
Commit 79e6013

authored
Merge pull request #5 from data-platform-hq/fix/added_secret_scopes_combined
fix: added secret scopes combined
2 parents 7f637eb + 4fd301b commit 79e6013


1 file changed

+24
-9
lines changed


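--- a/secrets.tf
+++ b/secrets.tf
@@ -1,6 +1,6 @@
 locals {
 secrets_acl_objects_list = flatten([for param in var.secret_scope : [
-for permission in param.acl : {
+for permission in param.scope_acl : {
 scope = param.scope_name, principal = permission.principal, permission = permission.permission
 }] if param.scope_acl != null
 ])
@@ -12,6 +12,25 @@ locals {
 secret_key = secret.key,
 secret_value = secret.string_value,
 }]]) : "${object.scope_name}:${object.secret_key}" => object }
+
+secret_scopes_combined = merge(
+{
+for param in var.secret_scope : param.scope_name => {
+scope_name = param.scope_name
+secrets = param.secrets != null ? param.secrets : []
+key_vault_id = null
+dns_name = null
+} if param.scope_name != null
+},
+var.cloud_name == "azure" ? {
+for kv in var.key_vault_secret_scope : kv.name => {
+scope_name = kv.name
+secrets = []
+key_vault_id = kv.key_vault_id
+dns_name = kv.dns_name
+} if kv.name != null
+} : {}
+)
 }
 
 # Secret Scope with SP secrets for mounting Azure Data Lake Storage
@@ -39,16 +58,12 @@ resource "databricks_secret" "main" {
 
 # Custom additional Databricks Secret Scope
 resource "databricks_secret_scope" "this" {
-for_each = {
-for param in var.secret_scope : (param.scope_name) => param
-if param.scope_name != null
-}
+for_each = local.secret_scopes_combined
 
-name = each.key
+name = each.value.scope_name
 
-# Key Vault metadata block only for Azure
 dynamic "keyvault_metadata" {
-for_each = var.cloud_name == "azure" ? [for kv in var.key_vault_secret_scope : kv] : []
+for_each = each.value.key_vault_id != null ? [each.value] : []
 content {
 resource_id = keyvault_metadata.value.key_vault_id
 dns_name = keyvault_metadata.value.dns_name
@@ -69,7 +84,7 @@ resource "databricks_secret" "this" {
 
 resource "databricks_secret_acl" "this" {
 for_each = var.cloud_name == "azure" && length(local.secrets_acl_objects_list) > 0 ? {
-for_each = { for entry in local.secrets_acl_objects_list : "${entry.scope}.${entry.principal}.${entry.permission}" => entry }
+for entry in local.secrets_acl_objects_list : "${entry.scope}.${entry.principal}.${entry.permission}" => entry
 } : {}
 
 scope = databricks_secret_scope.this[each.value.scope].name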
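Review bot: In the new `secret_scopes_combined` local (second hunk), `merge()` lets the Key Vault map silently win over an entry of `var.secret_scope` that has the same name, so a user-defined scope's `secrets` list is replaced by `[]` and those secrets would presumably never be created, with no error at plan time. The `databricks_secret_scope.this` resource in the third hunk is the natural place to fail loudly on that overlap with a `lifecycle` `precondition` that checks the two name lists are disjoint. That resource's body continues past the hunk, so the block below is added to an otherwise unchanged body and does not close the resource.
```hcl
resource "databricks_secret_scope" "this" {
  for_each = local.secret_scopes_combined

  # … unchanged: name, dynamic "keyvault_metadata" …

  lifecycle {
    precondition {
      condition = length(setintersection(
        [for p in var.secret_scope : p.scope_name if p.scope_name != null],
        [for kv in var.key_vault_secret_scope : kv.name if kv.name != null]
      )) == 0
      error_message = "A scope name appears in both var.secret_scope and var.key_vault_secret_scope; merge() would silently drop the former's secrets."
    }
  }
```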
