CrownBerry
commented
1 year ago I have a similar issue with an account-level group principal.
Group created via terraform:
resource "databricks_group" "this" {
provider = databricks.mws
display_name = "${var.group_name}_${var.environment}"
}I'm trying to grant permission for catalog:
resource "databricks_grants" "catalog" {
provider = databricks.ws
catalog = var.unity_catalog_access_name
grant {
principal = databricks_group.this.display_name
privileges = var.unity_catalog_access_privileges
}
}Plan:
+ resource "databricks_grants" "catalog" {
+ catalog = "[REDACTED]"
+ id = (known after apply)
+ grant {
+ principal = "[REDACTED]"
+ privileges = [
+ "ALL_PRIVILEGES",
]
}
}Result:
│ Error: cannot create grants: Could not find principal with name [REDACTED]
│
│ with module.rbac.module.group["[REDACTED]"].databricks_grants.catalog[0],
│ on modules/rbac/group/main.tf line 27, in resource "databricks_grants" "catalog":
│ 27: resource "databricks_grants" "catalog" {
│terraform: 1.3.7 databricks provider: 1.14.2
nkvuong
Configuration
Expected Behavior
Trying to assign unity catalog permissions on a given catalog using the
databricks_grantsresource. The principalsome@account.comdoes exist in the account level but is not linked to the current workspace the provider is using.Actual Behavior
The provider is not able to resolve the identity. This is not an issue using SQL GRANTS, CLI or Rest API. But for some reason this only works with the terraform if we previously assigned the identity to the workspace. It seems that the provider does the identity lookup only on the workspace level not on the account level.
Steps to Reproduce
terraform apply-->terraform planworks fine but each time we try apply the configuration we get the error from above.Terraform and provider versions
terraform version: 1.3.4 databricks provider version : 1.6.5