Hey @daan_dw,
Possible reason for your problem:
Databricks Asset Bundles use Terraform under the hood, and Terraform cannot resolve Databricks secret references (like ${secrets.aws_secrets.cluster_profile_arn}) at deployment time. Secrets are only accessible at runtime within notebooks and jobs, not during the bundle deployment phase when Terraform is provisioning resources. This is why you get the "undeclared resource" error - Terraform expects all configuration values to be resolved before creating resources.
Possible Solutions:
- Use Bundle Variables with Environment Variables: Define your secret as a variable in databricks.yml and inject it using the BUNDLE_VAR_ prefix during deployment. Reference it with ${var.variable_name} in your configuration.
- CI/CD Platform Secrets (Recommended): Store secrets in your CI/CD platform (GitHub Secrets, Azure DevOps Variables, etc.) and inject them during automated deployments using environment variables. This keeps secrets secure and outside version control.
- Target-Specific Configuration: For non-sensitive values or different environments, define values directly in target sections of your bundle configuration for dev, staging, and prod environments.
- Variable Override Files: Create a local .databricks/bundle/variables.json file (added to .gitignore) for development purposes.
The key is to never reference Databricks secrets directly in bundle configuration and instead use bundle variables that are populated externally at deployment time.
harisankar
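The bundle-variable approach from the answer above, sketched as an added example that is not part of the original post. The bundle, job, cluster and notebook names are constructed, and it assumes the secret was being used as the job cluster's instance profile ARN, which the thread does not state.

```yaml
# databricks.yml (constructed example)
bundle:
  name: example_bundle

variables:
  cluster_profile_arn:
    description: Instance profile ARN for the job cluster, supplied at deploy time
    # No default on purpose: the value has to come from outside the repository.

targets:
  dev:
    mode: development
    default: true

resources:
  jobs:
    example_job:
      name: example_job
      job_clusters:
        - job_cluster_key: main
          new_cluster:
            spark_version: 15.4.x-scala2.12   # constructed value
            node_type_id: i3.xlarge           # constructed value
            num_workers: 1
            aws_attributes:
              # Before (fails at deploy time):
              #   instance_profile_arn: ${secrets.aws_secrets.cluster_profile_arn}
              # After: a bundle variable resolved before Terraform runs.
              instance_profile_arn: ${var.cluster_profile_arn}
      tasks:
        - task_key: main
          job_cluster_key: main
          notebook_task:
            notebook_path: ./notebooks/example.ipynb   # constructed path

# Deployment, with the value taken from the CI/CD secret store
# (CLUSTER_PROFILE_ARN is a hypothetical pipeline secret name):
#   export BUNDLE_VAR_cluster_profile_arn="$CLUSTER_PROFILE_ARN"
#   databricks bundle validate -t dev
#   databricks bundle deploy -t dev
```

The variable is substituted into the job definition at deployment, so the resolved value is readable by anyone who can view the deployed job; values that must stay hidden at runtime still belong in a secret scope read from the notebook or job code.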