fix: updated varialbes

owlleg6 · owlleg6 · commit 280425b29f21 · 2023-05-19T14:56:45.000+03:00
diff --git a/iam.tf b/iam.tf
@@ -8,41 +8,50 @@ locals {
   }
 
   members_object_list = concat(
-    flatten([for group, params in var.iam : [
+    flatten([for group, params in var.iam_workspace_groups : [
       for pair in setproduct([group], params.user) : {
         type = "user", group = pair[0], member = pair[1]
       }] if params.user != null
     ]),
-    flatten([for group, params in var.iam : [
+    flatten([for group, params in var.iam_workspace_groups : [
       for pair in setproduct([group], params.service_principal) : {
         type = "service_principal", group = pair[0], member = pair[1]
       }] if params.service_principal != null
     ])
   )
-  account_groups = { for group in var.account_groups : group.name => group if group.name != null }
-  iam_map        = length(var.iam) != 0 ? { for group, params in var.iam : group => params if length(var.account_groups) == 0 } : {}
+
+  iam_account_map = tomap({
+    for group in var.iam_account_groups : group.group_name => group.entitlements
+    if group.group_name != null
+  })
+
+  iam_workspace_map = {
+    for group, params in var.iam_workspace_groups : group => params.entitlements
+  }
 }
 
 data "databricks_group" "account_groups" {
-  for_each = local.account_groups
+  for_each = local.iam_account_map
 
   display_name = each.key
 }
 
 data "databricks_group" "admin" {
+  count = length(local.iam_account_map) != 0 ? 0 : 1
+
   display_name = "admins"
 }
 
 resource "databricks_group" "this" {
-  for_each = length(local.account_groups) != 0 ? [] : toset(keys(var.iam))
+  for_each = length(local.iam_account_map) != 0 ? [] : toset(keys(var.iam_workspace_groups))
 
   display_name = each.key
   lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
 }
 
 resource "databricks_user" "this" {
   for_each = toset(flatten(concat(
-    values({ for group, member in var.iam : group => member.user if member.user != null }),
+    values({ for group, member in var.iam_workspace_groups : group => member.user if member.user != null }),
     values(local.admin_user_map)
   )))
 
@@ -52,7 +61,7 @@ resource "databricks_user" "this" {
 
 resource "databricks_service_principal" "this" {
   for_each = toset(flatten(concat(
-    values({ for group, member in var.iam : group => member.service_principal if member.service_principal != null }),
+    values({ for group, member in var.iam_workspace_groups : group => member.service_principal if member.service_principal != null }),
     values(local.admin_sp_map)
   )))
 
@@ -62,14 +71,14 @@ resource "databricks_service_principal" "this" {
 }
 
 resource "databricks_group_member" "admin" {
-  for_each = length(local.account_groups) != 0 ? {} : merge(local.admin_user_map, local.admin_sp_map)
+  for_each = length(local.iam_account_map) != 0 ? {} : merge(local.admin_user_map, local.admin_sp_map)
 
-  group_id  = data.databricks_group.admin.id
+  group_id  = data.databricks_group.admin[0].id
   member_id = startswith(each.key, "user") ? databricks_user.this[each.value].id : databricks_service_principal.this[each.value].id
 }
 
 resource "databricks_group_member" "this" {
-  for_each = length(local.account_groups) != 0 ? {} : {
+  for_each = length(local.iam_account_map) != 0 ? {} : {
     for entry in local.members_object_list : "${entry.type}.${entry.group}.${entry.member}" => entry
   }
 
@@ -78,12 +87,12 @@ resource "databricks_group_member" "this" {
 }
 
 resource "databricks_entitlements" "this" {
-  for_each = merge(local.account_groups, local.iam_map)
+  for_each = length(local.iam_account_map) != 0 ? local.iam_account_map : local.iam_workspace_map
 
