feat: iam refactor; entitlements

Author: owlleg6

iam.tf

@@ -1,64 +1,83 @@
-data "databricks_group" "admins" {
-  display_name = "admins"
+locals {
+  admin_user_map = var.workspace_admins.user == null ? {} : {
+    for user in var.workspace_admins.user : "user.${user}" => user if user != null
+  }
+
+  admin_sp_map = var.workspace_admins.service_principal == null ? {} : {
+    for sp in var.workspace_admins.service_principal : "service_principal.${sp}" => sp if sp != null
+  }
+
+  members_object_list = concat(
+    flatten([for group, params in var.iam : [
+      for pair in setproduct([group], params.user) : {
+        type = "user", group = pair[0], member = pair[1]
+      }] if params.user != null
+    ]),
+    flatten([for group, params in var.iam : [
+      for pair in setproduct([group], params.service_principal) : {
+        type = "service_principal", group = pair[0], member = pair[1]
+      }] if params.service_principal != null
+    ])
+  )
 }
 
 resource "databricks_group" "this" {
-  for_each = toset([for group in keys(var.iam) : group if group != "admins"])
+  for_each = toset(keys(var.iam))
 
   display_name = each.key
-  lifecycle { ignore_changes = [external_id] }
+  lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
 }
 
 resource "databricks_user" "this" {
-  for_each = toset(flatten([for k, v in { for group, member in var.iam : group => member["user"] } : distinct(flatten(v))]))
+  for_each = toset(flatten(concat(
+    values({ for group, member in var.iam : group => member.user if member.user != null }),
+    values(local.admin_user_map)
+  )))
 
-  user_name             = each.value
-  databricks_sql_access = true
-  lifecycle { ignore_changes = [external_id] }
+  user_name = each.key
+  lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
 }
 
 resource "databricks_service_principal" "this" {
-  for_each = toset(flatten([for k, v in { for group, member in var.iam : group => member["service_principal"] } : distinct(flatten(v))]))
-
-  display_name          = each.value
-  application_id        = lookup(var.user_object_ids, each.value)
-  databricks_sql_access = true
-}
-
-resource "databricks_group_member" "admin_users" {
-  for_each = { for entry in flatten([for group, types in var.iam : [for type in types : [for member in type : {
-    group = group, member = member
-  } if group == "admins" && type == types["user"]]]]) : "${entry.group}.${entry.member}" => entry }
-
-  group_id  = data.databricks_group.admins.id
-  member_id = databricks_user.this[each.value.member].id
+  for_each = toset(flatten(concat(
+    values({ for group, member in var.iam : group => member.service_principal if member.service_principal != null }),
+    values(local.admin_sp_map)
+  )))
+
+  display_name   = each.key
+  application_id = lookup(var.user_object_ids, each.value)
+  lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
 }
 
-resource "databricks_group_member" "admin_service_principals" {
-  for_each = { for entry in flatten([for group, types in var.iam : [for type in types : [for member in type : {
-    group = group, member = member
-  } if group == "admins" && type == types["service_principal"]]]]) : "${entry.group}.${entry.member}" => entry }
+resource "databricks_permission_assignment" "this" {
+  for_each = merge(local.admin_user_map, local.admin_sp_map)
 
-  group_id  = data.databricks_group.admins.id
-  member_id = databricks_service_principal.this[each.value.member].id
+  principal_id = startswith(each.key, "user") ? databricks_user.this[each.value].id : databricks_service_principal.this[each.value].id
+  permissions  = ["ADMIN"]
 }
 
-resource "databricks_group_member" "users" {
-  for_each = { for entry in flatten([for group, types in var.iam : [for type in types : [for member in type : {
-    group = group, member = member
-  } if group != "admins" && group != "users" && type == types["user"]]]]) : "${entry.group}.${entry.member}" => entry }
+resource "databricks_group_member" "this" {
+  for_each = {
+    for entry in local.members_object_list : "${entry.type}.${entry.group}.${entry.member}" => entry
+  }
 
   group_id  = databricks_group.this[each.value.group].id
-  member_id = databricks_user.this[each.value.member].id
+  member_id = startswith(each.key, "user") ? databricks_user.this[each.value.member].id : databricks_service_principal.this[each.value.member].id
 }
 
-resource "databricks_group_member" "service_principals" {
-  for_each = { for entry in flatten([for group, types in var.iam : [for type in types : [for member in type : {
-    group = group, member = member
-  } if group != "admins" && group != "users" && type == types["service_principal"]]]]) : "${entry.group}.${entry.member}" => entry }
+resource "databricks_entitlements" "this" {
+  for_each = {
+    for group, params in var.iam : group => params.entitlements
+    if params.entitlements != null
+  }
 
-  group_id  = databricks_group.this[each.value.group].id
-  member_id = databricks_service_principal.this[each.value.member].id
+  group_id                   = databricks_group.this[each.key].id
+  allow_cluster_create       = contains(each.value, "allow_cluster_create")
+  allow_instance_pool_create = contains(each.value, "allow_instance_pool_create")
+  databricks_sql_access      = contains(each.value, "databricks_sql_access")
+  workspace_access           = true
+
+  depends_on = [databricks_group_member.this]
 }
 
 resource "databricks_permissions" "sql_endpoint" {

variables.tf

@@ -14,21 +14,32 @@ variable "user_object_ids" {
   default     = {}
 }
 
-variable "iam" {
-  type = map(object({
+variable "workspace_admins" {
+  type = object({
     user              = list(string)
     service_principal = list(string)
-  }))
-  description = "Map of groups and members of users and service principals to be created. You can add you own groups and members. E.g., `'group' = { user = ['user1','user2'] service_principal = ['sp1']}` and etc."
+  })
+  description = "Provide users or service principals to grant them Admin permissions."
   default = {
-    "admins" = {
-      "user"              = []
-      "service_principal" = []
-    }
-    "default" = {
-      "user"              = []
-      "service_principal" = []
-    }
+    user              = null
+    service_principal = null
+  }
+}
+
+variable "iam" {
+  type = map(object({
+    user              = optional(list(string))
+    service_principal = optional(list(string))
+    entitlements      = optional(list(string))
+  }))
+  description = "Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements."
+  default     = {}
+
+  validation {
+    condition = contains(values(var.iam), "entitlements") ? alltrue([
+      for item in toset(flatten([for group, params in var.iam : params.entitlements])) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], item)
+    ]) : true
+    error_message = "Entitlements validation. The only suitable values are: databricks_sql_access, allow_instance_pool_create, allow_cluster_create"
   }
 }
 

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     databricks = {
       source  = "databricks/databricks"
-      version = ">=1.4.0"
+      version = ">=1.9.0"
     }
   }
 }