Merge pull request #33 from data-platform-hq/feat_secret_scope_kv_policy_condition

owlleg6 · web-flow · commit 504d93922755 · 2023-07-18T19:40:49.000+03:00
fix: added condition for key vault access policy creation
diff --git a/secrets.tf b/secrets.tf
@@ -46,10 +46,10 @@ resource "databricks_secret" "this" {
 
 # Azure Key Vault-backed Scope
 resource "azurerm_key_vault_access_policy" "databricks" {
-  for_each = {
+  for_each = var.create_databricks_access_policy_to_key_vault ? {
     for param in var.key_vault_secret_scope : (param.name) => param
     if length(param.name) != 0
-  }
+  } : {}
 
   key_vault_id = each.value.key_vault_id
   object_id    = "9b38785a-6e08-4087-a0c4-20634343f21f" # Global 'AzureDatabricks' SP object id
diff --git a/variables.tf b/variables.tf
@@ -118,6 +118,12 @@ variable "key_vault_id" {
 }
 
 # Azure Key Vault-backed Secret Scope
+variable "create_databricks_access_policy_to_key_vault" {
+  type        = bool
+  description = "Boolean flag to enable creation of Key Vault Access Policy for Databricks Global Service Principal."
+  default     = true
+}
+
 variable "key_vault_secret_scope" {
   type = list(object({
     name         = optional(string)
