From a8697675a30aa05cefec436b7e90dddfe93e3351 Mon Sep 17 00:00:00 2001
From: Leonid Frolov <51460118+leonidfrolov@users.noreply.github.com>
Date: Wed, 25 Sep 2024 14:18:50 +0300
Subject: [PATCH 1/2] feat: resource to grant CAN_USE permissions to groups

---
 cluster.tf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/cluster.tf b/cluster.tf
index eaf4d56..0d4dc20 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -116,6 +116,23 @@ resource "databricks_cluster_policy" "this" {
 definition = jsonencode(each.value)
 }
 
+resource "databricks_permissions" "this" {
+ for_each = {
+ for param in var.custom_cluster_policies : (param.name) => param.can_use
+ if param.can_use != null
+ }
+
+ cluster_policy_id = databricks_cluster_policy.this[each.key].id
+
+ dynamic "access_control" {
+ for_each = each.value
+ content {
+ group_name = access_control.value
+ permission_level = "CAN_USE"
+ }
+ }
+}
+
 resource "databricks_cluster_policy" "overrides" {
 for_each = {
 for param in var.default_cluster_policies_override : (param.name) => param

From 680b48dd7782759dcac625d21a382e70896b1899 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 25 Sep 2024 11:19:30 +0000
Subject: [PATCH 2/2] terraform-docs: automated action

---
 README.md | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 47a0db7..418eaef 100644
--- a/README.md
+++ b/README.md
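Review bot: The filter `if param.can_use != null` in the new `for_each` lets an empty `can_use = []` through, which yields a `databricks_permissions` resource with no `access_control` block at all — the provider is likely to reject that at plan or apply time — so tighten it to `if param.can_use != null && length(param.can_use) > 0`. `databricks_permissions` is also authoritative for the object's ACL: on every apply any CAN_USE grant made to this policy outside Terraform is revoked and only the listed groups keep it, which is the right least-privilege behaviour but deserves a comment above the resource such as `# Authoritative: replaces the policy's whole ACL; groups not listed in can_use lose CAN_USE on apply.`. The groups are referenced by name string only, so if they are created by this same module the reference gives Terraform no dependency edge and a first apply may race the group creation; a `depends_on` on the group resource may be needed — confirm against how `databricks_permissions.clusters` elsewhere in the file handles it. The `resource "databricks_cluster_policy" "overrides"` block at the end of the hunk continues outside it.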
@@ -193,6 +193,7 @@ No modules. | [databricks_mount.adls](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/mount) | resource | | [databricks_permissions.clusters](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource | | [databricks_permissions.sql_endpoint](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource | +| [databricks_permissions.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource | | [databricks_secret.main](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret) | resource | | [databricks_secret.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret) | resource | | [databricks_secret_acl.external](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_acl) | resource | @@ -213,30 +214,30 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [clusters](#input\_clusters) | Set of objects with parameters to configure Databricks clusters and assign permissions to it for certain custom groups |
set(object({
cluster_name = string
spark_version = optional(string, "13.3.x-scala2.12")
spark_conf = optional(map(any), {})
cluster_conf_passthrought = optional(bool, false)
spark_env_vars = optional(map(any), {})
data_security_mode = optional(string, "USER_ISOLATION")
node_type_id = optional(string, "Standard_D3_v2")
autotermination_minutes = optional(number, 30)
min_workers = optional(number, 1)
max_workers = optional(number, 2)
availability = optional(string, "ON_DEMAND_AZURE")
first_on_demand = optional(number, 0)
spot_bid_max_price = optional(number, 1)
cluster_log_conf_destination = optional(string, null)
init_scripts_workspace = optional(set(string), [])
init_scripts_volumes = optional(set(string), [])
init_scripts_dbfs = optional(set(string), [])
init_scripts_abfss = optional(set(string), [])
single_user_name = optional(string, null)
single_node_enable = optional(bool, false)
custom_tags = optional(map(string), {})
permissions = optional(set(object({
group_name = string
permission_level = string
})), [])
pypi_library_repository = optional(set(string), [])
maven_library_repository = optional(set(object({
coordinates = string
exclusions = set(string)
})), [])
}))
| `[]` | no | +| [clusters](#input\_clusters) | Set of objects with parameters to configure Databricks clusters and assign permissions to it for certain custom groups |
set(object({
cluster_name = string
spark_version = optional(string, "13.3.x-scala2.12")
spark_conf = optional(map(any), {})
cluster_conf_passthrought = optional(bool, false)
spark_env_vars = optional(map(any), {})
data_security_mode = optional(string, "USER_ISOLATION")
node_type_id = optional(string, "Standard_D3_v2")
autotermination_minutes = optional(number, 30)
min_workers = optional(number, 1)
max_workers = optional(number, 2)
availability = optional(string, "ON_DEMAND_AZURE")
first_on_demand = optional(number, 0)
spot_bid_max_price = optional(number, 1)
cluster_log_conf_destination = optional(string, null)
init_scripts_workspace = optional(set(string), [])
init_scripts_volumes = optional(set(string), [])
init_scripts_dbfs = optional(set(string), [])
init_scripts_abfss = optional(set(string), [])
single_user_name = optional(string, null)
single_node_enable = optional(bool, false)
custom_tags = optional(map(string), {})
permissions = optional(set(object({
group_name = string
permission_level = string
})), [])
pypi_library_repository = optional(set(string), [])
maven_library_repository = optional(set(object({
coordinates = string
exclusions = set(string)
})), [])
}))
| `[]` | no | | [create\_databricks\_access\_policy\_to\_key\_vault](#input\_create\_databricks\_access\_policy\_to\_key\_vault) | Boolean flag to enable creation of Key Vault Access Policy for Databricks Global Service Principal. | `bool` | `true` | no | -| [custom\_cluster\_policies](#input\_custom\_cluster\_policies) | Provides an ability to create custom cluster policy, assign it to cluster and grant CAN\_USE permissions on it to certain custom groups
name - name of custom cluster policy to create
can\_use - list of string, where values are custom group names, there groups have to be created with Terraform;
definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; |
list(object({
name = string
can_use = list(string)
definition = any
}))
|
[
{
"can_use": null,
"definition": null,
"name": null
}
]
| no | -| [default\_cluster\_policies\_override](#input\_default\_cluster\_policies\_override) | Provides an ability to override default cluster policy
name - name of cluster policy to override
family\_id - family id of corresponding policy
definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; |
list(object({
name = string
family_id = string
definition = any
}))
|
[
{
"definition": null,
"family_id": null,
"name": null
}
]
| no | +| [custom\_cluster\_policies](#input\_custom\_cluster\_policies) | Provides an ability to create custom cluster policy, assign it to cluster and grant CAN\_USE permissions on it to certain custom groups
name - name of custom cluster policy to create
can\_use - list of string, where values are custom group names, there groups have to be created with Terraform;
definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; |
list(object({
name = string
can_use = list(string)
definition = any
}))
|
[
{
"can_use": null,
"definition": null,
"name": null
}
]
| no | +| [default\_cluster\_policies\_override](#input\_default\_cluster\_policies\_override) | Provides an ability to override default cluster policy
name - name of cluster policy to override
family\_id - family id of corresponding policy
definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; |
list(object({
name = string
family_id = string
definition = any
}))
|
[
{
"definition": null,
"family_id": null,
"name": null
}
]
| no | | [global\_databricks\_sp\_object\_id](#input\_global\_databricks\_sp\_object\_id) | Global 'AzureDatabricks' SP object id. Used to create Key Vault Access Policy for Secret Scope | `string` | `"9b38785a-6e08-4087-a0c4-20634343f21f"` | no | -| [iam\_account\_groups](#input\_iam\_account\_groups) | List of objects with group name and entitlements for this group |
list(object({
group_name = optional(string)
entitlements = optional(list(string))
}))
| `[]` | no | -| [iam\_workspace\_groups](#input\_iam\_workspace\_groups) | Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements. |
map(object({
user = optional(list(string))
service_principal = optional(list(string))
entitlements = optional(list(string))
}))
| `{}` | no | +| [iam\_account\_groups](#input\_iam\_account\_groups) | List of objects with group name and entitlements for this group |
list(object({
group_name = optional(string)
entitlements = optional(list(string))
}))
| `[]` | no | +| [iam\_workspace\_groups](#input\_iam\_workspace\_groups) | Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements. |
map(object({
user = optional(list(string))
service_principal = optional(list(string))
entitlements = optional(list(string))
}))
| `{}` | no | | [ip\_rules](#input\_ip\_rules) | Map of IP addresses permitted for access to DB | `map(string)` | `{}` | no | -| [key\_vault\_secret\_scope](#input\_key\_vault\_secret\_scope) | Object with Azure Key Vault parameters required for creation of Azure-backed Databricks Secret scope |
list(object({
name = string
key_vault_id = string
dns_name = string
tenant_id = string
}))
| `[]` | no | +| [key\_vault\_secret\_scope](#input\_key\_vault\_secret\_scope) | Object with Azure Key Vault parameters required for creation of Azure-backed Databricks Secret scope |
list(object({
name = string
key_vault_id = string
dns_name = string
tenant_id = string
}))
| `[]` | no | | [mount\_adls\_passthrough](#input\_mount\_adls\_passthrough) | Boolean flag to use mount options for credentials passthrough. Should be used with mount\_cluster\_name, specified cluster should have option cluster\_conf\_passthrought == true | `bool` | `false` | no | | [mount\_cluster\_name](#input\_mount\_cluster\_name) | Name of the cluster that will be used during storage mounting. If mount\_adls\_passthrough == true, cluster should also have option cluster\_conf\_passthrought == true | `string` | `null` | no | | [mount\_enabled](#input\_mount\_enabled) | Boolean flag that determines whether mount point for storage account filesystem is created | `bool` | `false` | no | | [mount\_service\_principal\_client\_id](#input\_mount\_service\_principal\_client\_id) | Application(client) Id of Service Principal used to perform storage account mounting | `string` | `null` | no | | [mount\_service\_principal\_secret](#input\_mount\_service\_principal\_secret) | Service Principal Secret used to perform storage account mounting | `string` | `null` | no | | [mount\_service\_principal\_tenant\_id](#input\_mount\_service\_principal\_tenant\_id) | Service Principal tenant id used to perform storage account mounting | `string` | `null` | no | -| [mountpoints](#input\_mountpoints) | Mountpoints for databricks |
map(object({
storage_account_name = string
container_name = string
}))
| `{}` | no | +| [mountpoints](#input\_mountpoints) | Mountpoints for databricks |
map(object({
storage_account_name = string
container_name = string
}))
| `{}` | no | | [pat\_token\_lifetime\_seconds](#input\_pat\_token\_lifetime\_seconds) | The lifetime of the token, in seconds. If no lifetime is specified, the token remains valid indefinitely | `number` | `315569520` | no | -| [secret\_scope](#input\_secret\_scope) | Provides an ability to create custom Secret Scope, store secrets in it and assigning ACL for access management
scope\_name - name of Secret Scope to create;
acl - list of objects, where 'principal' custom group name, this group is created in 'Premium' module; 'permission' is one of "READ", "WRITE", "MANAGE";
secrets - list of objects, where object's 'key' param is created key name and 'string\_value' is a value for it; |
list(object({
scope_name = string
acl = optional(list(object({
principal = string
permission = string
})))
secrets = optional(list(object({
key = string
string_value = string
})))
}))
|
[
{
"acl": null,
"scope_name": null,
"secrets": null
}
]
| no | -| [sql\_endpoint](#input\_sql\_endpoint) | Set of objects with parameters to configure SQL Endpoint and assign permissions to it for certain custom groups |
set(object({
name = string
cluster_size = optional(string, "2X-Small")
min_num_clusters = optional(number, 0)
max_num_clusters = optional(number, 1)
auto_stop_mins = optional(string, "30")
enable_photon = optional(bool, false)
enable_serverless_compute = optional(bool, false)
spot_instance_policy = optional(string, "COST_OPTIMIZED")
warehouse_type = optional(string, "PRO")
permissions = optional(set(object({
group_name = string
permission_level = string
})), [])
}))
| `[]` | no | +| [secret\_scope](#input\_secret\_scope) | Provides an ability to create custom Secret Scope, store secrets in it and assigning ACL for access management
scope\_name - name of Secret Scope to create;
acl - list of objects, where 'principal' custom group name, this group is created in 'Premium' module; 'permission' is one of "READ", "WRITE", "MANAGE";
secrets - list of objects, where object's 'key' param is created key name and 'string\_value' is a value for it; |
list(object({
scope_name = string
acl = optional(list(object({
principal = string
permission = string
})))
secrets = optional(list(object({
key = string
string_value = string
})))
}))
|
[
{
"acl": null,
"scope_name": null,
"secrets": null
}
]
| no | +| [sql\_endpoint](#input\_sql\_endpoint) | Set of objects with parameters to configure SQL Endpoint and assign permissions to it for certain custom groups |
set(object({
name = string
cluster_size = optional(string, "2X-Small")
min_num_clusters = optional(number, 0)
max_num_clusters = optional(number, 1)
auto_stop_mins = optional(string, "30")
enable_photon = optional(bool, false)
enable_serverless_compute = optional(bool, false)
spot_instance_policy = optional(string, "COST_OPTIMIZED")
warehouse_type = optional(string, "PRO")
permissions = optional(set(object({
group_name = string
permission_level = string
})), [])
}))
| `[]` | no | | [suffix](#input\_suffix) | Optional suffix that would be added to the end of resources names. | `string` | `""` | no | -| [system\_schemas](#input\_system\_schemas) | Set of strings with all possible System Schema names | `set(string)` |
[
"access",
"billing",
"compute",
"marketplace",
"storage"
]
| no | +| [system\_schemas](#input\_system\_schemas) | Set of strings with all possible System Schema names | `set(string)` |
[
"access",
"billing",
"compute",
"marketplace",
"storage"
]
| no | | [system\_schemas\_enabled](#input\_system\_schemas\_enabled) | System Schemas only works with assigned Unity Catalog Metastore. Boolean flag to enabled this feature | `bool` | `false` | no | | [user\_object\_ids](#input\_user\_object\_ids) | Map of AD usernames and corresponding object IDs | `map(string)` | `{}` | no | -| [workspace\_admins](#input\_workspace\_admins) | Provide users or service principals to grant them Admin permissions in Workspace. |
object({
user = list(string)
service_principal = list(string)
})
|
{
"service_principal": null,
"user": null
}
| no | +| [workspace\_admins](#input\_workspace\_admins) | Provide users or service principals to grant them Admin permissions in Workspace. |
object({
user = list(string)
service_principal = list(string)
})
|
{
"service_principal": null,
"user": null
}
| no | ## Outputs