topic Re: Error when trying to destory databricks_permissions with OpenTofu in Administration & Architecture

Error when trying to destory databricks_permissions with OpenTofu

MiriamHundemer — Wed, 24 Sep 2025 07:53:24 GMT

Hi,

In our company's project we created a databricks_user for a service account (which is needed for our deployment process) via OpenTofu and afterwards adjusted permissions to that "user's" user folder using the databricks_permissions resource.

resource "databricks_user" "databricks_deployment_sa" { allow_cluster_create = true display_name = "Databricks Deployment SA" provider = databricks.workspace user_name = var.google_service_account_email workspace_access = true } resource "databricks_permissions" "add_folder_permission" { # directory_path = databricks_directory.sa_user_folder.path directory_path = databricks_user.databricks_deployment_sa.home dynamic "access_control" { for_each = [ data.databricks_group.xxx, data.databricks_group.xxx ] content { group_name = access_control.value permission_level = "CAN_MANAGE" } } access_control { permission_level = "CAN_MANAGE" user_name = var.google_service_account_email } provider = databricks.workspace }

If I want to destroy these resources however, tofu throws an error, saying that it cannot remove the CAN_MANAGE permission of the service account..

Error: cannot delete permissions: Cannot remove <service_account_email>'s CAN_MANAGE permission on 716423664771912

So now it seems to me, that I am no longer able to destroy my tofu managed workspace as long as I have this databricks_permissions block in my tofu code.

The databricks workspace in question is part of a test environment to test infrastructural changes without effecting the productive work so it would really be necessary to destroy tofu managed infrastructure.

Are there any ideas how I could accomplish this? Help would be much appreciated!

Re: Error when trying to destory databricks_permissions with OpenTofu

NandiniN — Fri, 26 Sep 2025 10:12:40 GMT

Hi @MiriamHundemer ,

The issue occurs because the owner of the home folder (in this case, the databricks_user.databricks_deployment_sa service account) often has an unremovable CAN_MANAGE permission on its own home directory.

When OpenTofu attempts to destroy the databricks_permissions resource, it tries to revert the permissions to the state before the resource was applied (or completely remove all permissions if the resource is being destroyed). Because it cannot remove the owner's inherent CAN_MANAGE permission, the destruction fails.

To resolve this, you can tell OpenTofu to forget it's managing the databricks_permissions resource without actually destroying the underlying permissions.

Remove the resource from the OpenTofu state, using the tofu state rm command, which tells OpenTofu to Stop tracking this resource, but don't try to destroy it.
Run tofu destroy again

When the databricks_user is destroyed, its home directory and all associated files/permissions will be deleted by Databricks, including the unremovable permission that caused the initial error.

Please let me know if this works.

Thanks!

Re: Error when trying to destory databricks_permissions with OpenTofu

MiriamHundemer — Wed, 01 Oct 2025 12:53:34 GMT

Hi @NandiniN ,

thank you so much for your reply.

I tried out your suggestion and tofu was indeed able to destroy "the rest" of the workspace infrastructure once I manually removed the databricks_permissions from the state. Although this works now it seems more like a workaround to me. I am still of the opinion that it should be possible to destroy all of the resources you created with tofu.

Fortunately there seems to be a silver lining as I found an existing pull request for the databricks tofu provider on github which introduces an additive "databricks_permission" resource which allows you to add additional permissions without overwriting existing ones. I'm really looking forward to that.