_eligible_role_assignment` - fix an importing issue by
filtering available role assignments based on the provided `scope`
([#24077](hashicorp/terraform-provider-azurerm#24077
`azurerm_resource_group_template_deployment` - fixing a bug where
`template_spec_version_id` couldn't be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_security_center_setting` - fix the casing for the
`setting_name` `Sentinel`
([#24210](hashicorp/terraform-provider-azurerm#24210
`azurerm_storage_account` - Fix crash when checking for
`routingInputs.PublishInternetEndpoints` and
`routingInputs.PublishMicrosoftEndpoints`
([#24228](hashicorp/terraform-provider-azurerm#24228
`azurerm_storage_share_file` - prevent panic when the file specified by
`source` is empty
([#24179](hashicorp/terraform-provider-azurerm#24179
`azurerm_subscription_template_deployment` - fixing a bug where
`template_spec_version_id` couldn't be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_tenant_template_deployment` - fixing a bug where
`template_spec_version_id` couldn't be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_virtual_machine` - prevent a panic by nil checking the first
element of `additional_capabilities`
([#24159](hashicorp/terraform-provider-azurerm#24159
`azurerm_windows_web_app_slot` - error when `service_plan_id` is
identical to the parent `service_plan_id`
([#23403](https://github.com/hashicorp/terraform-provider-azurerm/issues/23403))


</pre>
</details>
</details>
<a
href="https://infra.ci.jenkins.io/job/terraform-jobs/job/azure/job/main/942/">Jenkins
pipeline link</a>
</action>
</Actions>
---
<table>
<tr>
<td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
</td>
<td>
<p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
</p>
<details><summary>Options:</summary>
<br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
<ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
</ul>
<p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
</p>
</details>
</td>
</tr>
</table>
Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
This property is in the query string and used to skip server side access validation. This PR is to address some internal incident tickets.
swagger: https://github.com/Azure/azure-rest-api-specs/blob/30d711afc12628f35811e9f6eedeb7246e53264f/specification/machinelearningservices/resource-manager/Microsoft.MachineLearningServices/stable/2023-04-01/mfe.json#L5948