hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Decouple ACLs from the data lake gen2 resource that creates filesystems/directories #17534

Open avinashpancham opened 2 years ago

avinashpancham commented 2 years ago

Is there an existing issue for this?

Community Note

Description

The resources azurerm_storage_data_lake_gen2_filesystem and azurerm_storage_data_lake_gen2_path are responsible for both creating the filesystem/directory of the datalake and managing the ACLs. Often resource creation and the ACL management have different lifecycles and can even be maintained by two different teams. Therefore it should be investigated whether these two actions can be split into two resources.

The best option would be to have a single resource for creation and a single resource for ACL management, thus removing the ACL logic completely from the resources azurerm_storage_data_lake_gen2_filesystem and azurerm_storage_data_lake_gen2_path. Given backward compatibility, however, that is not a feasible option.

Instead, I would like to propose keeping these two resources as is and creating a separate resource on the side to manage ACLs. This way, users can decide for themselves whether to use the existing approach, creating both the filesystem/path and setting the corresponding ACL with a single resource, or to split these two actions over two resources. This behavior is in line with other resources from the azurerm provider.

New or Affected Resource(s)/Data Source(s)

azurerm_storage_data_lake_gen2_filesystem, azurerm_storage_data_lake_gen2_path

Potential Terraform Configuration

resource "azurerm_storage_data_lake_gen2_acl" "this" {
  storage_account_id = ...
  path               = ...
  scope              = ...
  type               = ...
  id                 = ...
  permissions        = ...
}

References

https://github.com/hashicorp/terraform-provider-azurerm/issues/9425

jiaweitao001 commented 2 years ago

Thanks for the proposal of creating a single resource for ACL management. We will put it in our stack for further investigation. For now, you can manage it through Azure CLI or Azure Portal.

ikhudur commented 1 year ago

Any new updates regarding this issue?

PVisser81 commented 3 months ago

Is there perhaps a workaround for this issue? Our team is also encountering the problem that it is not possible to set ACLs on existing Azure Storage Account Blob Containers/folders that have been created by another team with a different Terraform state.
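
The Azure CLI route mentioned earlier in the thread, sketched as an added example that is not part of the original issue or the provider's code: it builds ACL entries from the same four fields the proposed resource exposes (scope, type, id, permissions) and merges them into an existing path, independent of whichever Terraform state created it. The account, filesystem, path and group object ID are constructed placeholders, and the example assumes the caller is signed in with `az login` and is allowed to change ACLs on the path.

```shell
# Added example, not provider code. All names and IDs below are constructed.

# Build one ACL entry "[default:]type:id:permissions" from the four fields
# the proposed resource exposes: scope, type, id, permissions.
acl_entry() {
  e_scope=$1 e_type=$2 e_id=$3 e_perms=$4
  case $e_scope in
    access) e_prefix= ;;
    default) e_prefix=default: ;;
    *) echo "bad scope: $e_scope" >&2; return 1 ;;
  esac
  case $e_type in
    user|group) ;;   # empty id means the owning user / owning group
    mask|other) [ -z "$e_id" ] || { echo "$e_type takes no id" >&2; return 1; } ;;
    *) echo "bad type: $e_type" >&2; return 1 ;;
  esac
  # Assumption of this example: named principals are given as object IDs (GUIDs).
  if [ -n "$e_id" ] && ! printf '%s' "$e_id" |
      grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "id is not a GUID: $e_id" >&2; return 1
  fi
  case $e_perms in
    [r-][w-][x-]) ;;
    *) echo "bad permissions: $e_perms" >&2; return 1 ;;
  esac
  printf '%s%s:%s:%s' "$e_prefix" "$e_type" "$e_id" "$e_perms"
}

# Merge entries into the ACL of an existing path and its children; existing
# entries stay in place. DRY_RUN=1 prints the az command instead of running it.
apply_acl() {
  a_account=$1 a_fs=$2 a_path=$3; shift 3
  a_acl=$(IFS=,; printf '%s' "$*")
  set -- az storage fs access update-recursive --acl "$a_acl" \
    --path "$a_path" --file-system "$a_fs" \
    --account-name "$a_account" --auth-mode login
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed demo: grant a hypothetical analytics group read/execute on a
# directory another team created, plus a default entry for new children.
demo() (
  gid=00000000-0000-0000-0000-0000000000aa
  DRY_RUN=1
  apply_acl examplelake raw landing/sales \
    "$(acl_entry access group "$gid" r-x)" \
    "$(acl_entry default group "$gid" r-x)"
)
demo
```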