subcategory |
---|
Security |
These resources are invoked in the workspace context.
In workspace context, adding account-level user to a workspace:
# Use the account provider
data "databricks_user" "me" {
user_name = "[email protected]"
provider = databricks.account
}
resource "databricks_permission_assignment" "add_user" {
principal_id = data.databricks_user.me.id
permissions = ["USER"]
provider = databricks.workspace
}
In workspace context, adding account-level service principal to a workspace:
# Use the account provider
data "databricks_service_principal" "sp" {
display_name = "Automation-only SP"
provider = databricks.account
}
resource "databricks_permission_assignment" "add_admin_spn" {
principal_id = data.databricks_service_principal.sp.id
permissions = ["ADMIN"]
provider = databricks.workspace
}
In workspace context, adding account-level group to a workspace:
# Use the account provider
data "databricks_group" "account_level" {
display_name = "example-group"
provider = databricks.account
}
# Use the workspace provider
resource "databricks_permission_assignment" "this" {
principal_id = data.databricks_group.account_level.id
permissions = ["USER"]
provider = databricks.workspace
}
data "databricks_group" "workspace_level" {
display_name = "example-group"
depends_on = [databricks_permission_assignment.this]
provider = databricks.workspace
}
output "databricks_group_id" {
value = data.databricks_group.workspace_level.id
}
The following arguments are required:
principal_id
- Databricks ID of the user, service principal, or group. The principal ID can be retrieved using the account-level SCIM API, or using databricks_user, databricks_service_principal or databricks_group data sources with account API (and has to be an account admin). A more sensible approach is to retrieve the list ofprincipal_id
as outputs from another Terraform stack.permissions
- The list of workspace permissions to assign to the principal:"USER"
- Can access the workspace with basic privileges."ADMIN"
- Can access the workspace and has workspace admin privileges to manage users and groups, workspace configurations, and more.
In addition to all arguments above, the following attributes are exported:
id
- ID of the permission assignment - same asprincipal_id
.
The resource databricks_permission_assignment
can be imported using the principal id
terraform import databricks_permission_assignment.this principal_id
The following resources are used in the same context:
- databricks_group to manage groups in Databricks Workspace or Account Console (for AWS deployments).
- databricks_group data to retrieve information about databricks_group members, entitlements and instance profiles.
- databricks_group_member to attach users and groups as group members.
- databricks_mws_permission_assignment to manage permission assignment from an account context