cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error when trying to destory databricks_permissions with OpenTofu

MiriamHundemer
New Contributor

Wednesday

Hi,

In our company's project we created a databricks_user for a service account (which is needed for our deployment process) via OpenTofu and afterwards adjusted permissions to that "user's" user folder using the databricks_permissions resource.

resource "databricks_user" "databricks_deployment_sa" {
  allow_cluster_create = true
  display_name         = "Databricks Deployment SA"
  provider             = databricks.workspace
  user_name            = var.google_service_account_email
  workspace_access     = true
}

resource "databricks_permissions" "add_folder_permission" {
  #  directory_path = databricks_directory.sa_user_folder.path
  directory_path = databricks_user.databricks_deployment_sa.home

  dynamic "access_control" {
    for_each = [
      data.databricks_group.xxx,
      data.databricks_group.xxx
    ]
    content {
      group_name       = access_control.value
      permission_level = "CAN_MANAGE"
    }
  }
  access_control {
    permission_level = "CAN_MANAGE"
    user_name        = var.google_service_account_email
  }
  provider = databricks.workspace
}

If I want to destroy these resources however, tofu throws an error, saying that it cannot remove the CAN_MANAGE permission of the service account..

Error: cannot delete permissions: Cannot remove <service_account_email>'s CAN_MANAGE permission on 716423664771912

So now it seems to me, that I am no longer able to destroy my tofu managed workspace as long as I have this databricks_permissions block in my tofu code.

The databricks workspace in question is part of a test environment to test infrastructural changes without effecting the productive work so it would really be necessary to destroy tofu managed infrastructure.

Are there any ideas how I could accomplish this? Help would be much appreciated!

0 Kudos
1 REPLY 1

NandiniN
Databricks Employee
Databricks Employee

Friday

Hi @MiriamHundemer ,

The issue occurs because the owner of the home folder (in this case, the databricks_user.databricks_deployment_sa service account) often has an unremovable CAN_MANAGE permission on its own home directory.

When OpenTofu attempts to destroy the databricks_permissions resource, it tries to revert the permissions to the state before the resource was applied (or completely remove all permissions if the resource is being destroyed). Because it cannot remove the owner's inherent CAN_MANAGE permission, the destruction fails.

To resolve this, you can tell OpenTofu to forget it's managing the databricks_permissions resource without actually destroying the underlying permissions.

  • Remove the resource from the OpenTofu state, using the tofu state rm command, which tells OpenTofu to Stop tracking this resource, but don't try to destroy it.
  • Run tofu destroy again

When the databricks_user is destroyed, its home directory and all associated files/permissions will be deleted by Databricks, including the unremovable permission that caused the initial error.

Please let me know if this works.

Thanks!

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements