https://community.databricks.com/t5/data-engineering/databricks-grants-fails-because-it-keeps-track-of-a-removed/m-p/71171#M34265 <P>Hi all,</P><P>My terraform script fails on a databricks_grants with the error:</P><P>&nbsp;</P><LI-CODE lang="markup">"Error: cannot update grants: Could not find principal with name DataUsers".</LI-CODE><P>&nbsp;</P><UL><LI>The principal DataUsers does not exist anymore because it has previously been deleted by terraform.</LI><LI>Both databricks UI and databricks CLI confirm that this principal does not exist.</LI><LI>There is no trace about DataUsers in the terraform state</LI></UL><P>The terraform sequence is as follow:</P><P>I have a list of groups to be created: groupList = ["DataUsers", "DataReaders"]</P><OL><LI>Groups creation:with databricks_group along with a for_each loop on groupList</LI></OL><P>&nbsp;</P><LI-CODE lang="javascript">resource "databricks_group" "list_groups" { for_each = var.groupList display_name = each.key force = true }​</LI-CODE><P>&nbsp;</P><UL><LI>Granting schema privileges to the groups: with databricks_grants</LI></UL><P>&nbsp;</P><LI-CODE lang="javascript">resource "databricks_grants" "schema_granting_groups" { for_each = toset(var.fmdp_schema_database_list) schema = "${each.value}" dynamic "grant" { for_each = databricks_group.list_groups content { principal = grant.value.display_name privileges = "USE_SCHEMA" } } }​</LI-CODE><P>&nbsp;</P><UL><LI>Apply: terraform apply =&gt; everything is created/configured as expected</LI><LI>Remove DataUsers from groupList: groupList = ["DataReaders"]</LI><LI>Apply: terraform apply =&gt; <EM>"Error: cannot update grants: Could not find principal with name DataUsers"</EM></LI><LI>Check: based on databricks UI and databricks CLI, the apply (step5) <STRONG>succeeded as expected</STRONG></LI></UL><P>Based on implicit dependencies, databricks_groups is always executed before databricks_grants. It works well for terraform apply and terraform destroy, but in this use case it is a "replaced in place".. logically databricks_grant should have been called first to revoke the privilege on the group, before the group be removed. But this is not the case: databricks_groups is still called before databricks_grants, which could justify the error..<BR /><BR />This said, i was expecting that if we perform another terrafom apply, databricks_grants would be OK, because there is no trace of the removed group in its state. But for an unknown reason databricks_grants still wants to see the DataUsers group and struggles to revoke the privilege that was granted to DataUsers group..<BR /><BR />Any idea how it could be solved? How databricks_grants continues to reference a group that does not exist anymore in its terraform&nbsp; state?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 31 May 2024 09:44:31 GMT Pedro1 2024-05-31T09:44:31Z https://community.databricks.com/t5/data-engineering/databricks-grants-fails-because-it-keeps-track-of-a-removed/m-p/71171#M34265 <P>Hi all,</P><P>My terraform script fails on a databricks_grants with the error:</P><P>&nbsp;</P><LI-CODE lang="markup">"Error: cannot update grants: Could not find principal with name DataUsers".</LI-CODE><P>&nbsp;</P><UL><LI>The principal DataUsers does not exist anymore because it has previously been deleted by terraform.</LI><LI>Both databricks UI and databricks CLI confirm that this principal does not exist.</LI><LI>There is no trace about DataUsers in the terraform state</LI></UL><P>The terraform sequence is as follow:</P><P>I have a list of groups to be created: groupList = ["DataUsers", "DataReaders"]</P><OL><LI>Groups creation:with databricks_group along with a for_each loop on groupList</LI></OL><P>&nbsp;</P><LI-CODE lang="javascript">resource "databricks_group" "list_groups" { for_each = var.groupList display_name = each.key force = true }​</LI-CODE><P>&nbsp;</P><UL><LI>Granting schema privileges to the groups: with databricks_grants</LI></UL><P>&nbsp;</P><LI-CODE lang="javascript">resource "databricks_grants" "schema_granting_groups" { for_each = toset(var.fmdp_schema_database_list) schema = "${each.value}" dynamic "grant" { for_each = databricks_group.list_groups content { principal = grant.value.display_name privileges = "USE_SCHEMA" } } }​</LI-CODE><P>&nbsp;</P><UL><LI>Apply: terraform apply =&gt; everything is created/configured as expected</LI><LI>Remove DataUsers from groupList: groupList = ["DataReaders"]</LI><LI>Apply: terraform apply =&gt; <EM>"Error: cannot update grants: Could not find principal with name DataUsers"</EM></LI><LI>Check: based on databricks UI and databricks CLI, the apply (step5) <STRONG>succeeded as expected</STRONG></LI></UL><P>Based on implicit dependencies, databricks_groups is always executed before databricks_grants. It works well for terraform apply and terraform destroy, but in this use case it is a "replaced in place".. logically databricks_grant should have been called first to revoke the privilege on the group, before the group be removed. But this is not the case: databricks_groups is still called before databricks_grants, which could justify the error..<BR /><BR />This said, i was expecting that if we perform another terrafom apply, databricks_grants would be OK, because there is no trace of the removed group in its state. But for an unknown reason databricks_grants still wants to see the DataUsers group and struggles to revoke the privilege that was granted to DataUsers group..<BR /><BR />Any idea how it could be solved? How databricks_grants continues to reference a group that does not exist anymore in its terraform&nbsp; state?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 31 May 2024 09:44:31 GMT https://community.databricks.com/t5/data-engineering/databricks-grants-fails-because-it-keeps-track-of-a-removed/m-p/71171#M34265 Pedro1 2024-05-31T09:44:31Z https://community.databricks.com/t5/data-engineering/databricks-grants-fails-because-it-keeps-track-of-a-removed/m-p/71182#M34266 <P>Terraform databricks provider= <SPAN>1.45.0</SPAN></P> Fri, 31 May 2024 10:47:06 GMT https://community.databricks.com/t5/data-engineering/databricks-grants-fails-because-it-keeps-track-of-a-removed/m-p/71182#M34266 Pedro1 2024-05-31T10:47:06Z https://community.databricks.com/t5/data-engineering/databricks-grants-fails-because-it-keeps-track-of-a-removed/m-p/122056#M46637 <P><EM>I'm here searching for a similar but different issue, so this is just a suggestion of something to try..</EM></P><P>Have you tried setting a <A href="https://developer.hashicorp.com/terraform/language/meta-arguments/depends_on" target="_self">depends_on</A>&nbsp;argument within your <EM>databricks_grants</EM> block?</P> Wed, 18 Jun 2025 03:47:00 GMT https://community.databricks.com/t5/data-engineering/databricks-grants-fails-because-it-keeps-track-of-a-removed/m-p/122056#M46637 wkeifenheim-og 2025-06-18T03:47:00Z