terraform-provider-databricks

[ISSUE] Issue with `databricks_grants` resource overwriting without informative plan/apply output

Open keenanwells-tatari opened this issue 6 months ago • 1 comments

Hello, I know the topic I bring up in this issue is already documented in other issues, such as https://github.com/databricks/terraform-provider-databricks/issues/2665, but I would like to raise it again, as the plan output feels dangerous and uninformative for the `databricks_grants` resource's default behavior of replacing existing grants.

Configuration

Here I've added some new grants for a list of all our external locations.

resource "databricks_grants" "external_location_grants_tableau" {
  for_each = {
    for item in local.schema_grants :
    "${item.env}-${item.tier}-${item.schema}" => item
  }

  external_location = each.value.location

  grant {
    principal  = databricks_service_principal.tableau-sp.application_id
    privileges = ["READ FILES"]
  }
}

NOTE: I know the correct thing to do here would have been to reach for `databricks_grant`; however, this is an easy mistake to make given the single-letter difference in the resource.

Expected Behavior

I would expect the plan/apply output to help a user catch what they are about to do, with an indication of the resources being removed in the diff and the output (e.g. `Plan: 700 to add, X to change, 700 to destroy.`).

Actual Behavior

The plan/apply output does not provide output indicating what is actually going to happen. Here is an example of the output provided, truncated for brevity:


    ... (much the same repeated above)

      # databricks_grants.external_location_grants_tableau["staging-silver-foo_silver"] will be created
      + resource "databricks_grants" "external_location_grants_tableau" {
          + external_location = "s3://foo-bucket-staging-us-west-2/silver/foo_silver"
          + id                = (known after apply)

          + grant {
              + principal  = (known after apply)
              + privileges = [
                  + "READ FILES",
                ]
            }
        }

    ... (much the same repeated below)

    Plan: 735 to add, 2 to change, 1 to destroy.

Steps to Reproduce

Add a `databricks_grants` resource that will overwrite existing external location (or any other object) permissions. Run `terraform plan` / `terraform apply`.

Terraform and provider versions

provider: v1.48.0
terraform: v1.6.0

Is it a regression?

No

Debug Output

Included above

Important Factoids

None

Would you like to implement a fix?

No

keenanwells-tatari • Apr 29 '25 18:04
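
A pre-apply check for the situation described in this issue, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and lists every `databricks_grants` resource the plan creates, since the diff shows those only as additions. The sample plan is constructed, and treating the single string-valued attribute as the securable is an assumption about the resource's schema.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# reduced to the fields this check reads. Addresses and values are made up.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": 'databricks_grants.external_location_grants_tableau["staging-silver-foo_silver"]',
     "type": "databricks_grants",
     "change": {"actions": ["create"], "after": {
         "catalog": None,
         "external_location": "s3://foo-bucket-staging-us-west-2/silver/foo_silver",
         "grant": [{"privileges": ["READ FILES"]}]}}},
    {"address": "databricks_grant.tableau_read", "type": "databricks_grant",
     "change": {"actions": ["create"], "after": {
         "external_location": "example_location", "privileges": ["READ FILES"]}}},
    {"address": "databricks_grants.unchanged", "type": "databricks_grants",
     "change": {"actions": ["no-op"], "after": {"catalog": "example_catalog"}}},
]})

# Attributes of databricks_grants that never name the securable.
NOT_SECURABLE = {"id", "grant"}


def authoritative_grant_creates(plan_json):
    """List (address, securable_kind, securable_name) for each databricks_grants
    resource the plan creates or replaces."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "databricks_grants" or "create" not in change.get("actions", []):
            continue
        after = change.get("after") or {}
        # Assumption: the securable is the single string-valued attribute set on
        # the resource; unset ones are null, unknown ones are absent at plan time.
        named = [(k, v) for k, v in after.items()
                 if k not in NOT_SECURABLE and isinstance(v, str)]
        kind, name = named[0] if named else ("unknown", "(known after apply)")
        findings.append((rc["address"], kind, name))
    return findings


if __name__ == "__main__":
    for address, kind, name in authoritative_grant_creates(SAMPLE_PLAN):
        print(f"REVIEW {address}: create will replace existing grants on {kind} {name!r}")
```

Each finding can then be compared against the grants currently set on that securable before the plan is approved.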

Same here

krishnasism • Jun 11 '25 08:06