How to set up unity catalog access connector with terraform
I am trying to update our Databricks account and workspace to use Unity Catalog, we've got all our infrastructure templated using terraform, I'm trying to deploy an azapi resource as detailed in the terraform unity catalog upgrade docs but am not having any luck. My terraform code below is used to create the connector
provider "azuread" {
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id
}
provider "azurerm" {
features {}
client_id = var.client_id
client_secret = var.client_secret
subscription_id = var.subscription_id
tenant_id = var.tenant_id
}
provider "azapi" {
client_id = var.client_id
tenant_id = var.tenant_id
subscription_id = var.subscription_id
client_secret = var.client_secret
}
resource "azurerm_resource_group" "this" {
name = "${local.prefix}-metaverse-migration-rg"
location = var.region
tags = local.tags
}
resource "azapi_resource" "access_connector" {
type = "Microsoft.Databricks/accessConnectors@2022-04-01-preview"
name = "${local.prefix}-databricks-mi"
location = azurerm_resource_group.this.location
parent_id = azurerm_resource_group.this.id
identity {
type = "SystemAssigned"
}
body = jsonencode({
properties = {}
})
}
the error message I receive when running this on terraform cloud is
Error: creating/updating "Resource: (ResourceId \"/subscriptions/mysubguid/resourceGroups/databricks-metaverse-migration-rg/providers/Microsoft.Databricks/accessConnectors/databricks-databricks-mi\" / Api Version \"2022-04-01-preview\")": PUT https://management.azure.com/subscriptions/mysubguid/resourceGroups/databricks-metaverse-migration-rg/providers/Microsoft.Databricks/accessConnectors/databricks-databricks-mi -------------------------------------------------------------------------------- RESPONSE 502: 502 Bad Gateway ERROR CODE: 403 -------------------------------------------------------------------------------- { "error": { "code": "403", "message": "User not authorized." } } -----------------------------------
I'm running this under a service principal with ownership over the subscription but was getting the same error when it was a contributor. I have a suspicion I need to use a Managed Identity but not sure how/where
Thanks!
After adding the below permissions to the service principal, I was able to successfully deploy the access connector. For the access connector itself, I believe only the IdentityProvider.ReadWrite.All permission is needed with subsequent permissions being used for other deployment aspects
- terraform error when integrating S3 website redirect with CloudFront
- Nat Gateway Profile for AKS using terraform
- Terraform and Azure: Problems with association between NetworkSecurityGroups and Subnets
- How to save Terraform output variable into a Github Action’s environment variable
- terraform when using data sources no stored state was found for the given workspace in the given backend
- Upgrading AWS RDS aurora from serverless v1 to serverless v2 using terraform
- How to install multiple or two versions of Terraform?
- Terraform will damage your computer on macOS Intel
- Upgrade terraform to specific version
- Should I commit my .terraform-version file?
- Terraform code not creating multiple rules in Azure Storage lifecycle
- How to resolve 'Step Functions State Machine is not authorized to create managed-rule'?
- How to output URL of Azure Logic Apps with Terraform?
- Terraform fails to import key pair with Amazon EC2
- Check if the resource exists before using data
- Invalid arn error for terraform code with kms data resource
- Can I use helm for fire and forget k8s Jobs?
- Does AWS VPC Endpoint require subnets?
- Maps containing keys with spaces are not properly validated when those keys are used as resource names
- Adding additional storage to VM with terraform
- EC2 can't get a public ip address after stop-start
- Terraform Cloud Run Service URL
- Can I use condition's variable in the error_message of a Terraform variable validation?
- OPA eval command
- Rancher - controlplane node got into worker pool
- Terraform for-each with list of objects
- Timezone error creating SQL instance in Azure using Terraform
- Terraform shows `InvalidGroup.NotFound` while creating an EC2 instance
- How can I use Terraform to run a script to initialise the database on a newly-created Azure mssql_virtual_machine?
- 'terraform plan' NOT updating state file