databricks_grants fails because it keeps track of a removed principal

Pedro1
New Contributor II

Hi all,

My terraform script fails on a databricks_grants with the error:

"Error: cannot update grants: Could not find principal with name DataUsers".

  • The principal DataUsers does not exist anymore because it has previously been deleted by terraform.
  • Both the databricks UI and the databricks CLI confirm that this principal does not exist.
  • There is no trace of DataUsers in the terraform state.

The terraform sequence is as follows:

I have a list of groups to be created: groupList = ["DataUsers", "DataReaders"]

  1. Groups creation: with databricks_group along with a for_each loop on groupList

resource "databricks_group" "list_groups" {
  for_each     = var.groupList
  display_name = each.key
  force        = true
}

  2. Granting schema privileges to the groups: with databricks_grants

resource "databricks_grants" "schema_granting_groups" {
  for_each = toset(var.fmdp_schema_database_list)
  schema   = each.value

  # One grant block per group created above; privileges is a list of strings.
  dynamic "grant" {
    for_each = databricks_group.list_groups
    content {
      principal  = grant.value.display_name
      privileges = ["USE_SCHEMA"]
    }
  }
}

  3. Apply: terraform apply => everything is created/configured as expected
  4. Remove DataUsers from groupList: groupList = ["DataReaders"]
  5. Apply: terraform apply => "Error: cannot update grants: Could not find principal with name DataUsers"
  6. Check: based on the databricks UI and the databricks CLI, the apply (step 5) succeeded as expected

Based on implicit dependencies, databricks_group is always executed before databricks_grants. It works well for terraform apply and terraform destroy, but in this use case it is a "replace in place". Logically, databricks_grants should have been called first to revoke the privilege on the group before the group is removed. But this is not the case: databricks_group is still called before databricks_grants, which could justify the error.

This said, I was expecting that if we perform another terraform apply, databricks_grants would be OK, because there is no trace of the removed group in its state. But for an unknown reason databricks_grants still wants to see the DataUsers group and struggles to revoke the privilege that was granted to the DataUsers group.

Any idea how it could be solved? How does databricks_grants continue to reference a group that does not exist anymore in its terraform state?
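As an added example (not code from the post), a small check for the kind of state inconsistency described above: it reads a Terraform state document in the JSON form that `terraform state pull` emits and lists every databricks_grants grant block whose principal does not match any databricks_group instance recorded in the same state. The state below is constructed for the example; principals that are users or service principals rather than groups are deliberately not covered by the check.

```python
import json

# Constructed sample of a Terraform state file (format version 4) mirroring the
# post's resources: a group map and one grants instance per schema. DataUsers
# has already been removed from the group map but is still listed in a grant.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "databricks_group", "name": "list_groups",
         "instances": [{"index_key": "DataReaders",
                        "attributes": {"display_name": "DataReaders"}}]},
        {"mode": "managed", "type": "databricks_grants",
         "name": "schema_granting_groups",
         "instances": [{"index_key": "sales", "attributes": {
             "schema": "sales",
             "grant": [{"principal": "DataReaders", "privileges": ["USE_SCHEMA"]},
                       {"principal": "DataUsers", "privileges": ["USE_SCHEMA"]}]}}]},
    ],
})

def managed_groups(state):
    """display_name of every databricks_group instance recorded in the state."""
    names = set()
    for res in state.get("resources", []):
        if res.get("mode") == "managed" and res.get("type") == "databricks_group":
            for inst in res.get("instances", []):
                name = inst.get("attributes", {}).get("display_name")
                if name:
                    names.add(name)
    return names

def orphaned_grants(state):
    """(resource address, schema, principal) for every grant block whose principal
    is not a group managed in this state (users/service principals are not covered)."""
    known = managed_groups(state)
    orphans = []
    for res in state.get("resources", []):
        if res.get("type") != "databricks_grants":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            addr = f'{res["type"]}.{res["name"]}["{inst.get("index_key")}"]'
            for grant in attrs.get("grant") or []:
                if grant.get("principal") not in known:
                    orphans.append((addr, attrs.get("schema"), grant.get("principal")))
    return orphans

def check_state(text):
    """Parse state JSON text (e.g. the output of `terraform state pull`) and return orphans."""
    return orphaned_grants(json.loads(text))
```

Feeding the real `terraform state pull` output to `check_state` answers the question of whether the grants resource's recorded state still carries the removed principal, independently of what the UI or CLI report about the workspace.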

Pedro1
New Contributor II

Terraform databricks provider = 1.45.0

wkeifenheim-og
New Contributor II

I'm here searching for a similar but different issue, so this is just a suggestion of something to try.

Have you tried setting a depends_on argument within your databricks_grants block?