cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Terraform keep show changes for databricks_sql_permissions on plan and apply

Go to solution
164079
Contributor II

โ€Ž12-06-2022 07:00 AM

Hi team,

A very weird behaviour when using databricks_sql_permissions with terraform, the changes keep repeating to show on plan and apply.

Its repeating also after i apply the changes...

Please advise.

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Pat
Honored Contributor III
In response to 164079

โ€Ž12-06-2022 11:36 PM

I am not sure if I understand this correctly, but what you need to do is set privileges in one terraform resource, otherwise they will get overwritten, meaning you should do:

resource "databricks_sql_permissions" "any_file" {
any_file = true
 
 
privilege_assignments {
principal = "EC - DATA"
privileges = ["SELECT", "MODIFY"]
}
 
privilege_assignments {
principal = "SOME_OTHER- DATA"
privileges = ["SELECT"]
}
 
 
}

not:

resource "databricks_sql_permissions" "ec_data_any_file" {
any_file = true
 
 
privilege_assignments {
principal = "EC - DATA"
privileges = ["SELECT", "MODIFY"]
}
 
}
 
resource "databricks_sql_permissions" "some_other_data_any_file" {
any_file = true
 
privilege_assignments {
principal = "SOME_OTHER- DATA"
privileges = ["SELECT"]
}
 
}

 source: https://registry.terraform.io/providers/databricks/databricks/1.6.5/docs/resources/sql_permissions#a...

You must specify one or many

privilege_assignments

configuration blocks to declare

privileges

to a

principal

, which corresponds to

display_name

of databricks_group or databricks_user. Terraform would ensure that only those principals and privileges defined in the resource are applied for the data object and would remove anything else.

View solution in original post

0 Kudos
14 REPLIES 14

Go to solution
Vivian_Wilfred
Databricks Employee
Databricks Employee

โ€Ž12-06-2022 08:00 AM

Hi @Avi Edriโ€‹ , What is the terraform version and databricks provider version that you are using? Looks like it is related to the issue reported here

Go to solution
164079
Contributor II
In response to Vivian_Wilfred

โ€Ž12-06-2022 11:09 PM

Hi @Vivian Wilfredโ€‹ 

Yes its look like as a same issue.

My terraform version is: terraform-1.0.11

databricks provider:

provider "databricks" {

alias = "mws"

host = "https://accounts.cloud.databricks.com"

0 Kudos

Go to solution
Pat
Honored Contributor III
In response to 164079

โ€Ž12-06-2022 11:17 PM

I am not sure about this, what is your databricks provider version, is it 1.6.3+?

it looks like you are changing permissions, hence why there is an update.

"EC - data" group is new permission and other groups will loose permissions.

0 Kudos

Go to solution
Pat
Honored Contributor III
In response to 164079

โ€Ž12-06-2022 11:19 PM

to identify this you can do 

terraform state show 'databricks_sql_permissions.data_any_file'

0 Kudos

Go to solution
164079
Contributor II
In response to 164079

โ€Ž12-06-2022 11:31 PM

Yes, my databricks provider is 1.6.5

This is why its so weird, those changes on plan keep coming back even after apply them several times.

0 Kudos

Go to solution
Pat
Honored Contributor III

โ€Ž12-06-2022 03:01 PM

Hi @Avi Edriโ€‹ ,

I can see from the screen that you are using id = "any file/", it seems to be related to the import:

https://registry.terraform.io/providers/databricks/databricks/0.5.3/docs/resources/sql_permissions#i...

can you try the below:

resource "databricks_sql_permissions" "any_file" {
  any_file = true
 
  privilege_assignments {
    principal  = "group-name"
    privileges = ["SELECT"]
  }
 
 privilege_assignments {
    principal  = "group-name2"
    privileges = ["MODIFY", "SELECT"]
  }
 
}

source: https://registry.terraform.io/providers/databricks/databricks/0.5.3/docs/resources/sql_permissions#a...

You can also share your terraform code.

thanks,

Pat

0 Kudos

Go to solution
164079
Contributor II
In response to Pat

โ€Ž12-06-2022 11:11 PM

Hi @Pat Sienkiewiczโ€‹ 

Its already as you mention in my code, looks like on plan its adding this /

from my code:

resource "databricks_sql_permissions" "data_any_file" {

any_file = true

privilege_assignments {

principal = "EC - DATA"

privileges = ["SELECT", "MODIFY"]

}

}

0 Kudos

Go to solution
Pat
Honored Contributor III
In response to 164079

โ€Ž12-06-2022 11:16 PM

Hi @Avi Edriโ€‹ ,

so maybe it's good, no? You will replace this way your existing privileges.

I mean that you probably had different privilege_assigments previously, now you have only:

privilege_assignments {

principal = "EC - DATA"

privileges = ["SELECT", "MODIFY"]

}

"any file /" might be good I think now, it's just a representation of the resource, you can forget about that part.

thanks,

Pat.

0 Kudos

Go to solution
164079
Contributor II
In response to 164079

โ€Ž12-06-2022 11:29 PM

correct, im using diffrent resource terraform names in order to make it uniqe assignment for diffrent principals.

0 Kudos

Go to solution
Pat
Honored Contributor III
In response to 164079

โ€Ž12-06-2022 11:36 PM

I am not sure if I understand this correctly, but what you need to do is set privileges in one terraform resource, otherwise they will get overwritten, meaning you should do:

resource "databricks_sql_permissions" "any_file" {
any_file = true
 
 
privilege_assignments {
principal = "EC - DATA"
privileges = ["SELECT", "MODIFY"]
}
 
privilege_assignments {
principal = "SOME_OTHER- DATA"
privileges = ["SELECT"]
}
 
 
}

not:

resource "databricks_sql_permissions" "ec_data_any_file" {
any_file = true
 
 
privilege_assignments {
principal = "EC - DATA"
privileges = ["SELECT", "MODIFY"]
}
 
}
 
resource "databricks_sql_permissions" "some_other_data_any_file" {
any_file = true
 
privilege_assignments {
principal = "SOME_OTHER- DATA"
privileges = ["SELECT"]
}
 
}

 source: https://registry.terraform.io/providers/databricks/databricks/1.6.5/docs/resources/sql_permissions#a...

You must specify one or many

privilege_assignments

configuration blocks to declare

privileges

to a

principal

, which corresponds to

display_name

of databricks_group or databricks_user. Terraform would ensure that only those principals and privileges defined in the resource are applied for the data object and would remove anything else.

0 Kudos

Go to solution
164079
Contributor II
In response to 164079

โ€Ž12-06-2022 11:38 PM

Ohh I see,

Let me try this

0 Kudos

Go to solution
164079
Contributor II
In response to 164079

โ€Ž12-07-2022 12:11 AM

Thanks @Pat Sienkiewiczโ€‹ 

You are correct, i organize them all under on resource and no plan repetitions!

Go to solution
Pat
Honored Contributor III
In response to 164079

โ€Ž12-07-2022 12:14 AM

I am glad I could help, I've been there having similar issue with some other permissions ๐Ÿ™‚

0 Kudos

Go to solution
164079
Contributor II
In response to 164079

โ€Ž12-07-2022 12:15 AM

Yess!

Appreciate that mate!

Have a great day

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements
Top