databricks_access_control_rule_set Resource

This resource allows you to manage access rules on Databricks account-level resources. For convenience, it can be managed through either an account-level or a workspace-level provider configuration.

Service principal rule set usage

Through a Databricks workspace:

locals {
  account_id = "00000000-0000-0000-0000-000000000000"
}

// account level group
data "databricks_group" "ds" {
  display_name = "Data Science"
}

resource "databricks_service_principal" "automation_sp" {
  display_name = "SP_FOR_AUTOMATION"
}

resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
  name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"

  grant_rules {
    principals = [data.databricks_group.ds.acl_principal_id]
    role       = "roles/servicePrincipal.user"
  }
}

Through AWS Databricks account:

locals {
  account_id = "00000000-0000-0000-0000-000000000000"
}

// initialize provider at account-level
provider "databricks" {
  host          = "https://accounts.cloud.databricks.com"
  account_id    = local.account_id
  client_id     = var.client_id
  client_secret = var.client_secret
}

// account level group creation
resource "databricks_group" "ds" {
  display_name = "Data Science"
}

resource "databricks_service_principal" "automation_sp" {
  display_name = "SP_FOR_AUTOMATION"
}

resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
  name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"

  grant_rules {
    principals = [databricks_group.ds.acl_principal_id]
    role       = "roles/servicePrincipal.user"
  }
}

Through Azure Databricks account:

locals {
  account_id = "00000000-0000-0000-0000-000000000000"
}

// initialize provider at Azure account-level
provider "databricks" {
  host       = "https://accounts.azuredatabricks.net"
  account_id = local.account_id
}

// account level group creation
resource "databricks_group" "ds" {
  display_name = "Data Science"
}

resource "databricks_service_principal" "automation_sp" {
  application_id = "00000000-0000-0000-0000-000000000000"
  display_name   = "SP_FOR_AUTOMATION"
}

resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
  name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"

  grant_rules {
    principals = [databricks_group.ds.acl_principal_id]
    role       = "roles/servicePrincipal.user"
  }
}

Through GCP Databricks account:

locals {
  account_id = "00000000-0000-0000-0000-000000000000"
}

// initialize provider at account-level
provider "databricks" {
  host       = "https://accounts.gcp.databricks.com"
  account_id = local.account_id
}

// account level group creation
resource "databricks_group" "ds" {
  display_name = "Data Science"
}

resource "databricks_service_principal" "automation_sp" {
  display_name = "SP_FOR_AUTOMATION"
}

resource "databricks_access_control_rule_set" "automation_sp_rule_set" {
  name = "accounts/${local.account_id}/servicePrincipals/${databricks_service_principal.automation_sp.application_id}/ruleSets/default"

  grant_rules {
    principals = [databricks_group.ds.acl_principal_id]
    role       = "roles/servicePrincipal.user"
  }
}

Group rule set usage

Refer to the provider configuration appropriate for your cloud, as shown in the service principal rule set examples above.

locals {
  account_id = "00000000-0000-0000-0000-000000000000"
}

// account level group
data "databricks_group" "ds" {
  display_name = "Data Science"
}

data "databricks_user" "john" {
  user_name = "john.doe@example.com"
}

resource "databricks_access_control_rule_set" "ds_group_rule_set" {
  name = "accounts/${local.account_id}/groups/${data.databricks_group.ds.id}/ruleSets/default"

  grant_rules {
    principals = [data.databricks_user.john.acl_principal_id]
    role       = "roles/group.manager"
  }
}

Account rule set usage

Refer to the provider configuration appropriate for your cloud, as shown in the service principal rule set examples above.

locals {
  account_id = "00000000-0000-0000-0000-000000000000"
}

// account level group
data "databricks_group" "ds" {
  display_name = "Data Science"
}

// account level group
data "databricks_group" "marketplace_admins" {
  display_name = "Marketplace Admins"
}

data "databricks_user" "john" {
  user_name = "john.doe@example.com"
}

resource "databricks_access_control_rule_set" "account_rule_set" {
  name = "accounts/${local.account_id}/ruleSets/default"

  // user john is manager for all groups in the account
  grant_rules {
    principals = [data.databricks_user.john.acl_principal_id]
    role       = "roles/group.manager"
  }

  // group data science is manager for all service principals in the account
  grant_rules {
    principals = [data.databricks_group.ds.acl_principal_id]
    role       = "roles/servicePrincipal.manager"
  }

  grant_rules {
    principals = [data.databricks_group.marketplace_admins.acl_principal_id]
    role       = "roles/marketplace.admin"
  }
}
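As an added example (not part of the provider's documentation or code), a small pre-apply policy check over the three rule set name shapes shown above: it classifies each rule set by its name, verifies the account id, rejects roles this page does not grant at that scope, and flags account-scope manager grants for review, since those apply to every group or service principal in the account. The role allow-list and the users/, groups/ and servicePrincipals/ principal-id prefixes are assumptions taken from the examples, and the input dicts are constructed to mirror the HCL.

```python
import re
# Name shapes taken from the three examples on this page; scope -> compiled pattern.
SCOPE_PATTERNS = {
    "account": re.compile(r"^accounts/(?P<acct>[^/]+)/ruleSets/default$"),
    "group": re.compile(r"^accounts/(?P<acct>[^/]+)/groups/[^/]+/ruleSets/default$"),
    "service_principal": re.compile(r"^accounts/(?P<acct>[^/]+)/servicePrincipals/[^/]+/ruleSets/default$"),
}
# Roles the page's examples grant at each scope, used here as a local allow-list
# (an assumption to adjust), not the provider's full role catalogue.
ALLOWED_ROLES = {
    "account": {"roles/group.manager", "roles/servicePrincipal.manager", "roles/marketplace.admin"},
    "group": {"roles/group.manager"},
    "service_principal": {"roles/servicePrincipal.user"},
}
# acl_principal_id shape assumed from the user/group data sources used above.
PRINCIPAL_RE = re.compile(r"^(users|groups|servicePrincipals)/.+$")
ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"

def check_rule_set(name, grant_rules, expected_account_id=ACCOUNT_ID):
    """Return (severity, message) findings for one rule set's grant_rules."""
    scope = next((s for s, p in SCOPE_PATTERNS.items() if p.match(name)), None)
    if scope is None:
        return [("error", f"unrecognised rule set name: {name}")]
    findings = []
    acct = SCOPE_PATTERNS[scope].match(name).group("acct")
    if acct != expected_account_id:
        findings.append(("error", f"rule set targets account {acct}, expected {expected_account_id}"))
    for rule in grant_rules:
        role = rule.get("role", "")
        if role not in ALLOWED_ROLES[scope]:
            findings.append(("error", f"{role!r} is not an allowed role on a {scope} rule set"))
        elif scope == "account" and role.endswith(".manager"):
            # Manager roles on the account rule set cover every group / service principal.
            findings.append(("review", f"{role} at account scope applies to every object of that type"))
        for principal in rule.get("principals", []):
            if not PRINCIPAL_RE.match(principal):
                findings.append(("error", f"malformed principal id {principal!r}"))
    return findings

def audit(rule_sets, expected_account_id=ACCOUNT_ID):
    return {n: check_rule_set(n, r, expected_account_id) for n, r in rule_sets.items()}

# Constructed sample mirroring the page's HCL: one clean SP rule set, one flawed account rule set.
SAMPLE_RULE_SETS = {
    f"accounts/{ACCOUNT_ID}/servicePrincipals/11111111-1111-1111-1111-111111111111/ruleSets/default":
        [{"principals": ["groups/Data Science"], "role": "roles/servicePrincipal.user"}],
    f"accounts/{ACCOUNT_ID}/ruleSets/default":
        [{"principals": ["users/john.doe@example.com"], "role": "roles/group.manager"},
         {"principals": ["Data Science"], "role": "roles/servicePrincipal.user"}],
}
```

Calling audit(SAMPLE_RULE_SETS) returns no findings for the service principal rule set and three for the account rule set: a review flag for the account-wide group.manager grant, and errors for the out-of-scope role and the unprefixed principal.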

Argument Reference

grant_rules

One or more grant_rules blocks are required to actually set access rules.

grant_rules {
  principals = [
    databricks_group.ds.acl_principal_id
  ]
  role = "roles/servicePrincipal.user"
}

Arguments of the grant_rules block are:

principals - list of principals the role is granted to, each given as the acl_principal_id of the referenced databricks_user, databricks_group or databricks_service_principal.

role - the role to grant, for example roles/servicePrincipal.user, roles/group.manager, roles/servicePrincipal.manager or roles/marketplace.admin.

Attribute Reference

In addition to all arguments above, the following attributes are exported:

The following resources are often used in the same context: