terraform-provider-databricks
[FEATURE] Token Expiry is available in Terraform
Use-cases
We write token values (regular tokens and OBO) out to external tools (ex. OnePassword items). With Databricks now enforcing token expiry, we need to ensure end users are aware of when the tokens will expire so they may request new ones if required.
Attempted Solutions
Not so much attempted as proposed and shot down:
- Calculate expiry time automatically when token resources are created. Use that in creating other items.
- Create a time_static resource whenever we create a token to track when tokens are created. Could also be done for when they expire.
The main issue with either of these is that it breaks if a resource downstream of the token fails to provision (either the time_static or the onepassword item). In addition, it would require regeneration of all tokens, since we wouldn't have done this for existing tokens and it must be done on creation.
Proposal
token resources include creation, expiry, etc in their attribute reference as it is in the REST API (POST & GET
References
Hi @ShaneMazur, thanks for raising this issue. Generally speaking, we are recommending people switch from using PATs to OAuth. For automation use-cases, you would use a service principal. The databricks_service_principal_secret resource does include expiry_time: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/service_principal_secret#expire_time-1. Can you use service principals instead of tokens for your use case?
@mgyucht We'd be happy to use the OAuth credentials over a PAT for the service principal, however, there are still many (I'd even say most) downstream applications that still only accept the token (especially BI applications)