databricks_sql_permissions Resource

This resource manages data object access control lists in Databricks workspaces for things like tables, views, databases, and more. To enable Table Access Control, log in to the workspace as an administrator, go to the Admin Console, pick the Access Control tab, click Enable in the Table Access Control section, and click Confirm. The security guarantees of table access control are only effective if cluster access control is also turned on. Make sure that no users can create clusters in your workspace and that all databricks_cluster resources have approximately the following configuration:

resource "databricks_cluster" "cluster_with_table_access_control" {
  // ...

  spark_conf = {
    "spark.databricks.acl.dfAclsEnabled" : "true",
    "spark.databricks.repl.allowedLanguages" : "python,sql",
  }

}

It can be combined with High-Concurrency and Single-Node clusters; in that case the cluster should also carry the corresponding custom_tags and spark.databricks.cluster.profile in its Spark configuration, as described in the documentation for the databricks_cluster resource.

The created cluster can then be referenced by providing its ID as the cluster_id property:

resource "databricks_sql_permissions" "foo_table" {
  cluster_id = databricks_cluster.cluster_name.id
  #...
}

All permissions for a securable must be defined in a single resource; otherwise Terraform cannot guarantee that configuration drift is prevented.

Example Usage

The following resource definition enforces access control on a table by executing the corresponding SQL statements on a special auto-terminating cluster that it creates for this operation:

resource "databricks_sql_permissions" "foo_table" {
  table = "foo"

  privilege_assignments {
    principal  = "serge@example.com"
    privileges = ["SELECT", "MODIFY"]
  }

  privilege_assignments {
    principal  = "special group"
    privileges = ["SELECT"]
  }
}

Argument Reference

The following arguments are available to specify the data object on which you need to enforce access controls. You must specify only one of these arguments (except for table and view); otherwise resource creation will fail.

privilege_assignments blocks

You must specify one or more privilege_assignments configuration blocks to declare privileges for a principal, which corresponds to the display_name of a databricks_group or databricks_user. Terraform ensures that only the principals and privileges defined in the resource are applied to the data object and removes anything else. It does not remove any transitive privileges. DENY statements are intentionally not supported. Every privilege_assignments block has the following required arguments:
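The following configuration is an added example, not taken from the provider documentation or the provider's own test suite. It ties together the two points above: the cluster that will run the grants is created with table access control enforced (the spark_conf from the top of this page), and every grant on one securable is declared in a single databricks_sql_permissions resource that references that cluster through cluster_id, so Terraform owns the complete set of privilege assignments and removes any grant made outside of it. The group name, the user e-mail and the sales/orders names are constructed; the use of a database argument alongside table to select the schema is an assumption about this resource, and the databricks_spark_version and databricks_node_type data sources are used only to pick a runtime and node type.

```hcl
# Added example, not the provider's own code. Names below are constructed.

# Pick a long-term-support runtime and the smallest local-disk node type.
data "databricks_spark_version" "latest_lts" {
  long_term_support = true
}

data "databricks_node_type" "smallest" {
  local_disk = true
}

# A cluster on which table access control is actually enforced. This only
# provides a guarantee when users are not allowed to create their own clusters.
resource "databricks_cluster" "acl_enforced" {
  cluster_name            = "table-acl-enforced"
  spark_version           = data.databricks_spark_version.latest_lts.id
  node_type_id            = data.databricks_node_type.smallest.id
  num_workers             = 1
  autotermination_minutes = 20

  spark_conf = {
    # Turn on data-frame ACL checks for every query on this cluster.
    "spark.databricks.acl.dfAclsEnabled" : "true",
    # Restrict the REPL to languages that go through the ACL layer.
    "spark.databricks.repl.allowedLanguages" : "python,sql",
  }
}

# The principal is matched by display_name, so manage the group in Terraform
# too and reference it instead of repeating the string.
resource "databricks_group" "analysts" {
  display_name = "analysts" # constructed group name
}

# Every grant on the sales.orders table lives in this one resource. Anything
# granted on the table by hand is removed on the next apply; transitive
# privileges (for example from the database) are left alone.
resource "databricks_sql_permissions" "sales_orders" {
  cluster_id = databricks_cluster.acl_enforced.id
  database   = "sales"  # assumed: selects the schema that holds the table
  table      = "orders" # constructed table name

  privilege_assignments {
    principal  = databricks_group.analysts.display_name
    privileges = ["SELECT"]
  }

  privilege_assignments {
    principal  = "etl@example.com" # constructed service user
    privileges = ["SELECT", "MODIFY"]
  }
}
```

Declaring the group as a Terraform resource and referencing its display_name keeps the grant and the principal in the same plan, so a renamed group cannot silently leave a dangling grant; splitting the two privilege_assignments blocks into separate databricks_sql_permissions resources for the same table would defeat the drift guarantee described above.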

Available privilege names are:

Import

The resource can be imported using a synthetic identifier. Examples of valid synthetic identifiers are:

$ terraform import databricks_sql_permissions.foo /<object-type>/<object-name>

The following resources are often used in the same context: