terraform-provider-databricks icon indicating copy to clipboard operation
terraform-provider-databricks copied to clipboard
verified publisher icon databricks

[ISSUE] Issue with `databricks_workspace_binding` resource

Open DucNM11 opened this issue 1 year ago • 5 comments

Configuration

resource "databricks_external_location" "checkpointing" {
  name            = "${var.environment}_${azurerm_storage_container.checkpointing.name}"
  url             = "abfss://${azurerm_storage_container.checkpointing.name}@${azurerm_storage_account.datalake.name}.dfs.core.windows.net/"
  credential_name = databricks_storage_credential.datalake_storage_account.name
  comment         = "Managed by TF"
  isolation_mode  = "ISOLATED"
  force_destroy   = true
  force_update    = true
}

resource "databricks_workspace_binding" "checkpointing" {
  workspace_id   = azurerm_databricks_workspace.databricks_workspace.workspace_id
  securable_name = databricks_external_location.checkpointing.name
  securable_type = "external-location"
}

Expected Behavior

The two resources are destroyed successfully

Actual Behavior

│ Error: cannot delete external location: External Location '***' is not accessible in current workspace

Because of this behavior, tearing down related resources can only be done with workaround/manual intervention

Steps to Reproduce

DucNM11 avatar Aug 14 '24 13:08 DucNM11

I'm having this problem also. Any updates? I found this related issue: https://github.com/databricks/terraform-provider-databricks/issues/4305

devlucasc avatar Dec 27 '24 14:12 devlucasc

The workaround we found was to use the cli to restore access to the resource after deleting the binding. Here, we run it through local-exec from null_resource.

resource "databricks_external_location" "this" {
....
}

resource "databricks_workspace_bindings" "restrict_this_to_workspace1" {
....
}

resource "null_resource" "post_delete_el_input" {
   depends_on = [ databricks_workspace_binding.restrict_this_to_workspace1 ]

    provisioner "local-exec" {
      command = "databricks -p profile-workspace1 update-bindings external_location ${databricks_external_location.this.name} --json '{\"add\": [{\"workspace_id\": \"1234123412341234\", \"bingin_type\": \"BINDING_TYPE_READ_WRITE\"}]}'"
    }
]

Bernolt avatar Mar 21 '25 22:03 Bernolt

Hi everyone,

I believe I'm encountering a related issue and wanted to share my experience:

Initially, I created a workspace binding for a catalog using the databricks_workspace_binding resource. Later, I commented out the relevant tfvars values (e.g., workspace_id, securable_name, binding_type), which caused Terraform to destroy the binding. As expected, the catalog was moved to the "Outside this Workspace" section in the UI.

I then manually reassigned the catalog back to the workspace through the Databricks UI, which worked as expected. When I re-applied the Terraform config (uncommenting the values), it didn't throw any errors, and it appeared to be attempting to reapply the binding, which I assume is Terraform's way of syncing the state.

However, if I had not manually reassigned the catalog and simply uncommented the values before reapplying the Terraform config, I encountered the following error:

Error: cannot read catalog: Catalog 'XXXXX' is not accessible in current workspace

This seems to point to the issue where Terraform struggles to manage a securable once the binding has been removed, which aligns with other reports in this thread.

From what I've gathered, when the binding is removed, the catalog no longer belongs to the workspace, which makes it inaccessible for the workspace-level provider. This is a bit confusing, especially since my service principal governing the deployment has metastore admin privileges. Additionally, if I attempt to use the account-level provider, I get the expected error, indicating that it can't be used with databricks_workspace_binding, which requires a workspace-level provider.

Is there any official update or a recommended workaround for this situation? Or is the CLI intervention (as mentioned above) still the only viable option?

Thanks in advance for any insights!

KARTIKEYA47JAIN avatar Aug 08 '25 11:08 KARTIKEYA47JAIN

We also have this issue and having to build a whole manual workaround process. Any update on a permanent fix?

In a private repo, but would be happy to share the Github Actions log if that's useful? https://github.com/EECA-NZ/az-l4-databricks-tf/issues/14

billgeo avatar Sep 16 '25 00:09 billgeo

Hi,

Any updates on this? We have the same problem when destroying the external locations with isolation mode ISOLATED with its workspace binding.

databricks_workspace_binding.uc_external_locations_bindings["cz_comm_telemetry-common"]: Destroying... [id=7468699070917090|external_location|loc-landa-uc-sbx-cz-comm-telemetry]
databricks_workspace_binding.uc_external_locations_bindings["cz_comm_telemetry-common"]: Destruction complete after 2s
databricks_grants.external_location_grants["cz_comm_telemetry"]: Destroying... [id=external_location/loc-landa-uc-sbx-cz-comm-telemetry]

╷
│ Error: cannot delete grants: External Location 'loc-landa-uc-sbx-cz-comm-telemetry' is not accessible in current workspace
│ 
│ 
╵

leireroman12 avatar Nov 17 '25 11:11 leireroman12