Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_machine_learning_datastore_*: support skip_validation property #24078

Merged
merged 1 commit into from
Dec 12, 2023

Conversation

wuxu92
Copy link
Contributor

@wuxu92 wuxu92 commented Nov 30, 2023

This property is in the query string and used to skip server side access validation. This PR is to address some internal incident tickets.

swagger: https://github.com/Azure/azure-rest-api-specs/blob/30d711afc12628f35811e9f6eedeb7246e53264f/specification/machinelearningservices/resource-manager/Microsoft.MachineLearningServices/stable/2023-04-01/mfe.json#L5948

--- PASS: TestAccMachineLearningDataStoreFileShare_accountKeySkipValidation (421.39s)
--- PASS: TestAccMachineLearningDataStoreDataLakeGen2_skipValidation (423.02s)
--- PASS: TestAccMachineLearningDataStoreBlobStorage_accountKeySkipValidation (428.67s)
PASS

@@ -33,6 +34,7 @@ type MachineLearningDataStoreBlobStorageModel struct {
ServiceDataAuthIdentity string `tfschema:"service_data_auth_identity"`
AccountKey string `tfschema:"account_key"`
SharedAccessSignature string `tfschema:"shared_access_signature"`
SkipValidation bool `tfschema:"skip_validation"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is a QueryString option it's not returned from the API - meaning this'll flag as a diff at import time for users (which is being worked around in the tests through the ignore) - as such what's the benefit to making this user-configurable, rather than defaulting to true?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The flag should only be set in specific scenarios, such as when your workspace is in a virtual network. I'm uncertain if it is wise to have it set to true by default.

Copy link
Collaborator

@mybayern1974 mybayern1974 Nov 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A user is reporting issues failing to create some Machine Learning resources, and the RP team's recommendation is users can notify RP not to do any validation to address that, which can be done by setting this param in the query string. So RP team expects TF to expose that option to users.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mybayern1974 @wuxu92

Whilst I understand the Service Team have requested that we expose this field on the resource, this would run contrary to other resources in the provider - however from your description this sounds like an API bug, so I'm wondering if there's an issue tracking that?

From Terraform's side we disable validation where it's problematic (example) and don't expose additional configuration values for this as it's an implementation detail (how do users know when to enable it vs when not too, so why not enable it all the time?).

Given this field is being used to workaround a bug in the API (and not control a behavioural feature), we shouldn't expose a user-configurable flag for this field - either on the resource or within the features block - and should instead hard-code this to true where it's needed within the Provider (at least until the API issue is resolved). This allows the resource to "just work" for users, rather than requiring users to have an understanding of how the API works internally - and so when this field should/shouldn't be set.

As such, can we remove this toggle on the resource and hard-code this to true - and also add a comment with a summary of/link to the issue so we can track when this is fixed?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tombuildsstuff thanks for reviewing this PR. My team owns the API mentioned in this PR and we are working with @mybayern1974 and @wuxu92 to add this "skipValidation" support.

I want to clarify that "skipValidation" is not a workaround for a bug, it's a feature that Azure Machine Learning (AzureML) customers need. When receiving the request of creating new datastore AzureML service will try to validate the request by accessing the underlying storage account, and reject the request if the validation fails. However, for some scenarios (eg. datastore with network isolation) technically it's impossible for AzureML service to access underlying storage account and validation might fail. In these cases customer needs to set skipValidation=True to bypass validation so request of creating new datastore can succeed.

Hope above can explain why we need to create this PR. Please let me know if you have any other questions.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tawan0109 thanks for the additional context, but the guidance above remains valid here - this shouldn't be exposed as a user configurable toggle in Terraform and this should be hard-coded to true.

Whilst I understand the scenario here, since we're referencing the Storage Account ID within the Machine Learning resource, in Terraform that's almost certainly an interpolated value, meaning that the Storage Account is virtually guaranteed to be created before the Machine Learning Workspace/Data Stores etc.

As such whilst I can understand why the Azure API/CLI/ARM Templates are exposing this field - Terraform's dependency graph virtually guarantees that the Storage Account ID being specified for the Machine Learning resources exists - as such from our side this ends up being an implementation detail, and thus shouldn't be exposed as a user configurable toggle, and should instead be hard-coded to true.

As such @wuxu92 can you remove this field from the resource and hard-code this field, as requested above?

Thanks!

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tombuildsstuff understand that Terraform's dependency graph can guarantees storage account exists, please note that credentials of storage account are also included in the request of creating datastore, besides checking the existence of storage account, service also needs to validate if the credentials are correct and paths on storage account exist.

By default "skipValidation" is set to false on service side which means if customer does not specify this field in Terraform then validation always happen, which is what we want. As I mentioned above, in some cases validation cannot be applied so customer needs to have an option to skip the validation.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tawan0109

Whilst I understand that, unfortunately this still isn't something we would expose as a user-configurable value - and as such this needs to be hard-coded to true.

There's both behavioural reasons for this (this would differ from other resources in the Provider [example]) and technical reasons for this (for example this would cause issues via import, as is being ignored in the tests here, which would be problematic for users).