-  group_id                   = length(local.account_groups) != 0 ? data.databricks_group.account_groups[each.key].id : databricks_group.this[each.key].id
-  allow_cluster_create       = contains(coalesce(each.value.entitlements, ["none"]), "allow_cluster_create")
-  allow_instance_pool_create = contains(coalesce(each.value.entitlements, ["none"]), "allow_instance_pool_create")
-  databricks_sql_access      = contains(coalesce(each.value.entitlements, ["none"]), "databricks_sql_access")
+  group_id                   = length(local.iam_account_map) != 0 ? data.databricks_group.account_groups[each.key].id : databricks_group.this[each.key].id
+  allow_cluster_create       = contains(coalesce(each.value, ["none"]), "allow_cluster_create")
+  allow_instance_pool_create = contains(coalesce(each.value, ["none"]), "allow_instance_pool_create")
+  databricks_sql_access      = contains(coalesce(each.value, ["none"]), "databricks_sql_access")
   workspace_access           = true
 
   depends_on = [databricks_group_member.this]
diff --git a/permissions.tf b/permissions.tf
@@ -4,27 +4,20 @@ locals {
       scope = param.scope_name, principal = permission.principal, permission = permission.permission
     }] if param.acl != null
   ])
-  account_level_group_permissions = { for group in var.account_groups : (group.cluster_name) => {
-    permissions = [{
-      group_name       = group.name,
-      permission_level = group.permission
-    }]
-    } if group.permission != null
-  }
-  workspace_level_group_permissions = length(var.account_groups) != 0 ? {} : {
-    for group in var.clusters : (group.cluster_name) => group if length(group.permissions) != 0
-  }
 }
 
 resource "databricks_permissions" "clusters" {
-  for_each = merge(local.account_level_group_permissions, local.workspace_level_group_permissions)
+  for_each = {
+    for v in var.clusters : (v.cluster_name) => v
+    if length(v.permissions) != 0
+  }
 
   cluster_id = databricks_cluster.cluster[each.key].id
 
   dynamic "access_control" {
     for_each = each.value.permissions
     content {
-      group_name       = length(var.account_groups) != 0 ? data.databricks_group.account_groups[access_control.value.group_name].display_name : databricks_group.this[access_control.value.group_name].display_name
+      group_name       = length(var.iam_workspace_groups) != 0 ? data.databricks_group.account_groups[access_control.value.group_name].display_name : databricks_group.this[access_control.value.group_name].display_name
       permission_level = access_control.value.permission_level
     }
   }
@@ -41,7 +34,7 @@ resource "databricks_permissions" "sql_endpoint" {
   dynamic "access_control" {
     for_each = each.value.permissions
     content {
-      group_name       = databricks_group.this[access_control.value.group_name].display_name
+      group_name       = length(var.iam_workspace_groups) != 0 ? data.databricks_group.account_groups[access_control.value.group_name].display_name : databricks_group.this[access_control.value.group_name].display_name
       permission_level = access_control.value.permission_level
     }
   }
@@ -51,6 +44,6 @@ resource "databricks_secret_acl" "this" {
   for_each = { for entry in local.secrets_acl_objects_list : "${entry.scope}.${entry.principal}.${entry.permission}" => entry }
 
   scope      = databricks_secret_scope.this[each.value.scope].name
-  principal  = databricks_group.this[each.value.principal].display_name
+  principal  = length(var.iam_workspace_groups) != 0 ? data.databricks_group.account_groups[each.value.principal].display_name : databricks_group.this[each.value.principal].display_name
   permission = each.value.permission
 }
diff --git a/variables.tf b/variables.tf
@@ -43,18 +43,16 @@ variable "workspace_admins" {
   }
 }
 
-variable "account_groups" {
+variable "iam_account_groups" {
   type = list(object({
-    name         = string
+    group_name   = optional(string)
     entitlements = optional(list(string))
-    cluster_name = optional(string)
-    permission   = optional(string)
   }))
-  description = "List of objects with group name and entitlements for this group, cluster name to which should be added group and permissions for this group in cluster"
+  description = "List of objects with group name and entitlements for this group"
   default     = []
 }
 
-variable "iam" {
+variable "iam_workspace_groups" {
   type = map(object({
     user              = optional(list(string))
     service_principal = optional(list(string))
@@ -64,8 +62,8 @@ variable "iam" {
   default     = {}
 
   validation {
-    condition = length([for item in values(var.iam)[*] : item.entitlements if item.entitlements != null]) != 0 ? alltrue([
-      for entry in flatten(values(var.iam)[*].entitlements) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], entry) if entry != null
+    condition = length([for item in values(var.iam_workspace_groups)[*] : item.entitlements if item.entitlements != null]) != 0 ? alltrue([
+      for entry in flatten(values(var.iam_workspace_groups)[*].entitlements) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], entry) if entry != null
     ]) : true
     error_message = "Entitlements validation. The only suitable values are: databricks_sql_access, allow_instance_pool_create, allow_cluster_create"
   }
