
Terraform keeps showing changes for databricks_sql_permissions on plan and apply

164079
Contributor II

Hi team,

A very weird behaviour when using databricks_sql_permissions with Terraform: the changes keep showing up on plan and apply.

It also keeps repeating after I apply the changes...

Please advise.


14 REPLIES

Vivian_Wilfred
Databricks Employee

Hi @Avi Edri, what is the Terraform version and Databricks provider version that you are using? It looks like it is related to the issue reported here

Hi @Vivian Wilfred

Yes, it looks like the same issue.

My terraform version is: terraform-1.0.11

databricks provider:

provider "databricks" {
  alias = "mws"
  host  = "https://accounts.cloud.databricks.com"
  # (the rest of the block is not shown in the post)
}

Pat
Honored Contributor III

I am not sure about this. What is your databricks provider version, is it 1.6.3+?

It looks like you are changing permissions, hence why there is an update.

The "EC - data" group is a new permission and other groups will lose permissions.

Pat
Honored Contributor III

To identify this you can do:

  terraform state show 'databricks_sql_permissions.data_any_file'

164079
Contributor II

Yes, my databricks provider is 1.6.5

This is why it's so weird: those changes on plan keep coming back even after applying them several times.

Pat
Honored Contributor III

Hi @Avi Edri,

I can see from the screen that you are using id = "any file/", it seems to be related to the import:

https://registry.terraform.io/providers/databricks/databricks/0.5.3/docs/resources/sql_permissions#i...

Can you try the below:

resource "databricks_sql_permissions" "any_file" {
  any_file = true

  privilege_assignments {
    principal  = "group-name"
    privileges = ["SELECT"]
  }

  privilege_assignments {
    principal  = "group-name2"
    privileges = ["MODIFY", "SELECT"]
  }
}

source: https://registry.terraform.io/providers/databricks/databricks/0.5.3/docs/resources/sql_permissions#a...

You can also share your terraform code.

thanks,

Pat

164079
Contributor II

Hi @Pat Sienkiewicz

It's already as you mention in my code; it looks like on plan it's adding this /

From my code:

resource "databricks_sql_permissions" "data_any_file" {
  any_file = true

  privilege_assignments {
    principal  = "EC - DATA"
    privileges = ["SELECT", "MODIFY"]
  }
}

Pat
Honored Contributor III

Hi @Avi Edri,

So maybe it's good, no? You will replace your existing privileges this way.

I mean that you probably had different privilege_assignments previously, now you have only:

  privilege_assignments {
    principal  = "EC - DATA"
    privileges = ["SELECT", "MODIFY"]
  }

"any file /" might be good I think now, it's just a representation of the resource, you can forget about that part.

thanks,

Pat.

164079
Contributor II

Correct, I'm using different Terraform resource names in order to make a unique assignment for different principals.

Pat
Honored Contributor III

I am not sure if I understand this correctly, but what you need to do is set privileges in one terraform resource, otherwise they will get overwritten, meaning you should do:

resource "databricks_sql_permissions" "any_file" {
  any_file = true

  privilege_assignments {
    principal  = "EC - DATA"
    privileges = ["SELECT", "MODIFY"]
  }

  privilege_assignments {
    principal  = "SOME_OTHER- DATA"
    privileges = ["SELECT"]
  }
}

not:

resource "databricks_sql_permissions" "ec_data_any_file" {
  any_file = true

  privilege_assignments {
    principal  = "EC - DATA"
    privileges = ["SELECT", "MODIFY"]
  }
}

resource "databricks_sql_permissions" "some_other_data_any_file" {
  any_file = true

  privilege_assignments {
    principal  = "SOME_OTHER- DATA"
    privileges = ["SELECT"]
  }
}

source: https://registry.terraform.io/providers/databricks/databricks/1.6.5/docs/resources/sql_permissions#a...

You must specify one or many privilege_assignments configuration blocks to declare privileges to a principal, which corresponds to display_name of databricks_group or databricks_user. Terraform would ensure that only those principals and privileges defined in the resource are applied for the data object and would remove anything else.
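
A check for the split layout described in the answer above, added here as an example (it is not code from the thread or from the Databricks provider): it reads `terraform show -json` output and reports every data object managed by more than one `databricks_sql_permissions` resource. The embedded plan is a constructed sample; the `sales_table` resource and its `sales`/`orders` values are hypothetical.

```python
import json
from collections import defaultdict

# Arguments of databricks_sql_permissions that select the securable object.
OBJECT_KEYS = ("catalog", "database", "table", "view", "any_file", "anonymous_function")

# Constructed sample: trimmed `terraform show -json` output for the split layout.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "databricks_sql_permissions.ec_data_any_file",
         "type": "databricks_sql_permissions",
         "values": {"any_file": True, "privilege_assignments": [
             {"principal": "EC - DATA", "privileges": ["SELECT", "MODIFY"]}]}},
        {"address": "databricks_sql_permissions.some_other_data_any_file",
         "type": "databricks_sql_permissions",
         "values": {"any_file": True, "privilege_assignments": [
             {"principal": "SOME_OTHER- DATA", "privileges": ["SELECT"]}]}},
        {"address": "databricks_sql_permissions.sales_table",  # hypothetical resource
         "type": "databricks_sql_permissions",
         "values": {"database": "sales", "table": "orders", "privilege_assignments": [
             {"principal": "EC - DATA", "privileges": ["SELECT"]}]}},
    ]}}
})

def walk(module):
    """Yield every resource in a module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def object_key(values):
    """Identify the securable by its non-empty selector arguments."""
    return tuple((k, values[k]) for k in OBJECT_KEYS if values.get(k))

def find_conflicts(plan_json):
    """Map each securable managed by more than one resource to those resources."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    owners = defaultdict(list)
    for res in walk(root):
        if res.get("type") == "databricks_sql_permissions":
            owners[object_key(res.get("values", {}))].append(res["address"])
    return {key: addrs for key, addrs in owners.items() if len(addrs) > 1}

if __name__ == "__main__":
    for key, addrs in find_conflicts(SAMPLE_PLAN).items():
        print(f"{dict(key)} is managed by {len(addrs)} resources: {', '.join(addrs)}")
```

Any object it reports should be collapsed into a single resource with one `privilege_assignments` block per principal, since each resource otherwise removes the grants the other one applied.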

164079
Contributor II

Ohh I see,

Let me try this

164079
Contributor II

Thanks @Pat Sienkiewicz

You are correct, I organized them all under one resource and no plan repetitions!

Pat
Honored Contributor III

I am glad I could help, I've been there having a similar issue with some other permissions 🙂

164079
Contributor II

Yess!

Appreciate that mate!

Have a great day