It's worth noting that any requirements should be listed in the documentation for the Service, so (presuming those are documented) we can link to that as required from the documentation, as we do elsewhere.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @tawan0109 's investigation, I have updated this PR to hard-coded skip_validation parmeter to true. Thanks a lot to @tombuildsstuff for the great review!

Copy link
Member

@stephybun stephybun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @wuxu92 LGTM 👍

@stephybun stephybun merged commit 5b950fd into hashicorp:main Dec 12, 2023
23 checks passed
@github-actions github-actions bot added this to the v3.85.0 milestone Dec 12, 2023
@wuxu92 wuxu92 deleted the ml/skipvalidation branch December 12, 2023 09:11
stephybun added a commit that referenced this pull request Dec 13, 2023
dduportal pushed a commit to jenkins-infra/azure that referenced this pull request Dec 15, 2023
<Actions>
<action
id="f410411e63aff4bb73a81c2aec1d373cf8a903e63b30dee2006b0030d8a94cc8">
        <h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
            <summary>Update Terraform lock file</summary>
<p>&#34;hashicorp/azurerm&#34; updated from &#34;3.84.0&#34; to
&#34;3.85.0&#34; in file &#34;.terraform.lock.hcl&#34;</p>
            <details>
                <summary>3.85.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.85.0&#xA;FEATURES:&#xA;&#xA;*
New Data Source: `azurerm_locations`
([#23324](hashicorp/terraform-provider-azurerm#23324
New Resource: `azurerm_iotcentral_organization`
([#23132](https://github.com/hashicorp/terraform-provider-azurerm/issues/23132))&#xA;&#xA;ENHANCEMENTS:&#xA;&#xA;*
provider: support for authenticating using Azure Kubernetes Service
Workload Identity
([#23965](hashicorp/terraform-provider-azurerm#23965
dependencies: updating to `v0.65.0` of
`github.com/hashicorp/go-azure-helpers`
([#24222](hashicorp/terraform-provider-azurerm#24222
dependencies: updating to `v0.20231214.1220802` of
`github.com/hashicorp/go-azure-sdk`
([#24246](hashicorp/terraform-provider-azurerm#24246
dependencies: updating to version `v0.20231214.1160726` of
`github.com/hashicorp/go-azure-sdk`
([#24241](hashicorp/terraform-provider-azurerm#24241
dependencies: update `security/automation` to use
`hashicorp/go-azure-sdk`
([#24156](hashicorp/terraform-provider-azurerm#24156
`dataprotection`: updating to API Version `2023-05-01`
([#24143](hashicorp/terraform-provider-azurerm#24143
`kusto`: removing the remnants of the old Resource ID Parsers now this
uses `hashicorp/go-azure-sdk`
([#24238](hashicorp/terraform-provider-azurerm#24238
Data Source: `azurerm_cognitive_account` - export the `identity` block
([#24214](hashicorp/terraform-provider-azurerm#24214
Data Source: `azurerm_monitor_workspace` - add support for the
`default_data_collection_endpoint_id` and
`default_data_collection_rule_id` properties
([#24153](hashicorp/terraform-provider-azurerm#24153
Data Source: `azurerm_shared_image_gallery` - add support for the
`image_names` property
([#24176](hashicorp/terraform-provider-azurerm#24176
`azurerm_dns_txt_record` - allow up to `4096` characters for the
property `record.value`
([#24169](hashicorp/terraform-provider-azurerm#24169
`azurerm_container_app` - support for the `workload_profile_name`
property
([#24219](hashicorp/terraform-provider-azurerm#24219
`azurerm_container_app` - suppot for the `init_container` block
([#23955](hashicorp/terraform-provider-azurerm#23955
`azurerm_hpc_cache_blob_nfs_target` - support for the
`verification_timer_in_seconds` and `write_back_timer_in_seconds`
properties
([#24207](hashicorp/terraform-provider-azurerm#24207
`azurerm_hpc_cache_nfs_target` - support for the
`verification_timer_in_seconds` and `write_back_timer_in_seconds`
properties
([#24208](hashicorp/terraform-provider-azurerm#24208
`azurerm_linux_web_app` - make `client_secret_setting_name` optional and
conflict with `client_secret_certificate_thumbprint`
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_linux_web_app_slot` - make `client_secret_setting_name`
optional and conflict with `client_secret_certificate_thumbprint`
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_linux_web_app` - fix a bug in `app_settings` where settings
could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_linux_web_app_slot` - fix a bug in `app_settings` where
settings could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_log_analytics_workspace` - add support for the
`immediate_data_purge_on_30_days_enabled` property
([#24015](hashicorp/terraform-provider-azurerm#24015
`azurerm_mssql_server` - support for other identity types for the key
vault key
([#24236](hashicorp/terraform-provider-azurerm#24236
`azurerm_machine_learning_datastore_blobstorage` - resource now skips
validation when being created
([#24078](hashicorp/terraform-provider-azurerm#24078
`azurerm_machine_learning_datastore_datalake_gen2` - resource now skips
validation when being created
([#24078](hashicorp/terraform-provider-azurerm#24078
`azurerm_machine_learning_datastore_fileshare` - resource now skips
validation when being created
([#24078](hashicorp/terraform-provider-azurerm#24078
`azurerm_monitor_workspace` - support for the
`default_data_collection_endpoint_id` and
