databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_secret_scope` resource: MSI deployment fails when using AKV #2752

Open istairbn opened 1 year ago

istairbn commented 1 year ago

Configuration

#RELEVANT ENTRIES ONLY
provider "databricks" {
  host                        = azurerm_databricks_workspace.this.workspace_url
  azure_workspace_resource_id = azurerm_databricks_workspace.this.id

  # ARM_USE_MSI environment variable is recommended
  azure_use_msi = true
}

resource "databricks_secret_scope" "secret_scope" {
  depends_on = [azurerm_databricks_workspace.this, azurerm_key_vault_access_policy.secret_scope]
  name       = "akv-secret-scope"

  keyvault_metadata {
    resource_id = azurerm_key_vault.secret_scope.id
    dns_name    = azurerm_key_vault.secret_scope.vault_uri
  }
}

Expected Behavior

Azure Databricks specific (to my knowledge)

Using an MSI as my deployment user, I should be able to deploy a secret scope to an Azure Key Vault backed secret scope. I can confirm it DOES work with a personal user and a Service Principal.

Actual Behavior

Error: cannot read secret scope: inner token: token error: {"error":"invalid_request","error_description":"Identity not found"}

It appears that there is some secondary authentication (presumably Databricks initiating the connection to the key vault) and this is failing. This MSI has successfully deployed the workspace and other Databricks assets, so it definitely is an admin of the workspace.

Steps to Reproduce

  1. Use an MSI (either github or ADO OIDC for example) to deploy a databricks workspace
  2. Attempt to deploy a databricks secret scope backed by Azure Key Vault

Terraform and provider versions

terraform 1.5.6 Databricks 1.25.0

Debug Output

module.adb-lakehouse.databricks_secret_scope.secret_scope: Creating...
2023-10-02T10:24:34.352Z [INFO] Starting apply for module.adb-lakehouse.databricks_secret_scope.secret_scope
2023-10-02T10:24:34.352Z [DEBUG] module.adb-lakehouse.databricks_secret_scope.secret_scope: applying the planned Create change
2023-10-02T10:24:34.383Z [DEBUG] State storage *remote.State declined to persist a state snapshot
Error: -02T10:24:34.383Z [ERROR] vertex "module.adb-lakehouse.databricks_secret_scope.secret_scope" error: cannot create secret scope: inner token: token error: {"error":"invalid_request","error_description":"Identity not found"}

Important Factoids

The actions work fine if I use a user or SPN, so it seems to be related to MSI only.

alexott commented 3 months ago

Could be resolved in the latest version. Here are the docs: https://github.com/databricks/terraform-provider-databricks/pull/3932