Skip to content

Latest commit

 

History

History
91 lines (67 loc) · 4.56 KB

entitlements.md

File metadata and controls

91 lines (67 loc) · 4.56 KB
subcategory
Security

databricks_entitlements Resource

This resource allows you to set entitlements to existing databricks_users, databricks_group or databricks_service_principal.

-> You must define entitlements of a principal using either databricks_entitlements or directly within one of databricks_users, databricks_group or databricks_service_principal. Having entitlements defined in both resources will result in non-deterministic behaviour.

Example Usage

Setting entitlements for a regular user:

data "databricks_user" "me" {
  user_name = "[email protected]"
}

resource "databricks_entitlements" "me" {
  user_id                    = data.databricks_user.me.id
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

Setting entitlements for a service principal:

data "databricks_service_principal" "this" {
  application_id = "11111111-2222-3333-4444-555666777888"
}

resource "databricks_entitlements" "this" {
  service_principal_id       = data.databricks_service_principal.this.sp_id
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

Setting entitlements to all users in a workspace - referencing special users databricks_group

data "databricks_group" "users" {
  display_name = "users"
}

resource "databricks_entitlements" "workspace-users" {
  group_id                   = data.databricks_group.users.id
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

Argument Reference

The following arguments are available to specify the identity you need to enforce entitlements. You must specify exactly one of those arguments otherwise resource creation will fail.

  • user_id - Canonical unique identifier for the user.
  • group_id - Canonical unique identifier for the group.
  • service_principal_id - Canonical unique identifier for the service principal.

The following entitlements are available.

  • allow_cluster_create - (Optional) Allow the principal to have cluster create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions and cluster_id argument. Everyone without allow_cluster_create argument set, but with permission to use Cluster Policy would be able to create clusters, but within boundaries of that specific policy.
  • allow_instance_pool_create - (Optional) Allow the principal to have instance pool create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions and instance_pool_id argument.
  • databricks_sql_access - (Optional) This is a field to allow the principal to have access to Databricks SQL feature in User Interface and through databricks_sql_endpoint.
  • workspace_access - (Optional) This is a field to allow the principal to have access to Databricks Workspace.

Import

The resource can be imported using a synthetic identifier. Examples of valid synthetic identifiers are:

  • user/user_id - user user_id.
  • group/group_id - group group_id.
  • spn/spn_id - service principal spn_id.
terraform import databricks_entitlements.me user/<user-id>

Related Resources

The following resources are often used in the same context: