databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Case sensitivity differences between databricks_grants and databricks_group #2700

Open jacovg91 opened 11 months ago

jacovg91 commented 11 months ago

Hello,

Something very annoying came up when developing UC objects in Terraform.

databricks_group is case insensitive when it comes to the display_name field, but databricks_grants is case sensitive when it comes to the principal field.

Configuration

Copy-paste your Terraform configuration here

Let's say our AD group is called "Group123"

data "databricks_group" "dbw_workspace_groups" {
  provider     = databricks.account
  display_name = "Group123"
}

Doesn't matter if you use casing in the databricks_group resource. Both group123 and Group123 work.

But if I for example pass "group123" to the following:

resource "databricks_grants" "use_catalog" {
  provider = databricks.workspace
  catalog  = databricks_catalog.catalog.name
  grant {
    principal  = "group123"
    privileges = ["USE_CATALOG"]
  }
  depends_on = [databricks_catalog.catalog]
}

Yes, yes, I know I can reference the group from the data object, but still, this is wrong behaviour, right?

It'll give me an error: cannot create grants: Could not find principal with name group123

Expected Behavior

It should work regardless of casing, or at least make it consistent between the resources.

Actual Behavior

cannot create grants: Could not find principal with name group123

Steps to Reproduce

Terraform and provider versions

Debug Output

Important Factoids

mgyucht commented 11 months ago

Thanks for reporting this issue @jacovg91! Just tested with the Databricks CLI and it seems like this is due to the SCIM API not enforcing case sensitivity for the string eq operator. From the SCIM spec, eq should only return exact matches, so your first example should not return that group with mismatched case. I'll raise this issue with the user management team to see if this is intentional.

Nestor10 commented 11 months ago

I've also run into this. For me this is a vanity project. The AD groups we inherit are awful messy. I want Databricks to show group_name and not gRoup_NamE. But if I try to place gRoup_NamE into group group_name, I'm told that I cannot have a group be a member of itself.

Question: when you use eq in the SCIM spec, does it not bring back an array of groups? /api/2.0/preview/scim/v2/Groups If not, really we are working with two issues: it doesn't honor caps on eq, but only returns one group when asked.

I tried to look in the code to see if we do a presumptive head (first item in array) operation, but Go is not my driver.

If we had a groups data object that would pull back all cap insensitive groups and then we could use Terraform to do the displayname match .... Or even a groups data object that pulled all groups back (sorry backend team) would provide an alternative.

Just throwing out ideas
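
Added example, not code from this thread or from the provider: a Python sketch of the idea raised in the comments above (pull all groups back and do the display-name match client-side). It classifies a principal as written in a databricks_grants block against a group listing. The sample response, group ids and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a SCIM 2.0 ListResponse from
# /api/2.0/preview/scim/v2/Groups (ids and the third group are made up).
SAMPLE_SCIM_RESPONSE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"id": "1001", "displayName": "Group123"},
    {"id": "1002", "displayName": "gRoup_NamE"},
    {"id": "1003", "displayName": "group_name"}
  ]
}
""")


def index_groups(scim_response):
    """Map casefolded displayName -> list of exact displayNames."""
    index = defaultdict(list)
    for group in scim_response.get("Resources", []):
        index[group["displayName"].casefold()].append(group["displayName"])
    return index


def resolve_principal(name, index):
    """Classify a principal name as written in a grant block.

    "missing"   - no group with that name in any casing
    "ambiguous" - several groups differ only by case, so a
                  case-insensitive lookup cannot be trusted to pick one
    "exact"     - the name matches the single displayName exactly
    "case"      - a single group exists, but with different casing
    """
    candidates = sorted(index.get(name.casefold(), []))
    if not candidates:
        return "missing", []
    if len(candidates) > 1:
        return "ambiguous", candidates
    return ("exact" if candidates[0] == name else "case"), candidates


def audit_principals(principals, scim_response):
    """Return {principal: (status, exact displayNames)} for a list of grants."""
    index = index_groups(scim_response)
    return {p: resolve_principal(p, index) for p in principals}
```

A "case" result is the situation from the original report: the group lookup succeeds, but the grant needs the exact displayName returned in the second element.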