`default_data_collection_rule_id` properties
([#24153](hashicorp/terraform-provider-azurerm#24153
`azurerm_redis_cache` - support for the
`storage_account_subscription_id` property
([#24101](hashicorp/terraform-provider-azurerm#24101
`azurerm_storage_blob` - support for the `source_content` type `Page`
([#24177](hashicorp/terraform-provider-azurerm#24177
`azurerm_web_application_firewall_policy` - support new values to the
`rule_group_name` property
([#24194](hashicorp/terraform-provider-azurerm#24194
`azurerm_windows_web_app` - make the `client_secret_setting_name`
property optional and conflicts with the
`client_secret_certificate_thumbprint` property
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_windows_web_app_slot` - make the `client_secret_setting_name`
property optional and conflicts with the
`client_secret_certificate_thumbprint` property
([#21834](hashicorp/terraform-provider-azurerm#21834
`azurerm_windows_web_app` - fix a bug in `app_settings` where settings
could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_windows_web_app_slot` - fix a bug in `app_settings` where
settings could be lost
([#24221](hashicorp/terraform-provider-azurerm#24221
`azurerm_cognitive_account` - add `ContentSafety` to the `kind` property
validation
([#24205](https://github.com/hashicorp/terraform-provider-azurerm/issues/24205))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* provider: fix an authentication issue with Azure
Storage when running in Azure China cloud
([#24246](hashicorp/terraform-provider-azurerm#24246
Data Source: `azurerm_role_definition` - fix bug where
`role_definition_id` and `scope` were being incorrectly set
([#24211](hashicorp/terraform-provider-azurerm#24211
`azurerm_batch_account` - fix bug where `UserAssigned, SystemAssigned`
could be passed to the resource even though it isn&#39;t supported
([#24204](hashicorp/terraform-provider-azurerm#24204
`azurerm_batch_pool` - fix bug where `settings_json` and
`protected_settings` were not being unmarshaled
([#24075](hashicorp/terraform-provider-azurerm#24075
`azurerm_bot_service_azure_bot` - fix bug where
`public_network_access_enabled` was being set as the value for `LuisKey`
([#24164](hashicorp/terraform-provider-azurerm#24164
`azurerm_cognitive_account_customer_managed_key` - `identity_client_id`
is no longer passed to the api when it is empty
([#24231](hashicorp/terraform-provider-azurerm#24231
`azurerm_linux_web_app_slot` - error when `service_plan_id` is identical
to the parent `service_plan_id`
([#23403](hashicorp/terraform-provider-azurerm#23403
`azurerm_management_group_template_deployment` - fixing a bug where
`template_spec_version_id` couldn&#39;t be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_pim_active_role_assignment` - fix an importing issue by
filtering available role assignments based on the provided `scope`
([#24077](hashicorp/terraform-provider-azurerm#24077
`azurerm_pim_eligible_role_assignment` - fix an importing issue by
filtering available role assignments based on the provided `scope`
([#24077](hashicorp/terraform-provider-azurerm#24077
`azurerm_resource_group_template_deployment` - fixing a bug where
`template_spec_version_id` couldn&#39;t be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_security_center_setting` - fix the casing for the
`setting_name` `Sentinel`
([#24210](hashicorp/terraform-provider-azurerm#24210
`azurerm_storage_account` - Fix crash when checking for
`routingInputs.PublishInternetEndpoints` and
`routingInputs.PublishMicrosoftEndpoints`
([#24228](hashicorp/terraform-provider-azurerm#24228
`azurerm_storage_share_file` - prevent panic when the file specified by
`source` is empty
([#24179](hashicorp/terraform-provider-azurerm#24179
`azurerm_subscription_template_deployment` - fixing a bug where
`template_spec_version_id` couldn&#39;t be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_tenant_template_deployment` - fixing a bug where
`template_spec_version_id` couldn&#39;t be updated
([#24072](hashicorp/terraform-provider-azurerm#24072
`azurerm_virtual_machine` - prevent a panic by nil checking the first
element of `additional_capabilities`
([#24159](hashicorp/terraform-provider-azurerm#24159
`azurerm_windows_web_app_slot` - error when `service_plan_id` is
identical to the parent `service_plan_id`
([#23403](https://github.com/hashicorp/terraform-provider-azurerm/issues/23403))&#xA;&#xA;&#xA;</pre>
            </details>
        </details>
<a
href="https://infra.ci.jenkins.io/job/terraform-jobs/job/azure/job/main/942/">Jenkins
pipeline link</a>
    </action>
</Actions>

---

<table>
  <tr>
    <td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
    </td>
    <td>
      <p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
      </p>
      <details><summary>Options:</summary>
        <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
        <ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
        </ul>
        <p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
        </p>
      </details>
    </td>
  </tr>
</table>

Co-authored-by: Jenkins Infra Bot (updatecli) <[email protected]>
Copy link

github-actions bot commented May 3, 2024

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants