feat: cluster and clsuter policy permission assignments

Author: owlleg6

iam.tf

@@ -83,21 +83,3 @@ resource "databricks_entitlements" "this" {
 
   depends_on = [databricks_group_member.this]
 }
-
-resource "databricks_permissions" "sql_endpoint" {
-  for_each = { for entry in databricks_sql_endpoint.this : (entry.name) => (entry.id) }
-
-  sql_endpoint_id = each.value
-
-  dynamic "access_control" {
-    for_each = { for entry in flatten([for resource, permissions in var.iam_permissions : [for permission, groups in permissions : [for group in groups : {
-      resource = resource, permission = permission, group = group
-    } if resource == "sql_endpoint"]]]) : "${entry.resource}.${entry.permission}.${entry.group}" => entry }
-    content {
-      group_name       = access_control.value.group
-      permission_level = access_control.value.permission
-    }
-  }
-
-  depends_on = [databricks_group.this]
-}

permissions.tf

@@ -0,0 +1,50 @@
+resource "databricks_permissions" "default_cluster" {
+  for_each = length(var.default_cluster_id) == 0 ? {} : {
+    for k, v in var.iam : k => v.default_cluster_permission
+    if v.default_cluster_permission != null
+  }
+
+  cluster_id = var.default_cluster_id
+
+  access_control {
+    group_name       = databricks_group.this[each.key].display_name
+    permission_level = each.value
+  }
+}
+
+resource "databricks_permissions" "cluster_policy" {
+  for_each = {
+    for policy in var.cluster_policies_object : (policy.name) => policy
+    if policy.can_use != null
+  }
+
+  cluster_policy_id = each.value.id
+
+  dynamic "access_control" {
+    for_each = each.value.can_use
+    content {
+      group_name       = databricks_group.this[access_control.value].display_name
+      permission_level = "CAN_USE"
+    }
+  }
+}
+
+resource "databricks_permissions" "sql_endpoint" {
+  for_each = { for entry in databricks_sql_endpoint.this : (entry.name) => (entry.id) }
+
+  sql_endpoint_id = each.value
+
+  dynamic "access_control" {
+    for_each = { for entry in flatten([for resource, permissions in var.iam_permissions : [for permission, groups in permissions : [for group in groups : {
+      resource = resource, permission = permission, group = group
+    } if resource == "sql_endpoint"]]]) : "${entry.resource}.${entry.permission}.${entry.group}" => entry }
+    content {
+      group_name       = access_control.value.group
+      permission_level = access_control.value.permission
+    }
+  }
+
+  depends_on = [databricks_group.this]
+}
+
+

variables.tf

@@ -18,6 +18,13 @@ variable "workspace_id" {
   description = "Id of Azure Databricks workspace"
 }
 
+variable "ip_rules" {
+  type        = map(string)
+  description = "Map of IP addresses permitted for access to DB"
+  default     = {}
+}
+
+# Identity Access Management variables
 variable "user_object_ids" {
   type        = map(string)
   description = "Map of AD usernames and corresponding object IDs"
@@ -38,9 +45,10 @@ variable "workspace_admins" {
 
 variable "iam" {
   type = map(object({
-    user              = optional(list(string))
-    service_principal = optional(list(string))
-    entitlements      = optional(list(string))
+    user                       = optional(list(string))
+    service_principal          = optional(list(string))
+    entitlements               = optional(list(string))
+    default_cluster_permission = optional(string)
   }))
   description = "Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements."
   default     = {}
@@ -67,12 +75,28 @@ variable "iam_permissions" {
   }
 }
 
-variable "ip_rules" {
-  type        = map(string)
-  description = "Map of IP addresses permitted for access to DB"
-  default     = {}
+# Default Cluster and Cluster Policy variables
+variable "default_cluster_id" {
+  type    = string
+  description = "Single value of default Cluster id created by 'databricks-runtime' module"
+  default = ""
+}
+
+variable "cluster_policies_object" {
+  type = list(object({
+    id      = string
+    name    = string
+    can_use = list(string)
+  }))
+  description = "List of objects that provides an ability to grant custom workspace group a permission to use(CAN_USE) cluster policy"
+  default = [{
+    id      = null
+    name    = null
+    can_use = null
+  }]
 }
 
+# SQL Endpoint variables
 variable "sql_endpoint" {
   type = map(object({
     cluster_size              = string
@@ -106,6 +130,7 @@ variable "default_values_sql_endpoint" {
   }
 }
 
+# Unity Catalog variables
 variable "create_metastore" {
   type        = bool
   description = "Boolean flag for Unity Catalog Metastore current in this environment. One Metastore per region"