subcategory |
---|
Unity Catalog |
-> Public Preview This feature is in Public Preview. Contact your Databricks representative to request access.
Each databricks_metastore requires an IAM role that will be assumed by Unity Catalog to access data. databricks_metastore_data_access
defines this
For AWS
resource "databricks_metastore" "this" {
name = "primary"
storage_root = "s3://${aws_s3_bucket.metastore.id}/metastore"
owner = "uc admins"
force_destroy = true
}
resource "databricks_metastore_data_access" "this" {
metastore_id = databricks_metastore.this.id
name = aws_iam_role.metastore_data_access.name
aws_iam_role {
role_arn = aws_iam_role.metastore_data_access.arn
}
is_default = true
}
For Azure using managed identity as credential (recommended)
resource "databricks_metastore" "this" {
name = "primary"
storage_root = format("abfss://%s@%s.dfs.core.windows.net/",
azurerm_storage_account.unity_catalog.name,
azurerm_storage_container.unity_catalog.name)
owner = "uc admins"
force_destroy = true
}
resource "databricks_metastore_data_access" "this" {
metastore_id = databricks_metastore.this.id
name = "mi_dac"
azure_managed_identity {
access_connector_id = var.access_connector_id
}
is_default = true
}
For Azure using service principal as credential
resource "databricks_metastore" "this" {
name = "primary"
storage_root = format("abfss://%s@%s.dfs.core.windows.net/",
azurerm_storage_account.unity_catalog.name,
azurerm_storage_container.unity_catalog.name)
owner = "uc admins"
force_destroy = true
}
resource "databricks_metastore_data_access" "this" {
metastore_id = databricks_metastore.this.id
name = "sp_dac"
azure_service_principal {
directory_id = var.tenant_id
application_id = azuread_application.unity_catalog.application_id
client_secret = azuread_application_password.unity_catalog.value
}
is_default = true
}
The following arguments are required:
name
- Name of Data Access Configuration, which must be unique within the databricks_metastore. Change forces creation of a new resource.metastore_id
- Unique identifier of the parent Metastore
aws_iam_role
optional configuration block for credential details for AWS:
role_arn
- The Amazon Resource Name (ARN) of the AWS IAM role for S3 data access, of the formarn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF
azure_service_principal
optional configuration block for credential details for Azure:
directory_id
- The directory ID corresponding to the Azure Active Directory (AAD) tenant of the applicationapplication_id
- The application ID of the application registration within the referenced AAD tenantclient_secret
- The client secret generated for the above app ID in AAD. This field is redacted on output
azure_managed_identity
optional configuration block for using managed identity as credential details for Azure:
access_connector_id
- The Resource ID of the Azure Databricks Access Connector resource, of the form/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.Databricks/accessConnectors/connector-name
-> Note Importing this resource is not currently supported.