[ISSUE] Provider wants to redeploy databricks_permissions when importing it #3882

Open
camilo-s opened this issue Aug 12, 2024 · 3 comments

@camilo-s

Configuration

```hcl
terraform {
  required_providers {
    databricks = {
      source = "databricks/databricks"
    }
  }
}

locals {
  entra_id_groups = {
    platform = "<REDACTED>"
    dsc      = "<REDACTED>"
    bi       = "<REDACTED>"
  }
}

resource "databricks_directory" "release_folder" {
  for_each = local.entra_id_groups
  path     = "/Repos/${each.key}"
}

data "databricks_service_principal" "workspace" {
  application_id = var.service_principal_application_id
}

data "databricks_group" "entra_id_groups" {
  for_each = local.entra_id_groups

  display_name = local.entra_id_groups[each.key]
}

resource "databricks_permissions" "release_folder" {
  for_each       = local.entra_id_groups
  directory_path = databricks_directory.release_folder[each.key].path

  access_control {
    service_principal_name = data.databricks_service_principal.workspace.application_id
    permission_level       = "CAN_MANAGE"
  }

  access_control {
    group_name       = data.databricks_group.entra_id_groups["platform"].display_name
    permission_level = "CAN_READ"
  }

  dynamic "access_control" {
    for_each = each.key != "platform" ? [0] : []
    content {
      group_name       = data.databricks_group.entra_id_groups[each.key].display_name
      permission_level = "CAN_READ"
    }
  }
}
```


Expected Behavior

The provider imports both the databricks_directory and the databricks_permissions resources, which match the existing resources' configuration.

Actual Behavior

The provider is able to import the databricks_directory resources with no problem, but plans to redeploy the databricks_permissions due to a claimed change in the directory_id and the directory_path.

2024-08-12T06:37:56.4803182Z Terraform used the selected providers to generate the following execution
2024-08-12T06:37:56.4803447Z plan. Resource actions are indicated with the following symbols:
2024-08-12T06:37:56.4803971Z -/+ destroy and then create replacement
2024-08-12T06:37:56.4804082Z 
2024-08-12T06:37:56.4804251Z Terraform will perform the following actions:
2024-08-12T06:37:56.4804365Z 
2024-08-12T06:37:56.4804679Z   # module.databricks_subteams.databricks_directory.release_folder["bi"] will be imported
2024-08-12T06:37:56.4805144Z     resource "databricks_directory" "release_folder" {
2024-08-12T06:37:56.4805337Z         id             = "/Repos/bi"
2024-08-12T06:37:56.4805514Z         object_id      = <REDACTED>
2024-08-12T06:37:56.4805688Z         path           = "/Repos/bi"
2024-08-12T06:37:56.4805865Z         workspace_path = "/Workspace/Repos/bi"
2024-08-12T06:37:56.4806032Z     }
2024-08-12T06:37:56.4806097Z 
2024-08-12T06:37:56.4806403Z   # module.databricks_subteams.databricks_directory.release_folder["dsc"] will be imported
2024-08-12T06:37:56.4806721Z     resource "databricks_directory" "release_folder" {
2024-08-12T06:37:56.4806909Z         id             = "/Repos/dsc"
2024-08-12T06:37:56.4807068Z         object_id      = <REDACTED>
2024-08-12T06:37:56.4807239Z         path           = "/Repos/dsc"
2024-08-12T06:37:56.4807420Z         workspace_path = "/Workspace/Repos/dsc"
2024-08-12T06:37:56.4807579Z     }
2024-08-12T06:37:56.4807641Z 
2024-08-12T06:37:56.4807947Z   # module.databricks_subteams.databricks_directory.release_folder["platform"] will be imported
2024-08-12T06:37:56.4808272Z     resource "databricks_directory" "release_folder" {
2024-08-12T06:37:56.4808466Z         id             = "/Repos/platform"
2024-08-12T06:37:56.4808913Z         object_id      = <REDACTED>
2024-08-12T06:37:56.4809090Z         path           = "/Repos/platform"
2024-08-12T06:37:56.4809281Z         workspace_path = "/Workspace/Repos/platform"
2024-08-12T06:37:56.4809446Z     }
2024-08-12T06:37:56.4809495Z 
2024-08-12T06:37:56.4809829Z   # module.databricks_subteams.databricks_permissions.release_folder["bi"] must be replaced
2024-08-12T06:37:56.4810166Z   # (imported from "/directories/<REDACTED>")
2024-08-12T06:37:56.4810471Z   # Warning: this will destroy the imported resource
2024-08-12T06:37:56.4810906Z -/+ resource "databricks_permissions" "release_folder" {
2024-08-12T06:37:56.4811286Z       - directory_id   = "<REDACTED>" -> null # forces replacement
2024-08-12T06:37:56.4811632Z       + directory_path = "/Repos/bi" # forces replacement
2024-08-12T06:37:56.4811977Z       ~ id             = "/directories/<REDACTED>" -> (known after apply)
2024-08-12T06:37:56.4812298Z       ~ object_type    = "directory" -> (known after apply)
2024-08-12T06:37:56.4812395Z 
2024-08-12T06:37:56.4812537Z         access_control {
2024-08-12T06:37:56.4812777Z             group_name             = null
2024-08-12T06:37:56.4812966Z             permission_level       = "CAN_MANAGE"
2024-08-12T06:37:56.4813273Z             service_principal_name = "<REDACTED>"
2024-08-12T06:37:56.4813550Z             user_name              = null
2024-08-12T06:37:56.4813709Z         }
2024-08-12T06:37:56.4813856Z         access_control {
2024-08-12T06:37:56.4814046Z             group_name             = "<REDACTED>"
2024-08-12T06:37:56.4814230Z             permission_level       = "CAN_READ"
2024-08-12T06:37:56.4814488Z             service_principal_name = null
2024-08-12T06:37:56.4814729Z             user_name              = null
2024-08-12T06:37:56.4814889Z         }
2024-08-12T06:37:56.4815033Z         access_control {
2024-08-12T06:37:56.4815224Z             group_name             = "<REDACTED>"
2024-08-12T06:37:56.4815419Z             permission_level       = "CAN_READ"
2024-08-12T06:37:56.4815674Z             service_principal_name = null
2024-08-12T06:37:56.4815930Z             user_name              = null
2024-08-12T06:37:56.4816086Z         }
2024-08-12T06:37:56.4816217Z     }
2024-08-12T06:37:56.4816266Z 
2024-08-12T06:37:56.4816600Z   # module.databricks_subteams.databricks_permissions.release_folder["dsc"] must be replaced
2024-08-12T06:37:56.4816937Z   # (imported from "/directories/<REDACTED>")
2024-08-12T06:37:56.4817236Z   # Warning: this will destroy the imported resource
2024-08-12T06:37:56.4817562Z -/+ resource "databricks_permissions" "release_folder" {
2024-08-12T06:37:56.4817941Z       - directory_id   = "<REDACTED>" -> null # forces replacement
2024-08-12T06:37:56.4818293Z       + directory_path = "/Repos/dsc" # forces replacement
2024-08-12T06:37:56.4818639Z       ~ id             = "/directories/<REDACTED>" -> (known after apply)
2024-08-12T06:37:56.4818957Z       ~ object_type    = "directory" -> (known after apply)
2024-08-12T06:37:56.4819051Z 
2024-08-12T06:37:56.4819195Z         access_control {
2024-08-12T06:37:56.4819432Z             group_name             = null
2024-08-12T06:37:56.4819620Z             permission_level       = "CAN_MANAGE"
2024-08-12T06:37:56.4819930Z             service_principal_name = "<REDACTED>"
2024-08-12T06:37:56.4820207Z             user_name              = null
2024-08-12T06:37:56.4820361Z         }
2024-08-12T06:37:56.4820506Z         access_control {
2024-08-12T06:37:56.4820679Z             group_name             = "<REDACTED>"
2024-08-12T06:37:56.4820935Z             permission_level       = "CAN_READ"
2024-08-12T06:37:56.4821198Z             service_principal_name = null
2024-08-12T06:37:56.4821454Z             user_name              = null
2024-08-12T06:37:56.4821610Z         }
2024-08-12T06:37:56.4821758Z         access_control {
2024-08-12T06:37:56.4821942Z             group_name             = "<REDACTED>"
2024-08-12T06:37:56.4822133Z             permission_level       = "CAN_READ"
2024-08-12T06:37:56.4822431Z             service_principal_name = null
2024-08-12T06:37:56.4822745Z             user_name              = null
2024-08-12T06:37:56.4822901Z         }
2024-08-12T06:37:56.4823035Z     }
2024-08-12T06:37:56.4823085Z 
2024-08-12T06:37:56.4823429Z   # module.databricks_subteams.databricks_permissions.release_folder["platform"] must be replaced
2024-08-12T06:37:56.4823765Z   # (imported from "/directories/<REDACTED>")
2024-08-12T06:37:56.4824061Z   # Warning: this will destroy the imported resource
2024-08-12T06:37:56.4824386Z -/+ resource "databricks_permissions" "release_folder" {
2024-08-12T06:37:56.4824762Z       - directory_id   = "<REDACTED>" -> null # forces replacement
2024-08-12T06:37:56.4825115Z       + directory_path = "/Repos/platform" # forces replacement
2024-08-12T06:37:56.4825460Z       ~ id             = "/directories/<REDACTED>" -> (known after apply)
2024-08-12T06:37:56.4825770Z       ~ object_type    = "directory" -> (known after apply)
2024-08-12T06:37:56.4825866Z 
2024-08-12T06:37:56.4826010Z         access_control {
2024-08-12T06:37:56.4826247Z             group_name             = null
2024-08-12T06:37:56.4826436Z             permission_level       = "CAN_MANAGE"
2024-08-12T06:37:56.4826743Z             service_principal_name = "<REDACTED>"
2024-08-12T06:37:56.4827022Z             user_name              = null
2024-08-12T06:37:56.4827175Z         }
2024-08-12T06:37:56.4827319Z         access_control {
2024-08-12T06:37:56.4827491Z             group_name             = "<REDACTED>"
2024-08-12T06:37:56.4827690Z             permission_level       = "CAN_READ"
2024-08-12T06:37:56.4827949Z             service_principal_name = null
2024-08-12T06:37:56.4828203Z             user_name              = null
2024-08-12T06:37:56.4828361Z         }
2024-08-12T06:37:56.4828493Z     }
2024-08-12T06:37:56.4828543Z 
2024-08-12T06:37:56.4828792Z Plan: 6 to import, 3 to add, 0 to change, 3 to destroy.

Steps to Reproduce

  1. terraform apply

Terraform and provider versions

Installed databricks/databricks v1.49.1 (self-signed, key ID 92A95A66446BCE3F)

Terraform v1.9.4
on linux_amd64

Is it a regression?

It didn't work with provider version 1.44.0 either.

Debug Output

Important Factoids

Would you like to implement a fix?

@alexott
Contributor

alexott commented Aug 12, 2024

Technically it's correct - when we import a resource, we don't have directory_path, only directory_id, so it's imported into the state. When you're doing a plan, it detects it and forces recreation because it uses a different option than the one you specified in the TF code.

One workaround would be instead of:

```hcl
directory_path = databricks_directory.release_folder[each.key].path
```

use

```hcl
directory_id = databricks_directory.release_folder[each.key].object_id
```

@camilo-s
Author

camilo-s commented Aug 12, 2024

According to the documentation, permissions on directories should be defined using the directory_path attribute.

But still, I don't get it since I'm providing the directory_id with the import blocks (they were missing but I've added them now to the configuration snippet), so the provider should be able to map it to the respective directory_path.

To me the issue looks similar to #3856, where the provider wasn't setting missing IDs when importing the resources.

@alexott
Contributor

alexott commented Aug 12, 2024

We're not doing such remapping - you can either use directory_id or directory_path. When doing import, we obtain only directory_id (the directory_path is just a wrapper around it). #3856 was a very different issue.
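
A CI-side check for the situation discussed in this thread, as an added example that is not part of the issue or of the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports any `databricks_permissions` resource that is both imported and replaced in the same plan, which is the case where the existing workspace ACL would be destroyed and recreated. The sample plan is constructed for illustration, the IDs are placeholders, and the function name is hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json` output.
# Addresses mirror the plan in this issue; the import ID is a placeholder.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": 'module.databricks_subteams.databricks_directory.release_folder["bi"]',
         "type": "databricks_directory",
         "change": {"actions": ["no-op"], "importing": {"id": "/Repos/bi"}}},
        {"address": 'module.databricks_subteams.databricks_permissions.release_folder["bi"]',
         "type": "databricks_permissions",
         "change": {"actions": ["delete", "create"],
                    "importing": {"id": "/directories/<PLACEHOLDER>"},
                    "replace_paths": [["directory_id"], ["directory_path"]]}},
    ]
})


def imported_replacements(plan_json, guarded_types=("databricks_permissions",)):
    """Return (address, [attributes forcing replacement]) for every guarded
    resource that is imported and replaced in the same plan."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is reported as delete+create (in either order).
        replaced = "delete" in actions and "create" in actions
        if rc.get("type") in guarded_types and replaced and "importing" in change:
            attrs = [".".join(str(part) for part in path)
                     for path in change.get("replace_paths", [])]
            findings.append((rc["address"], attrs))
    return findings


if __name__ == "__main__":
    for address, attrs in imported_replacements(SAMPLE_PLAN):
        print(f"BLOCK: {address} would be destroyed after import; forced by {attrs}")
```

Failing the pipeline on a non-empty result stops an import run from silently tearing down and re-creating permissions; switching the resource to `directory_id`, as suggested above, should make the result empty.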

alexott added a commit that referenced this issue Aug 12, 2024
Clarify that permissions on workspace objects (directories/files/notebooks) could be set
either by path or by the object ID, and the import will use only object ID.

This should help with issues like #3882
github-merge-queue bot pushed a commit that referenced this issue Aug 13, 2024
## Changes

Clarify that permissions on workspace objects
(directories/files/notebooks) could be set either by path or by the
object ID, and the import will use only object ID.

This should help with issues like #3882

## Tests

- [ ] `make test` run locally
- [x] relevant change in `docs/` folder
- [ ] covered with integration tests in `internal/acceptance`
- [ ] relevant acceptance tests are passing
- [ ] using Go SDK