Hello,
In the context of reviewing our company's Databricks structure and migrating legacy workspaces to Unity Catalog-enabled ones, we're stuck with a few questions regarding enabling the automatic identity management (AIM) feature.
We currently provision Databricks users and groups using Terraform, pulling group membership data from Microsoft Entra ID. Our approach involves:
- Manual Replication: For each Databricks workspace, we manually replicate Entra ID group definitions in Terraform.
- Terraform Resources: We use the Databricks Terraform provider to create:
  - databricks_group resources for each group
  - databricks_user resources for individual users
  - databricks_service_principal resources for service principals
  - databricks_group_member resources to manage memberships
- Limitations: This approach requires manual updates and Terraform deployments for every group or membership change.
Questions
1. If we enable AIM, will there be user/group collisions? My understanding says otherwise, considering that we currently provision local workspace users/groups and AIM works at the Databricks account level. Hence, the groups that'll be generated via AIM will be account-sourced and shouldn't conflict with the workspace-provisioned ones.
2. Suppose there is no group collision. Is the next step after enabling AIM simply to destroy all workspace-local users/groups, since these will no longer be needed?
3. A follow-up question to 2: what happens to workspace resources that are bound to workspace users and groups?
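For readers unfamiliar with the "manual replication" pattern described in the post, here is an added illustration of it in Terraform; it is not the poster's actual code. It assumes the azuread and databricks providers are already configured against the workspace, that the Entra ID group contains only users (not service principals), and the group name is a placeholder.

```hcl
# Added illustration (not from the original post): workspace-scoped replication
# of one Entra ID group. Group name is a placeholder; providers assumed configured.

data "azuread_group" "data_engineers" {
  display_name     = "data-engineers" # placeholder Entra ID group name
  security_enabled = true
}

# Resolve each member object ID to a user so its UPN can become a Databricks user.
# Assumes members are users only; a service principal here would fail the lookup.
data "azuread_user" "members" {
  for_each  = toset(data.azuread_group.data_engineers.members)
  object_id = each.value
}

# Workspace-level group. With AIM enabled, the equivalent group would instead be
# sourced at the account level, which is what question 1 is asking about.
resource "databricks_group" "data_engineers" {
  display_name = data.azuread_group.data_engineers.display_name
}

resource "databricks_user" "members" {
  for_each    = data.azuread_user.members
  user_name   = each.value.user_principal_name
  external_id = each.value.object_id # keep the Entra ID object ID for traceability
}

# Membership is a separate resource, so every Entra ID membership change needs
# a new Terraform apply (the "Limitations" point above).
resource "databricks_group_member" "members" {
  for_each  = databricks_user.members
  group_id  = databricks_group.data_engineers.id
  member_id = each.value.id
}
```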