Closed thaiphv closed 12 months ago
I am facing the same issue using this resource. But the update permissions API https://docs.databricks.com/api/workspace/warehouses/updatepermissions and the UI work fine. Would be great to have the issue fixed in terraform.
There was a recent fix for an issue similar to this https://github.com/databricks/terraform-provider-databricks/pull/2600. cc: @nkvuong
Thanks @tanmay-db. I am using the latest tf version 1.25.0 and the reported issue persists.
@vsluc could I confirm a few more details:

- which identity is terraform executed as? does it have any admin permission?
- the error `it is not possible to decrease administrative permissions for the current user: <redacted>` what user is that?

@nkvuong

> which identity is terraform executed as? does it have any admin permission?

The terraform uses a service principal which is granted admin privileges on the workspace.

> the error it is not possible to decrease administrative permissions for the current user: what user is that?

Error: cannot create permissions: PUT requests for warehouse <redacted> with no existing owner must provide a new owner.

Is the error I am getting. I didn't get the error that you pointed out. But I tried to explicitly add the IS_OWNER privilege for the service principal which created the SQL endpoint as per the documentation, but it didn't help. Same error as I have provided.
Below is the code snippet I tried,

```hcl
resource "databricks_permissions" "endpoint_usage" {
  sql_endpoint_id = databricks_sql_endpoint.bi_small.id

  access_control {
    service_principal_name = <service principal which created the SQL endpoint>
    permission_level       = "IS_OWNER"
  }

  access_control {
    group_name       = <account group>
    permission_level = var.sql_endpoint_bi_small_team_bi_grants
  }
}
```

> @vsluc could I confirm a few more details:
>
> - which identity is terraform executed as? does it have any admin permission?

@nkvuong I guess the question is for me as I reported the issue. I used a user account with admin privileges for authentication.

> - the error `it is not possible to decrease administrative permissions for the current user: <redacted>` what user is that?

Again it's just a normal user account with username/password.
Hi @thaiphv @vsluc, we are working to get the DEBUG logs working so we can debug further with logs. That work is in progress: https://github.com/databricks/terraform-provider-databricks/pull/2706. After this is done and released, could you please send the logs?
I am facing the same issue with version 1.26.0
I am experiencing this issue as well with v1.26.0. Tried rolling back to v1.23.0 but get a version conflict with existing state ;(

```
Error: Resource instance managed by newer provider version

The current state of databricks_metastore_data_access.metastore_dac was created by a newer provider version than is currently selected. Upgrade the databricks provider to work with this state.
```

Same on 1.25.0. It looks to me that tf user is getting implicitly `CAN_MANAGE` permission instead of `IS_OWNER`.
For some use cases using 1.24 seems to work but I don't think that resolves the exact issue described above. We are investigating. Mentioning for visibility.
PR with fix: https://github.com/databricks/terraform-provider-databricks/issues/2678. We are working to check compatibility with https://github.com/databricks/terraform-provider-databricks/issues/2268
Trying again with 1.26.0 but got a different error:
2023-09-27T17:08:56.551+1000 [ERROR] provider.terraform-provider-databricks_v1.26.0: Response contains error diagnostic: tf_proto_version=5.4 tf_provider_addr=registry.terraform.io/databricks/databricks tf_req_id=c70a4be7-0b4d-10e4-2446-bcfd80e5cf85 diagnostic_detail= diagnostic_summary="cannot create permissions: PUT requests for warehouse 7c9d015e990d0e7b with no existing owner must provide a new owner." @module=sdk.proto diagnostic_severity=ERROR tf_resource_type=databricks_permissions tf_rpc=ApplyResourceChange @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/vendor/github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/diag/diagnostics.go:58 timestamp=2023-09-27T17:08:56.551+1000
We are doing a terraform release today, the issue got auto closed with PR merge (https://github.com/databricks/terraform-provider-databricks/pull/2719). Reopening for the time being.
Hi @kolyarice @vsluc @thaiphv can you please try with 1.27.0 and see if it resolves the issue? Thanks.
1.27.0 resolved the issue, thanks!
closed as it was confirmed as fixed
Hi @kolyarice, a question regarding:

> I am experiencing this issue as well with v1.26.0. Tried rolling back to v1.23.0 but get a version conflict with existing state ;(
>
> Error: Resource instance managed by newer provider version
> The current state of databricks_metastore_data_access.metastore_dac was created by a newer provider version than is currently selected. Upgrade the databricks provider to work with this state.

Just to confirm, did you try `terraform init -upgrade` after lowering the version?

> Just to confirm, did you try `terraform init -upgrade` after lowering the version?

yes, I used that command to install the older provider version (after adding a version statement in the required_providers block)
@tanmay-db the rollback failed as there was a state upgrade for `databricks_metastore_data_access` in v.1.25. This is an edge case and does not happen frequently
We still get this issue with v1.28.0
opened https://github.com/databricks/terraform-provider-databricks/issues/2865
Terraform v1.4.6 on windows_amd64

```
│ Error: cannot update permissions: PUT requests for warehouse 3bc8a799f01c9aa6 with no existing owner must provide a new owner.
│
│   with module.databricks_components_dev.module.databricks_components.databricks_permissions.endpoint_usage["llc_warehouse"],
│   on .terraform\modules\databricks_components_dev.databricks_components\permissions_sql_warehouse.tf line 1, in resource "databricks_permissions" "endpoint_usage":
│    1: resource "databricks_permissions" "endpoint_usage" {
│
╵
╷
│ Error: cannot update permissions: PUT requests for warehouse 8b7cd3ca6ff1ccfc with no existing owner must provide a new owner.
│
│   with module.databricks_components_dev.module.databricks_components.databricks_permissions.endpoint_usage["pbi_warehouse"],
│   on .terraform\modules\databricks_components_dev.databricks_components\permissions_sql_warehouse.tf line 1, in resource "databricks_permissions" "endpoint_usage":
│    1: resource "databricks_permissions" "endpoint_usage" {
│
╵
```

```hcl
# One permissions resource per configured SQL warehouse
resource "databricks_permissions" "endpoint_usage" {
  for_each        = local.db_sql_warehouse_config
  sql_endpoint_id = databricks_sql_endpoint.warehouse[each.key].id

  # Grant for the tooling service principal
  access_control {
    permission_level       = local.db_permissions_presets_sql_is_owner
    service_principal_name = local.db_sp_tooling_client_id
  }

  # One access_control block per group entry that targets this warehouse
  dynamic "access_control" {
    for_each = { for entry in local.db_sql_warehouse_groups : "${entry.sql_warehouse}-${entry.group_name}" => entry if entry.sql_warehouse == each.value.name }
    content {
      group_name       = access_control.value.group_name
      permission_level = access_control.value.sql_permissions
    }
  }

  depends_on = [
    databricks_permission_assignment.db_user_group
  ]

  lifecycle {
    create_before_destroy = true
  }
}
```

Configuration

Expected Behavior

The `databricks_permissions` resource is created successfully.

Actual Behavior

Terraform failed to apply with the error:

If I followed the error message and granted "IS_OWNER" to the service user, Terraform failed with a different error:

Steps to Reproduce

`terraform apply`

Terraform and provider versions

Terraform: 1.4.6 Databricks provider: 1.25.0

Debug Output