cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Creating Group in Terraform using external_id

cgrass
New Contributor III

โ€Ž10-03-2024 02:59 PM

The documentation here doesn't give much information about how to use `external_id` when creating a new group. If I reference the object_id for an Azure AD Group, the databricks group gets created but the members from the AD group are not added, nor is the AD group a member group of the databricks group. I looked at the tf code and it seems to just pass along the id to the scim databricks api.

Any ideas?

1 REPLY 1

MiPa
New Contributor II

โ€Ž05-05-2025 08:38 AM - edited โ€Ž05-05-2025 08:39 AM

Greetings from the future! ๐Ÿ˜‰

Now it is clear that external_id, which IS Azure's ObjectID, comes from the internal sync mechanism, that can be enabled in your account under previews:

MiPa_0-1746459120358.png

I was able to reference my security group in Terraform and create that group in an account, with this code:

# Reference to existing Microsoft Entra ID (Azure AD) group
data "azuread_group" "databricks_group1" {
  display_name     = "Databricks_Group1"
  security_enabled = true
}

# Output the object ID of the group
output "databricks_group1_object_id" {
  value       = data.azuread_group.databricks_group1.object_id
  description = "Object ID of the Databricks_Group1 Entra ID group"
}

// ...existing code...

# Create Databricks account external group linked to Entra ID group
resource "databricks_group" "databricks_group1_external" {
  provider     = databricks.account
  display_name = data.azuread_group.databricks_group1.display_name
  external_id  = data.azuread_group.databricks_group1.object_id
}

# Output the Databricks external group ID
output "databricks_group1_external_id" {
  value       = databricks_group.databricks_group1_external.id
  description = "ID of the Databricks external group linked to Entra ID group"
}

This updated my Terraform plan and I was able to deploy it:

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + databricks_group1_external_id = (known after apply)
  + databricks_group1_object_id   = "f1b22903-2c5c-4f60-a673-4c52b8cd1e24"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

databricks_group.databricks_group1_external: Creating...
databricks_group.databricks_group1_external: Creation complete after 5s [id=597986374716779]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

databricks_group1_external_id = "597986374716779"
databricks_group1_object_id = "f1b22903-2c5c-4f60-a673-4c52b8cd1e24"
test2_group_id = "848008903310313"
workspace_group_id = "236839776286494"

which ends with a brand new group created in the account, with all existing members of that group! What a nice feature, and all without any SCIM integration!

MiPa_1-1746459398512.png

 

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local communityโ€”sign up today to get started!

Sign Up Now
Announcements