Open liahagan opened 1 year ago
I'm having the same issue pattern currently with v1.49.1. Sometimes it seems as if the groups/user backend service is not responding correctly. Strangely enough, the same group display names work with other resources such as permissions or assignments but fail with secret acls. Does not make any sense and is fairly annoying.
@mansenfranzen can you share relevant debug logs?
Sorry, I didn't record the debug log. The error just disappeared again after some time without any intervention. Next time it happens, I will catch the log and share it here.
Hello! I just run into the same issue with Terraform 1.9.5 and databricks 1.45.0.
I have the following simple configuration:
variable "project_name" {
type = string
}
variable "keyvault_team" {
type = object({
id = string
name = string
vault_uri = string
})
}
resource "databricks_group" "project" {
display_name = upper(var.project_name)
allow_cluster_create = false
allow_instance_pool_create = false
databricks_sql_access = false
workspace_access = false
}
resource "databricks_secret_scope" "team" {
name = "Scope_${upper(var.project_name)}_team"
keyvault_metadata {
resource_id = var.keyvault_team.id
dns_name = var.keyvault_team.vault_uri
}
}
resource "databricks_secret_acl" "team_acl" {
principal = databricks_group.project.display_name
permission = "READ"
scope = databricks_secret_scope.team.name
}
This is randomly happening with normal terraform apply
or through terraform test
like here:
I didn't capture logs but I did log HTTP call through proxy (not sure if it helps):
Hello @alexott, I've been able to generate logs from this issue but there is no more to see than the HTTP sniffing...
2024-09-06T11:29:02.940+0200 [DEBUG] provider.terraform-provider-databricks_v1.45.0.exe: POST /api/2.0/secrets/acls/put
> {
> "permission": "READ",
> "principal": "A97",
> "scope": "Scope_A97_team"
> }
< HTTP/1.1 200 OK
< {}: tf_provider_addr=registry.terraform.io/databricks/databricks tf_rpc=ApplyResourceChange @module=databricks tf_req_id=f9fb5b01-82cf-82d9-31dd-6e86029902d2 tf_resource_type=databricks_secret_acl @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/logger/logger.go:33 timestamp="2024-09-06T11:29:02.940+0200"
2024-09-06T11:29:03.013+0200 [DEBUG] provider.terraform-provider-databricks_v1.45.0.exe: PATCH /api/2.0/preview/scim/v2/Groups/523061308792933
[...]
2024-09-06T11:29:03.027+0200 [DEBUG] provider.terraform-provider-databricks_v1.45.0.exe: PATCH /api/2.0/preview/scim/v2/Groups/489949216506626
[...]
2024-09-06T11:29:03.177+0200 [DEBUG] provider.terraform-provider-databricks_v1.45.0.exe: GET /api/2.0/secrets/acls/get?principal=A97&scope=Scope_A97_team
< HTTP/1.1 404 Not Found
< {
< "error_code": "RESOURCE_DOES_NOT_EXIST",
< "message": "Failed to get secret acl for principal A97 for scope Scope_A97_team."
< }: tf_provider_addr=registry.terraform.io/databricks/databricks tf_req_id=f9fb5b01-82cf-82d9-31dd-6e86029902d2 tf_rpc=ApplyResourceChange @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/logger/logger.go:33 @module=databricks tf_resource_type=databricks_secret_acl timestamp="2024-09-06T11:29:03.177+0200"
2024-09-06T11:29:03.178+0200 [DEBUG] provider.terraform-provider-databricks_v1.45.0.exe: non-retriable error: Failed to get secret acl for principal A97 for scope Scope_A97_team.: @module=databricks tf_provider_addr=registry.terraform.io/databricks/databricks tf_req_id=f9fb5b01-82cf-82d9-31dd-6e86029902d2 @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/logger/logger.go:33 tf_resource_type=databricks_secret_acl tf_rpc=ApplyResourceChange timestamp="2024-09-06T11:29:03.177+0200"
2024-09-06T11:29:03.178+0200 [ERROR] provider.terraform-provider-databricks_v1.45.0.exe: Response contains error diagnostic: diagnostic_detail="" tf_resource_type=databricks_secret_acl tf_provider_addr=registry.terraform.io/databricks/databricks @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/vendor/github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_severity=ERROR diagnostic_summary="cannot read secret acl: Failed to get secret acl for principal A97 for scope Scope_A97_team." tf_proto_version=5.6 tf_req_id=f9fb5b01-82cf-82d9-31dd-6e86029902d2 tf_rpc=ApplyResourceChange timestamp="2024-09-06T11:29:03.178+0200"
2024-09-06T11:29:03.178+0200 [ERROR] vertex "databricks_secret_acl.team_acl" error: cannot read secret acl: Failed to get secret acl for principal A97 for scope Scope_A97_team.
Configuration
Expected Behavior
terraform apply
succeeds. Groups, workspace assignments and entitlements, secret scope and secret scope ACLs successfully created.Actual Behavior
Secret scope ACL creation fails very often, but not always with this error. No patterns for failure have been discovered.
Steps to Reproduce
Terraform v1.4.6 on darwin_amd64
Debug Output
This is the debug output for
databricks_secret_acl
resources that are created correctly:This is the debug output when creation fails (notice that the POST operation returns a success):
Important Factoids
We have another
databricks_secret_acl
resource in our code that assigns READ access for a service principal to the same secret scope. This has never failed. The only difference is the principal type (service principal vs. account-level group) and that the resource in this issue is looping withfor_each
while the other does not have a loop.