terraform-provider-databricks

[FEATURE] Token Expiry is available in Terraform

Open ShaneMazur opened this issue 7 months ago • 2 comments

Use-cases

We write token values (regular tokens and OBO) out to external tools (ex. OnePassword items). With Databricks now enforcing token expiry, we need to ensure end users are aware of when the tokens will expire so they may request new ones if required.

Attempted Solutions

Not so much attempted as proposed and shot down:

  1. Calculate expiry time automatically when token resources are created. Use that in creating other items.
  2. Create a time_static resource whenever we create a token to track when tokens are created. Could also be done for when they expire.

The main issue with either of these is that it breaks if a resource downstream of the token fails to provision (either the time_static or the onepassword item). In addition, it would require regeneration of all tokens, since we wouldn't have done this for existing tokens and it must be done on creation.

Proposal

Token resources include creation, expiry, etc. in their attribute reference, as it is in the REST API (POST & GET)

References

ShaneMazur, Apr 16 '25 20:04

Hi @ShaneMazur, thanks for raising this issue. Generally speaking, we are recommending people switch from using PATs to OAuth. For automation use-cases, you would use a service principal. The databricks_service_principal_secret resource does include expiry_time: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/service_principal_secret#expire_time-1. Can you use service principals instead of tokens for your use case?

mgyucht, May 01 '25 11:05

@mgyucht We'd be happy to use the OAuth credentials over a PAT for the service principal; however, there are still many (I'd even say most) downstream applications that still only accept the token (especially BI applications).

ShaneMazur, May 01 '25 20:05
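The issue asks for the creation and expiry values that the token REST API already returns. As an added example (not part of this thread and not the provider's code), the sketch below classifies tokens by expiry from a token-list response body, which also covers existing tokens without regenerating them. It assumes the `token_infos` / `expiry_time` (epoch milliseconds, `-1` for no expiry) response shape of the Databricks Token API 2.0; the sample data, `REF_NOW` and the 14-day warning window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

REF_NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def _ms(dt):
    """Epoch milliseconds, the unit assumed for creation_time / expiry_time."""
    return int(dt.timestamp() * 1000)


# Constructed sample shaped like a token-list response body (assumed shape).
SAMPLE_RESPONSE = json.dumps({"token_infos": [
    {"token_id": "t-ok", "comment": "bi-dashboard",
     "creation_time": _ms(REF_NOW - timedelta(days=30)),
     "expiry_time": _ms(REF_NOW + timedelta(days=60))},
    {"token_id": "t-legacy", "comment": "created before enforcement",
     "creation_time": _ms(REF_NOW - timedelta(days=400)),
     "expiry_time": -1},
    {"token_id": "t-soon", "comment": "etl-job",
     "creation_time": _ms(REF_NOW - timedelta(days=85)),
     "expiry_time": _ms(REF_NOW + timedelta(days=5))},
    {"token_id": "t-expired", "comment": "old-report",
     "creation_time": _ms(REF_NOW - timedelta(days=92)),
     "expiry_time": _ms(REF_NOW - timedelta(days=2))},
]})


def expiry_report(body, now, warn_within=timedelta(days=14)):
    """Return (token_id, comment, expires_at, status) rows, soonest expiry first."""
    rows = []
    for info in json.loads(body).get("token_infos", []):
        raw = info.get("expiry_time", -1)
        if raw is None or raw < 0:
            # No expiry recorded: worth flagging separately from "ok".
            expires_at, status = None, "no-expiry"
        else:
            expires_at = datetime.fromtimestamp(raw / 1000, tz=timezone.utc)
            if expires_at <= now:
                status = "expired"
            elif expires_at - now <= warn_within:
                status = "expiring"
            else:
                status = "ok"
        rows.append((info["token_id"], info.get("comment", ""), expires_at, status))
    # Tokens without an expiry sort last; the rest by expiry time.
    rows.sort(key=lambda r: (r[2] is None, r[2] or now))
    return rows


if __name__ == "__main__":
    for token_id, comment, expires_at, status in expiry_report(SAMPLE_RESPONSE, REF_NOW):
        when = expires_at.isoformat() if expires_at else "never"
        print(f"{status:10} {token_id:10} {when:26} {comment}")
```

The `expires_at` value is what would be written alongside the token in the external secret store so end users can see when to request a new one.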