Hi all,
My Terraform script fails on a databricks_grants resource with the error:
"Error: cannot update grants: Could not find principal with name DataUsers".
- The principal DataUsers does not exist anymore because it was previously deleted by Terraform.
- Both the Databricks UI and the Databricks CLI confirm that this principal does not exist.
- There is no trace of DataUsers in the Terraform state.
The Terraform sequence is as follows:
I have a list of groups to be created: groupList = ["DataUsers", "DataReaders"]
- Group creation: with databricks_group and a for_each loop on groupList
resource "databricks_group" "list_groups" {
  # for_each needs a set or map; toset() also de-duplicates the list
  for_each     = toset(var.groupList)
  display_name = each.key
  force        = true
}
- Granting schema privileges to the groups: with databricks_grants
resource "databricks_grants" "schema_granting_groups" {
  for_each = toset(var.fmdp_schema_database_list)
  schema   = each.value

  # one grant block per group created above (implicit dependency on databricks_group)
  dynamic "grant" {
    for_each = databricks_group.list_groups
    content {
      principal  = grant.value.display_name
      privileges = ["USE_SCHEMA"] # privileges is a list of strings, not a single string
    }
  }
}
- Apply: terraform apply => everything is created/configured as expected
- Remove DataUsers from groupList: groupList = ["DataReaders"]
- Apply: terraform apply => "Error: cannot update grants: Could not find principal with name DataUsers"
- Check: based on the Databricks UI and the Databricks CLI, the apply (step 5) succeeded as expected
Based on implicit dependencies, databricks_group is always executed before databricks_grants. It works well for terraform apply and terraform destroy, but in this use case it is a "replaced in place". Logically, databricks_grants should have been called first to revoke the privilege on the group, before the group is removed. But this is not the case: databricks_group is still called before databricks_grants, which could explain the error.
That said, I was expecting that if we perform another terraform apply, databricks_grants would be OK, because there is no trace of the removed group in its state. But for an unknown reason databricks_grants still wants to see the DataUsers group and struggles to revoke the privilege that was granted to the DataUsers group.
Any idea how it could be solved? How does databricks_grants continue to reference a group that does not exist anymore in its Terraform state?
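An added illustration of the ordering argument in the post above (this is not the poster's configuration and not an answer from the thread): with one authoritative databricks_grants per schema, removing a group only changes the grant list of a resource that keeps existing, so Terraform updates that resource in place and has no dependency reason to run the revoke before the group is destroyed. Modelling one resource per (schema, group) pair turns the group removal into a destroy of a dependent resource, which Terraform orders before the group it depends on. It assumes a databricks/databricks provider version that offers the per-principal databricks_grant (singular) resource, the same variable names as the post, and constructed sample schema names.

```hcl
# Added example, not the original poster's configuration.
# Assumes a databricks/databricks provider version that provides the
# non-authoritative "databricks_grant" resource (one principal per resource).

variable "groupList" {
  type    = set(string)
  default = ["DataUsers", "DataReaders"]
}

variable "fmdp_schema_database_list" {
  type    = set(string)
  default = ["main.sales", "main.finance"] # constructed sample values
}

resource "databricks_group" "list_groups" {
  for_each     = var.groupList
  display_name = each.key
  force        = true
}

# Every (schema, group) pair, keyed by a string that is stable across applies.
# Only variables are used here so all for_each keys are known at plan time.
locals {
  schema_group_pairs = {
    for pair in setproduct(var.fmdp_schema_database_list, var.groupList) :
    "${pair[0]}|${pair[1]}" => { schema = pair[0], group = pair[1] }
  }
}

# One grant resource per pair. Dropping "DataUsers" from var.groupList removes
# the pairs that reference it, so Terraform destroys those databricks_grant
# instances first; the "principal" reference below makes each of them depend on
# databricks_group.list_groups["DataUsers"], so the privilege is revoked before
# the group itself is deleted.
resource "databricks_grant" "schema_use" {
  for_each   = local.schema_group_pairs
  schema     = each.value.schema
  principal  = databricks_group.list_groups[each.value.group].display_name
  privileges = ["USE_SCHEMA"]
}
```

Caveat for anyone adopting this pattern: unlike databricks_grants, the singular databricks_grant resource is not authoritative for the schema, so privileges granted outside Terraform are neither tracked nor revoked by it. Keep a periodic review of the effective grants (for example with SHOW GRANTS on the schema) if the authoritative behaviour was part of your access-control guarantee.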