Dear All,

Hope everyone is doing great!

Would appreciate some help with an issue I am facing while calling an API via Terraform Enterprise to diable the "Public Network Access" on Synapse Workspace.

Background : We are planning to use CMK encryption, Managed Vnet, Private Endpoints etc. in Synapse workspace and to achieve that Terraform needs to talk to Synapse via public endpoint due to which we cannot create the Synapse workspace with "Public Network Access Disabled" , and decided to Disable the "Public Newtork Access" after the resource is provisioned and activated.

Issue : Using the below API Call (Reference - https://docs.microsoft.com/en-us/rest/api/synapse/workspaces/create-or-update#code-try-0)

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/provi...

Body : { "properties": { "publicNetworkAccess": "Disabled" }, "location" : "australiaeast" }

Error :
{
"code": "ValidationFailed",
"message": "Workspace request validation failed, check error details for more information",
"details": [
{
"code": "DefaultDataLakeStorageCannotBeRemoved",
"message": "Default data lake storage cannot be removed"
},
{
"code": "ManagedVnetCannotBeChanged",
"message": "Managed virtual network cannot be changed after the workspace is created."
},
{
"code": "CustomerManagedKeyOperationNotAllowed",
"message": "Customer Managed Key cannot be removed from a workspace after provisioning."
},
{
"code": "PublicNetworkAccessSettingsOnlyApplicableForManagedVnet",
"message": "You can only set Public Network Access to \"Disabled\" for Synapse workspace associated with managed VNet."
}
]
}

Would appreciate any suggestions/pointers to understand why the validation fails for those properties which we are not even trying to change?

Best Regards
Rahul