Skip to content

Commit 43c9e71

Browse files
owlleg6owlleg6
authored
Merge pull request #7 from data-platform-hq/secret-scope-acls
feat: secret scope acls
2 parents 0c26bc8 + 4d61a1b commit 43c9e71

File tree

4 files changed

+44
-11
lines changed

4 files changed

+44
-11
lines changed

README.md

Lines changed: 11 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -9,14 +9,14 @@ Terraform module used for management of Databricks Premium Resources
99
| Name | Version |
1010
|------------------------------------------------------------------------------|-----------|
1111
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
12-
| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | >= 1.9.0 |
12+
| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | >= 1.9.2 |
1313
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.40.0 |
1414

1515
## Providers
1616

1717
| Name | Version |
1818
|------------------------------------------------------------------------|---------|
19-
| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | 1.9.0 |
19+
| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | 1.9.2 |
2020
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.40.0 |
2121

2222
## Modules
@@ -37,6 +37,7 @@ No modules.
3737
| [databricks_permissions.default_cluster](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
3838
| [databricks_permissions.cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
3939
| [databricks_permissions.sql_endpoint](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
40+
| [databricks_secret_acl.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_acl) | resource |
4041
| [databricks_workspace_conf.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/workspace_conf) | resource |
4142
| [databricks_ip_access_list.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list) | resource |
4243
| [databricks_sql_endpoint.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/sql_endpoint) | resource |
@@ -65,19 +66,19 @@ No modules.
6566
| <a name="input_workspace_admins"></a> [workspace\_admins](#input\_workspace\_admins) | Provide users or service principals to grant them Admin permissions in Workspace. | <pre> object({ <br> user = list(string) <br> service_principal = list(string)<br> }) </pre> | <pre> { <br> user = null <br> service_principal = null <br> } </pre> | no |
6667
| <a name="input_iam"></a> [iam](#input\_iam) | Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements. | <pre> map(object({ <br> user = optional(list(string)) <br> service_principal = optional(list(string)) <br> entitlements = optional(list(string)) <br> }))</pre> | {} | no |
6768
| <a name="input_iam_permissions"></a> [iam\_permissions](#input\_iam\_permissions) | Map of permission for groups. You can provide certain permission on services to groups. E.g., `'sql_endpoint'={'CAN_USE'=['group1', 'group2'] CAN_MANAGE=['group3']} | <pre> map(object({ <br> CAN_USE = list(string) <br> CAN_MANAGE = list(string)<br> })) </pre> | <pre> { <br> "sql_endpoint" = { <br> "CAN_USE" = ["default"] <br> "CAN_MANAGE" = [] <br> } <br> } </pre> | no |
68-
| <a name="input_default_cluster_id"></a> [default\_cluster\_id](#input\_default\_cluster\_id) | Single value of default Cluster id created by 'databricks-runtime' module | `string`| "" | no |
69+
| <a name="input_default_cluster_id"></a> [default\_cluster\_id](#input\_default\_cluster\_id) | Single value of default Cluster id created by 'databricks-runtime' module | `string`| " " | no |
6970
| <a name="input_cluster_policies_object"></a> [cluster\_policies\_object](#input\_cluster\_policies\_object) |List of objects that provides an ability to grant custom workspace group a permission to use(CAN_USE) cluster policy | <pre>list(object({<br> id = string<br> name = string<br> can_use = list(string)<br>}))</pre> | <pre>[{<br> id = null<br> name = null<br> can_use = null<br>}))</pre> | no |
7071
| <a name="input_sql_endpoint"></a> [sql\_endpoint](#input\_sql\_endpoint) | Map of SQL Endpoints to be deployed in Databricks Workspace | <pre> map(object({ <br> cluster_size = string <br> min_num_clusters = optional(number) <br> max_num_clusters = optional(number) <br> auto_stop_mins = optional(string) <br> enable_photon = optional(bool) <br> enable_serverless_compute = optional(bool) <br> })) </pre> | {} | no |
7172
| <a name="input_default_values_sql_endpoint"></a> [default\_values\_sql\_endpoint](#input\_default\_values\_sql\_endpoint) | Default values for SQL Endpoint | <pre> object({ <br> cluster_size = string <br> min_num_clusters = number <br> max_num_clusters = number <br> auto_stop_mins = string <br> enable_photon = bool <br> enable_serverless_compute = bool <br> }) </pre> | <pre> { <br> cluster_size = "2X-Small" <br> min_num_clusters = 0 <br> max_num_clusters = 1 <br> auto_stop_mins = "30" <br> enable_photon = false <br> enable_serverless_compute = false <br> } </pre> | no |
7273
| <a name="input_create_metastore"></a> [create\_metastore](#input\_create\_metastore) | Boolean flag for Unity Catalog Metastore current in this environment. One Metastore per region | `bool` | false | no |
73-
| <a name="input_access_connector_id"></a> [access\_connector\_id](#input\_access\_connector\_id) | Databricks Access Connector Id that lets you to connect managed identities to an Azure Databricks account. Provides an ability to access Unity Catalog with assigned identity | `string` | "" | no |
74-
| <a name="input_storage_account_id"></a> [storage\_account\_id](#input\_storage\_account\_id) | Storage Account Id where Unity Catalog Metastore would be provisioned | `string` | "" | no |
75-
| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Storage Account Name where Unity Catalog Metastore would be provisioned | `string` | "" | no |
74+
| <a name="input_access_connector_id"></a> [access\_connector\_id](#input\_access\_connector\_id) | Databricks Access Connector Id that lets you to connect managed identities to an Azure Databricks account. Provides an ability to access Unity Catalog with assigned identity | `string` | " " | no |
75+
| <a name="input_storage_account_id"></a> [storage\_account\_id](#input\_storage\_account\_id) | Storage Account Id where Unity Catalog Metastore would be provisioned | `string` | " " | no |
76+
| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Storage Account Name where Unity Catalog Metastore would be provisioned | `string` | " " | no |
7677
| <a name="input_catalog"></a> [catalog](#input\_catalog) | Map of SQL Endpoints to be deployed in Databricks Workspace | <pre> map(object({ <br> catalog_grants = optional(map(list(string))) <br> catalog_comment = optional(string) <br> catalog_properties = optional(map(string)) <br> schema_name = optional(list(string)) <br> schema_grants = optional(map(list(string))) <br> schema_comment = optional(string) <br> schema_properties = optional(map(string))<br>})) </pre> | {} | no |
77-
| <a name="input_suffix"></a> [suffix](#input\_suffix) | Optional suffix that would be added to the end of resources names. | `string` | "" | no |
78-
| <a name="input_external_metastore_id"></a> [external\_metastore\_id](#input\_external\_metastore\_id) | Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore | `string` | "" | no |
79-
| <a name="input_metastore_grants"></a> [metastore\_grants](#input\_metastore\_grants) | Permissions to give on metastore to group | `map(list(string))` | {} | no |
80-
78+
| <a name="input_suffix"></a> [suffix](#input\_suffix) | Optional suffix that would be added to the end of resources names. | `string` | " " | no |
79+
| <a name="input_external_metastore_id"></a> [external\_metastore\_id](#input\_external\_metastore\_id) | Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore | `string` | " " | no |
80+
| <a name="input_metastore_grants"></a> [metastore\_grants](#input\_metastore\_grants)| Permissions to give on metastore to group | `map(list(string))` | {} | no |
81+
| <a name="input_secret_scope_object"></a> [secret\_scope\_object](#input\_secret\_scope\_object)| List of objects, where 'scope_name' param is a Secret scope name and 'acl' are list of objects with 'principals' and one of allowed 'permission' ('READ', 'WRITE' or 'MANAGE') | <pre>list(object({<br> scope_name = string<br> acl = list(object({<br> principal = string<br> permission = string<br> }))<br>}))</pre> | <pre>[{<br> scope_name = null<br> acl = null<br>}]</pre> | no |
8182

