terraform-provider-databricks

[ISSUE] Resource `databricks_entitlements` fails when configuring `users` group

Open liahagan opened this issue 2 years ago • 3 comments

Configuration

data "databricks_group" "users" {
  display_name = "users"
}

resource "databricks_entitlements" "users" {
  group_id              = data.databricks_group.users.id
  databricks_sql_access = false
}

Expected Behavior

Entitlements of the users group should be updated to reflect the Terraform configuration.

Actual Behavior

Apply stage fails with the error message:

Error: cannot create entitlements: Error in performing the patch operation on group resource.

Steps to Reproduce

  1. terraform apply

Terraform and provider versions

Terraform v1.3.5
on linux_amd64
+ provider registry.terraform.io/databricks/databricks v1.7.0
+ provider registry.terraform.io/hashicorp/azuread v2.31.0
+ provider registry.terraform.io/hashicorp/azurerm v3.36.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.9.1

Debug Output

Group ID has been replaced with dummy value.

2022-12-20T16:28:13.136+0100 [DEBUG] provider.terraform-provider-databricks_v1.7.0: PATCH /api/2.0/preview/scim/v2/Groups/123456789098765 {
  "Operations": [
    {
      "op": "add",
      "path": "entitlements",
      "value": null
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}: timestamp=2022-12-20T16:28:13.136+0100
2022-12-20T16:28:13.541+0100 [DEBUG] provider.terraform-provider-databricks_v1.7.0: 500 Internal Server Error {
  "detail": "Error in performing the patch operation on group resource.",
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "status": "500"
}: timestamp=2022-12-20T16:28:13.541+0100

Important Factoids

  • This only happens with the users group. Terraform behaves as expected when configuring other groups with databricks_entitlements.
  • Using Azure Databricks
  • Unity Catalog and identity federation are enabled for the workspace

liahagan, Dec 20 '22 15:12

@liahagan I reproduced the issue when only false is set for databricks_sql_access and workspace_access. Can you check whether it works in your environment when true is set on either one?

TakeshiMatsukura, Dec 21 '22 01:12

@TakeshiMatsukura I tried with the config below which was applied without error in Terraform. However, Databricks SQL access has not been disabled when looking in the admin console. I think this is the same issue as reported in #1860, which I was able to fix by running apply again.

resource "databricks_entitlements" "users" {
  group_id                   = data.databricks_group.users.id
  allow_cluster_create       = false
  allow_instance_pool_create = false
  databricks_sql_access      = false
  workspace_access           = true
}

I then changed the config so all entitlements were false, and this was recognized in the Terraform plan with ~ workspace_access = true -> false. But after applying the change, the workspace access entitlement was still active. This was still the case after multiple attempts.

liahagan, Dec 21 '22 17:12
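A post-apply check for the symptom reported in this thread, where the plan or apply looks fine but the group's real entitlements do not match the configuration. This is an added example, not code from the provider or from any commenter. It assumes the SCIM group resource lists entitlements as objects with a `value` field and that the Terraform attributes map to the hyphenated entitlement names shown; the sample JSON is constructed.

```python
import json

# Assumed mapping: Terraform attribute -> SCIM entitlement value.
TF_TO_SCIM = {
    "allow_cluster_create": "allow-cluster-create",
    "allow_instance_pool_create": "allow-instance-pool-create",
    "databricks_sql_access": "databricks-sql-access",
    "workspace_access": "workspace-access",
}

def entitlement_drift(desired, scim_group):
    """Return {attribute: (wanted, actual)} for every entitlement that differs.

    desired    -- dict of Terraform attribute -> bool (unset attributes are skipped)
    scim_group -- parsed JSON body of GET .../scim/v2/Groups/<id>
    """
    # A group with no entitlements may omit the key or carry null.
    granted = {e["value"] for e in (scim_group.get("entitlements") or [])}
    drift = {}
    for attr, wanted in desired.items():
        actual = TF_TO_SCIM[attr] in granted
        if actual != wanted:
            drift[attr] = (wanted, actual)
    return drift

def is_null_entitlements_patch(body):
    """True if a PatchOp body has the shape seen in the debug output above:
    an "add" on path "entitlements" whose value is null or empty."""
    return any(
        op.get("op") == "add" and op.get("path") == "entitlements"
        and not op.get("value")
        for op in body.get("Operations", [])
    )

# Constructed sample: group state after an apply that reported success.
SAMPLE_GROUP = json.loads("""
{"displayName": "users", "id": "123456789098765",
 "entitlements": [{"value": "workspace-access"},
                  {"value": "databricks-sql-access"}]}
""")
ALL_FALSE = {attr: False for attr in TF_TO_SCIM}

if __name__ == "__main__":
    for attr, (wanted, actual) in entitlement_drift(ALL_FALSE, SAMPLE_GROUP).items():
        print(f"DRIFT {attr}: configured={wanted} actual={actual}")
```

Run against the live group JSON after each apply, a non-empty result means the entitlement the configuration revokes is still granted, which is the case the admin console check in this comment caught by hand.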

I tried the latest Databricks provider, but it made no difference; it doesn't work. Will anyone from the Databricks team take this into development?

untiro, Feb 12 '24 12:02