databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_service_principal` Resource #1521

Closed panselaukik closed 2 years ago

panselaukik commented 2 years ago

Configuration

```hcl
terraform {
  required_version = ">=v0.14.7"
}
```

Expected Behavior

```hcl
resource "databricks_service_principal" "sp" {
  display_name         = "Example service principal"
  allow_cluster_create = true
}
```

The resource should create a service principal in Databricks hosted on the AWS cloud without passing the `application_id`, as the documentation says: "application_id - This is the application id of the given service principal and will be their form of access and identity. On other clouds than Azure this value is auto-generated."

Actual Behavior

`Error: cannot create service principal: Required attribute applicationID is missing in the SCIM Object. Request is unparsable, syntactically incorrect, or violates schema.`

Steps to Reproduce

```hcl
resource "databricks_service_principal" "sp" {
  display_name         = "Example service principal"
  allow_cluster_create = true
}
```

```shell
terraform plan
terraform apply
```

Terraform and provider versions

```hcl
databricks = {
  source  = "databricks/databricks"
  version = "1.2.0"
}
```

```hcl
terraform {
  required_version = ">=v0.14.7"
}
```

alexott commented 2 years ago

Show your provider block - are you trying it against account or workspace?

panselaukik commented 2 years ago

> Show your provider block - are you trying it against account or workspace?

If I try it with the account block, it creates the first time, but if you run `terraform plan` again, it errors out saying ApplicationID should not be passed.

alexott commented 2 years ago

Anyway, paste your provider configuration

panselaukik commented 2 years ago

```hcl
provider "databricks" {
  alias      = "mws"
  host       = "https://accounts.cloud.databricks.com"
  account_id = var.account_id
  username   = var.databricks-username
  password   = var.databricks-password
}
```

alexott commented 2 years ago

Thank you. @nfx - is it a known issue with identity federation?

panselaukik commented 2 years ago

FYI: These are 2 different things:

If you use:

```hcl
provider "databricks" {
  host  = var.databricks_host
  token = var.databricks_token
  alias = "example-alias"
}
```

It won't create a Service Principal at all, with the error: `Error: cannot create service principal: Required attribute applicationID is missing in the SCIM Object. Request is unparsable, syntactically incorrect, or violates schema.`

If you use:

```hcl
provider "databricks" {
  alias      = "mws"
  host       = "https://accounts.cloud.databricks.com"
  account_id = var.account_id
  username   = var.databricks-username
  password   = var.databricks-password
}
```

This should create the service principal on your first run, but if you run `terraform plan` again, it will error saying that applicationId is passed.

panselaukik commented 2 years ago

@alexott I was able to create the Service Principals; maybe some additional documentation is needed.

1. Create Service Principal on account level
2. Add to a group on account level
3. Give Token Creation permission on workspace level
4. Create OBO token on workspace level

Also, one issue is that I cannot create a non-expiring token: the resource `databricks_obo_token` errors out if we don't pass `lifetime_seconds`.

Thank you
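The four steps above written out as one Terraform configuration. This is an added illustration, not code from the issue or from the provider's own examples; the two provider aliases, the `var.*` names, the group name `automation`, the 24-hour token lifetime and the assumption that the account-level principal is visible in the target workspace are all mine.

```hcl
# Account-level provider (identity federation): service principals and groups live here.
provider "databricks" {
  alias      = "mws"
  host       = "https://accounts.cloud.databricks.com"
  account_id = var.account_id
  username   = var.databricks-username
  password   = var.databricks-password
}

# Workspace-level provider: token permissions and OBO tokens are workspace objects.
provider "databricks" {
  alias = "workspace"
  host  = var.databricks_host
  token = var.databricks_token
}

# Step 1: account-level service principal; application_id is omitted on AWS, the account API generates it.
resource "databricks_service_principal" "sp" {
  provider     = databricks.mws
  display_name = "Example service principal"
}

# Step 2: add it to an account-level group (group name is assumed).
resource "databricks_group" "automation" {
  provider     = databricks.mws
  display_name = "automation"
}

resource "databricks_group_member" "sp_in_group" {
  provider  = databricks.mws
  group_id  = databricks_group.automation.id
  member_id = databricks_service_principal.sp.id
}

# Step 3: grant the service principal token usage in the workspace.
resource "databricks_permissions" "token_usage" {
  provider      = databricks.workspace
  authorization = "tokens"
  access_control {
    service_principal_name = databricks_service_principal.sp.application_id
    permission_level       = "CAN_USE"
  }
}

# Step 4: on-behalf-of token; lifetime_seconds is required, so set a bounded lifetime (value assumed).
resource "databricks_obo_token" "sp_token" {
  provider         = databricks.workspace
  application_id   = databricks_service_principal.sp.application_id
  lifetime_seconds = 86400
}
```

The minted token is exposed as `databricks_obo_token.sp_token.token_value` and is stored in Terraform state, so the state backend needs the same protection as the token itself.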

alexott commented 2 years ago

All tokens need to have a lifetime; non-expiring tokens aren't recommended... Regarding documentation - please open a PR for it.

panselaukik commented 2 years ago

Hi @alexott, there are some apps we connect to Databricks where we use non-expiring tokens. Currently we use the APIs to create those tokens, which allow omitting the `lifetime_seconds` parameter and creating such tokens. We are now implementing this through Terraform; is this something we can add to the resource? Thank you

nfx commented 2 years ago

@panselaukik did you try setting application_id in the resource?