We use Azure Databricks and manage it via Terraform. We have configured the SCIM connector provisioner (AAD Enterprise app) to sync users and groups from AAD to Databricks. This works well. I am able to assign job or cluster permissions to these SCIM-synced groups, but when I try to assign the admin role (entire workspace admin) to a SCIM-synced group, Terraform shows the error "API is not available for this workspace". Sorry, I don't know what it means. Is it related to the Terraform provider, or am I doing something wrong? Please suggest what I should use or correct. Please find the code below. The 'principal_id' argument accepts a user id, group id or service principal id as per the Terraform documentation here: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permission_assignment#principal_id
Provider configuration:
terraform {
  required_version = ">= 1.1.4"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.8.0"
    }
    databricks = {
      source  = "databricks/databricks"
      version = ">= 1.6.3"
    }
  }
}

provider "databricks" { # Assign databricks workspace id to provider
  azure_workspace_resource_id = data.azurerm_databricks_workspace.adb_ws.id
}
Resource Block:
resource "databricks_permission_assignment" "assign_scim_admingroup" {
  principal_id = data.databricks_group.dbricks_admin_group.id
  permissions  = ["ADMIN"]
}
Error in terraform:
│ Error: cannot create permission assignment: Permission assignment APIs are not available for this workspace.
│
│ with databricks_permission_assignment.assign_scim_admingroup,
│ on Dbricks-permission.tf line 104, in resource "databricks_permission_assignment" "assign_scim_admingroup":
│ 43: resource "databricks_permission_assignment" "assign_scim_admingroup" {
My expectation is that the Databricks group synced with AAD via the SCIM connector provisioner should be assigned the "ADMIN" role using Terraform.
I tried to reproduce the same in my environment:
Code:
# azuread_user.example and data.azuread_client_config.current are assumed to be
# declared elsewhere in the same configuration.
resource "azuread_group" "example" {
  display_name     = "kavyaMyGroup"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
  members = [
    azuread_user.example.object_id,
    # more users
  ]
}

resource "databricks_user" "me" {
  // user_name = "testuser@databricks.com"
  user_name    = azuread_user.example.user_principal_name
  display_name = "Test User"
}

resource "databricks_group" "this" {
  // display_name = "vsakaSomeGroup"
  display_name               = azuread_group.example.display_name
  allow_cluster_create       = true
  allow_instance_pool_create = true
  workspace_access           = true
  databricks_sql_access      = true
}

resource "databricks_group_member" "vip_member" {
  group_id  = databricks_group.this.id
  member_id = databricks_user.me.id
}
I received the same error:
│ Error: cannot create permission assignment: Permission assignment APIs are not available for this workspace.
│
│ with databricks_permission_assignment.assign_scim_admingroup,
│ on main.tf line 145, in resource "databricks_permission_assignment" "assign_scim_admingroup":
Please note:
The admins group is a reserved group in Azure Databricks and cannot be removed. Note that workspace-local groups cannot be granted access to data in a Unity Catalog metastore or assigned to other workspaces.
To add groups to a workspace using the account console, the workspace must be enabled for identity federation. Only account-level groups are assignable.
(Manage groups - Azure Databricks | Microsoft Learn)
The account admins can assign them using the principal ID, which can be retrieved using the SCIM API.
resource "databricks_permission_assignment" "assign_scim_admingroup" {
  principal_id = databricks_group.this.id
  permissions  = ["ADMIN"]
}
Make sure to enable identity federation to assign group roles, and have a premium plan in order to manage the assignment of users to workspaces.
You can also check Automate SCIM provisioning using Microsoft Graph from the reference: Configure SCIM provisioning using Microsoft Azure Active Directory - Azure Databricks | Microsoft Learn
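Added example (not code from the question or the answer above): the assignment done from the account side with `databricks_mws_permission_assignment`, the account-level counterpart of `databricks_permission_assignment`. Both need the workspace to be identity-federated, which is the condition the error above is reporting; the account-level form additionally makes the admin-granting credential explicit instead of reusing the workspace provider. The second provider alias, the `azurerm_databricks_workspace` data source, the account ID, the workspace name, the resource group name and the group display name are assumptions, and the provider is assumed to authenticate through an `az login` session of an account admin.

```hcl
terraform {
  required_version = ">= 1.1.4"
  required_providers {
    azurerm    = { source = "hashicorp/azurerm", version = ">= 3.8.0" }
    databricks = { source = "databricks/databricks", version = ">= 1.6.3" }
  }
}

# Workspace-level provider, as in the question: cluster and job ACLs only.
provider "databricks" {
  azure_workspace_resource_id = data.azurerm_databricks_workspace.adb_ws.id
}

# Account-level provider: workspace permission assignments are an account API,
# so this points at the accounts console and carries the Databricks account ID.
# Authentication is assumed to come from an `az login` session of an account admin.
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.azuredatabricks.net"
  account_id = "00000000-0000-0000-0000-000000000000" # assumption: your account ID
}

# Assumption: the workspace name and resource group of the existing workspace.
data "azurerm_databricks_workspace" "adb_ws" {
  name                = "adb-ws"
  resource_group_name = "rg-databricks"
}

# The SCIM-synced group is looked up at account level, not in the workspace;
# only account-level groups can be assigned to an identity-federated workspace.
data "databricks_group" "dbricks_admin_group" {
  provider     = databricks.account
  display_name = "dbricks-admins" # assumption: the AAD group name synced via SCIM
}

# Grant the group ADMIN on the workspace. workspace_id is the numeric
# control-plane ID exported by the azurerm data source, not the ARM resource ID.
resource "databricks_mws_permission_assignment" "assign_scim_admingroup" {
  provider     = databricks.account
  workspace_id = data.azurerm_databricks_workspace.adb_ws.workspace_id
  principal_id = data.databricks_group.dbricks_admin_group.id
  permissions  = ["ADMIN"]
}
```

Keeping the account-level provider under its own alias means the only resources that run with account-admin rights are the ones that explicitly select `provider = databricks.account`; everything else stays on the workspace-scoped credential.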