[Feature] Add databricks_credential resource #4219
base: main
A credential represents an authentication and authorization mechanism for accessing services on your cloud tenant. Each credential is subject to Unity Catalog access-control policies that control which users and groups can access the credential. | ||
To create credentials, you must be a Databricks account admin or have the `CREATE SERVICE CREDENTIAL` privilege. The user who creates the credential can delegate ownership to another user or group to manage permissions on it |
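Review bot: the second sentence ("... to manage permissions on it") lacks a terminal period. Since the thread here asks about CREATE_STORAGE_CREDENTIAL while the SDK currently accepts only SERVICE as purpose, consider stating explicitly that this page covers service credentials, so readers do not expect the storage-credential privilege to apply.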
Will create service credential work with service principals on azure?
Should we also mention CREATE_STORAGE_CREDENTIAL?
the SDK only accepts SERVICE for purpose apparently
our go-sdk struct does not match the OpenAPI spec for some reason...maybe we need to wait for it to be regenerated
@farrucosanjurjo-db wdyt?
our go-sdk struct does not match the OpenAPI spec for some reason...maybe we need to wait for it to be regenerated
I think that's the issue here. We recently updated the proto files (and hence the OpenAPI specs) to include the management of storage credentials with the /credentials endpoints
Will create service credential work with service principals on azure?
No. We only support Azure Managed Identities
Should we add something regarding the IAM role requirements? https://docs.databricks.com/en/connect/unity-catalog/cloud-services/service-credentials.html#step-1-create-an-iam-role
return err | ||
} | ||
// Bind the current workspace if the external location is isolated, otherwise the read will fail | ||
return bindings.AddCurrentWorkspaceBindings(ctx, d, w, updateCredRequest.NameArg, catalog.UpdateBindingsSecurableTypeServiceCredential) |
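Review bot: the comment above the bindings call says "if the external location is isolated", but the securable bound here is the credential (catalog.UpdateBindingsSecurableTypeServiceCredential); suggest `// Bind the current workspace if the credential is isolated, otherwise the read will fail`. Per the thread, bindings.AddCurrentWorkspaceBindings also covers the ISOLATED to OPEN change, so a short note to that effect in the comment would save the next reader the same question.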
How it will handle change from ISOLATED to OPEN?
bindings.AddCurrentWorkspaceBindings function handles that logic
4519765 to b8b2e2a
- `name` - Name of Credentials, which must be unique within the [databricks_metastore](metastore.md). Change forces creation of a new resource. | ||
- `purpose` - Indicates the purpose of the credential. Can be `SERVICE`. | ||
- `owner` - (Optional) Username/groupname/sp application_id of the credential owner. | ||
- `read_only` - (Optional) Indicates whether the credential is only usable for read operations. |
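Review bot: `read_only` is listed for this resource although, as noted in the thread, it only applies to storage credentials, and `purpose` here accepts only `SERVICE`; drop the argument from this page or mark it as storage-credential-only so users do not set a flag that has no effect on a service credential.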
Note this only applies to storage credentials
- `name` - Name of Credentials, which must be unique within the [databricks_metastore](metastore.md). Change forces creation of a new resource. | ||
- `purpose` - Indicates the purpose of the credential. Can be `SERVICE`. | ||
- `owner` - (Optional) Username/groupname/sp application_id of the credential owner. |
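Review bot: `owner` is marked optional without saying how it is applied; the thread establishes that it is set through an update call (which the provider also issues after create) and otherwise derives from the identity creating the credential, so a clause such as "set via an update after creation; defaults to the creating identity" would make the behaviour clear.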
Afaik, the owner can't be set. It's derived from the identity of the user creating the credential
unless this also applies to updates
this applies to update - and in case of create, we execute an update as well
The following arguments are required: | ||
- `name` - Name of Credentials, which must be unique within the [databricks_metastore](metastore.md). Change forces creation of a new resource. | ||
- `purpose` - Indicates the purpose of the credential. Can be `SERVICE`. |
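Review bot: `purpose` is required but the only documented value is `SERVICE`; the suggestion in this thread adds `STORAGE`, while an earlier comment notes the go-sdk currently accepts only `SERVICE`. Keep the docs to what the provider accepts today and add `STORAGE` once the SDK is regenerated, otherwise users will hit validation errors from a documented value.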
- `purpose` - Indicates the purpose of the credential. Can be `SERVICE`. | |
- `purpose` - Indicates the purpose of the credential. Can be `SERVICE` or `STORAGE`. |
- `skip_validation` - (Optional) Suppress validation errors if any & force save the credential. | ||
- `force_destroy` - (Optional) Delete credential regardless of its dependencies. | ||
- `force_update` - (Optional) Update credential regardless of its dependents. | ||
- `isolation_mode` - (Optional) Whether the credential is accessible from all workspaces or a specific set of workspaces. Can be `ISOLATION_MODE_ISOLATED` or `ISOLATION_MODE_OPEN`. Setting the credential to `ISOLATION_MODE_ISOLATED` will automatically allow access from the current workspace. |
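Review bot: the sentence "will automatically allow access from the current workspace" describes a side effect without its reason; per the thread the provider binds the current workspace so Terraform can keep managing the credential, and further workspaces are bound through the databricks_workspace_binding resource. Suggest adding that second sentence here, which also avoids the suggested wording below ("restrict access to only from the current workspace") that the author objects to.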
- `isolation_mode` - (Optional) Whether the credential is accessible from all workspaces or a specific set of workspaces. Can be `ISOLATION_MODE_ISOLATED` or `ISOLATION_MODE_OPEN`. Setting the credential to `ISOLATION_MODE_ISOLATED` will automatically allow access from the current workspace. | |
- `isolation_mode` - (Optional) Whether the credential is accessible from all workspaces or a specific set of workspaces. Can be `ISOLATION_MODE_ISOLATED` or `ISOLATION_MODE_OPEN`. Setting the credential to `ISOLATION_MODE_ISOLATED` will automatically restrict access to only from the current workspace. |
When isolation_mode is changed, do we implicitly make a call to bind the credential to the current workspace?
yes, otherwise TF cannot manage the credential - I don't want to say "automatically restrict access to only from the current workspace", as customers will add additional bindings as necessary via the databricks_workspace_binding resource
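As an added example (not part of this PR or the provider's own docs) of how the binding behaviour discussed above fits together: the credential is created in `ISOLATION_MODE_ISOLATED`, so the provider binds the workspace Terraform runs in, and one further workspace is bound explicitly with `databricks_workspace_binding`. Everything beyond the argument names shown on this page is an assumption: the `azure_managed_identity` block with `access_connector_id`, the `securable_type` value `"credential"`, the `binding_type` value, the placeholder resource path and the `analytics_workspace_id` variable.

```hcl
# Added example, not from the PR. Block and value names marked "assumed"
# are not taken from the page and must be checked against the provider docs.
resource "databricks_credential" "ext_svc" {
  name    = "ext-service-cred"
  purpose = "SERVICE"

  # Assumed block: the thread states only Azure managed identities are
  # supported on Azure; the path below is a placeholder, not a real ID.
  azure_managed_identity {
    access_connector_id = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Databricks/accessConnectors/<CONNECTOR_NAME>"
  }

  # Isolated: the provider binds the current workspace on this change so it
  # can keep reading the credential; no other workspace can use it yet.
  isolation_mode = "ISOLATION_MODE_ISOLATED"
}

# Every additional workspace that needs the credential is bound explicitly,
# which keeps the set of workspaces able to use it to the ones you listed.
resource "databricks_workspace_binding" "ext_svc_analytics" {
  securable_name = databricks_credential.ext_svc.name
  securable_type = "credential"                 # assumed value for this securable
  workspace_id   = var.analytics_workspace_id   # assumed variable
  binding_type   = "BINDING_TYPE_READ_WRITE"    # assumed value
}
```

The point of the pair is least privilege: an `ISOLATION_MODE_OPEN` credential is usable from every workspace in the metastore, whereas the isolated form plus explicit bindings makes the set of workspaces that can exercise the cloud identity an auditable part of the Terraform state.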
@@ -0,0 +1,96 @@ | |||
--- |
For storage credentials we also have some docs under data-sources/. Will you add those too?
those are data sources, we need to implement them in a separate PR
b8b2e2a to 56ac60c
56ac60c to 615b20e
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success.
Test Details: go/deco-tests/11869025907

Changes
- databricks_credential resource that represents service credential. Resolves #4214

Tests
- make test run locally
- docs/ folder
- internal/acceptance