Merge pull request #31 from data-platform-hq/fix_precondition

fix: create precondition

Author: owlleg6

permissions.tf

@@ -21,6 +21,21 @@ resource "databricks_permissions" "clusters" {
       permission_level = access_control.value.permission_level
     }
   }
+
+  lifecycle {
+    precondition {
+      condition = length(var.iam_account_groups) != 0 ? alltrue([
+        for permission in each.value.permissions : contains(
+          var.iam_account_groups[*].group_name, permission.group_name
+        )
+      ]) : true
+      error_message = <<-EOT
+      Databricks Account group mentioned in 'permissions' parameter of 'cluster_config' variable doesn't exists or wasn't assigned to Workspace.
+      Please make sure provided group exist within Databricks Account and then check if it assigned to target Workspace (look for 'iam_account_groups' variable).
+      These are valid Account Groups on Workspace: ${join(", ", var.iam_account_groups[*].group_name)}
+      EOT
+    }
+  }
 }
 
 resource "databricks_permissions" "sql_endpoint" {
@@ -38,6 +53,21 @@ resource "databricks_permissions" "sql_endpoint" {
       permission_level = access_control.value.permission_level
     }
   }
+
+  lifecycle {
+    precondition {
+      condition = length(var.iam_account_groups) != 0 ? alltrue([
+        for permission in each.value.permissions : contains(
+          var.iam_account_groups[*].group_name, permission.group_name
+        )
+      ]) : true
+      error_message = <<-EOT
+      Databricks Account group mentioned in 'permissions' parameter of 'sql_endpoint' variable doesn't exists or wasn't assigned to Workspace.
+      Please make sure provided group exist within Databricks Account and then check if it assigned to target Workspace (look for 'iam_account_groups' variable).
+      These are valid Account Groups on Workspace: ${join(", ", var.iam_account_groups[*].group_name)}
+      EOT
+    }
+  }
 }
 
 resource "databricks_secret_acl" "this" {
@@ -46,4 +76,15 @@ resource "databricks_secret_acl" "this" {
   scope      = databricks_secret_scope.this[each.value.scope].name
   principal  = length(var.iam_account_groups) != 0 ? data.databricks_group.account_groups[each.value.principal].display_name : databricks_group.this[each.value.principal].display_name
   permission = each.value.permission
+
+  lifecycle {
+    precondition {
+      condition     = length(var.iam_account_groups) != 0 ? contains(var.iam_account_groups[*].group_name, each.value.principal) : true
+      error_message = <<-EOT
+      Databricks Account group mentioned in 'acl' parameter of 'secret_scope' variable doesn't exists or wasn't assigned to Workspace.
+      Please make sure provided group exist within Databricks Account and then check if it assigned to target Workspace (look for 'iam_account_groups' variable).
+      These are valid Account Groups on Workspace: ${join(", ", var.iam_account_groups[*].group_name)}
+      EOT
+    }
+  }
 }