
[Feature] Allow to use GCP SA in databricks_credential (storage only)
Right now it's only possible to use it for `purpose = "STORAGE"`.
alexott committed Dec 7, 2024
1 parent 2f4b570 commit c5fbe75
Showing 2 changed files with 31 additions and 2 deletions.
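--- a/catalog/resource_credential.go
+++ b/catalog/resource_credential.go
@@ -11,7 +11,8 @@ import (
 
 var credentialSchema = common.StructToSchema(catalog.CredentialInfo{},
 func(m map[string]*schema.Schema) map[string]*schema.Schema {
-var alofServiceCreds = []string{"aws_iam_role", "azure_managed_identity", "azure_service_principal"}
+var alofServiceCreds = []string{"aws_iam_role", "azure_managed_identity", "azure_service_principal",
+"databricks_gcp_service_account"}
 for _, cred := range alofServiceCreds {
 common.CustomizeSchemaPath(m, cred).SetExactlyOneOf(alofServiceCreds)
 }
@@ -25,6 +26,10 @@ var credentialSchema = common.StructToSchema(catalog.CredentialInfo{},
 common.CustomizeSchemaPath(m, computed).SetComputed()
 }
 
+common.CustomizeSchemaPath(m, "databricks_gcp_service_account").SetComputed()
+common.CustomizeSchemaPath(m, "databricks_gcp_service_account", "email").SetComputed()
+common.CustomizeSchemaPath(m, "databricks_gcp_service_account", "credential_id").SetComputed()
+common.CustomizeSchemaPath(m, "databricks_gcp_service_account", "private_key_id").SetComputed()
 common.MustSchemaPath(m, "aws_iam_role", "external_id").Computed = true
 common.MustSchemaPath(m, "aws_iam_role", "unity_catalog_iam_arn").Computed = true
 common.MustSchemaPath(m, "azure_managed_identity", "credential_id").Computed = true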
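Review bot: Nothing in the new schema customization ties `databricks_gcp_service_account` to `purpose = "STORAGE"`, although the commit title and the docs hunk in this same commit describe the block as storage-only, so a configuration combining that block with `purpose = "SERVICE"` (which is what the new docs example shows) is presumably rejected only by the API at apply time rather than at plan time. If this resource has a CustomizeDiff or validation hook, a check there would surface the mismatch earlier; at minimum a comment above the four new lines such as `// databricks_gcp_service_account is only accepted for purpose = "STORAGE"` would record the constraint next to the code, and the docs example should be aligned with it. As a point of style, the new lines use `CustomizeSchemaPath(...).SetComputed()` while the adjacent lines use `MustSchemaPath(...).Computed = true`; using one form throughout keeps the block uniform. The customization closure begun at `var credentialSchema` continues past the end of this section.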
26 changes: 25 additions & 1 deletion docs/resources/credential.md
Expand Up @@ -50,7 +50,26 @@ resource "databricks_credential" "external_mi" {
}
resource "databricks_grants" "external_creds" {
credential = databricks_credential.external.id
credential = databricks_credential.external_mi.id
grant {
principal = "Data Engineers"
privileges = ["ACCESS"]
}
}
```

For GCP

```hcl
resource "databricks_credential" "external_gcp_sa" {
name = "gcp_sa_credential"
databricks_gcp_service_account {}
purpose = "SERVICE"
comment = "GCP SA credential managed by TF"
}
resource "databricks_grants" "external_creds" {
credential = databricks_credential.external_gcp_sa.id
grant {
principal = "Data Engineers"
privileges = ["ACCESS"]
Expand Down Expand Up @@ -87,6 +106,11 @@ The following arguments are required:
- `application_id` - The application ID of the application registration within the referenced AAD tenant
- `client_secret` - The client secret generated for the above app ID in AAD. **This field is redacted on output**

`databricks_gcp_service_account` optional configuration block for creating a Databricks-managed GCP Service Account. Only applicable when purpose is `STORAGE`:

- `email` (output only) - The email of the GCP service account created, to be granted access to relevant buckets.


## Attribute Reference

In addition to all arguments above, the following attributes are exported:
