Open camilo-s opened 1 year ago
Ideally this should follow the schema for databricks_mws_permission_assignment
, which does have a workspace_id
attribute.
@camilo-s it is a bit confusing, but databricks_mws_permission_assignment
is meant to be used at account level, and databricks_permission_assignment
is meant to be used at workspace level (and therefore does not require a workspace id)
@nkvuong I understand this. But then how might databricks_permission_assignment
possibly be used to provision existing account-level groups at the workspace level at all? It acts at workspace level (i.e. calling the Permission Assignment Workspace API) which is agnostic to account-level groups, so it rightfully returns an error for not being able to find the account-level groups by ID, as I've indicated in #2239.
I made an attempt to leverage databricks_mws_permission_assignment
to call the Permission Assignment Account API for my Azure Databricks account, but that API doesn't seem to work for Azure at the moment (documented in #2239).
Use-cases
Here's a summary of my use-case (also described in #2239):
azurerm
,azuread
,databricks
.Attempted Solutions
My current solution proceeds as follows:
databricks_group
data source using the account-level provider (which is authenticated using Azure MSI): This works.databricks_permission_assignment
resource using the workspace-level provider: The resource's documentation indicates this is the right way to enable groups at workspace level, but it doesn't work because it can't find the groups by ID. This is kind of understandable: This resource will talk to the Permission Assignment Workspace API/api/2.0/preview/permissionassignments/principals/{principal_id}
, which has no way to know which groups exist at account-level but not at workspace-level.Proposal
My proposals are:
To enable this resource for use with an account provider, so it can talk to the Permission Assignment Account API, and correspondingly expose the
workspace_id
parameter of this API.References