Try to disable CMK
magodo committed Jan 16, 2026
commit 7d8487e5504ff96b852dea7a64ca6b102ec4c402
49 changes: 34 additions & 15 deletions internal/services/databricks/databricks_workspace_resource.go
Expand Up @@ -1237,14 +1237,16 @@ func resourceDatabricksWorkspaceUpdate(d *pluginsdk.ResourceData, meta interface
KeyVaultUri: key.KeyVaultBaseUrl,
},
}
}

if rotationEnabled := d.Get("managed_disk_cmk_rotation_to_latest_version_enabled").(bool); rotationEnabled {
encrypt.Entities.ManagedDisk.RotationToLatestKeyVersionEnabled = pointer.To(rotationEnabled)
if rotationEnabled := d.Get("managed_disk_cmk_rotation_to_latest_version_enabled").(bool); rotationEnabled {
encrypt.Entities.ManagedDisk.RotationToLatestKeyVersionEnabled = pointer.To(rotationEnabled)
}
}

if setEncrypt {
props.Encryption = encrypt
} else {
props.Encryption = nil
}

enhancedSecurityCompliance := d.Get("enhanced_security_compliance")
Expand All @@ -1255,22 +1257,39 @@ func resourceDatabricksWorkspaceUpdate(d *pluginsdk.ResourceData, meta interface
// The order matters, especially when the user both update the tags and enables the `managed_disk_cmk_rotation_to_latest_version_enabled` together.
// Enabling `managed_disk_cmk_rotation_to_latest_version_enabled` will cause updating the `tags` (via PATCH) on the managed resources requires additional
// data plane roles on the `managed_disk_identity.0.principal_id`, which is only available after enabling `managed_disk_cmk_rotation_to_latest_version_enabled`.
//
// For this reason, patch the `tags` first (before enabling the `managed_disk_cmk_rotation_to_latest_version_enabled`), then update the workspace as a whole via
// the PUT.
if d.HasChange("tags") {
workspaceUpdate := workspaces.WorkspaceUpdate{
Tags: tags.Expand(d.Get("tags").(map[string]interface{})),
if d.HasChange("managed_disk_cmk_rotation_to_latest_version_enabled") && d.Get("managed_disk_cmk_rotation_to_latest_version_enabled").(bool) {
// When this change enables the `managed_disk_cmk_rotation_to_latest_version_enabled`, do the patch first.
if d.HasChange("tags") {
workspaceUpdate := workspaces.WorkspaceUpdate{
Tags: tags.Expand(d.Get("tags").(map[string]interface{})),
}

err := client.UpdateThenPoll(ctx, *id, workspaceUpdate)
if err != nil {
return fmt.Errorf("updating %s Tags: %+v", id, err)
}
}
if err := client.CreateOrUpdateThenPoll(ctx, *id, model); err != nil {
return fmt.Errorf("updating %s: %+v", id, err)
}
} else {
// On the other hand, if there is no change on `managed_disk_cmk_rotation_to_latest_version_enabled` or disabling it, a normal module will most likely also
// has the role assigned on the `managed_disk_identity.0.principal_id` revoked during the execution (i.e. the revert order of the creation dependency).
// In this case, we need to PUT the workspace first to disable disk encryption auto rotation first, then patch the tags (so there is no access to the key vault).
if err := client.CreateOrUpdateThenPoll(ctx, *id, model); err != nil {
return fmt.Errorf("updating %s: %+v", id, err)
}
if d.HasChange("tags") {
workspaceUpdate := workspaces.WorkspaceUpdate{
Tags: tags.Expand(d.Get("tags").(map[string]interface{})),
}

err := client.UpdateThenPoll(ctx, *id, workspaceUpdate)
if err != nil {
return fmt.Errorf("updating %s Tags: %+v", id, err)
err := client.UpdateThenPoll(ctx, *id, workspaceUpdate)
if err != nil {
return fmt.Errorf("updating %s Tags: %+v", id, err)
}
}
}
if err := client.CreateOrUpdateThenPoll(ctx, *id, model); err != nil {
return fmt.Errorf("updating %s: %+v", id, err)
}

return resourceDatabricksWorkspaceRead(d, meta)
}
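Review bot: The `else` branch that sets `props.Encryption = nil` makes the update PUT send no encryption block whenever `setEncrypt` is false, which presumably takes the workspace off customer-managed keys, and nothing at that line says so. `setEncrypt` is assigned above the visible hunk, so confirm it is false only when the configuration really has no customer-managed key left, not when a key lookup was merely skipped. I would add a comment on the branch, for example `// No CMK configured: send nil so the PUT removes customer-managed key encryption from the workspace.`, and cover the path with an acceptance step that removes the keys. The body of resourceDatabricksWorkspaceUpdate starts outside this hunk.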
Expand Up @@ -341,6 +341,13 @@ func TestAccDatabricksWorkspace_managedDiskCMKRotation(t *testing.T) {
),
},
data.ImportStep("custom_parameters.0.public_subnet_network_security_group_association_id", "custom_parameters.0.private_subnet_network_security_group_association_id"),
{
Config: r.managedDiskCMKRotationDisabled(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep("custom_parameters.0.public_subnet_network_security_group_association_id", "custom_parameters.0.private_subnet_network_security_group_association_id"),
})
}
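Review bot: The added `managedDiskCMKRotationDisabled` step asserts only `ExistsInAzure(r)`, so it would still pass if the update left key rotation enabled on the workspace. Add a state assertion beside it, for example `check.That(data.ResourceName).Key("managed_disk_cmk_rotation_to_latest_version_enabled").HasValue("false"),`. The config helper is not visible here, so whether this step also exercises the path that clears `props.Encryption` cannot be told from the hunk. The test function starts outside the hunk.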
