Update-AzDatabricksWorkspace doesn't work as expected while enabling encryption. #21324

Closed
bobby86 opened this issue Mar 25, 2023 · 1 comment · Fixed by #21726 or #21742
bobby86 commented Mar 25, 2023

Description

Azure Databricks workspace is in a failed state after enabling DBFS encryption using the Az PowerShell module and the script below.
I have tried to enable the encryption for another dev workspace through the GUI (Azure portal), using the key from the same key vault, and got the validation error (refer to snap01838).
For recovering the workspace, I have followed the MSFT troubleshooting guidelines (refer to snap01841).
When attempted in the GUI, I got an error that the managed resource group name doesn't match. (I have created the ADB workspace through PowerShell and used our default naming convention for the managed resource group.)
When I attempted the recovery through the PowerShell script below, I got a different error, and we are not able to locate the failed deployment details.
An MSFT support ticket was raised for this issue; the support engineer reproduced the issue and asked us to follow up with the Az PowerShell development team.

snap01822
snap01836
snap01838
snap01841

Issue script & Debug output

# enable Workspace encryption script
# Variables
$nmADBWSP = '*' # ADB Workspace Name
$nmWSPRG = '*' # ADB Workspace ResourceGroupName
$nmDSPRG = '*' # Key Vault ResourceGroupName
$nmKYV = '*' #Key Vault Name

# Configure customer-managed keys for DBFS encryption following: https://learn.microsoft.com/en-us/azure/databricks/security/keys/customer-managed-keys-dbfs/cmk-dbfs-powershell
# Prepare workspace for customer-managed key encryption
$Wsp = Get-AzDatabricksWorkspace -ResourceGroupName $nmWSPRG -Name $nmADBWSP
#$updWsp = Update-AzDatabricksWorkspace -ResourceGroupName $nmWSPRG -Name $nmADBWSP -PrepareEncryption #doesn't work throws invalid EncryptionKeySource error (refer to snap01822).
$updWsp = Update-AzDatabricksWorkspace -ResourceGroupName $nmWSPRG -Name $nmADBWSP -PrepareEncryption -EncryptionKeySource 'Microsoft.Keyvault'

# retrieve Key Vault details
$kyvDev = Get-AzKeyVault -ResourceGroupName $nmDSPRG -VaultName $nmKYV
# Configure the Key Vault access policy
Set-AzKeyVaultAccessPolicy -VaultName $kyvDev.VaultName -ObjectId $updWsp.StorageAccountIdentityPrincipalId `
  -PermissionsToKeys wrapkey, unwrapkey, get
# Create a new key for the encryption
$key1 = Add-AzKeyVaultKey -VaultName $kyvDev.VaultName -Name "$nmADBWSP-DBFS" -Destination 'Software'
# Update DBFS encryption Key
Update-AzDatabricksWorkspace -ResourceGroupName $nmWSPRG -Name $nmADBWSP -EncryptionKeySource Microsoft.Keyvault `
  -EncryptionKeyName $key1.Name `
  -EncryptionKeyVersion $key1.Version `
  -EncryptionKeyVaultUri $kyvDev.VaultUri # throws error (refer to snap01836).

# recover Workspace script
# Variables
$nmADBWSP = '*' # ADB Workspace Name
$nmWSPRG = '*' # ResourceGroupName to deploy the ADB Workspace
$nmADBRG = '*' # ManagedResourceGroupName
$nmLctn = 'eastus2' # Deployment location
$nmSku = 'premium' # ADB Workspace SKU
$AdbWspArgs = @{
  Name                     = $nmADBWSP
  ResourceGroupName        = $nmWSPRG
  ManagedResourceGroupName = $nmADBRG
  Location                 = $nmLctn
  Sku                      = $nmSku
}
$Wsp = New-AzDatabricksWorkspace @AdbWspArgs ;

Environment data

PowerShell code was run in VS Code:
Version: 1.76.2 (user setup)
Commit: ee2b180d582a7f601fa6ecfdad8d9fd269ab1884
Date: 2023-03-14T17:55:54.936Z
Electron: 19.1.11
Chromium: 102.0.5005.196
Node.js: 16.14.2
V8: 10.2.154.26-electron.0
OS: Windows_NT x64 10.0.19044
Sandboxed: No
 
pwsh terminal-HostVersion
Name             : ConsoleHost
Version          : 7.3.0

Module versions

Az PowerShell module used and their versions:
Az.Accounts  2.12.1
Az.Databricks 1.5.0
Az.KeyVault 4.9.2

Error output

Enable-encryption errors are in the attached screenshots.
Workspace recovery error:
New-AzDatabricksWorkspace_CreateExpanded: /usr/local/share/powershell/Modules/Az.Databricks/1.5.0/custom/New-AzDatabricksWorkspace.ps1:299
Line |
 299 |              Az.Databricks.internal\New-AzDatabricksWorkspace @PSBound
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The operation to create appliance failed. Please check operations of deployment '*' under resource group '/subscriptions/*/resourceGroups/*'.
     | Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.'
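
A read-only pre-flight check for the procedure in the script above, added here as an example (not code from the issue or from Az.Databricks): run between the access-policy step and the final Update-AzDatabricksWorkspace call, it reports anything that would leave the DBFS storage identity unable to use the key. Test-DbfsCmkReadiness and its parameter names are hypothetical; the soft-delete and purge-protection checks reflect Azure Storage's requirements for customer-managed keys, and the findings are not a diagnosis of the failure reported here.

```powershell
# Added example: hypothetical helper, makes no changes to any resource.
function Test-DbfsCmkReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string] $WorkspaceResourceGroup,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $VaultResourceGroup
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Workspace must be healthy and must already have a storage identity.
    $wsp = Get-AzDatabricksWorkspace -ResourceGroupName $WorkspaceResourceGroup `
        -Name $WorkspaceName -ErrorAction Stop
    if ($wsp.ProvisioningState -ne 'Succeeded') {
        $findings.Add("Workspace state is '$($wsp.ProvisioningState)'; do not change encryption settings.")
    }
    $principalId = $wsp.StorageAccountIdentityPrincipalId
    if ([string]::IsNullOrEmpty($principalId)) {
        $findings.Add('No storage account identity; -PrepareEncryption has not completed.')
    }

    $kv = Get-AzKeyVault -ResourceGroupName $VaultResourceGroup -VaultName $VaultName
    if ($null -eq $kv) {
        $findings.Add("Key vault '$VaultName' not found in '$VaultResourceGroup'.")
        return $findings
    }
    # Storage customer-managed keys need a vault whose keys cannot be purged.
    if ($kv.EnableSoftDelete -ne $true)     { $findings.Add('Soft delete is not enabled on the vault.') }
    if ($kv.EnablePurgeProtection -ne $true) { $findings.Add('Purge protection is not enabled on the vault.') }

    if ($kv.EnableRbacAuthorization) {
        # Access policies are not evaluated on an RBAC-authorized vault.
        $findings.Add('Vault uses Azure RBAC; Set-AzKeyVaultAccessPolicy grants are ignored.')
    }
    elseif (-not [string]::IsNullOrEmpty($principalId)) {
        $policy  = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
        $granted = @($policy.PermissionsToKeys)
        foreach ($perm in 'get', 'wrapKey', 'unwrapKey') {
            # -notcontains is case-insensitive, so 'wrapkey' matches 'wrapKey'.
            if ($granted -notcontains $perm) {
                $findings.Add("Storage identity $principalId lacks key permission '$perm'.")
            }
        }
    }
    return $findings
}
# Usage: an empty result means every check passed.
# Test-DbfsCmkReadiness -WorkspaceName $nmADBWSP -WorkspaceResourceGroup $nmWSPRG -VaultName $nmKYV -VaultResourceGroup $nmDSPRG
```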
@isra-fel
Member

Hi @lijinpei2008 please look into this issue. Thanks.
