databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[DOC] Should not use resource output in provider definition #99

Closed algattik closed 4 years ago

algattik commented 4 years ago

Affected Resource(s)

https://github.com/databrickslabs/databricks-terraform/blob/master/website/content/Provider/_index.md

Expected Details

The doc suggests using the output of a resource in the provider definition:

provider "databricks" {
  azure_auth = {
    managed_resource_group  = azurerm_databricks_workspace.demo_test_workspace.managed_resource_group_name
    azure_region            = azurerm_databricks_workspace.demo_test_workspace.location
    workspace_name          = azurerm_databricks_workspace.demo_test_workspace.name
    resource_group          = azurerm_databricks_workspace.demo_test_workspace.resource_group_name
    client_id               = var.client_id
    client_secret           = var.client_secret
    tenant_id               = var.tenant_id
    subscription_id         = var.subscription_id
  }
}

The Terraform Kubernetes provider documentation warns against this. Presumably this would affect the Databricks provider too, although I have not encountered this issue.

List of things to potentially add/remove:

This is a list of things to manipulate in the docs:

Important Factoids

The Terraform documentation for the Kubernetes provider states that this should not be done:

IMPORTANT WARNING When using interpolation to pass credentials to the Kubernetes provider from other resources, these resources SHOULD NOT be created in the same apply operation where Kubernetes provider resources are also used. This will lead to intermittent and unpredictable errors which are hard to debug and diagnose. The root issue lies with the order in which Terraform itself evaluates the provider blocks vs. actual resources.

References

stikkireddy commented 4 years ago

Good point @algattik, I will add this as a warning. I believe this can also happen; I have not encountered it as of now. All token creation and generation actually happens during runtime and not at provider configure, but if a resource (notebook, cluster, etc.) is being created before the workspace is provisioned then it will fail at runtime!

nfx commented 4 years ago

@stikkireddy I've actually encountered the same issue with a PAT created in the MWS API, as it's expired and not refreshed. I'll be digging into it later. For now I'll probably end up doing manual terraform state modification.

nfx commented 4 years ago

@algattik @stikkireddy this should be fixed with proper lazy authentication implemented in #270, as well as other changes related to deprecating the azure_auth config block.
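
A check for the pattern this issue reports, added here as an example and not taken from the thread or the provider project: it scans Terraform configuration text and lists, per provider block, the managed resources that block reads directly. The regex-based scanning, the function name `provider_resource_refs` and the second `staged` provider block in the sample are assumptions made for illustration.

```python
import re

# Leading names that do not denote a managed resource of this configuration.
SAFE_ROOTS = {"var", "local", "data", "module", "path", "terraform", "each", "count", "self"}
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|#[^\n]*|//[^\n]*|/\*.*?\*/', re.S)
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
INTERP_RE = re.compile(r'\$\{([^}]*)\}')
PROVIDER_RE = re.compile(r'^[ \t]*provider[ \t]+"([^"]+)"[ \t]*\{', re.M)
# <resource_type>.<name>.<attribute>, anchored at the start of a traversal.
REF_RE = re.compile(r'(?<![\w.])([A-Za-z_][\w-]*)\.([A-Za-z_][\w-]*)\.[A-Za-z_][\w-]*')

def _drop_comments(hcl):
    # Strings are matched too, so "#" or "//" inside them is left alone.
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", hcl)

def _block_body(text, start):
    depth = 1
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return text[start:]

def provider_resource_refs(hcl):
    """Map provider name -> managed resources ("type.name") its block reads."""
    text, found = _drop_comments(hcl), {}
    for m in PROVIDER_RE.finditer(text):
        body = _block_body(text, m.end())
        # Reduce each string literal to the expressions in its "${...}" templates.
        body = STRING_RE.sub(lambda s: " ".join(INTERP_RE.findall(s.group(0))), body)
        refs = {f"{t}.{n}" for t, n in REF_RE.findall(body) if t not in SAFE_ROOTS}
        if refs:
            found.setdefault(m.group(1), set()).update(refs)
    return {name: sorted(refs) for name, refs in found.items()}

# Constructed input: the provider block quoted in the issue (shortened), plus a
# second, hypothetical aliased block fed only from variables and remote state.
SAMPLE = '''
provider "databricks" {
  azure_auth = {
    workspace_name = azurerm_databricks_workspace.demo_test_workspace.name
    client_secret  = var.client_secret  # not a resource
  }
}
provider "databricks" {
  alias = "staged"
  host  = "https://${data.terraform_remote_state.ws.outputs.host}"
}
'''
print(provider_resource_refs(SAMPLE))  # same-apply dependencies per provider
```

The check only sees direct references: a `local` or module output that itself derives from a resource in the same configuration is not followed.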