fix: added condition for key vault access policy creation

owlleg6 · owlleg6 · commit 08e64a172ed5 · 2023-07-18T19:35:51.000+03:00
diff --git a/secrets.tf b/secrets.tf
@@ -46,10 +46,27 @@ resource "databricks_secret" "this" {
 
 # Azure Key Vault-backed Scope
 resource "azurerm_key_vault_access_policy" "databricks" {
-  for_each = {
+  for_each = var.create_databricks_access_policy_to_key_vault ? {
     for param in var.key_vault_secret_scope : (param.name) => param
     if length(param.name) != 0
-  }
+  } : {}
+
+  key_vault_id = each.value.key_vault_id
+  object_id    = "9b38785a-6e08-4087-a0c4-20634343f21f" # Global 'AzureDatabricks' SP object id
+  tenant_id    = data.azurerm_key_vault_secret.tenant_id.value
+
+  secret_permissions = [
+    "Get",
+    "List",
+  ]
+}
+
+# Azure Key Vault-backed Scope
+resource "azurerm_key_vault_access_policy" "databricks" {
+  for_each = var.create_databricks_access_policy_to_key_vault ? {
+    for param in var.key_vault_secret_scope : (param.name) => param
+    if length(param.name) != 0
+  } : {}
 
   key_vault_id = each.value.key_vault_id
   object_id    = "9b38785a-6e08-4087-a0c4-20634343f21f" # Global 'AzureDatabricks' SP object id
diff --git a/variables.tf b/variables.tf
@@ -118,6 +118,12 @@ variable "key_vault_id" {
 }
 
 # Azure Key Vault-backed Secret Scope
+variable "create_databricks_access_policy_to_key_vault" {
+  type        = bool
+  description = "Boolean flag to enable creation of Key Vault Access Policy for Databricks Global Service Principal."
+  default     = true
+}
+
 variable "key_vault_secret_scope" {
   type = list(object({
     name         = optional(string)
