This resource allows you to manage access rules on Databricks account level resources. For convenience we allow accessing this resource through the Databricks account and workspace.
Through a Databricks workspace:
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}
// account level group
data "databricks_group" "ds" {
display_name = "Data Science"
}
resource "databricks_service_principal" "automation_sp" {
display_name = "SP_FOR_AUTOMATION"
}
resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"
grant_rules {
principals = [data.databricks_group.ds.acl_principal_id]
role = "roles/servicePrincipal.user"
}
}
Through AWS Databricks account:
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}
// initialize provider at account-level
provider "databricks" {
host = "https://accounts.cloud.databricks.com"
account_id = local.account_id
client_id = var.client_id
client_secret = var.client_secret
}
// account level group creation
resource "databricks_group" "ds" {
display_name = "Data Science"
}
resource "databricks_service_principal" "automation_sp" {
display_name = "SP_FOR_AUTOMATION"
}
resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"
grant_rules {
principals = [databricks_group.ds.acl_principal_id]
role = "roles/servicePrincipal.user"
}
}
Through Azure Databricks account:
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}
// initialize provider at Azure account-level
provider "databricks" {
host = "https://accounts.azuredatabricks.net"
account_id = local.account_id
}
// account level group creation
resource "databricks_group" "ds" {
display_name = "Data Science"
}
resource "databricks_service_principal" "automation_sp" {
application_id = "00000000-0000-0000-0000-000000000000"
display_name = "SP_FOR_AUTOMATION"
}
resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"
grant_rules {
principals = [databricks_group.ds.acl_principal_id]
role = "roles/servicePrincipal.user"
}
}
Through GCP Databricks account:
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}
// initialize provider at account-level
provider "databricks" {
host = "https://accounts.gcp.databricks.com"
account_id = local.account_id
}
// account level group creation
resource "databricks_group" "ds" {
display_name = "Data Science"
}
resource "databricks_service_principal" "automation_sp" {
display_name = "SP_FOR_AUTOMATION"
}
resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"
grant_rules {
principals = [databricks_group.ds.acl_principal_id]
role = "roles/servicePrincipal.user"
}
}
Refer to the appropriate provider configuration as shown in the examples for service principal rule set.
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}
// account level group
data "databricks_group" "ds" {
display_name = "Data Science"
}
data "databricks_user" "john" {
user_name = "john.doe@example.com"
}
resource "databricks_access_control_rule_set" "ds_group_rule_set" {
name = "accounts/${local.account_id}/groups/${databricks_group.ds.id}/ruleSets/default"
grant_rules {
principals = [data.databricks_user.john.acl_principal_id]
role = "roles/group.manager"
}
}
Refer to the appropriate provider configuration as shown in the examples for service principal rule set.
locals {
account_id = "00000000-0000-0000-0000-000000000000"
}
// account level group
data "databricks_group" "ds" {
display_name = "Data Science"
}
// account level group
data "databricks_group" "marketplace_admins" {
display_name = "Marketplace Admins"
}
data "databricks_user" "john" {
user_name = "john.doe@example.com"
}
resource "databricks_access_control_rule_set" "account_rule_set" {
name = "accounts/${local.account_id}/ruleSets/default"
// user john is manager for all groups in the account
grant_rules {
principals = [data.databricks_user.john.acl_principal_id]
role = "roles/group.manager"
}
// group data science is manager for all service principals in the account
grant_rules {
principals = [data.databricks_group.ds.acl_principal_id]
role = "roles/servicePrincipal.manager"
}
grant_rules {
principals = [data.databricks_group.marketplace_admins.acl_principal_id]
role = "roles/marketplace.admin"
}
}
name
- (Required) Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/default
accounts/{account_id}/groups/{group_id}/ruleSets/default
accounts/{account_id}/ruleSets/default
grant_rules
- (Required) The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
One or more grant_rules
blocks are required to actually set access rules.
grant_rules {
principals = [
databricks_group.ds.acl_principal_id
]
role = "roles/servicePrincipal.user"
}
Arguments of the grant_rules
block are:
role
- (Required) Role to be granted. The supported roles are listed below. For more information about these roles, refer to service principal roles, group roles or marketplace roles.
roles/servicePrincipal.manager
- Manager of a service principal.roles/servicePrincipal.user
- User of a service principal.roles/group.manager
- Manager of a group.roles/marketplace.admin
- Admin of marketplace.principals
- (Required) a list of principals who are granted a role. The following format is supported:
users/{username}
(also exposed as acl_principal_id
attribute of databricks_user
resource).groups/{groupname}
(also exposed as acl_principal_id
attribute of databricks_group
resource).servicePrincipals/{applicationId}
(also exposed as acl_principal_id
attribute of databricks_service_principal
resource).In addition to all arguments above, the following attributes are exported:
id
- ID of the access control rule set - the same as name
.The following resources are often used in the same context: