
[ISSUE] Issue with databricks_secret_acl resource - Cannot work with account level groups #4195

Open
seblatre opened this issue Nov 6, 2024 · 0 comments

seblatre commented Nov 6, 2024

Configuration

terraform {
  required_providers {
    databricks = {
      source  = "databricks/databricks"
      version = "~> 1.56.0"
    }
  }
}
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.azuredatabricks.net"
  account_id = "<databricksAccountId>"
}
provider "databricks" {
  alias                       = "workspace"
  host                        = "adb-<databricksWorkspaceId>.10.azuredatabricks.net"
  azure_workspace_resource_id = "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Databricks/workspaces/<databricksWorkspaceName>"
}
resource "databricks_group" "account_group" {
  display_name = "GROUP-A45"

  provider = databricks.account
}
resource "databricks_mws_permission_assignment" "workspace_group" {
  workspace_id = "<databricksWorkspaceId>"
  principal_id = databricks_group.account_group.id
  permissions  = ["USER"]

  provider = databricks.account
}
resource "databricks_secret_scope" "team" {
  name = "Scope_A45_team"

  keyvault_metadata {
    resource_id = "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.KeyVault/vaults/keyvaulttesta45"
    dns_name    = "https://keyvaulttesta45.vault.azure.net/"
  }

  provider = databricks.workspace
}
resource "databricks_secret_acl" "team_acl" {
  principal  = databricks_group.account_group.display_name
  permission = "READ"
  scope      = databricks_secret_scope.team.name

  provider = databricks.workspace
}

Expected Behavior

This configuration should work without issue

Actual Behavior

When running terraform apply, we run into the following error:

databricks_group.account_group: Creating...
databricks_secret_scope.team: Creating...
databricks_group.account_group: Creation complete after 2s [id=980426357238593]
databricks_mws_permission_assignment.workspace_group: Creating...
databricks_secret_scope.team: Creation complete after 4s [id=Scope_A45_team]
databricks_secret_acl.team_acl: Creating...
databricks_mws_permission_assignment.workspace_group: Creation complete after 5s [id=25518447772330|980426357238593]
╷
│ Error: cannot create secret acl: User or Group GROUP-A45 does not exist.
│
│   with databricks_secret_acl.team_acl,
│   on main.tf line 41, in resource "databricks_secret_acl" "team_acl":
│   41: resource "databricks_secret_acl" "team_acl" {
│
╵

Steps to Reproduce

  1. terraform apply (sometimes it doesn't reproduce the issue; need to terraform destroy and then try again)

Terraform and provider versions

$ terraform version
Terraform v1.9.8
on windows_amd64
+ provider registry.terraform.io/databricks/databricks v1.56.0

Is it a regression?

I don't think so.

Debug Output

I sniffed the API calls that were made by the provider:
[image: screenshot of the captured API calls, attached in the original issue]

Important Factoids

I tried using the account-level provider for databricks_secret_acl, but this is not allowed.

I also tried adding this depends_on block to the databricks_secret_acl resource, without any better luck:

  depends_on = [
    databricks_mws_permission_assignment.workspace_group
  ]

Would you like to implement a fix?

No, sorry
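The error above is consistent with the workspace not yet listing the account-level group at the moment the ACL is written (the report notes it does not always reproduce). The following added example, which is not code from the issue or from the Databricks provider, shows a readiness check a practitioner can run outside Terraform: it polls the workspace SCIM Groups endpoint until the group is visible and only then calls the secrets ACL API. It assumes a workspace host and personal access token supplied by the caller; the polling interval and attempt count are arbitrary choices.

```python
import json
import time
import urllib.parse
import urllib.request

SCIM_GROUPS = "/api/2.0/preview/scim/v2/Groups"
SECRET_ACL_PUT = "/api/2.0/secrets/acls/put"


def make_request(host, token):
    """Return a small Databricks REST client bound to one workspace and PAT."""
    def request(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(host + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return request


def group_visible(display_name, request):
    """True once the workspace SCIM API lists a group with this display name."""
    filt = urllib.parse.quote(f'displayName eq "{display_name}"')
    resp = request("GET", f"{SCIM_GROUPS}?filter={filt}")
    return any(g.get("displayName") == display_name
               for g in resp.get("Resources", []))


def wait_for_group(display_name, request, attempts=10, delay=3.0, sleep=time.sleep):
    """Poll until the group is visible; return the number of polls used."""
    for poll in range(1, attempts + 1):
        if group_visible(display_name, request):
            return poll
        if poll < attempts:
            sleep(delay)
    raise TimeoutError(f"group {display_name!r} not visible in workspace")


def put_secret_acl(scope, principal, permission, request, sleep=time.sleep):
    """Grant the ACL only after the principal is known to the workspace,
    so the put cannot fail with 'User or Group ... does not exist'."""
    polls = wait_for_group(principal, request, sleep=sleep)
    request("POST", SECRET_ACL_PUT,
            {"scope": scope, "principal": principal, "permission": permission})
    return polls
```

Bind a client with make_request(workspace_host, token) and call put_secret_acl("Scope_A45_team", "GROUP-A45", "READ", client); the returned poll count tells you how long the group took to appear, which is useful evidence when deciding whether the Terraform failure is a timing problem.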
