databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[FEATURE] Support GitHub App authentication for `databricks_git_credential` in Terraform #3769

Open NiklasA opened 4 months ago

NiklasA commented 4 months ago

Use-cases

I would like the Databricks Terraform Provider (databricks_git_credential) to support the option to authenticate using a GitHub App. This feature would allow users to securely manage their GitHub credentials using a GitHub App, which is a more secure and flexible method of authentication compared to personal access tokens.

Attempted Solutions

Currently, there is no direct support for GitHub App authentication in the databricks_git_credential resource. The existing solutions rely on personal access tokens, which are less secure and harder to manage compared to GitHub App credentials.

Proposal

I propose adding support for GitHub App authentication in the databricks_git_credential resource. This can be achieved by introducing a new block within the resource configuration to specify the necessary parameters for GitHub App authentication.

Here is an example of the proposed Terraform configuration:

resource "databricks_git_credential" "this" {
  git_provider = "github"

  github_app_auth {
    app_id          = var.github_app_id
    installation_id = var.github_app_installation_id
    private_key     = file(var.github_app_private_key_path)
  }
}

In this configuration:

References

Currently, there are no specific GitHub issues related to this feature request.

NiklasA commented 3 months ago

Hi @alexott, sorry to bother you, do you already have a timeline for the implementation? Thanks in advance, and best regards!

alexott commented 3 months ago

It most probably requires APIs that will be used by Terraform. We don't have it yet.

mgyucht commented 2 months ago

@NiklasA Authentication is typically configured at the provider "databricks" level. Syntactically, it seems like you're describing a flow where a user would first provision a GitHub App and then use those credentials to configure the provider itself:

provider "databricks" {
  github_app_id = ...
  github_private_key = ...
  github_installation_id = ...
}

Am I understanding this right?

To make authentication easier, we are adopting OpenID Connect, which allows users to authenticate from GitHub Actions to Databricks without setting up long-lived secrets. To use this, you will need to configure only the host and client ID (account ID as well for account-level provider). You would then add the permission id-token: write to your GH action. This works as long as you are using GitHub Actions when deploying Terraform. Would that work for you?
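The workflow-to-Databricks OIDC flow described in the comment above, as an added example that is not part of the thread or the provider's documentation: the job receives a short-lived GitHub OIDC token instead of a stored Databricks token, and the provider is configured with only the host and the service principal's client ID. The workspace host is a placeholder, the repository variable DATABRICKS_CLIENT_ID and the `github-oidc` auth type name are assumptions, and the workspace is assumed to already trust tokens issued for this repository.

```yaml
# Added example (not from the thread): authenticate Terraform to Databricks from
# GitHub Actions with the job's OIDC token. No DATABRICKS_TOKEN or PAT is stored
# in the repository; the only confidential material is the OIDC token GitHub
# issues to the running job, which expires with the job.
name: terraform-apply

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request an OIDC token from GitHub; without it the exchange fails

jobs:
  apply:
    runs-on: ubuntu-latest
    env:
      # The Databricks provider reads its connection settings from these variables.
      DATABRICKS_HOST: https://example.cloud.databricks.com   # placeholder workspace URL
      # Client (application) ID of the service principal; not a secret, so a
      # repository variable is sufficient (assumed variable name).
      DATABRICKS_CLIENT_ID: ${{ vars.DATABRICKS_CLIENT_ID }}
      # Forces the OIDC strategy instead of auto-detection (assumed auth type name).
      DATABRICKS_AUTH_TYPE: github-oidc
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init -input=false
      - run: terraform plan -input=false
      - run: terraform apply -auto-approve -input=false
```

This covers only Terraform authenticating to Databricks; the Databricks-to-GitHub credential used by databricks_repo is still the separate databricks_git_credential resource discussed in this issue.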

NiklasA commented 2 months ago

Hello @mgyucht,

We organize our notebooks within distinct GitHub repositories, each corresponding to a different data product.

Our goal is to automate the Databricks configuration entirely using Terraform. Specifically, we want to set up databricks_repo resources that automatically sync with our GitHub repositories during the terraform apply phase.

However, we encounter a limitation: the current Terraform provider version supports authentication only through GitHub personal access tokens and not via GitHub Apps. I hope this clarification helps to illustrate our use case.

NiklasA commented 1 month ago

@mgyucht any update on this?