Databricks Community

Sudheer2 · 4 weeks ago

Hello Databricks Community,

I am using Terraform to create a Databricks recipient for sharing data with a non-Databricks user. The recipient is set up with authentication_type = "TOKEN", which generates a temporary URL to download a credentials file. By default, this URL expires after a certain period.

I would like to set a custom expiration time for the generated token (e.g., "2025-02-27T06:44:20.291Z"). However, it seems that Terraform is using the default expiration time and I can't find a way to specify the expiration time explicitly in the Terraform configuration.

Here’s the Terraform resource definition I am using:

hcl

Copy code

resource "databricks_recipient" "external_recipient" { name = var.recipient_name comment = "Created by Terraform" authentication_type = "TOKEN" ip_access_list { allowed_ip_addresses = [] # Define allowed IPv4 addresses (optional) } }

Questions:

How can I set a custom expiration time for the generated token URL when creating a recipient using Terraform?
Is there an option in the Databricks API or Terraform provider to specify the expiration time for the credentials file?
Thank you in advance for your help!

Alberto_Umana · 4 weeks ago

Hello @Sudheer2,

Currently, the Terraform provider for Databricks does not support setting a custom expiration time for the generated token URL when creating a recipient with authentication_type = "TOKEN". The expiration time is automatically determined and cannot be explicitly specified in the Terraform configuration

For now, you might need to manage the token expiration manually or use the Databricks API directly to create the recipient with the desired expiration time.

There is a feature request internally to implement this.

Use the Databricks REST API to create a recipient with a custom expiration time:

curl -X POST https://<databricks-instance>/api/2.0/unity-catalog/recipients \
-H "Authorization: Bearer <your-access-token>" \
-H "Content-Type: application/json" \
-d '{
  "name": "<recipient-name>",
  "comment": "Created by API",
  "authentication_type": "TOKEN",
  "expiration_time": "2025-02-27T06:44:20.291Z"
}'

Sudheer2 · 3 weeks ago

Hello @Alberto_Umana

Thank you for your helpful response. I followed your suggestion to use a null_resource with the local-exec provisioner to make the API call to create a recipient. However, I’m facing an issue where the resource is being reported as created in the Terraform output (i.e., "1 resource added"), but I cannot see the recipient in the Databricks workspace.

Here’s the Terraform configuration I’m using:

resource "null_resource" "create_recipient" { provisioner "local-exec" { command = <<EOT echo "Calling Databricks API to create recipient..." RESPONSE=$(curl -s -X POST "${var.databricks_host}/api/2.0/unity-catalog/recipients" \ -H "Authorization: Bearer ${var.databricks_token}" \ -H "Content-Type: application/json" \ -d '{ "name": "${var.recipient_name}", "comment": "Created by API", "authentication_type": "TOKEN", "expiration_time": "2024-12-04T06:44:20.291Z" }') echo $RESPONSE > recipient_response.json EOT } triggers = { recipient_name = var.recipient_name } }

The local-exec provisioner is executing the curl command successfully, but when I check the Databricks workspace, the recipient doesn’t appear.

A few things I’ve tried:

Checked the response returned by the curl call (which is written to recipient_response.json), but there’s no error message. It appears the request was successful.
Confirmed that the databricks_host and databricks_token variables are set correctly.
Do you have any additional suggestions on troubleshooting this issue? Specifically, is there a way to check the actual result of the API call directly, or should I be using a different method to confirm the recipient creation?
Looking forward to your advice.
Best regards,
Sudheer Ch.

@Alberto_Umana