subcategory |
---|
Security |
This resource allows you to set entitlements to existing databricks_users, databricks_group or databricks_service_principal.
-> You must define entitlements of a principal using either databricks_entitlements
or directly within one of databricks_users, databricks_group or databricks_service_principal. Having entitlements defined in both resources will result in non-deterministic behaviour.
Setting entitlements for a regular user:
data "databricks_user" "me" {
user_name = "[email protected]"
}
resource "databricks_entitlements" "me" {
user_id = data.databricks_user.me.id
allow_cluster_create = true
allow_instance_pool_create = true
}
Setting entitlements for a service principal:
data "databricks_service_principal" "this" {
application_id = "11111111-2222-3333-4444-555666777888"
}
resource "databricks_entitlements" "this" {
service_principal_id = data.databricks_service_principal.this.sp_id
allow_cluster_create = true
allow_instance_pool_create = true
}
Setting entitlements to all users in a workspace - referencing special users
databricks_group
data "databricks_group" "users" {
display_name = "users"
}
resource "databricks_entitlements" "workspace-users" {
group_id = data.databricks_group.users.id
allow_cluster_create = true
allow_instance_pool_create = true
}
The following arguments are available to specify the identity you need to enforce entitlements. You must specify exactly one of those arguments otherwise resource creation will fail.
user_id
- Canonical unique identifier for the user.group_id
- Canonical unique identifier for the group.service_principal_id
- Canonical unique identifier for the service principal.
The following entitlements are available.
allow_cluster_create
- (Optional) Allow the principal to have cluster create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions andcluster_id
argument. Everyone withoutallow_cluster_create
argument set, but with permission to use Cluster Policy would be able to create clusters, but within boundaries of that specific policy.allow_instance_pool_create
- (Optional) Allow the principal to have instance pool create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions and instance_pool_id argument.databricks_sql_access
- (Optional) This is a field to allow the principal to have access to Databricks SQL feature in User Interface and through databricks_sql_endpoint.workspace_access
- (Optional) This is a field to allow the principal to have access to Databricks Workspace.
The resource can be imported using a synthetic identifier. Examples of valid synthetic identifiers are:
user/user_id
- useruser_id
.group/group_id
- groupgroup_id
.spn/spn_id
- service principalspn_id
.
terraform import databricks_entitlements.me user/<user-id>
The following resources are often used in the same context:
- End to end workspace management guide.
- databricks_group to manage groups in Databricks Workspace or Account Console (for AWS deployments).
- databricks_group data to retrieve information about databricks_group members, entitlements and instance profiles.
- databricks_group_instance_profile to attach databricks_instance_profile (AWS) to databricks_group.
- databricks_group_member to attach users and groups as group members.
- databricks_instance_profile to manage AWS EC2 instance profiles that users can launch databricks_cluster and access data, like databricks_mount.
- databricks_user data to retrieve information about databricks_user.