entitlements.md

subcategory
Security

databricks_entitlements Resource

This resource allows you to set entitlements to existing databricks_users, databricks_group or databricks_service_principal.

-> Note You must define entitlements of a principal using either databricks_entitlements or directly within one of databricks_users, databricks_group or databricks_service_principal. Having entitlements defined in both resources will result in non-deterministic behaviour.

Example Usage

Setting entitlements for a regular user:

data "databricks_user" "me" {
  user_name = "[email protected]"
}

resource "databricks_entitlements" "me" {
  user_id                    = data.databricks_user.me.id
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

Setting entitlements for a service principal:

data "databricks_service_principal" "this" {
  application_id = "11111111-2222-3333-4444-555666777888"
}

resource "databricks_entitlements" "this" {
  service_principal_id       = data.databricks_service_principal.this.sp_id
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

Setting entitlements to all users in a workspace - referencing special users databricks_group

data "databricks_group" "users" {
  display_name = "users"
}

resource "databricks_entitlements" "workspace-users" {
  group_id                   = data.databricks_group.users.id
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

Argument Reference

The following arguments are available to specify the identity you need to enforce entitlements. You must specify exactly one of those arguments otherwise resource creation will fail.

• user_id - Canonical unique identifier for the user.
• group_id - Canonical unique identifier for the group.
• service_principal_id - Canonical unique identifier for the service principal.

The following entitlements are available.

• allow_cluster_create - (Optional) Allow the principal to have cluster create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions and cluster_id argument. Everyone without allow_cluster_create argument set, but with permission to use Cluster Policy would be able to create clusters, but within boundaries of that specific policy.
• allow_instance_pool_create - (Optional) Allow the principal to have instance pool create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions and instance_pool_id argument.
• databricks_sql_access - (Optional) This is a field to allow the principal to have access to Databricks SQL feature in User Interface and through databricks_sql_endpoint.
• workspace_access - (Optional) This is a field to allow the principal to have access to Databricks Workspace.

Import

The resource can be imported using a synthetic identifier. Examples of valid synthetic identifiers are:

• user/user_id - user user_id.
• group/group_id - group group_id.
• spn/spn_id - service principal spn_id.

terraform import databricks_entitlements.me user/<user-id>

Related Resources

The following resources are often used in the same context:

• End to end workspace management guide.
• databricks_group to manage groups in Databricks Workspace or Account Console (for AWS deployments).
• databricks_group data to retrieve information about databricks_group members, entitlements and instance profiles.
• databricks_group_instance_profile to attach databricks_instance_profile (AWS) to databricks_group.
• databricks_group_member to attach users and groups as group members.
• databricks_instance_profile to manage AWS EC2 instance profiles that users can launch databricks_cluster and access data, like databricks_mount.
• databricks_user data to retrieve information about databricks_user.