Sometimes accessing data requires that you authenticate to external data sources through JDBC. Instead of directly entering your credentials into a notebook, use Databricks secrets to store your credentials and reference them in notebooks and jobs. Please consult Secrets User Guide for more details.
resource "databricks_secret_scope" "this" {
name = "terraform-demo-scope"
}
The following arguments are supported:
name
- (Required) Scope name requested by the user. Must be unique within a workspace. Must consist of alphanumeric characters, dashes, underscores, and periods, and may not exceed 128 characters.initial_manage_principal
- (Optional) The principal with the only possible value users
that is initially granted MANAGE
permission to the created scope. If it's omitted, then the databricks_secret_acl with MANAGE
permission applied to the scope is assigned to the API request issuer's user identity (see documentation). This part of the state cannot be imported.On Azure, it is possible to create Azure Databricks secret scopes backed by Azure Key Vault. Secrets are stored in Azure Key Vault and can be accessed through the Azure Databricks secrets utilities, making use of Azure Databricks access control and secret redaction. A secret scope may be configured with at most one Key Vault.
To define AKV access policies, you must use azurerm_key_vault_access_policy instead of access_policy blocks on azurerm_key_vault
, otherwise Terraform will remove access policies needed to access the Key Vault and the secret scope won't be in a usable state anymore.
data "azurerm_client_config" "current" {
}
resource "azurerm_key_vault" "this" {
name = "${var.prefix}-kv"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_enabled = false
purge_protection_enabled = false
sku_name = "standard"
tags = var.tags
}
resource "azurerm_key_vault_access_policy" "this" {
key_vault_id = azurerm_key_vault.this.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = ["Delete", "Get", "List", "Set"]
}
resource "databricks_secret_scope" "kv" {
name = "keyvault-managed"
keyvault_metadata {
resource_id = azurerm_key_vault.this.id
dns_name = azurerm_key_vault.this.vault_uri
}
}
In addition to all arguments above, the following attributes are exported:
id
- The id for the secret scope object.backend_type
- Either DATABRICKS
or AZURE_KEYVAULT
The secret resource scope can be imported using the scope name. initial_manage_principal
state won't be imported, because the underlying API doesn't include it in the response.
terraform import databricks_secret_scope.object <scopeName>
The following resources are often used in the same context: