
azurerm_machine_learning_workspace - support service_side_encryption_enabled property #30478

Merged
catriona-m merged 5 commits into hashicorp:main from teowa:aml-service-side-encryption on Sep 23, 2025

teowa (Collaborator) commented Aug 26, 2025

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

azurerm_machine_learning_workspace - support service_side_encryption_enabled property

PR Checklist

  • I have followed the guidelines in our Contributing Documentation.
  • I have checked to ensure there aren't other open Pull Requests for the same update/change.
  • I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
  • I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
  • I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
    For example: “resource_name_here - description of change e.g. adding property new_property_name_here

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevant documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
  • (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Tests pass except two that are not related to this PR

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

  • azurerm_machine_learning_workspace - support service_side_encryption_enabled property [GH-00000]

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

Fixes #30177

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the provider.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

WodansSon (Collaborator) left a comment

@teowa, thanks for opening this PR, I have given it a look and while it mostly LGTM, I think there are some issues that need to be addressed or clarified. I have left a few comments, have a look when you get a chance. Thanks! 🚀

Optional: true,
ForceNew: true,
Default: false,
RequiredWith: []string{"encryption"},
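
Review bot: `RequiredWith: []string{"encryption"}` on the last line constrains only this field, and it is easy to read as the reverse dependency; a one-line comment above it stating that `encryption` can still be set on its own would remove the ambiguity. Because the field is also `ForceNew: true`, any later change of the value replaces the workspace, so the direction of the constraint is worth spelling out.
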
Collaborator

Since this new field is RequiredWith the existing field encryption, wouldn't this be a breaking change? Users that already have existing instances with encryption defined would now get an error stating the service_side_encryption_enabled is required? If so, wouldn't that also potentially lead to customer data loss since both of these fields are marked as ForceNew? Looking at the learn documentation it looks like the two are not required to be linked together:

Collaborator Author

Hi @WodansSon, the RequiredWith here means if service_side_encryption_enabled is set, encryption block must be specified. From Azure Portal, the Use service-side encryption option can only be enabled after Encrypt data using a customer managed key is selected.


* `serverless_compute` - (Optional) A `serverless_compute` block as defined below.

* `service_side_encryption_enabled` - (Optional) Whether to enable service-side encryption with customer-managed keys (CMK). Default to `false`. Changing this forces a new resource to be created.
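
Review bot: the `service_side_encryption_enabled` entry reads "Default to `false`" where the sentence needs "Defaults to `false`", and it does not say that the `encryption` block has to be present when this field is set. Suggest adding that requirement to the entry so the constraint is visible to users without reading the schema.
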
Collaborator

Is this correct? Since the existing encryption field actually has the CMK implementation and this is for enabling service side encryption, which infers that the certificate which is used for the encryption will be supplied by the service? We should also add a critical note stating that When you use service-side encryption, Azure charges will continue to accrue during the soft delete retention period.

Collaborator Author

service_side_encryption_enabled indicates that the infrastructure needed for implementing a customer-managed key (CMK) is no longer present in the customer's subscription. You can find more information at this link.

Previously, when using a customer-managed key, Azure Machine Learning creates a secondary resource group in your subscription which contains additional resources. With this preview, this is no longer needed and all service metadata will be encrypted service-side.


note added

sku_name = "Basic"
high_business_impact = true
public_network_access_enabled = true
service_side_encryption_enabled = true
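
Review bot: `service_side_encryption_enabled = true` is hard-coded on the last line of this configuration, so the fixture can only exercise the enabled path. Taking the value as a template parameter would let the same configuration also cover `false` together with an `encryption` block.
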
Collaborator

I think we need more tests for this specifically, the existing test cases only test the positive test case, where service_side_encryption_enabled is always true. We need to have tests that verify that you can have the service_side_encryption_enabled false and the encryption field with a user defined CMK (default, classic mode). service_side_encryption_enabled true without the encryption field being defined, etc.

teowa (Collaborator Author), Sep 5, 2025

Test added for service_side_encryption_enabled false and the encryption field with a user defined CMK.
This case is not allowed: service_side_encryption_enabled true without the encryption field being defined.
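
The three combinations discussed in this thread, written out as Terraform configuration. This is an added example, not part of the PR or the provider's test suite; the `ws` variable, its keys and the resource names are placeholders, and the `encryption` block arguments are those of the existing resource.

```hcl
# Added example: two alternative workspaces shown side by side; deploy one.
# Every value under var.ws is a placeholder supplied by the caller.
variable "ws" {
  type = map(string)
}

# Classic CMK mode: encryption block only; the flag keeps its default (false).
resource "azurerm_machine_learning_workspace" "classic_cmk" {
  name                    = "example-classic-cmk"
  location                = var.ws["location"]
  resource_group_name     = var.ws["resource_group_name"]
  application_insights_id = var.ws["application_insights_id"]
  key_vault_id            = var.ws["key_vault_id"]
  storage_account_id      = var.ws["storage_account_id"]

  identity {
    type = "SystemAssigned"
  }

  encryption {
    key_vault_id = var.ws["cmk_key_vault_id"]
    key_id       = var.ws["cmk_key_id"]
  }
}

# Service-side mode: the flag is set together with the encryption block.
# Both settings force a new resource, so pick the mode at creation time.
resource "azurerm_machine_learning_workspace" "service_side" {
  name                            = "example-service-side"
  location                        = var.ws["location"]
  resource_group_name             = var.ws["resource_group_name"]
  application_insights_id         = var.ws["application_insights_id"]
  key_vault_id                    = var.ws["key_vault_id"]
  storage_account_id              = var.ws["storage_account_id"]
  service_side_encryption_enabled = true

  identity {
    type = "SystemAssigned"
  }

  encryption {
    key_vault_id = var.ws["cmk_key_vault_id"]
    key_id       = var.ws["cmk_key_id"]
  }
}

# Rejected at validation: service_side_encryption_enabled = true on a
# workspace that has no encryption block.
```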

teowa (Collaborator Author) commented Sep 19, 2025

Hi @WodansSon, thank you for reviewing this. I have updated the code; could you please take another look?
All tests are passing except for the _requiresImport tests, which will be addressed in #30653. Also, TestAccMachineLearningWorkspaceNetworkOutboundRulePrivateEndpoint_redis is unrelated to this PR.

catriona-m self-assigned this on Sep 22, 2025

catriona-m (Member) left a comment

Thanks @teowa LGTM!

catriona-m dismissed WodansSon’s stale review on September 23, 2025 13:39

comments addressed

catriona-m merged commit b377570 into hashicorp:main on Sep 23, 2025
34 checks passed
github-actions bot added this to the v4.46.0 milestone on Sep 23, 2025
github-actions (Contributor) commented

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators on Oct 24, 2025

Successfully merging this pull request may close these issues.

Support for the enablement of Service-side encryption when deploying the azure machine learning workspaces
