Merge pull request #28 from data-platform-hq/fix/key_vault_secrets_scope

owlleg6 · web-flow · commit 87ea02c108dc · 2023-05-23T17:04:05.000+03:00
fix: key vault secret scope fixed
diff --git a/secrets.tf b/secrets.tf
@@ -59,20 +59,26 @@ resource "azurerm_key_vault_access_policy" "databricks" {
 }
 
 resource "databricks_secret_scope" "external" {
-  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
+  for_each = {
+    for param in var.key_vault_secret_scope : (param.name) => param
+    if param.name != null
+  }
 
-  name = "external"
+  name = each.value.name
   keyvault_metadata {
-    resource_id = var.key_vault_secret_scope.key_vault_id
-    dns_name    = var.key_vault_secret_scope.dns_name
+    resource_id = each.value.key_vault_id
+    dns_name    = each.value.dns_name
   }
   depends_on = [azurerm_key_vault_access_policy.databricks]
 }
 
 resource "databricks_secret_acl" "external" {
-  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
+  for_each = {
+    for param in var.key_vault_secret_scope : (param.name) => param
+    if param.name != null
+  }
 
-  scope      = databricks_secret_scope.external[0].name
+  scope      = databricks_secret_scope.external[each.value.name].name
   principal  = "users"
   permission = "READ"
 }
diff --git a/variables.tf b/variables.tf
@@ -132,6 +132,17 @@ variable "key_vault_id" {
   description = "ID of the Key Vault instance where the Secret resides"
 }
 
+# Azure Key Vault-backed Secret Scope
+variable "key_vault_secret_scope" {
+  type = object({
+    name         = optional(string)
+    key_vault_id = optional(string)
+    dns_name     = optional(string)
+  })
+  description = "Object with Azure Key Vault parameters required for creation of Azure-backed Databricks Secret scope"
+  default     = {}
+}
+
 variable "tenant_id_secret_name" {
   type        = string
   description = "The name of Azure Key Vault secret that contains tenant ID secret of Service Principal to access in Azure Key Vault"
@@ -214,15 +225,3 @@ variable "mount_cluster_name" {
   description = "Name of the cluster that will be used during storage mounting. If mount_adls_passthrough == true, cluster should also have option cluster_conf_passthrought == true"
   default     = null
 }
-
-variable "key_vault_secret_scope" {
-  type = object({
-    key_vault_id = string
-    dns_name     = string
-  })
-  description = "Object with Azure Key Vault parameters required for creation of Azure-backed Databricks Secret scope"
-  default = {
-    key_vault_id = null
-    dns_name     = null
-  }
-}
