Added databricks_service_principal_role resource that grants service principals access to instance profiles #1340

Merged
merged 6 commits into from
May 30, 2022

Contributor

@neinkeinkaffee neinkeinkaffee commented May 27, 2022

This PR proposes to add a new resource databricks_service_principal_role that grants Databricks service principals access to Databricks instance profiles. At the moment, this has to be done as a manual step via the Databricks UI.

Similar attachment/pairing resources already exist for Databricks users (databricks_user_instance_profile superseded by databricks_user_role) and groups (databricks_group_instance_profile).

@neinkeinkaffee neinkeinkaffee changed the title Granting service principals access to instance profiles Add databricks_service_principal_instance_profile resource that grants service principals access to instance profiles May 27, 2022
aws/resource_service_principal_instance_profile.go (outdated, resolved thread)
return m
}).BindResource(common.BindResource{
CreateContext: func(ctx context.Context, servicePrincipalID, role string, c *common.DatabricksClient) error {
return scim.NewServicePrincipalsAPI(ctx, c).Patch(servicePrincipalID, scim.PatchRequest("add", "roles", role))
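
Review bot: In CreateContext, role is passed straight into scim.PatchRequest("add", "roles", role) with no validation visible here, so an empty or malformed value would only be rejected, if at all, by the SCIM API. Because this call grants a service principal access to an instance profile, consider a non-empty check on the role field in the schema and a line in the docs stating which values it accepts.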
Contributor

this won't work as you expect, because servicePrincipalID (int64) is not application_id (uuid). BindResource won't work for your use-case, unless you replace application_id with service_principal_id.

Contributor Author

Thank you @nfx! I changed the resource to accept service_principal_id instead of application_id, and role instead of instance_profile_id.
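
How the renamed arguments fit together, as an added example that is not part of the PR or the provider's documentation: `service_principal_id` takes the SCIM `id` of the service principal rather than its `application_id`, and `role` takes the instance profile. The resource labels, display name and ARN are constructed placeholders, and the attribute names on `databricks_service_principal` and `databricks_instance_profile` are assumed from the provider's public schema.

```hcl
# Constructed placeholder ARN; use an instance profile that exists in your AWS account.
resource "databricks_instance_profile" "etl" {
  instance_profile_arn = "arn:aws:iam::123456789012:instance-profile/example-etl"
}

# Constructed placeholder display name.
resource "databricks_service_principal" "etl" {
  display_name = "example-etl-automation"
}

# One pairing per (service principal, instance profile): the grant is explicit,
# reviewable in the plan, and revoked when this resource is destroyed.
resource "databricks_service_principal_role" "etl" {
  # SCIM id (int64) of the service principal, not application_id (UUID).
  service_principal_id = databricks_service_principal.etl.id

  # The id of a databricks_instance_profile is its instance profile ARN.
  role = databricks_instance_profile.etl.id
}
```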

aws/resource_service_principal_instance_profile.go (outdated, resolved thread)
docs/resources/service_principal_instance_profile.md (outdated, 3 resolved threads)
neinkeinkaffee and others added 2 commits May 28, 2022 07:21
…stead of application_id

Co-authored-by: Serge Smertin <259697+nfx@users.noreply.github.com>
Contributor

@nfx nfx left a comment

Minor consistency changes required

provider/provider.go (outdated, resolved thread)
aws/resource_service_principal_role_test.go (outdated, 3 resolved threads)
codecov bot commented May 29, 2022

Codecov Report

Merging #1340 (ef954da) into master (d0c9b99) will decrease coverage by 0.03%.
The diff coverage is 73.68%.

@@            Coverage Diff             @@
##           master    #1340      +/-   ##
==========================================
- Coverage   90.60%   90.56%   -0.04%     
==========================================
  Files         118      119       +1     
  Lines       10004    10021      +17     
==========================================
+ Hits         9064     9076      +12     
- Misses        559      564       +5     
  Partials      381      381              

| Impacted Files | Coverage Δ |
|---|---|
| scim/resource_service_principal.go | 96.90% <66.66%> (-1.01%) ⬇️ |
| aws/resource_service_principal_role.go | 73.33% <73.33%> (ø) |
| provider/provider.go | 94.89% <100.00%> (+0.03%) ⬆️ |

Contributor

@nfx nfx left a comment

👍

@nfx nfx changed the title Add databricks_service_principal_instance_profile resource that grants service principals access to instance profiles Added databricks_service_principal_role resource that grants service principals access to instance profiles May 30, 2022
@nfx nfx merged commit 3520672 into databricks:master May 30, 2022
@neinkeinkaffee neinkeinkaffee deleted the sp-instance-profile branch May 30, 2022 10:33
nfx added a commit that referenced this pull request May 30, 2022
## 0.5.9

* Added warning section for debug mode ([#1325](#1325)).
* Added ability to specify tags for `databricks_job` ([#1337](#1337)).
* Upgraded AWS provider for AWS guides. Added examples for account-level identities ([#1332](#1332)).
* Updated docs to use `application_id` as privilege for `databricks_service_principal` ([#1336](#1336)).
* Added `databricks_service_principal_role` resource ([#1340](#1340)).
* Fixed integration testing image ([#1342](#1342), [#1343](#1343)).
* Added `skip_validation` for `databricks_external_location` ([#1330](#1330)).
* Added `alert_on_last_attempt` to `databricks_job` ([#1341](#1341)).
* Skip `make test` on doc-only changes ([#1339](#1339)).
* Improve common package test coverage ([#1344](#1344)).
* Re-create purged cluster for `databricks_mount` for AWS S3 ([#1345](#1345)).

Updated dependency versions:

* Bump google.golang.org/api from 0.79.0 to 0.80.0
* Bump github.com/Azure/go-autorest/autorest/adal from 0.9.19 to 0.9.20
@nfx nfx mentioned this pull request May 30, 2022
michael-berk pushed a commit to michael-berk/terraform-provider-databricks that referenced this pull request Feb 15, 2023
This PR adds a new resource `databricks_service_principal_role` that grants Databricks Service Principals access to Databricks Instance Profiles. At the moment, this has to be done as a manual step via the Databricks UI.

Similar attachment/pairing resources already exist for Databricks users (`databricks_user_instance_profile` superseded by `databricks_user_role`) and groups (`databricks_group_instance_profile`).