Open SebGay opened 5 months ago
@SebGay the issue is that the sp that is executing TF does not have permission to read the external location. The error is misleading, which hides the root cause.
@nkvuong thank you very much for your help. I will leave it to your discretion to close the issue or if a fix with a more precise error and documentation note is due.
For others - the issue was specifically that by specifying the owner as a group that did not contain the service principal, the service principal lacked the READ_FILES grant that is required for validation and further usage. Instead I removed the owner argument and simply did an external location grant of ALL_PRIVILEGES for that group.
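The configuration change described in the comment above, as an added example that is not the reporter's original configuration. The resource labels, the variables and every value they would carry (group name, storage URL, credential name) are placeholders assumed for illustration.

```hcl
# Constructed example; none of these names or values come from the issue.
variable "group_name" { type = string }      # group that should manage the location
variable "location_url" { type = string }    # abfss:// URL of the ADLS Gen2 path
variable "credential_name" { type = string } # existing storage credential

# Before (the failing shape): ownership is handed to a group that does not
# contain the service principal running Terraform. Once the owner is switched,
# that principal holds no READ_FILES on the location, so validation and later
# state refreshes fail with the misleading permission error.
#
# resource "databricks_external_location" "this" {
#   name            = "example_location"
#   url             = var.location_url
#   credential_name = var.credential_name
#   owner           = var.group_name
# }

# After: no owner argument, so the creating service principal remains owner
# and can keep reading the location on every plan and apply.
resource "databricks_external_location" "this" {
  name            = "example_location"
  url             = var.location_url
  credential_name = var.credential_name
}

# The group gets its access through an explicit grant instead of ownership.
# databricks_grants is authoritative for the securable: grants on this
# location that are not declared here are removed on apply.
resource "databricks_grants" "location" {
  external_location = databricks_external_location.this.id

  grant {
    principal  = var.group_name
    privileges = ["ALL_PRIVILEGES"]
  }
}
```

If the group must own the location, the alternative consistent with the root cause above is to make the deploying service principal a member of that group, so it keeps access after the ownership change.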
Configuration
Microsoft.Databricks/accessConnectors/read
Expected Behavior
An external location is created and accessible by terraform state for further use (such as creating a catalog at this location).
Actual Behavior
An external location is created but an error prevents further deployment. Subsequently, the external resource is unable to have its state refreshed by terraform plan.
The error indicates the CREATE FOREIGN CATALOG permission is required. This permission is only present as a connection grant which should not be applied as a) a catalog is not being created and b) ADLS gen2 is cloud storage and should therefore be of the regular type.
When deleting the external location using the databricks UI, the following warning is presented despite no catalog, schemas or tables having been registered to the external location.
Steps to Reproduce
terraform apply the above terraform script
Terraform and provider versions
opentofu 1.6.2 databricks/databricks 1.39.0
Debug Output
Important Factoids
Would you like to implement a fix?