
Commit 0dcaa51

committed
updated iam.tf, permissions.tf and variables.tf
1 parent 4f8dba6 commit 0dcaa51


3 files changed

+36
-12
lines changed


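--- a/iam.tf
+++ b/iam.tf
@@ -19,14 +19,22 @@ locals {
 }] if params.service_principal != null
 ])
 )
+account_groups = { for group in var.account_groups : group.name => group if group.name != null }
+iam_map = length(var.iam) != 0 ? { for group, params in var.iam : group => params if length(var.account_groups) == 0 } : {}
+}
+
+data "databricks_group" "account_groups" {
+for_each = local.account_groups
+
+display_name = each.key
 }
 
 data "databricks_group" "admin" {
 display_name = "admins"
 }
 
 resource "databricks_group" "this" {
-for_each = toset(keys(var.iam))
+for_each = length(local.account_groups) != 0 ? [] : toset(keys(var.iam))
 
 display_name = each.key
 lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
@@ -54,14 +62,14 @@ resource "databricks_service_principal" "this" {
 }
 
 resource "databricks_group_member" "admin" {
-for_each = merge(local.admin_user_map, local.admin_sp_map)
+for_each = length(local.account_groups) != 0 ? {} : merge(local.admin_user_map, local.admin_sp_map)
 
 group_id = data.databricks_group.admin.id
 member_id = startswith(each.key, "user") ? databricks_user.this[each.value].id : databricks_service_principal.this[each.value].id
 }
 
 resource "databricks_group_member" "this" {
-for_each = {
+for_each = length(local.account_groups) != 0 ? {} : {
 for entry in local.members_object_list : "${entry.type}.${entry.group}.${entry.member}" => entry
 }
 
@@ -70,11 +78,9 @@ resource "databricks_group_member" "this" {
 }
 
 resource "databricks_entitlements" "this" {
-for_each = {
-for group, params in var.iam : group => params
-}
+for_each = merge(local.account_groups, local.iam_map)
 
-group_id = databricks_group.this[each.key].id
+group_id = length(local.account_groups) != 0 ? data.databricks_group.account_groups[each.key].id : databricks_group.this[each.key].id
 allow_cluster_create = contains(coalesce(each.value.entitlements, ["none"]), "allow_cluster_create")
 allow_instance_pool_create = contains(coalesce(each.value.entitlements, ["none"]), "allow_instance_pool_create")
 databricks_sql_access = contains(coalesce(each.value.entitlements, ["none"]), "databricks_sql_access")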
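Review bot: The switch that turns workspace-group management off is evaluated against two different sources: `iam_map` in the locals hunk filters on `length(var.account_groups) == 0`, while `databricks_group.this`, both `databricks_group_member` resources and the `group_id` lookup in `databricks_entitlements.this` test `local.account_groups`, which drops entries whose `name` is null. An input whose groups all carry `name = null` would therefore still create workspace groups and memberships but no entitlements for them; using one source throughout, `iam_map = length(local.account_groups) != 0 ? {} : var.iam`, also removes the loop-invariant `if` inside the for expression. The same `var.account_groups` test is used twice in permissions.tf. If Terraform rejects the mixed `[]` / `toset(...)` branches in the `databricks_group.this` for_each, `toset([])` makes the empty branch's type explicit. Note too that as soon as `var.account_groups` is non-empty `databricks_group_member.admin` becomes empty, so the plan removes every admin membership this module previously created—worth calling out in the variable description or README so an operator is not surprised by a loss of workspace admins.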
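--- a/permissions.tf
+++ b/permissions.tf
@@ -4,20 +4,27 @@ locals {
 scope = param.scope_name, principal = permission.principal, permission = permission.permission
 }] if param.acl != null
 ])
+account_level_group_permissions = { for group in var.account_groups : (group.cluster_name) => {
+permissions = [{
+group_name = group.name,
+permission_level = group.permission
+}]
+} if group.permission != null
+}
+workspace_level_group_permissions = length(var.account_groups) != 0 ? {} : {
+for group in var.clusters : (group.cluster_name) => group if length(group.permissions) != 0
+}
 }
 
 resource "databricks_permissions" "clusters" {
-for_each = {
-for v in var.clusters : (v.cluster_name) => v
-if length(v.permissions) != 0
-}
+for_each = merge(local.account_level_group_permissions, local.workspace_level_group_permissions)
 
 cluster_id = databricks_cluster.cluster[each.key].id
 
 dynamic "access_control" {
 for_each = each.value.permissions
 content {
-group_name = databricks_group.this[access_control.value.group_name].display_name
+group_name = length(var.account_groups) != 0 ? data.databricks_group.account_groups[access_control.value.group_name].display_name : databricks_group.this[access_control.value.group_name].display_name
 permission_level = access_control.value.permission_level
 }
 }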
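Review bot: `account_level_group_permissions` in the locals hunk keys the map on `group.cluster_name`, which is `optional(string)`, but the only filter is `group.permission != null`; an entry that sets a permission without a `cluster_name` produces a null key, and two entries for the same cluster produce duplicate keys, which a `for` map expression without `...` rejects at plan time. Grouping by cluster with `...` and requiring `cluster_name` avoids both errors and lets one cluster carry several account groups, matching what the replaced `var.clusters` path allowed through its `permissions` list. The rest of the hunk can stay as it is.
```hcl
account_level_group_permissions = {
  for cluster_name, groups in {
    for group in var.account_groups : group.cluster_name => group...
    if group.permission != null && group.cluster_name != null
  } : cluster_name => {
    permissions = [for group in groups : {
      group_name       = group.name,
      permission_level = group.permission
    }]
  }
}
# … unchanged: workspace_level_group_permissions, databricks_permissions.clusters …
```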
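--- a/variables.tf
+++ b/variables.tf
@@ -43,6 +43,17 @@ variable "workspace_admins" {
 }
 }
 
+variable "account_groups" {
+type = list(object({
+name = string
+entitlements = optional(list(string))
+cluster_name = optional(string)
+permission = optional(string)
+}))
+description = "List of objects with group name and entitlements for this group, cluster name to which should be added group and permissions for this group in cluster"
+default = []
+}
+
 variable "iam" {
 type = map(object({
 user = optional(list(string))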
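Review bot: `account_groups` accepts `permission` without `cluster_name`, yet the cluster-permission map in permissions.tf is keyed on `cluster_name`, so a `validation` block that rejects that combination at the input boundary gives a clearer error than the downstream for-expression failure. The description is also hard to parse; suggested wording: `Account-level groups to attach to this workspace. Each entry gives the group name, optional entitlements, and optionally a cluster_name plus the permission level the group receives on that cluster. When this list is non-empty, workspace-level groups from var.iam are not created.` The last sentence reflects the guard on `databricks_group.this` in iam.tf.
```hcl
variable "account_groups" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for g in var.account_groups : g.permission == null || g.cluster_name != null])
    error_message = "Each account group that sets permission must also set cluster_name."
  }
}
```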