Arghya Ganguly

Reputation: 59

Map and assign admin roles and custom roles to account level Azure Databricks groups provisioned via SCIM at account level using Terraform

I have enabled SCIM at the account level and provisioned AAD groups to my Azure Databricks group. I need to create an account-level security group and map Databricks admin roles like: 1) Account Admin 2) Marketplace admin 3) Billing admin, as well as custom roles, to the group.

My script:

provider "databricks" {
  alias = "manager"
  host = "https://account.azuredatabricks.net"
  account_id = "..."
}

resource "databricks_group" "test_group" {
  provider = databricks.manager
  display_name = "test_group_uc"
}

resource "databricks_group_role" "my_group_account_admin" {
  provider = databricks.manager
  group_id = databricks_group.test_group.id
  role = "account_admin"
}

This works; I am able to assign the account_admin role in test_group_uc. But when I try to assign other admin roles like workspace_admin or billing_admin, I receive errors such as:

Error : cannot create group role : invalidValue Invalid role value workspace_admin

I also require some help to find resources on how to create custom roles.

Upvotes: 0

Views: 141

Answers (1)

Vinay B

Reputation: 2226

Admin roles and custom roles to account level Azure Databricks groups provisioned at account level using Terraform

As per the Databricks documentation, after the 1.210 release of the databricks/databricks provider, with an account-level group using the workspace provider and credentials, we are able to provide the necessary roles for groups and service principals.

demo configuration:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.12.1"
    }
    databricks = {
      source  = "databricks/databricks"
      version = "1.59.0"
    }
  }
}
.
.
provider "databricks" {
  alias      = "manager"
  host       = "https://accounts.azuredatabricks.net"
  account_id = "<YOUR_ACCOUNT_ID>"
}

resource "databricks_service_principal" "sp" {
  application_id       = "<Service Principal ID>"
  display_name         = "vksbapp"
  allow_cluster_create = true
}

resource "databricks_service_principal_role" "account_admin" {
  service_principal_id = databricks_service_principal.sp.id
  role                 = "account_admin"
}

resource "databricks_group" "test_group" {
  provider     = databricks.manager
  display_name = "test_group_uc"
}

resource "databricks_group_role" "my_group_account_admin" {
  provider = databricks.manager
  group_id = databricks_group.test_group.id
  role     = "account_admin"
}

resource "databricks_group_role" "my_group_marketplace_admin" {
  provider = databricks.manager
  group_id = databricks_group.test_group.id
  role     = "marketplace_admin"
}

resource "databricks_group_role" "my_group_billing_admin" {
  provider = databricks.manager
  group_id = databricks_group.test_group.id
  role     = "billing_admin"
}

resource "databricks_group_role" "my_group_custom_role" {
  provider = databricks.manager
  group_id = databricks_group.test_group.id
  role     = "<CUSTOM_ROLE_NAME>"
}

refer:

databricks_group_role | Resources | databricks/databricks | Terraform | Terraform Registry

Upvotes: 0
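An added example, not part of the answer above or of the Databricks provider: a pre-apply check that reads a plan exported with `terraform show -json` and lists every `databricks_group_role` or `databricks_service_principal_role` that would newly grant a privileged role, so an `account_admin` assignment like the ones above gets explicit review. The function name, the `PRIVILEGED_ROLES` set, the `approved` allow-list and the sample plan are assumptions constructed for illustration.

```python
import json

# Resource types used in the answer; value is the attribute naming the principal.
ROLE_RESOURCES = {
    "databricks_group_role": "group_id",
    "databricks_service_principal_role": "service_principal_id",
}
PRIVILEGED_ROLES = {"account_admin"}  # assumption: roles needing sign-off


def privileged_grants(plan, approved=frozenset(), privileged=PRIVILEGED_ROLES):
    """List role grants that a plan adds or changes and that nobody approved.

    plan: parsed output of `terraform show -json <planfile>`.
    approved: resource addresses that already have sign-off.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        principal_key = ROLE_RESOURCES.get(rc.get("type"))
        if principal_key is None:
            continue
        change = rc.get("change") or {}
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # no-op and delete do not add a grant
        after = change.get("after") or {}
        addr = rc.get("address")
        if after.get("role") in privileged and addr not in approved:
            findings.append({
                "address": addr,
                "role": after["role"],
                # IDs of principals created in the same run are unknown at plan time
                "principal": after.get(principal_key) or "(known after apply)",
            })
    return findings


# Constructed sample plan (not real output), trimmed to the fields read above.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "databricks_group.test_group", "type": "databricks_group",
   "change": {"actions": ["create"], "after": {"display_name": "test_group_uc"}}},
  {"address": "databricks_group_role.my_group_account_admin", "type": "databricks_group_role",
   "change": {"actions": ["create"], "after": {"role": "account_admin"}}},
  {"address": "databricks_group_role.my_group_billing_admin", "type": "databricks_group_role",
   "change": {"actions": ["create"], "after": {"role": "billing_admin"}}},
  {"address": "databricks_service_principal_role.account_admin",
   "type": "databricks_service_principal_role",
   "change": {"actions": ["no-op"], "after": {"role": "account_admin", "service_principal_id": "1234"}}}
]}
""")
```

In CI, a non-empty result from `privileged_grants(json.load(open("plan.json")))` can fail the job until the listed addresses are added to `approved`.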
