databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_mws_workspaces` resource #2750

Open michaelvonderbecke opened 1 year ago

michaelvonderbecke commented 1 year ago

We are following the instructions in the Databricks provider docs on how to create a rotating token for the workspace using time_rotating. However, this breaks our workflow: when we first set up the time_rotating in the token, and every time the token rotates, it does not update the terraform output on the first apply run, and therefore the subsequent apply through the workspace API fails due to the token in the terraform state being invalid. This problem does not occur if we don't use time_rotating and the token expires naturally (although that has its own separate problem, as we cannot run a terraform plan through the workspace API until we rerun an apply to generate a new token). There seems to be an issue where terraform doesn't know that the token output needs to be refreshed after it's changed until a second apply or a -refresh-only apply is run after the first apply succeeds and rotates the token.

Configuration

```hcl
resource "time_rotating" "token" {
  rotation_days = 45
}

resource "databricks_mws_workspaces" "this" {
  account_id                 = var.databricks_account_id
  aws_region                 = var.region
  workspace_name             = local.workspace_name
  deployment_name            = local.workspace_name
  credentials_id             = databricks_mws_credentials.this.credentials_id
  storage_configuration_id   = databricks_mws_storage_configurations.root.storage_configuration_id
  network_id                 = databricks_mws_networks.this.network_id
  private_access_settings_id = databricks_mws_private_access_settings.pas.private_access_settings_id
  pricing_tier               = "ENTERPRISE"

  token {
    comment = "Terraform (created: ${time_rotating.token.rfc3339})"
    # lifetime of 90 days - will get rotated after 45 days
    lifetime_seconds = 60 * 60 * 24 * 90
  }
}

output "workspace_token" {
  value     = databricks_mws_workspaces.this.token[0].token_value
  sensitive = true
}
```

Expected Behavior

When the time_rotating resource expires, a new token should be generated and the workspace_token output should be updated.

Actual Behavior

A new token gets generated but the workspace_token output does not change, causing the subsequent workspace API terraform apply to fail. A second apply run causes the output to be updated (even though on the second apply run nothing else changes).

Steps to Reproduce

Just create a workspace with a token block using time_rotating for the comment. Any time time_rotating expires and the token gets regenerated, the terraform apply will not update the output unless a second apply is run.

Terraform and provider versions

Terraform 1.5.3, Provider 1.24

michaelvonderbecke commented 1 year ago

Looking back at one of my terraform applies that failed, it appears that when the time_rotating rotates, terraform sees that the databricks_mws_workspaces token block has a change to comment, but does not see that token_value changes - not sure if the provider needs to be updated to inform terraform that token_value is going to change any time comment changes.
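
A pipeline check for the plan shape described in the comment above, as an added example that is not part of the original issue or the provider's code: it reads `terraform show -json <planfile>` output and flags a workspace whose token `comment` is planned to change while `token_value` is not marked as changing. The function names and the sample plan are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output;
# the address matches the issue's configuration, the values are made up.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "databricks_mws_workspaces.this",
        "type": "databricks_mws_workspaces",
        "change": {
            "actions": ["update"],
            "before": {"token": [{
                "comment": "Terraform (created: 2023-08-01T00:00:00Z)",
                "token_value": "CONSTRUCTED-OLD"}]},
            # comment depends on the rotated time_rotating, so it is unknown at plan time
            "after": {"token": [{"token_value": "CONSTRUCTED-OLD"}]},
            "after_unknown": {"token": [{"comment": True}]},
        },
    }]
})


def _tokens(section):
    """Return the list of token blocks from a before/after/after_unknown map."""
    return (section or {}).get("token") or []


def stale_token_risks(plan_json, rtype="databricks_mws_workspaces"):
    """Addresses where token.comment changes but token_value is planned unchanged."""
    risky = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != rtype:
            continue
        ch = rc.get("change", {})
        before, after = _tokens(ch.get("before")), _tokens(ch.get("after"))
        unknown = _tokens(ch.get("after_unknown"))
        for i, old in enumerate(before):
            new = after[i] if i < len(after) else {}
            unk = unknown[i] if i < len(unknown) else {}
            comment_changes = bool(unk.get("comment")) or old.get("comment") != new.get("comment")
            value_changes = bool(unk.get("token_value")) or old.get("token_value") != new.get("token_value")
            if comment_changes and not value_changes:
                risky.append(rc["address"])
    return risky


if __name__ == "__main__":
    for addr in stale_token_risks(SAMPLE_PLAN):  # token values are never printed
        print(f"{addr}: token comment changes but token_value is planned unchanged; "
              "run a -refresh-only apply before consuming the workspace_token output")
```

The plan JSON contains sensitive values in cleartext, so the plan file and its JSON rendering should be handled like the state file.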