fix: make defining permissions optional

Artem Vovchenko · Artem Vovchenko · commit 8e4f90b4aed9 · 2025-01-24T15:02:29.000+02:00
diff --git a/README.md b/README.md
@@ -74,8 +74,7 @@ module "databricks_locations" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.0.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 4.0.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~>1.3 |
 | <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | ~>1.0 |
 
 ## Providers
@@ -101,8 +100,9 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_external_locations"></a> [external\_locations](#input\_external\_locations) | List of object with external location configuration attributes | <pre>list(object({<br/>    index            = string # Index of instance, for example short name, used later to access exact external location in output map<br/>    name             = string # Custom whole name of resource<br/>    url              = string # Path URL in cloud storage<br/>    credentials_name = optional(string)<br/>    owner            = optional(string)      # Owner of resource<br/>    skip_validation  = optional(bool, true)  # Suppress validation errors if any & force save the external location<br/>    read_only        = optional(bool, false) # Indicates whether the external location is read-only.<br/>    force_destroy    = optional(bool, true)<br/>    force_update     = optional(bool, true)<br/>    comment          = optional(string, "External location provisioned by Terraform")<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  }))</pre> | `[]` | no |
-| <a name="input_storage_credential"></a> [storage\_credential](#input\_storage\_credential) | Object with storage credentials configuration attributes | <pre>object({<br/>    azure_access_connector_id = optional(string, null) # Azure Databricks Access Connector Id<br/>    cloud                     = optional(string, "")<br/>    name                      = optional(string, null) # Custom whole name of resource    <br/>    owner                     = optional(string)       # Owner of resource<br/>    force_destroy             = optional(bool, true)<br/>    comment                   = optional(string, "Managed identity credential provisioned by Terraform")<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  })</pre> | n/a | yes |
+| <a name="input_cloud"></a> [cloud](#input\_cloud) | Cloud (azure, aws or gcp) | `string` | n/a | yes |
+| <a name="input_external_locations"></a> [external\_locations](#input\_external\_locations) | List of object with external location configuration attributes | <pre>list(object({<br/>    index            = string                # Index of instance, for example short name, used later to access exact external location in output map<br/>    name             = string                # Custom whole name of resource<br/>    url              = string                # Path URL in cloud storage<br/>    credentials_name = optional(string)      # If storage_credential.create_storage_credential is set to false, provide id of existing storage credential here<br/>    owner            = optional(string)      # Owner of resource<br/>    skip_validation  = optional(bool, true)  # Suppress validation errors if any & force save the external location<br/>    read_only        = optional(bool, false) # Indicates whether the external location is read-only.<br/>    force_destroy    = optional(bool, true)<br/>    force_update     = optional(bool, true)<br/>    comment          = optional(string, "External location provisioned by Terraform")<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  }))</pre> | `[]` | no |
+| <a name="input_storage_credential"></a> [storage\_credential](#input\_storage\_credential) | Object with storage credentials configuration attributes | <pre>object({<br/>    azure_access_connector_id = optional(string, null) # Azure Databricks Access Connector Id<br/>    name                      = optional(string, null) # Custom whole name of resource<br/>    owner                     = optional(string)       # Owner of resource<br/>    force_destroy             = optional(bool, true)<br/>    comment                   = optional(string, "Managed identity credential provisioned by Terraform")<br/>    create_storage_credential = optional(bool, true) # "Boolean flag that determines whether to create storage credential or use the existing one"<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  })</pre> | n/a | yes |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
@@ -13,32 +13,32 @@ locals {
 }
 
 resource "databricks_storage_credential" "this" {
-  count = var.storage_credential.cloud != "" ? 1 : 0
+  count = var.storage_credential.create_storage_credential ? 1 : 0
 
   name  = var.storage_credential.name
   owner = var.storage_credential.owner
 
   # Dynamic block for Azure
   dynamic "azure_managed_identity" {
-    for_each = var.storage_credential.cloud == "azure" ? [1] : []
+    for_each = var.cloud == "azure" ? [1] : []
     content {
       access_connector_id = var.storage_credential.azure_access_connector_id
     }
   }
 
   # Dynamic block for GCP
   dynamic "databricks_gcp_service_account" {
-    for_each = var.storage_credential.cloud == "gcp" ? [1] : []
+    for_each = var.cloud == "gcp" ? [1] : []
     content {}
   }
 
   force_destroy  = var.storage_credential.force_destroy
   comment        = var.storage_credential.comment
-  isolation_mode = var.storage_credential.cloud == "azure" ? var.storage_credential.isolation_mode : null
+  isolation_mode = var.cloud == "azure" ? var.storage_credential.isolation_mode : null
 }
 
 resource "databricks_grants" "credential" {
-  count = var.storage_credential.cloud != "" ? 1 : 0
+  count = var.storage_credential.create_storage_credential ? (length(var.storage_credential.permissions) != 0 ? 1 : 0) : 0
 
   storage_credential = try(databricks_storage_credential.this[0].id, null)
   dynamic "grant" {
diff --git a/variables.tf b/variables.tf
@@ -1,11 +1,11 @@
 variable "storage_credential" {
   type = object({
     azure_access_connector_id = optional(string, null) # Azure Databricks Access Connector Id
-    cloud                     = optional(string, "")
-    name                      = optional(string, null) # Custom whole name of resource    
+    name                      = optional(string, null) # Custom whole name of resource
     owner                     = optional(string)       # Owner of resource
     force_destroy             = optional(bool, true)
     comment                   = optional(string, "Managed identity credential provisioned by Terraform")
+    create_storage_credential = optional(bool, true) # "Boolean flag that determines whether to create storage credential or use the existing one"
     permissions = optional(set(object({
       principal  = string
       privileges = list(string)
@@ -15,12 +15,17 @@ variable "storage_credential" {
   description = "Object with storage credentials configuration attributes"
 }
 
+variable "cloud" {
+  type        = string
+  description = "Cloud (azure, aws or gcp)"
+}
+
 variable "external_locations" {
   type = list(object({
-    index            = string # Index of instance, for example short name, used later to access exact external location in output map
-    name             = string # Custom whole name of resource
-    url              = string # Path URL in cloud storage
-    credentials_name = optional(string)
+    index            = string                # Index of instance, for example short name, used later to access exact external location in output map
+    name             = string                # Custom whole name of resource
+    url              = string                # Path URL in cloud storage
+    credentials_name = optional(string)      # If storage_credential.create_storage_credential is set to false, provide id of existing storage credential here
     owner            = optional(string)      # Owner of resource
     skip_validation  = optional(bool, true)  # Suppress validation errors if any & force save the external location
     read_only        = optional(bool, false) # Indicates whether the external location is read-only.
diff --git a/versions.tf b/versions.tf
@@ -1,11 +1,7 @@
 terraform {
-  required_version = ">=1.0.0"
+  required_version = "~>1.3"
 
   required_providers {
-    azurerm = {
-      source  = "hashicorp/azurerm"
-      version = ">= 4.0.1"
-    }
     databricks = {
       source  = "databricks/databricks"
       version = "~>1.0"
