terraform-provider-databricks
[ISSUE] Issue with `databricks_secret_acl` resource - Cannot work with account level groups
Configuration
```hcl
terraform {
  required_providers {
    databricks = {
      source  = "databricks/databricks"
      version = "~> 1.56.0"
    }
  }
}

# Account-level provider: used for the account group and the workspace assignment.
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.azuredatabricks.net"
  account_id = "<databricksAccountId>"
}

# Workspace-level provider: used for the secret scope and the secret ACL.
provider "databricks" {
  alias                       = "workspace"
  host                        = "adb-<databricksWorkspaceId>.10.azuredatabricks.net"
  azure_workspace_resource_id = "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Databricks/workspaces/<databricksWorkspaceName>"
}

# Group created at the account level.
resource "databricks_group" "account_group" {
  display_name = "GROUP-A45"
  provider     = databricks.account
}

# Assign the account group to the workspace so it becomes a workspace principal.
resource "databricks_mws_permission_assignment" "workspace_group" {
  workspace_id = "<databricksWorkspaceId>"
  principal_id = databricks_group.account_group.id
  permissions  = ["USER"]
  provider     = databricks.account
}

# Azure Key Vault-backed secret scope in the workspace.
resource "databricks_secret_scope" "team" {
  name = "Scope_A45_team"
  keyvault_metadata {
    resource_id = "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.KeyVault/vaults/keyvaulttesta45"
    dns_name    = "https://keyvaulttesta45.vault.azure.net/"
  }
  provider = databricks.workspace
}

# Grant the group READ on the scope; the principal is the group's display name.
resource "databricks_secret_acl" "team_acl" {
  principal  = databricks_group.account_group.display_name
  permission = "READ"
  scope      = databricks_secret_scope.team.name
  provider   = databricks.workspace
}
```
Expected Behavior
This configuration should work without issue
Actual Behavior
When running terraform apply, we run into the following error:
```text
databricks_group.account_group: Creating...
databricks_secret_scope.team: Creating...
databricks_group.account_group: Creation complete after 2s [id=980426357238593]
databricks_mws_permission_assignment.workspace_group: Creating...
databricks_secret_scope.team: Creation complete after 4s [id=Scope_A45_team]
databricks_secret_acl.team_acl: Creating...
databricks_mws_permission_assignment.workspace_group: Creation complete after 5s [id=25518447772330|980426357238593]
╷
│ Error: cannot create secret acl: User or Group GROUP-A45 does not exist.
│
│   with databricks_secret_acl.team_acl,
│   on main.tf line 41, in resource "databricks_secret_acl" "team_acl":
│   41: resource "databricks_secret_acl" "team_acl" {
│
╵
```
Steps to Reproduce
terraform apply (sometimes it doesn't reproduce the issue; you need to terraform destroy and then try again)
Terraform and provider versions
```text
$ terraform version
Terraform v1.9.8
on windows_amd64
+ provider registry.terraform.io/databricks/databricks v1.56.0
```
Is it a regression?
I don't think so.
Debug Output
I sniffed the API calls that were made by the provider:
Important Factoids
I tried using the account-level provider for databricks_secret_acl, but this is not allowed.
I also tried adding this depends_on block to the databricks_secret_acl resource, without any better luck:
```hcl
depends_on = [
  databricks_mws_permission_assignment.workspace_group
]
```
Would you like to implement a fix?
No, sorry
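The intermittent reproduction (it fails on a fresh apply, and `depends_on` on the permission assignment does not help) is what you would see if the account group only becomes a workspace principal some time after the permission assignment returns, while the secret ACL call is made immediately and the Secrets API rejects a principal the workspace does not know yet. The example below is an added illustration of the check a practitioner would put in front of that call outside Terraform (for instance as a pre-apply script for the ACL step); it is not code from this issue or from terraform-provider-databricks. It assumes the workspace SCIM groups endpoint (`GET /api/2.0/preview/scim/v2/Groups` with a `displayName eq "<name>"` filter), the Secrets ACL endpoint (`POST /api/2.0/secrets/acls/put` with `scope`, `principal`, `permission`), bearer-token authentication, and an injected HTTP layer so the logic can be exercised offline against a constructed fake workspace in which the group becomes visible only after a few lookups.

```python
"""Wait for an account group to appear in the workspace, then grant the secret ACL.

Added example, not code from the issue or from terraform-provider-databricks.
Assumptions (not stated in the issue):
  * workspace SCIM endpoint: GET /api/2.0/preview/scim/v2/Groups?filter=displayName eq "<name>"
  * secret ACL endpoint:     POST /api/2.0/secrets/acls/put  {"scope", "principal", "permission"}
  * a bearer token for the workspace; the HTTP layer is injected so the logic runs offline.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Signature of the injected HTTP layer: (method, path, json_body) -> parsed JSON response.
HttpJson = Callable[[str, str, Optional[dict]], dict]

SECRET_ACL_PERMISSIONS = {"READ", "WRITE", "MANAGE"}


def make_http_json(workspace_url: str, token: str) -> HttpJson:
    """Real HTTP layer for a workspace URL such as https://adb-<id>.10.azuredatabricks.net."""
    def http_json(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            workspace_url.rstrip("/") + path,
            data=data,
            method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return http_json


def workspace_group_exists(http_json: HttpJson, display_name: str) -> bool:
    """True once the workspace SCIM API lists a group with this display name."""
    # Quote the name inside the SCIM filter, then URL-encode the whole expression.
    filt = urllib.parse.quote(f'displayName eq "{display_name}"')
    resp = http_json("GET", f"/api/2.0/preview/scim/v2/Groups?filter={filt}", None)
    return any(g.get("displayName") == display_name for g in resp.get("Resources", []))


def wait_for_workspace_group(http_json: HttpJson, display_name: str, attempts: int = 10,
                             delay_s: float = 3.0, sleep=time.sleep) -> int:
    """Poll until the group is visible; returns the attempt number that succeeded."""
    for attempt in range(1, attempts + 1):
        if workspace_group_exists(http_json, display_name):
            return attempt
        sleep(delay_s)
    raise TimeoutError(f"group {display_name!r} not visible in workspace after {attempts} attempts")


def put_secret_acl(http_json: HttpJson, scope: str, principal: str, permission: str) -> dict:
    """Create or update the ACL; the same (scope, principal) can be re-put safely."""
    if permission not in SECRET_ACL_PERMISSIONS:
        raise ValueError(f"permission must be one of {sorted(SECRET_ACL_PERMISSIONS)}")
    body = {"scope": scope, "principal": principal, "permission": permission}
    http_json("POST", "/api/2.0/secrets/acls/put", body)
    return body


def grant_after_provisioning(http_json: HttpJson, scope: str, group: str, permission: str,
                             **wait_kwargs) -> int:
    """The guarded sequence: wait for the group to exist in the workspace, then write the ACL."""
    attempts = wait_for_workspace_group(http_json, group, **wait_kwargs)
    put_secret_acl(http_json, scope, group, permission)
    return attempts


class FakeWorkspace:
    """Constructed stand-in for a workspace (not a real API): the group becomes visible
    only after `visible_after` SCIM lookups, mimicking the delay between the permission
    assignment returning and the workspace-level group existing."""

    def __init__(self, group: str, visible_after: int):
        self.group, self.visible_after, self.lookups, self.acls = group, visible_after, 0, []

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        if method == "GET" and path.startswith("/api/2.0/preview/scim/v2/Groups"):
            self.lookups += 1
            asked_for_us = f'"{self.group}"' in urllib.parse.unquote(path)
            if asked_for_us and self.lookups >= self.visible_after:
                return {"Resources": [{"displayName": self.group, "id": "1"}]}
            return {"Resources": []}
        if method == "POST" and path == "/api/2.0/secrets/acls/put":
            if self.lookups < self.visible_after:  # the failure the issue reports
                raise RuntimeError(f"User or Group {body['principal']} does not exist.")
            self.acls.append(body)
            return {}
        raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    fake = FakeWorkspace("GROUP-A45", visible_after=3)
    n = grant_after_provisioning(fake, "Scope_A45_team", "GROUP-A45", "READ",
                                 attempts=5, delay_s=0.0, sleep=lambda _: None)
    print(f"ACL written after {n} lookups: {fake.acls}")
```

Against a real workspace, replace the fake with `make_http_json("https://adb-<id>.10.azuredatabricks.net", token)` and keep a non-zero `delay_s`; the point of the structure is that the ACL is never attempted until the workspace itself reports the group, and a bounded number of attempts turns a silent race into an explicit `TimeoutError` rather than a half-applied plan.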