Merge pull request #21 from data-platform-hq/feat/entitlements_databricks_account_level_groups

feat: entitlements for databricks_account_level_groups

Author: owlleg6

iam.tf

@@ -8,33 +8,50 @@ locals {
   }
 
   members_object_list = concat(
-    flatten([for group, params in var.iam : [
+    flatten([for group, params in var.iam_workspace_groups : [
       for pair in setproduct([group], params.user) : {
         type = "user", group = pair[0], member = pair[1]
       }] if params.user != null
     ]),
-    flatten([for group, params in var.iam : [
+    flatten([for group, params in var.iam_workspace_groups : [
       for pair in setproduct([group], params.service_principal) : {
         type = "service_principal", group = pair[0], member = pair[1]
       }] if params.service_principal != null
     ])
   )
+
+  iam_account_map = tomap({
+    for group in var.iam_account_groups : group.group_name => group.entitlements
+    if group.group_name != null
+  })
+
+  iam_workspace_map = {
+    for group, params in var.iam_workspace_groups : group => params.entitlements
+  }
+}
+
+data "databricks_group" "account_groups" {
+  for_each = local.iam_account_map
+
+  display_name = each.key
 }
 
 data "databricks_group" "admin" {
+  count = length(local.iam_account_map) != 0 ? 0 : 1
+
   display_name = "admins"
 }
 
 resource "databricks_group" "this" {
-  for_each = toset(keys(var.iam))
+  for_each = length(local.iam_account_map) != 0 ? [] : toset(keys(var.iam_workspace_groups))
 
   display_name = each.key
   lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
 }
 
 resource "databricks_user" "this" {
   for_each = toset(flatten(concat(
-    values({ for group, member in var.iam : group => member.user if member.user != null }),
+    values({ for group, member in var.iam_workspace_groups : group => member.user if member.user != null }),
     values(local.admin_user_map)
   )))
 
@@ -44,7 +61,7 @@ resource "databricks_user" "this" {
 
 resource "databricks_service_principal" "this" {
   for_each = toset(flatten(concat(
-    values({ for group, member in var.iam : group => member.service_principal if member.service_principal != null }),
+    values({ for group, member in var.iam_workspace_groups : group => member.service_principal if member.service_principal != null }),
     values(local.admin_sp_map)
   )))
 
@@ -54,14 +71,14 @@ resource "databricks_service_principal" "this" {
 }
 
 resource "databricks_group_member" "admin" {
-  for_each = merge(local.admin_user_map, local.admin_sp_map)
+  for_each = length(local.iam_account_map) != 0 ? {} : merge(local.admin_user_map, local.admin_sp_map)
 
-  group_id  = data.databricks_group.admin.id
+  group_id  = data.databricks_group.admin[0].id
   member_id = startswith(each.key, "user") ? databricks_user.this[each.value].id : databricks_service_principal.this[each.value].id
 }
 
 resource "databricks_group_member" "this" {
-  for_each = {
+  for_each = length(local.iam_account_map) != 0 ? {} : {
     for entry in local.members_object_list : "${entry.type}.${entry.group}.${entry.member}" => entry
   }
 
@@ -70,14 +87,12 @@ resource "databricks_group_member" "this" {
 }
 
 resource "databricks_entitlements" "this" {
-  for_each = {
-    for group, params in var.iam : group => params
-  }
+  for_each = length(local.iam_account_map) != 0 ? local.iam_account_map : local.iam_workspace_map
 
-  group_id                   = databricks_group.this[each.key].id
-  allow_cluster_create       = contains(coalesce(each.value.entitlements, ["none"]), "allow_cluster_create")
-  allow_instance_pool_create = contains(coalesce(each.value.entitlements, ["none"]), "allow_instance_pool_create")
-  databricks_sql_access      = contains(coalesce(each.value.entitlements, ["none"]), "databricks_sql_access")
+  group_id                   = length(local.iam_account_map) != 0 ? data.databricks_group.account_groups[each.key].id : databricks_group.this[each.key].id
+  allow_cluster_create       = contains(coalesce(each.value, ["none"]), "allow_cluster_create")
+  allow_instance_pool_create = contains(coalesce(each.value, ["none"]), "allow_instance_pool_create")
+  databricks_sql_access      = contains(coalesce(each.value, ["none"]), "databricks_sql_access")
   workspace_access           = true
 
   depends_on = [databricks_group_member.this]

permissions.tf

@@ -17,7 +17,7 @@ resource "databricks_permissions" "clusters" {
   dynamic "access_control" {
     for_each = each.value.permissions
     content {
-      group_name       = databricks_group.this[access_control.value.group_name].display_name
+      group_name       = length(var.iam_workspace_groups) != 0 ? data.databricks_group.account_groups[access_control.value.group_name].display_name : databricks_group.this[access_control.value.group_name].display_name
       permission_level = access_control.value.permission_level
     }
   }
@@ -34,7 +34,7 @@ resource "databricks_permissions" "sql_endpoint" {
   dynamic "access_control" {
     for_each = each.value.permissions
     content {
-      group_name       = databricks_group.this[access_control.value.group_name].display_name
+      group_name       = length(var.iam_workspace_groups) != 0 ? data.databricks_group.account_groups[access_control.value.group_name].display_name : databricks_group.this[access_control.value.group_name].display_name
       permission_level = access_control.value.permission_level
     }
   }
@@ -44,6 +44,6 @@ resource "databricks_secret_acl" "this" {
   for_each = { for entry in local.secrets_acl_objects_list : "${entry.scope}.${entry.principal}.${entry.permission}" => entry }
 
   scope      = databricks_secret_scope.this[each.value.scope].name
-  principal  = databricks_group.this[each.value.principal].display_name
+  principal  = length(var.iam_workspace_groups) != 0 ? data.databricks_group.account_groups[each.value.principal].display_name : databricks_group.this[each.value.principal].display_name
   permission = each.value.permission
 }

variables.tf

@@ -43,7 +43,16 @@ variable "workspace_admins" {
   }
 }
 
-variable "iam" {
+variable "iam_account_groups" {
+  type = list(object({
+    group_name   = optional(string)
+    entitlements = optional(list(string))
+  }))
+  description = "List of objects with group name and entitlements for this group"
+  default     = []
+}
+
+variable "iam_workspace_groups" {
   type = map(object({
     user              = optional(list(string))
     service_principal = optional(list(string))
@@ -53,8 +62,8 @@ variable "iam" {
   default     = {}
 
   validation {
-    condition = length([for item in values(var.iam)[*] : item.entitlements if item.entitlements != null]) != 0 ? alltrue([
-      for entry in flatten(values(var.iam)[*].entitlements) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], entry) if entry != null
+    condition = length([for item in values(var.iam_workspace_groups)[*] : item.entitlements if item.entitlements != null]) != 0 ? alltrue([
+      for entry in flatten(values(var.iam_workspace_groups)[*].entitlements) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], entry) if entry != null
     ]) : true
     error_message = "Entitlements validation. The only suitable values are: databricks_sql_access, allow_instance_pool_create, allow_cluster_create"
   }