[ISSUE] Issue with databricks_grants resource #2216

Open
beszabo-hiya opened this issue Apr 13, 2023 · 2 comments
Labels
Bug The issue is a bug.


beszabo-hiya commented Apr 13, 2023

Configuration

resource "databricks_grants" "catalog_access" {
  catalog = element(split(".", var.schema), 0)
  grant {
    principal  = "principal-1"
    privileges = ["USE_CATALOG"]
  }
  grant {
    principal  = "principal-1-ro"
    privileges = ["USE_CATALOG"]
  }
}

resource "databricks_grants" "catalog_access_princ2" {
  catalog = element(split(".", var.schema), 0)
  grant {
    principal  = "principal-2"
    privileges = ["USE_CATALOG"]
  }
  grant {
    principal  = "principal-2-ro"
    privileges = ["USE_CATALOG"]
  }
}

Expected Behavior

After the first apply, no changes should take place

Actual Behavior

Running apply multiple times gives different results

Steps to Reproduce

  1. terraform apply
  2. terraform apply
  3. terraform apply

Terraform and provider versions

Latest

Issue description

First run of terraform apply

  # module.permission_grants_princ1_ro.databricks_grants.catalog_access will be created
  + resource "databricks_grants" "catalog_access" {
      + catalog = "datalake"
      + id      = (known after apply)

      + grant {
          + principal  = "principal-1"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
      + grant {
          + principal  = "principal-1-ro"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
    }

  # module.permission_grants_princ1_ro.databricks_grants.catalog_access_princ2 will be created
  + resource "databricks_grants" "catalog_access_princ2" {
      + catalog = "datalake"
      + id      = (known after apply)

      + grant {
          + principal  = "principal-2"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
      + grant {
          + principal  = "principal-2-ro"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

After running this, I see princ1, princ1-ro, princ2 and princ2-ro on the grants page of the Catalog, which is the expected behaviour.

Second run of terraform apply. No code changes were made.

  # module.permission_grants_princ1_ro.databricks_grants.catalog_access will be updated in-place
  ~ resource "databricks_grants" "catalog_access" {
        id      = "catalog/datalake"
        # (1 unchanged attribute hidden)

      - grant {
          - principal  = "principal-2" -> null
          - privileges = [
              - "USE_CATALOG",
            ] -> null
        }
      - grant {
          - principal  = "principal-2-ro" -> null
          - privileges = [
              - "USE_CATALOG",
            ] -> null
        }

        # (2 unchanged blocks hidden)
    }

  # module.permission_grants_princ1_ro.databricks_grants.catalog_access_princ2 will be updated in-place
  ~ resource "databricks_grants" "catalog_access_princ2" {
        id      = "catalog/datalake"
        # (1 unchanged attribute hidden)

      - grant {
          - principal  = "principal-1" -> null
          - privileges = [
              - "USE_CATALOG",
            ] -> null
        }
      - grant {
          - principal  = "principal-1-ro" -> null
          - privileges = [
              - "USE_CATALOG",
            ] -> null
        }

        # (2 unchanged blocks hidden)
    }

After applying, I got the error:
Error: cannot read grants: got empty permissions list.
It also deleted all the grants from the Catalog.

3rd apply

  # module.permission_grants_princ1_ro.databricks_grants.catalog_access will be created
  + resource "databricks_grants" "catalog_access" {
      + catalog = "datalake"
      + id      = (known after apply)

      + grant {
          + principal  = "principal-1"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
      + grant {
          + principal  = "principal-1-ro"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
    }

  # module.permission_grants_princ1_ro.databricks_grants.catalog_access_princ2 will be created
  + resource "databricks_grants" "catalog_access_princ2" {
      + catalog = "datalake"
      + id      = (known after apply)

      + grant {
          + principal  = "principal-2"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
      + grant {
          + principal  = "principal-2-ro"
          + privileges = [
              + "USE_CATALOG",
            ]
        }
    }

After applying everything is there again.

TakeshiMatsukura added the Bug label Apr 14, 2023

nkvuong (Contributor) commented Apr 14, 2023

@beszabo-hiya this is spelled out in the doc - https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants

It is required to define all permissions for a securable in a single resource, otherwise Terraform cannot guarantee config drift prevention.

@scheleaap

See also #1976
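
A pre-apply check for the rule quoted in nkvuong's reply, as an added example that is not part of the issue or the provider's code: it reads `terraform show -json` plan output and reports every securable claimed by more than one `databricks_grants` resource. The sample plan is constructed, and treating the one non-null string attribute other than `id` as the securable is an assumption about the resource's schema.

```python
import json
import sys
from collections import defaultdict

MOD = "module.permission_grants_princ1_ro.databricks_grants."

def rc(name, after, actions=("create",)):
    """Build one constructed resource_changes entry (only the fields read below)."""
    return {"address": MOD + name, "type": "databricks_grants",
            "change": {"actions": list(actions), "after": after}}

def grant(principal):
    return {"principal": principal, "privileges": ["USE_CATALOG"]}

# Constructed sample shaped like `terraform show -json <planfile>` for this issue's config.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    rc("catalog_access", {"catalog": "datalake", "schema": None,
                          "grant": [grant("principal-1"), grant("principal-1-ro")]}),
    rc("catalog_access_princ2", {"catalog": "datalake", "schema": None,
                                 "grant": [grant("principal-2"), grant("principal-2-ro")]}),
    # Hypothetical extra resource on a different securable; must not be flagged.
    rc("schema_access", {"catalog": None, "schema": "datalake.sales",
                         "grant": [{"principal": "principal-1", "privileges": ["USE_SCHEMA"]}]}),
]})

def securable_of(after):
    """Return (kind, name) of the securable a databricks_grants resource targets."""
    # Assumption: the securable is the only non-null string attribute besides `id`;
    # grant blocks are lists and unset securable attributes are null in the plan.
    for key, value in sorted(after.items()):
        if key != "id" and isinstance(value, str):
            return key, value
    return None  # name not known until apply, so it cannot be checked here

def find_conflicts(plan_json):
    """Map each securable to the resource addresses that all try to own its grants."""
    owners = defaultdict(list)
    for change in json.loads(plan_json).get("resource_changes", []):
        if change.get("type") != "databricks_grants":
            continue
        body = change.get("change", {})
        if body.get("actions") == ["delete"]:
            continue  # a resource being removed no longer competes for the securable
        target = securable_of(body.get("after") or {})
        if target is not None:
            owners[target].append(change["address"])
    return {t: sorted(addrs) for t, addrs in owners.items() if len(addrs) > 1}

if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE_PLAN)
    for (kind, name), addrs in conflicts.items():
        print(f"{kind} {name!r} is managed by {len(addrs)} resources: {', '.join(addrs)}")
    sys.exit(1 if conflicts else 0)
```

Run as a CI gate, a non-zero exit stops the pipeline before the second apply can strip grants from the catalog.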
