databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_permissions` resource: Tries to remove access with higher access instead of adding new permission #3899

Open pcsrijith opened 1 month ago

pcsrijith commented 1 month ago

Configuration

resource "databricks_group" "auto" {
  display_name = "Automation"
}

resource "databricks_directory" "this" {
  path = "/Workspace/Users/abc"
}

resource "databricks_permissions" "folder_usage" {
  directory_path = databricks_directory.this.path
  depends_on     = [databricks_directory.this]

  access_control {
    group_name       = databricks_group.auto.display_name
    permission_level = "CAN_RUN"
  }
}

Expected Behavior

Groups to be added along with their respective permissions

Actual Behavior

In case any group is already added with CAN_MANAGE access, it tries to remove that first before adding, resulting in failure.

Steps to Reproduce

  1. Find a folder which has CAN_MANAGE access (except "Admins") to some group.
  2. Run the above code and add any new/existing group with lower access, e.g. CAN_RUN access.
  3. Terraform apply
    Error: cannot create permissions: Cannot remove Automation's CAN_MANAGE permission on 11111111111111

Terraform and provider versions

Terraform version: 1.9.3
Databricks provider version: 1.49.1

Is it a regression?

Debug Output

Important Factoids

Would you like to implement a fix?

No

alexott commented 1 month ago

could be related to #3586

pcsrijith commented 1 month ago

@alexott, thanks for looking into this. However, I was wondering why it was designed this way in the first place. Manually adding the required permissions to any user/groups works without any issues.

alexott commented 1 month ago

It's because databricks_permissions is an authoritative resource - all permissions must be defined in one place. This blog post describes this: https://www.linkedin.com/posts/vuong-nguyen_here-is-something-that-came-up-quite-often-activity-7163117985031790593-9pHI?utm_source=share&utm_medium=member_desktop

There is a GitHub issue to add databricks_permission, but someone should implement it.
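
What "authoritative" means for the configuration in this issue, as an added example that is not part of the thread or the provider's own code: every grant on the directory is declared in the single databricks_permissions resource, since grants left out of it are what the provider tries to remove on apply. The "Data Engineers" group and its CAN_MANAGE level are constructed placeholders for whatever principal already holds access on the folder, and the `directory_grants` local is a hypothetical name.

```hcl
# Added illustration. "Data Engineers" is a constructed placeholder and is
# assumed to exist in the workspace already.
locals {
  # The complete access list for the directory: group name -> permission level.
  # Anything not listed here is treated as "should not have access".
  directory_grants = {
    "Automation"     = "CAN_RUN"
    "Data Engineers" = "CAN_MANAGE" # pre-existing grant, declared so it is kept
  }
}

resource "databricks_group" "auto" {
  display_name = "Automation"
}

resource "databricks_directory" "this" {
  path = "/Workspace/Users/abc"
}

resource "databricks_permissions" "folder_usage" {
  directory_path = databricks_directory.this.path

  # One access_control block per entry in the map above.
  dynamic "access_control" {
    for_each = local.directory_grants
    content {
      group_name       = access_control.key
      permission_level = access_control.value
    }
  }

  # Group names are passed as plain strings, so state the ordering explicitly.
  depends_on = [databricks_group.auto]
}
```

Only one databricks_permissions resource should target a given directory; a second one for the same path would compete over the same access list.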

favoretti commented 1 month ago

> could be related to #3586

Nope, broke on my dev provider with the patch merged as well. Will be looking into what happened tomorrow for us as well.