[ISSUE] Issue with databricks_permission silently removes "tokens" permissions #2431

Closed
yegorski opened this issue Jun 27, 2023 · 5 comments

@yegorski

👋 I looked around at other issues like #2268, #2131, #2104, and #1976 but they don't quite describe my issue.

My issue is that the databricks_permissions resource removed all tokens when adding a new one when it is invoked with authorization = "tokens". The documentation warns about this behavior:

Configuring this resource for an object will OVERWRITE any existing permissions of the same type unless imported, and changes made outside of Terraform will be reset unless the changes are also reflected in the configuration.

But it would be great if the Databricks Terraform provider (we tested on 1.18.0) makes an extra DB API call to check and warn when removing tokens. Right now it silently removes previous token grants.

Configuration

For example, we were unaware that we were managing token permissions in 2 TF repos. This one:

resource "databricks_permissions" "token_permissions" {
  authorization = "tokens"

  access_control {
    service_principal_name = databricks_service_principal.service_account.application_id
    permission_level       = "CAN_USE"
  }
}

overrode this one:

resource "databricks_permissions" "token_permissions" {
  authorization = "tokens"

  access_control {
    group_name       = data.databricks_group.all_users.display_name
    permission_level = "CAN_USE"
  }
}

And removed token access for all our users❗

In the end we figured it out and combined them:

resource "databricks_permissions" "token_permissions" {
  authorization = "tokens"

  access_control {
    group_name       = data.databricks_group.all_users.display_name
    permission_level = "CAN_USE"
  }

  access_control {
    service_principal_name = databricks_service_principal.service_account.application_id
    permission_level       = "CAN_USE"
  }
}

Expected Behavior

databricks_permission resource warns when there are existing token permissions about to be removed.

Actual Behavior

databricks_permission resource silently removes other token permissions.

Steps to Reproduce

See Configuration section above.
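An added example, not part of the original issue and not the provider's code: a pre-apply check that compares the current `tokens` ACL with the `access_control` blocks about to be applied and lists the direct grants the overwrite would remove. The response shape (`access_control_list`, `all_permissions`, `inherited`) is an assumption modelled on the Databricks Permissions API, and the sample data, group name and application ID are constructed.

```python
"""Pre-apply check: which existing token grants would an overwrite remove?"""

PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")


def _principal(entry):
    """Return (kind, name) for an ACL entry or an access_control block."""
    for key in PRINCIPAL_KEYS:
        if entry.get(key):
            return key, entry[key]
    raise ValueError(f"no principal in entry: {entry!r}")


def current_grants(acl_response):
    """Flatten the direct (non-inherited) grants in the current ACL."""
    grants = set()
    for entry in acl_response.get("access_control_list", []):
        kind, name = _principal(entry)
        for perm in entry.get("all_permissions", []):
            # Inherited grants are not set on this object, so skip them.
            if not perm.get("inherited", False):
                grants.add((kind, name, perm["permission_level"]))
    return grants


def grants_removed(acl_response, desired_blocks):
    """Grants present now but absent from the configuration being applied."""
    desired = {(*_principal(b), b["permission_level"]) for b in desired_blocks}
    return sorted(current_grants(acl_response) - desired)


# Constructed sample: state after the all-users configuration was applied.
CURRENT = {
    "object_type": "tokens",
    "access_control_list": [
        {"group_name": "users",
         "all_permissions": [{"permission_level": "CAN_USE", "inherited": False}]},
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True}]},
    ],
}
# Constructed sample: the second repo's configuration, service principal only.
DESIRED = [{"service_principal_name": "00000000-0000-0000-0000-000000000000",
            "permission_level": "CAN_USE"}]

if __name__ == "__main__":
    for kind, name, level in grants_removed(CURRENT, DESIRED):
        print(f"WARNING: apply would remove {level} on tokens from {kind}={name}")
```

Run against the combined configuration (both `access_control` blocks), the same check reports nothing to remove.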

@nkvuong
Contributor

nkvuong commented Jul 3, 2023

There is a feature request #2395

@yegorski
Author

yegorski commented Jul 3, 2023

That request looks good to me, would be a satisfactory solution.

@jlakshmipathi

@yegorski Are there any workarounds?

@yegorski
Author

No, not until #2395 is implemented

@alexott
Contributor

alexott commented Aug 28, 2024

Closing in favor of #2395

@alexott alexott closed this as completed Aug 28, 2024