I am attempting to manage my Azure Databricks users and groups with Terraform, using the `databrickslabs/databricks` provider. Something like this:

```hcl
resource "databricks_group" "group" {
  display_name               = var.group_name
  force                      = true
  allow_cluster_create       = false
  allow_instance_pool_create = false
  databricks_sql_access      = true
  workspace_access           = true
}

resource "databricks_user" "user" {
  user_name    = var.user_mail
  display_name = var.user_name
  force        = true
}

resource "databricks_group_member" "membership" {
  group_id  = databricks_group.group.id
  member_id = databricks_user.user.id
}
```
This is all deployed through my Azure service principal, as part of a larger codebase that also provisions the Databricks Workspace... and it works great.

However, if I add users to one of the Databricks built-in groups (`admins` or `users`), while the deployment works, `terraform destroy` -- again, running as my service principal -- gives the following error when trying to destroy the `databricks_group_member.membership` resource:

```
Error: cannot delete group member: PERMISSION_DENIED: Requesting user '0a19c919-7b10-499d-acd4-057944582a41' does not have permission to edit system groups.
```

Why can my service principal define group membership, but not delete it? Is there some special Databricks permission I can give my service principal -- when I create the workspace -- which will resolve this? Otherwise, I have to manually do `terraform state rm` on the resource to get the `destroy` to go through.
`users` is a built-in group that contains all users of the workspace. You can't remove a user from it, but you also shouldn't add users explicitly into it. You can remove the user, then it will be removed from `users` as well. If you're afraid of having too broad permissions for all users, you can revoke as much as possible from the `users` group, and set specific permissions for each group.

Regarding the `admins` group, the example from the documentation works just fine - you add a user and put it into the `admins` group:
```
Terraform will perform the following actions:

  # databricks_group_member.i-am-admin will be created
  + resource "databricks_group_member" "i-am-admin" {
      + group_id  = "5662462700018557"
      + id        = (known after apply)
      + member_id = (known after apply)
    }

  # databricks_user.me will be created
  + resource "databricks_user" "me" {
      + active                     = true
      + allow_cluster_create       = false
      + allow_instance_pool_create = false
      + databricks_sql_access      = false
      + display_name               = (known after apply)
      + id                         = (known after apply)
      + user_name                  = "[email protected]"
      + workspace_access           = false
    }

Plan: 2 to add, 0 to change, 0 to destroy.

databricks_user.me: Creating...
databricks_user.me: Creation complete after 2s [id=3766754836829044]
databricks_group_member.i-am-admin: Creating...
databricks_group_member.i-am-admin: Creation complete after 1s [id=5662462700018557|3766754836829044]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
```
and when you remove this user from the `admins` group by removing the `databricks_group_member` resource, it is just removed without error, but the user will stay a member of the `users` group:
```
Terraform will perform the following actions:

  # databricks_group_member.i-am-admin will be destroyed
  - resource "databricks_group_member" "i-am-admin" {
      - group_id  = "5662462700018557" -> null
      - id        = "5662462700018557|3766754836829044" -> null
      - member_id = "3766754836829044" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

databricks_group_member.i-am-admin: Destroying... [id=5662462700018557|3766754836829044]
databricks_group_member.i-am-admin: Destruction complete after 1s

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.
```
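As an added example (not code from the question or the answer), here is the layout the answer recommends written out in HCL: the built-in `admins` group is read through a data source rather than declared as a resource, users are placed only in custom groups or in `admins`, and no membership is ever declared for `users`. User and group names are constructed placeholders.

```hcl
# Added example: look up the built-in "admins" group instead of managing it
# as a resource, and only declare memberships Terraform can also destroy.
# All user and group names below are constructed placeholders.

data "databricks_group" "admins" {
  display_name = "admins" # built-in; referenced, never created or forced
}

# Custom group with the narrowest entitlements; widen per group as needed
# instead of relying on whatever the "users" group grants to everyone.
resource "databricks_group" "analysts" {
  display_name               = "analysts"
  allow_cluster_create       = false
  allow_instance_pool_create = false
  databricks_sql_access      = true
  workspace_access           = true
}

resource "databricks_user" "alice" {
  user_name    = "alice@example.com"
  display_name = "Alice Example"
}

resource "databricks_user" "ops" {
  user_name    = "ops@example.com"
  display_name = "Ops Admin"
}

# Membership in a custom group: created and destroyed by Terraform normally.
resource "databricks_group_member" "alice_analyst" {
  group_id  = databricks_group.analysts.id
  member_id = databricks_user.alice.id
}

# Membership in the built-in admins group: removable, as the answer's
# plan/destroy output shows.
resource "databricks_group_member" "ops_admin" {
  group_id  = data.databricks_group.admins.id
  member_id = databricks_user.ops.id
}

# Deliberately no databricks_group_member for "users": every databricks_user
# belongs to it automatically, deleting that membership is denied, and
# destroying the databricks_user resource removes the user from "users" too.
```

With this layout `terraform destroy` has no `users` membership to delete, so the PERMISSION_DENIED error and the manual `terraform state rm` workaround do not arise.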