fix: entitlements validation and creation fix

Author: owlleg6

iam.tf

@@ -71,14 +71,13 @@ resource "databricks_group_member" "this" {
 
 resource "databricks_entitlements" "this" {
   for_each = {
-    for group, params in var.iam : group => params.entitlements
-    if params.entitlements != null
+    for group, params in var.iam : group => params
   }
 
   group_id                   = databricks_group.this[each.key].id
-  allow_cluster_create       = contains(each.value, "allow_cluster_create")
-  allow_instance_pool_create = contains(each.value, "allow_instance_pool_create")
-  databricks_sql_access      = contains(each.value, "databricks_sql_access")
+  allow_cluster_create       = contains(coalesce(each.value.entitlements, ["none"]), "allow_cluster_create")
+  allow_instance_pool_create = contains(coalesce(each.value.entitlements, ["none"]), "allow_instance_pool_create")
+  databricks_sql_access      = contains(coalesce(each.value.entitlements, ["none"]), "databricks_sql_access")
   workspace_access           = true
 
   depends_on = [databricks_group_member.this]

variables.tf

@@ -54,8 +54,8 @@ variable "iam" {
   default     = {}
 
   validation {
-    condition = contains(values(var.iam), "entitlements") ? alltrue([
-      for item in toset(flatten([for group, params in var.iam : params.entitlements])) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], item)
+    condition = length([for item in values(var.iam)[*] : item.entitlements if item.entitlements != null]) != 0 ? alltrue([
+      for entry in flatten(values(var.iam)[*].entitlements) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], entry) if entry != null
     ]) : true
     error_message = "Entitlements validation. The only suitable values are: databricks_sql_access, allow_instance_pool_create, allow_cluster_create"
   }