8283

8384

permissions.tf

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,11 @@
1+
locals {
2+
secrets_acl_objects_list = flatten([for param in var.secret_scope_object : [
3+
for permission in param.acl : {
4+
scope = param.scope_name, principal = permission.principal, permission = permission.permission
5+
}] if param.acl != null
6+
])
7+
}
8+
19
resource "databricks_permissions" "default_cluster" {
210
for_each = length(var.default_cluster_id) == 0 ? {} : {
311
for k, v in var.iam : k => v.default_cluster_permission
@@ -46,3 +54,11 @@ resource "databricks_permissions" "sql_endpoint" {
4654

4755
depends_on = [databricks_group.this]
4856
}
57+
58+
resource "databricks_secret_acl" "this" {
59+
for_each = { for entry in local.secrets_acl_objects_list : "${entry.scope}.${entry.principal}.${entry.permission}" => entry }
60+
61+
scope = each.value.scope
62+
principal = databricks_group.this[each.value.principal].display_name
63+
permission = each.value.permission
64+
}

variables.tf

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -197,3 +197,19 @@ variable "metastore_grants" {
197197
error_message = "Metastore permission validation. The only possible values for permissions are: CREATE_CATALOG, CREATE_EXTERNAL_LOCATION, CREATE_SHARE, CREATE_RECIPIENT, CREATE_PROVIDER"
198198
}
199199
}
200+
201+
# Secret Scope ACLs variables
202+
variable "secret_scope_object" {
203+
type = list(object({
204+
scope_name = string
205+
acl = list(object({
206+
principal = string
207+
permission = string
208+
}))
209+
}))
210+
description = "List of objects, where 'scope_name' param is a Secret scope name and 'acl' are list of objects with 'principals' and one of allowed 'permission' ('READ', 'WRITE' or 'MANAGE')"
211+
default = [{
212+
scope_name = null
213+
acl = null
214+
}]
215+
}

versions.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ terraform {
88
}
99
databricks = {
1010
source = "databricks/databricks"
11-
version = ">=1.9.0"
11+
version = ">=1.9.2"
1212
}
1313
}
1414
}

0 commit comments

Comments
 (0)