feat: secret scope acls

Author: owlleg6

permissions.tf

@@ -1,3 +1,11 @@
+locals {
+  secrets_acl_objects_list = flatten([for param in var.secret_scope_object : [
+    for permission in param.acl : {
+      scope = param.scope_name, principal = permission.principal, permission = permission.permission
+    }] if param.acl != null
+  ])
+}
+
 resource "databricks_permissions" "default_cluster" {
   for_each = length(var.default_cluster_id) == 0 ? {} : {
     for k, v in var.iam : k => v.default_cluster_permission
@@ -46,3 +54,11 @@ resource "databricks_permissions" "sql_endpoint" {
 
   depends_on = [databricks_group.this]
 }
+
+resource "databricks_secret_acl" "this" {
+  for_each = { for entry in local.secrets_acl_objects_list : "${entry.scope}.${entry.principal}.${entry.permission}" => entry }
+
+  scope      = each.value.scope
+  principal  = databricks_group.this[each.value.principal].display_name
+  permission = each.value.permission
+}

variables.tf

@@ -197,3 +197,19 @@ variable "metastore_grants" {
     error_message = "Metastore permission validation. The only possible values for permissions are: CREATE_CATALOG, CREATE_EXTERNAL_LOCATION, CREATE_SHARE, CREATE_RECIPIENT, CREATE_PROVIDER"
   }
 }
+
+# Secret Scope ACLs variables
+variable "secret_scope_object" {
+  type = list(object({
+    scope_name = string
+    acl = list(object({
+      principal  = string
+      permission = string
+    }))
+  }))
+  description = "List of objects, where 'scope_name' param is a Secret scope name and 'acl' are list of objects with 'principals' and one of allowed 'permission' ('READ', 'WRITE' or 'MANAGE')"
+  default = [{
+    scope_name = null
+    acl        = null
+  }]
+}

versions.tf

@@ -8,7 +8,7 @@ terraform {
     }
     databricks = {
       source  = "databricks/databricks"
-      version = ">=1.9.0"
+      version = ">=1.9.2"
     }
   }
 }