[ISSUE] Provider wants to redeploy databricks_entitlements when importing it #3856

Closed
camilo-s opened this issue Aug 5, 2024 · 0 comments · Fixed by #3858

camilo-s commented Aug 5, 2024

Configuration

# Copy-paste your Terraform configuration here
terraform {
  required_providers {
    databricks = {
      source = "databricks/databricks"
    }
  }
}

locals {
  standard_access = {
    ops = {
      developer = {
        privileges_external_location = ["ALL_PRIVILEGES"]
        privileges_volume            = ["ALL_PRIVILEGES"]
        privileges_schema            = ["ALL_PRIVILEGES"]
        sql_warehouse_permission     = "CAN_USE"
        cluster_permission           = "CAN_MANAGE"
        secret_scope_acl_core        = null
      }
      default-access = {
        privileges_external_location = []
        privileges_volume            = []
        privileges_schema            = ["USE_SCHEMA"]
        sql_warehouse_permission     = "CAN_USE"
        cluster_permission           = null
        secret_scope_acl_core        = null
      }
    }
    dev = {
      developer = {
        privileges_external_location = ["ALL_PRIVILEGES"]
        privileges_volume            = ["ALL_PRIVILEGES"]
        privileges_schema            = ["ALL_PRIVILEGES"]
        sql_warehouse_permission     = "CAN_USE"
        cluster_permission           = "CAN_MANAGE"
        secret_scope_acl_core        = "READ"
      }
      default-access = {
        privileges_external_location = []
        privileges_volume            = []
        privileges_schema            = ["USE_SCHEMA"]
        sql_warehouse_permission     = "CAN_USE"
        cluster_permission           = null
        secret_scope_acl_core        = null
      }
    }
    qa = {
      developer = {
        privileges_external_location = ["READ_FILES"]
        privileges_volume            = ["READ_VOLUME"]
        privileges_schema = [
          "USE_SCHEMA",
          "SELECT",
          "EXECUTE"
        ]
        sql_warehouse_permission = "CAN_USE"
        cluster_permission       = "CAN_MANAGE"
        secret_scope_acl_core    = "READ"
      }
      default-access = {
        privileges_external_location = []
        privileges_volume            = []
        privileges_schema            = ["USE_SCHEMA"]
        sql_warehouse_permission     = "CAN_USE"
        cluster_permission           = null
        secret_scope_acl_core        = null
      }
    }
    prod = {
      developer = {
        privileges_external_location = ["READ_FILES"]
        privileges_volume            = ["READ_VOLUME"]
        privileges_schema = [
          "USE_SCHEMA",
          "SELECT",
          "EXECUTE"
        ]
        sql_warehouse_permission = "CAN_USE"
        cluster_permission       = "CAN_MANAGE"
        secret_scope_acl_core    = "READ"
      }
      default-access = {
        privileges_external_location = []
        privileges_volume            = []
        privileges_schema            = ["USE_SCHEMA"]
        sql_warehouse_permission     = "CAN_USE"
        cluster_permission           = null
        secret_scope_acl_core        = null
      }
    }
  }
  access_groups = {
    for group, group_object in var.access_groups :
    group => merge(
      group_object,
      local.standard_access[var.environment][group]
    )
  }
}

import {
  to = module.databricks_resources.databricks_entitlements.groups
  id = "group/<REDACTED>"
}

import {
  to = module.databricks_resources.databricks_permission_assignment.groups["developer"]
  id = "<REDACTED>"
}

resource "databricks_permission_assignment" "groups" {
  for_each = local.access_groups

  principal_id = each.value.group_id
  permissions  = ["USER"]
}

resource "databricks_entitlements" "groups" {
  group_id             = local.access_groups["developer"].group_id
  allow_cluster_create = true

  depends_on = [databricks_permission_assignment.groups]
}

Expected Behavior

Terraform plan intends to import both resources without having to redeploy either.

Actual Behavior

Terraform plan correctly intends to import databricks_permission_assignment with no changes and therefore no need to redeploy.

However, it lists property group_id of databricks_entitlements as being new and forcing redeployment of databricks_entitlements.

Terraform will perform the following actions:

  # module.databricks_resources.databricks_entitlements.groups must be replaced
  # (imported from "group/<REDACTED>")
  # Warning: this will destroy the imported resource
-/+ resource "databricks_entitlements" "groups" {
        allow_cluster_create       = true
        allow_instance_pool_create = false
        databricks_sql_access      = false
      + group_id                   = "<REDACTED>" # forces replacement
      ~ id                         = "group/<REDACTED>" -> (known after apply)
        workspace_access           = false
    }

  # module.databricks_resources.databricks_permission_assignment.groups["developer"] will be imported
    resource "databricks_permission_assignment" "groups" {
        id           = "<REDACTED>"
        permissions  = [
            "USER",
        ]
        principal_id = <REDACTED>
    }

Steps to Reproduce

Terraform and provider versions

databricks/databricks v1.49.1
Terraform v1.9.3

Is it a regression?

No. This is the first time I have tried to import a databricks_entitlements resource.

Debug Output

Important Factoids

Would you like to implement a fix?

github-merge-queue bot pushed a commit that referenced this issue Aug 7, 2024
## Changes
- Populate missing ids when importing `databricks_entitlements`
resource. Resolve #3856

## Tests

- [x] `make test` run locally

---------

Co-authored-by: Alex Ott <alexott@gmail.com>
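
An added example, not part of the issue or of the provider's code: a plan gate that flags any imported resource whose planned actions include a delete, which is what the `-/+ ... # forces replacement` output above amounts to for the imported entitlements. It assumes the plan has been exported with `terraform show -json` and relies on the `importing` and `replace_paths` fields of Terraform's JSON plan format; the sample plan is constructed to mirror the one in the issue, with the same redacted IDs.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# mirroring the plan in the issue (IDs are the issue's redacted placeholders).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "module.databricks_resources.databricks_entitlements.groups",
            "type": "databricks_entitlements",
            "change": {
                "actions": ["delete", "create"],
                "importing": {"id": "group/<REDACTED>"},
                "replace_paths": [["group_id"]],
            },
        },
        {
            "address": 'module.databricks_resources.databricks_permission_assignment.groups["developer"]',
            "type": "databricks_permission_assignment",
            "change": {"actions": ["no-op"], "importing": {"id": "<REDACTED>"}},
        },
    ],
})


def destructive_imports(plan_json: str) -> list[dict]:
    """Return imported resources whose planned actions include a delete."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if "importing" not in change:
            continue  # resource is not being brought in by an import block
        actions = change.get("actions", [])
        # ["delete", "create"] and ["create", "delete"] are both replacements.
        if "delete" in actions:
            findings.append({
                "address": rc["address"],
                "import_id": change["importing"].get("id"),
                "actions": actions,
                "forced_by": [".".join(map(str, p))
                              for p in change.get("replace_paths", [])],
            })
    return findings


if __name__ == "__main__":
    for hit in destructive_imports(SAMPLE_PLAN):
        print(f"{hit['address']}: import of {hit['import_id']} would be "
              f"replaced (forced by {', '.join(hit['forced_by'])})")
```

Failing the pipeline when `destructive_imports` returns anything keeps an import from silently destroying and recreating access-control resources such as entitlements.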