databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_permissions` resource when using with a SQL Warehouse endpoint #2678

Closed thaiphv closed 12 months ago

thaiphv commented 1 year ago

Configuration

resource "databricks_sql_endpoint" "this" {
  auto_stop_mins       = var.auto_stop_mins
  cluster_size         = var.cluster_size
  max_num_clusters     = var.max_num_clusters
  name                 = local.endpoint_name
  spot_instance_policy = var.spot_instance_policy
  warehouse_type       = "PRO"
  channel {
    name = "CHANNEL_NAME_CURRENT"
  }
}

resource "databricks_group" "this" {
  display_name = "${local.endpoint_name} Usage"
  provider = databricks.mws
}

resource "databricks_permissions" "this" {
  sql_endpoint_id = databricks_sql_endpoint.this.id

  access_control {
    group_name       = databricks_group.this.display_name
    permission_level = "CAN_USE"
  }
}

Expected Behavior

The databricks_permissions resource is created successfully.

Actual Behavior

Terraform failed to apply with the error:

Error: cannot create permissions: PUT requests for warehouse a2325222d375d1cb with no existing owner must provide a new owner.
  with module.shared_small.databricks_permissions.this,

If I followed the error message and granted "IS_OWNER" to the service user, Terraform failed with a different error:

Error: cannot create permissions: it is not possible to decrease administrative permissions for the current user: <redacted>
  with module.shared_small.databricks_permissions.this,

Steps to Reproduce

  1. terraform apply

Terraform and provider versions

Terraform: 1.4.6 Databricks provider: 1.25.0

Debug Output

2023-09-12T18:12:54.686+1000 [ERROR] provider.terraform-provider-databricks_v1.25.0: Response contains error diagnostic: diagnostic_detail= tf_proto_version=5.4 tf_resource_type=databricks_permissions tf_rpc=ApplyResourceChange @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/vendor/github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_severity=ERROR diagnostic_summary="cannot create permissions: PUT requests for warehouse a2325222d375d1cb with no existing owner must provide a new owner." tf_provider_addr=registry.terraform.io/databricks/databricks tf_req_id=39343cb6-b0f2-3c20-aeec-f2226c00b2fa timestamp=2023-09-12T18:12:54.686+1000 
2023-09-12T18:12:54.687+1000 [ERROR] vertex "module.shared_small.databricks_permissions.this" error: cannot create permissions: PUT requests for warehouse a2325222d375d1cb with no existing owner must provide a new owner. 
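A triage helper for debug output like the above, added here as an example and not part of the original issue or the provider's code: it parses the provider's `[ERROR]` diagnostic lines and reports which warehouse, provider version and RPC hit the "no existing owner" PUT failure. The lines in `SAMPLE_LOG` are constructed (the warehouse ID and user are placeholders) and the function names are hypothetical.

```python
import re

# Constructed sample in the provider's debug-log layout; IDs and user are placeholders.
SAMPLE_LOG = """\
2023-01-01T00:00:00.000+0000 [ERROR] provider.terraform-provider-databricks_v1.25.0: Response contains error diagnostic: diagnostic_detail= tf_resource_type=databricks_permissions tf_rpc=ApplyResourceChange diagnostic_severity=ERROR diagnostic_summary="cannot create permissions: PUT requests for warehouse aaaa000000000001 with no existing owner must provide a new owner." timestamp=2023-01-01T00:00:00.000+0000
2023-01-01T00:00:00.001+0000 [ERROR] vertex "module.example.databricks_permissions.this" error: cannot create permissions: PUT requests for warehouse aaaa000000000001 with no existing owner must provide a new owner.
2023-01-01T00:00:01.000+0000 [ERROR] provider.terraform-provider-databricks_v1.25.0: Response contains error diagnostic: diagnostic_detail= tf_resource_type=databricks_permissions tf_rpc=ApplyResourceChange diagnostic_severity=ERROR diagnostic_summary="cannot create permissions: it is not possible to decrease administrative permissions for the current user: user@example.com" timestamp=2023-01-01T00:00:01.000+0000
"""

# key=value pairs; a value is either double-quoted, bare, or empty.
KV = re.compile(r'([@\w]+)=("(?:[^"\\]|\\.)*"|\S*)')
OWNERLESS_PUT = re.compile(r"PUT requests for warehouse (\S+) with no existing owner")
PROVIDER_VERSION = re.compile(r"terraform-provider-databricks_v(\d+\.\d+\.\d+)")


def parse_fields(line):
    """Return the key=value pairs of one log line, with surrounding quotes removed."""
    fields = {}
    for key, value in KV.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def ownerless_put_failures(log_text):
    """Return one record per provider diagnostic reporting the ownerless-PUT error."""
    hits = []
    for line in log_text.splitlines():
        # Only the provider diagnostic line has structured fields; the "vertex"
        # line repeats the same message and would double-count the failure.
        if "[ERROR]" not in line or "diagnostic_summary=" not in line:
            continue
        fields = parse_fields(line)
        match = OWNERLESS_PUT.search(fields.get("diagnostic_summary", ""))
        if not match:
            continue
        version = PROVIDER_VERSION.search(line)
        hits.append({
            "warehouse": match.group(1),
            "provider_version": version.group(1) if version else None,
            "resource_type": fields.get("tf_resource_type"),
            "rpc": fields.get("tf_rpc"),
            "timestamp": fields.get("timestamp"),
        })
    return hits


if __name__ == "__main__":
    for hit in ownerless_put_failures(SAMPLE_LOG):
        print(hit)
```

Run over a log captured with `TF_LOG` set, the result shows at a glance whether every failing warehouse comes from the same provider version and resource type.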

vsluc commented 1 year ago

I am facing the same issue using this resource. But the update permissions API https://docs.databricks.com/api/workspace/warehouses/updatepermissions and the UI work fine. Would be great to have the issue fixed in terraform.

tanmay-db commented 1 year ago

There was a recent fix for an issue similar to this https://github.com/databricks/terraform-provider-databricks/pull/2600. cc: @nkvuong

vsluc commented 1 year ago

> There was a recent fix for an issue similar to this #2600. cc: @nkvuong

Thanks @tanmay-db. I am using the latest tf version 1.25.0 and the reported issue persists.

nkvuong commented 1 year ago

@vsluc could I confirm a few more details:

vsluc commented 1 year ago

@nkvuong

> which identity is terraform executed as? does it have any admin permission?

The terraform uses a service principal which is granted admin privileges on the workspace.

> the error it is not possible to decrease administrative permissions for the current user: what user is that?

Error: cannot create permissions: PUT requests for warehouse <redacted> with no existing owner must provide a new owner.

Is the error I am getting. I didn't get the error that you pointed out. But I tried to explicitly add the IS_OWNER privilege for the service principal which created the SQL endpoint as per the documentation, but it didn't help. Same error as I have provided.

Below is the code snippet I tried:

resource "databricks_permissions" "endpoint_usage" {
  sql_endpoint_id = databricks_sql_endpoint.bi_small.id

  access_control {
    service_principal_name = <service principal which created the SQL endpoint>
    permission_level       = "IS_OWNER"
  }

  access_control {
    group_name       = <account group>
    permission_level = var.sql_endpoint_bi_small_team_bi_grants
  }
}

thaiphv commented 1 year ago

> @vsluc could I confirm a few more details:
>
>   • which identity is terraform executed as? does it have any admin permission?

@nkvuong I guess the question is for me as I reported the issue. I used a user account with admin privileges for authentication.

>   • the error it is not possible to decrease administrative permissions for the current user: <redacted> what user is that?

Again it's just a normal user account with username/password.

tanmay-db commented 1 year ago

Hi @thaiphv @vsluc, we are working to get the DEBUG logs working so we can debug further with logs. That work is in progress: https://github.com/databricks/terraform-provider-databricks/pull/2706. After this is done and released, could you please send the logs?

sfalquier commented 1 year ago

I am facing the same issue with version 1.26.0

kolyarice commented 1 year ago

I am experiencing this issue as well with v1.26.0. Tried rolling back to v1.23.0 but get a version conflict with existing state ;(

Error: Resource instance managed by newer provider version

The current state of databricks_metastore_data_access.metastore_dac was created by a newer provider version than is currently selected. Upgrade the databricks provider to work with this state.

marcin-sg commented 1 year ago

Same on 1.25.0. It looks to me that tf user is getting implicitly CAN_MANAGE permission instead of IS_OWNER.

tanmay-db commented 1 year ago

For some use cases using 1.24 seems to work but I don't think that resolves the exact issue described above. We are investigating. Mentioning for visibility.

tanmay-db commented 12 months ago

PR with fix: https://github.com/databricks/terraform-provider-databricks/issues/2678. We are working to check compatibility with https://github.com/databricks/terraform-provider-databricks/issues/2268

thaiphv commented 12 months ago

Trying again with 1.26.0 but got a different error:

2023-09-27T17:08:56.551+1000 [ERROR] provider.terraform-provider-databricks_v1.26.0: Response contains error diagnostic: tf_proto_version=5.4 tf_provider_addr=registry.terraform.io/databricks/databricks tf_req_id=c70a4be7-0b4d-10e4-2446-bcfd80e5cf85 diagnostic_detail= diagnostic_summary="cannot create permissions: PUT requests for warehouse 7c9d015e990d0e7b with no existing owner must provide a new owner." @module=sdk.proto diagnostic_severity=ERROR tf_resource_type=databricks_permissions tf_rpc=ApplyResourceChange @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/vendor/github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/diag/diagnostics.go:58 timestamp=2023-09-27T17:08:56.551+1000

tanmay-db commented 12 months ago

We are doing a terraform release today, the issue got auto closed with PR merge (https://github.com/databricks/terraform-provider-databricks/pull/2719). Reopening for the time being.

tanmay-db commented 12 months ago

Hi @kolyarice @vsluc @thaiphv can you please try with 1.27.0 and see if it resolves the issue? Thanks.

kolyarice commented 12 months ago

1.27.0 resolved the issue, thanks!

alexott commented 12 months ago

closed as it was confirmed as fixed

tanmay-db commented 11 months ago

Hi @kolyarice, a question regarding:

> I am experiencing this issue as well with v1.26.0. Tried rolling back to v1.23.0 but get a version conflict with existing state ;(
>
> Error: Resource instance managed by newer provider version
>
> The current state of databricks_metastore_data_access.metastore_dac was created by a newer provider version than is currently selected. Upgrade the databricks provider to work with this state.

Just to confirm, did you try terraform init -upgrade after lowering the version?

kolyarice commented 11 months ago

> Just to confirm, did you try terraform init -upgrade after lowering the version?

Yes, I used that command to install the older provider version (after adding a version statement in the required_providers block).

nkvuong commented 11 months ago

@tanmay-db the rollback failed as there was a state upgrade for databricks_metastore_data_access in v.1.25. This is an edge case and does not happen frequently.

shortpoet commented 10 months ago

We still get this issue with v1.28.0

opened https://github.com/databricks/terraform-provider-databricks/issues/2865

Terraform v1.4.6 on windows_amd64

│ Error: cannot update permissions: PUT requests for warehouse 3bc8a799f01c9aa6 with no existing owner must provide a new owner.
│
│   with module.databricks_components_dev.module.databricks_components.databricks_permissions.endpoint_usage["llc_warehouse"],
│   on .terraform\modules\databricks_components_dev.databricks_components\permissions_sql_warehouse.tf line 1, in resource "databricks_permissions" "endpoint_usage":
│    1: resource "databricks_permissions" "endpoint_usage" {
│
╵
╷
│ Error: cannot update permissions: PUT requests for warehouse 8b7cd3ca6ff1ccfc with no existing owner must provide a new owner.
│
│   with module.databricks_components_dev.module.databricks_components.databricks_permissions.endpoint_usage["pbi_warehouse"],
│   on .terraform\modules\databricks_components_dev.databricks_components\permissions_sql_warehouse.tf line 1, in resource "databricks_permissions" "endpoint_usage":
│    1: resource "databricks_permissions" "endpoint_usage" {
│
╵

[error]Terraform command 'apply' failed with exit code '1'.

[error]╷
│ Error: cannot update permissions: PUT requests for warehouse 3bc8a799f01c9aa6 with no existing owner must provide a new owner.
│
│   with module.databricks_components_dev.module.databricks_components.databricks_permissions.endpoint_usage["llc_warehouse"],
│   on .terraform\modules\databricks_components_dev.databricks_components\permissions_sql_warehouse.tf line 1, in resource "databricks_permissions" "endpoint_usage":
│    1: resource "databricks_permissions" "endpoint_usage" {
│
╵
╷
│ Error: cannot update permissions: PUT requests for warehouse 8b7cd3ca6ff1ccfc with no existing owner must provide a new owner.
│
│   with module.databricks_components_dev.module.databricks_components.databricks_permissions.endpoint_usage["pbi_warehouse"],
│   on .terraform\modules\databricks_components_dev.databricks_components\permissions_sql_warehouse.tf line 1, in resource "databricks_permissions" "endpoint_usage":
│    1: resource "databricks_permissions" "endpoint_usage" {
│
╵

resource "databricks_permissions" "endpoint_usage" {
  for_each = local.db_sql_warehouse_config

  sql_endpoint_id = databricks_sql_endpoint.warehouse[each.key].id
  access_control {
    permission_level       = local.db_permissions_presets_sql_is_owner
    service_principal_name = local.db_sp_tooling_client_id
  }

  dynamic "access_control" {
    for_each = { for entry in local.db_sql_warehouse_groups : "${entry.sql_warehouse}-${entry.group_name}" => entry if entry.sql_warehouse == each.value.name }

    content {
      group_name       = access_control.value.group_name
      permission_level = access_control.value.sql_permissions
    }
  }
  depends_on = [
    databricks_permission_assignment.db_user_group
  ]

  lifecycle {
    create_before_destroy = true
  }
}