Add instructions for group rule set management #2561

Merged
89 changes: 77 additions & 12 deletions docs/resources/access_control_rule_set.md
Expand Up @@ -6,13 +6,13 @@ subcategory: "Security"

This resource allows you to manage access rules on Databricks account level resources. For convenience we allow accessing this resource through the Databricks account and workspace.

-> **Note** Currently, we only support managing access rules on service principal resources through `databricks_access_control_rule_set`.
-> **Note** Currently, we only support managing access rules on service principal, group and account resources through `databricks_access_control_rule_set`.

-> **Warning** `databricks_access_control_rule_set` cannot be used to manage access rules for resources supported by [databricks_permissions](permissions.md). Refer to its documentation for more information.

## Example usage
## Service principal rule set usage

Rule set management through a Databricks workspace:
Through a Databricks workspace:

```hcl
locals {
Expand All @@ -38,7 +38,7 @@ resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
}
```

Rule set management through AWS Databricks account:
Through AWS Databricks account:

```hcl
locals {
Expand All @@ -47,10 +47,10 @@ locals {

// initialize provider at account-level
provider "databricks" {
host = "https://accounts.cloud.databricks.com"
account_id = local.account_id
username = var.databricks_account_username
password = var.databricks_account_password
host = "https://accounts.cloud.databricks.com"
account_id = local.account_id
client_id = var.client_id
client_secret = var.client_secret
}

// account level group creation
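Review bot: the move from `username`/`password` to `client_id`/`client_secret` in the account-level provider block is the right direction, but the example does not say whose credentials these are or how they should be handled. Suggest a sentence above the block stating that `client_id`/`client_secret` are the OAuth credentials of an account-level service principal, and that the `variable "client_secret"` declaration the reader will need should be marked `sensitive = true` so the secret is redacted from plan and apply output.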
Expand All @@ -72,7 +72,7 @@ resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
}
```

Rule set management through Azure Databricks account:
Through Azure Databricks account:

```hcl
locals {
Expand All @@ -83,7 +83,6 @@ locals {
provider "databricks" {
host = "https://accounts.azuredatabricks.net"
account_id = local.account_id
auth_type = "azure-cli"
}

// account level group creation
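Review bot: dropping `auth_type = "azure-cli"` leaves the Azure account-level provider block with only `host` and `account_id`, so the example no longer says how the provider authenticates. Either keep the explicit `auth_type` or add a sentence stating which credentials the reader is expected to supply (for example through the provider's environment variables); an example that silently relies on auto-detected credentials is easy to misread as needing none. The AWS example in this same file now shows `client_id`/`client_secret` explicitly, and the Azure example should be equally clear.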
Expand All @@ -106,7 +105,7 @@ resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
}
```

Rule set management through GCP Databricks account:
Through GCP Databricks account:

```hcl
locals {
Expand Down Expand Up @@ -138,10 +137,75 @@ resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
}
```

## Group rule set usage

Refer to the appropriate provider configuration as shown in the examples for service principal rule set.

```hcl
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}

// account level group
data "databricks_group" "ds" {
display_name = "Data Science"
}

data "databricks_user" "john" {
user_name = "john.doe@example.com"
}

resource "databricks_access_control_rule_set" "ds_group_rule_set" {
name = "accounts/${local.account_id}/groups/${databricks_group.ds.id}/ruleSets/default"

grant_rules {
principals = [data.databricks_user.john.acl_principal_id]
Contributor review comment: This should be merged only after #2555 is merged - right now we have acl_principal_id only on resources

role = "roles/group.manager"
}
}
```

## Account rule set usage

Refer to the appropriate provider configuration as shown in the examples for service principal rule set.

```hcl
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}

// account level group
data "databricks_group" "ds" {
display_name = "Data Science"
}

data "databricks_user" "john" {
user_name = "john.doe@example.com"
}

resource "databricks_access_control_rule_set" "account_rule_set" {
name = "accounts/${local.account_id}/ruleSets/default"

// user john is manager for all groups in the account
grant_rules {
principals = [data.databricks_user.john.acl_principal_id]
role = "roles/group.manager"
}

// group data science is manager for all service principals in the account
grant_rules {
principals = [data.databricks_user.ds.acl_principal_id]
role = "roles/servicePrincipal.manager"
}
}
```

## Argument Reference

* `name` - (Required) Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
* `accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/default`
* `accounts/{account_id}/groups/{group_id}/ruleSets/default`
* `accounts/{account_id}/ruleSets/default`

* `grant_rules` - (Required) The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
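Review bot: both new examples contain reference bugs that `terraform validate` will reject. In the group rule set, `databricks_group.ds.id` refers to a managed resource, but `ds` is declared as `data "databricks_group" "ds"`, so the `name` should be `accounts/${local.account_id}/groups/${data.databricks_group.ds.id}/ruleSets/default`. In the account rule set, the second `grant_rules` block uses `data.databricks_user.ds.acl_principal_id`, but `ds` is the group data source and no `databricks_user.ds` exists; it should read `data.databricks_group.ds.acl_principal_id`, matching the comment "group data science is manager for all service principals in the account". As the inline review comment notes, `acl_principal_id` is currently exported only by the resources and not the data sources, so both examples depend on #2555 landing first. Finally, `accounts/{account_id}/ruleSets/default` grants `roles/group.manager` over every group and `roles/servicePrincipal.manager` over every service principal in the account; a one-line warning that these are account-wide privileges would stop readers from granting them by copy-paste.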

Expand All @@ -162,9 +226,10 @@ grant_rules {

Arguments of the `grant_rules` block are:

- `role` - (Required) Role to be granted. The supported roles are listed below. For more information about these roles, refer to [service principal roles](https://docs.databricks.com/security/auth-authz/access-control/service-principal-acl.html#service-principal-roles).
- `role` - (Required) Role to be granted. The supported roles are listed below. For more information about these roles, refer to [service principal roles](https://docs.databricks.com/security/auth-authz/access-control/service-principal-acl.html#service-principal-roles) or [group roles](https://docs.databricks.com/en/administration-guide/users-groups/groups.html#manage-roles-on-an-account-group-using-the-workspace-admin-settings-page).
* `roles/servicePrincipal.manager` - Manager of a service principal.
* `roles/servicePrincipal.user` - User of a service principal.
* `roles/group.manager` - Manager of a group.
- `principals` - (Required) a list of principals who are granted a role. The following format is supported:
* `users/{username}` (also exposed as `acl_principal_id` attribute of `databricks_user` resource).
* `groups/{groupname}` (also exposed as `acl_principal_id` attribute of `databricks_group` resource).
Expand Down
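Review bot: the `role` list now mixes roles for different rule set types without saying which `name` format accepts which. From the examples in this file, `roles/group.manager` is used on group and account rule sets and `roles/servicePrincipal.manager` / `roles/servicePrincipal.user` on service principal and account rule sets; stating that next to each role (or in the `name` bullet) would save readers a failed apply. Minor: the group roles link anchors at the workspace admin settings page section, while this resource is account-level; a link to the account-level group roles section would fit better.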
46 changes: 40 additions & 6 deletions internal/acceptance/account_rule_set_test.go
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/assert"

"github.com/databricks/terraform-provider-databricks/common"
"github.com/databricks/terraform-provider-databricks/qa"
)

// Application ID is mandatory in Azure today.
Expand All @@ -28,13 +29,8 @@ func getServicePrincipalResource(cloudEnv string) string {
`
}

func TestMwsAccAccountRuleSetsFullLifeCycle(t *testing.T) {
// This endpoint is restricted to basic auth today, used only by AWS account-level tests.
// Remove this skip when this restriction is lifted in Azure & GCP.
func TestMwsAccAccountServicePrincipalRuleSetsFullLifeCycle(t *testing.T) {
cloudEnv := os.Getenv("CLOUD_ENV")
if cloudEnv != "aws" {
t.Skip("Skipping test in Azure")
}
spResource := getServicePrincipalResource(cloudEnv)
accountLevel(t, step{
Template: spResource + `
Expand Down Expand Up @@ -68,3 +64,41 @@ func TestMwsAccAccountRuleSetsFullLifeCycle(t *testing.T) {
}),
})
}

func TestMwsAccAccountGroupRuleSetsFullLifeCycle(t *testing.T) {
username := qa.RandomEmail()
accountLevel(t, step{
Template: `
resource "databricks_user" "this" {
user_name = "` + username + `"
}
resource "databricks_group" "this" {
display_name = "Group {var.RANDOM}"
}
resource "databricks_access_control_rule_set" "group_rule_set" {
name = "accounts/{env.DATABRICKS_ACCOUNT_ID}/groups/${databricks_group.this.id}/ruleSets/default"
grant_rules {
principals = [
databricks_user.this.acl_principal_id
]
role = "roles/group.manager"
}
}`,
Check: resourceCheck("databricks_access_control_rule_set.group_rule_set",
func(ctx context.Context, client *common.DatabricksClient, id string) error {
a, err := client.AccountClient()
if err != nil {
return err
}
ruleSetRes, err := a.AccessControl.GetRuleSet(ctx, iam.GetRuleSetRequest{
Name: id,
Etag: "",
})
if err != nil {
return err
}
assert.Equal(t, len(ruleSetRes.GrantRules), 1)
return nil
}),
})
}
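Review bot: the Check only asserts `len(ruleSetRes.GrantRules) == 1`, which passes for any single grant, including one with the wrong principal or role. Assert the content as well, e.g. `assert.Equal(t, "roles/group.manager", ruleSetRes.GrantRules[0].Role)` and that `ruleSetRes.GrantRules[0].Principals` contains the created user's principal id (in the `users/{username}` form documented for `acl_principal_id`, so `"users/" + username` from the test). Also, testify's `assert.Equal` takes `(t, expected, actual)`; the current call has them reversed, which only garbles the failure message but is worth fixing while here.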