From dd59c83dfdd049e76bc1943414a999ae8b10fe9a Mon Sep 17 00:00:00 2001 From: Alex Ott Date: Wed, 4 Dec 2024 10:57:16 +0100 Subject: [PATCH] [Feature] support for `databricks_credential` in `databricks_workspace_binding` For `databricks_credential` we have a separate binding type, so it was added to validations --- catalog/resource_workspace_binding.go | 3 +- docs/resources/workspace_binding.md | 4 +-- internal/acceptance/workspace_binding_test.go | 28 +++++++++++++++---- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/catalog/resource_workspace_binding.go b/catalog/resource_workspace_binding.go index de8da8cd10..fc2c0825f6 100644 --- a/catalog/resource_workspace_binding.go +++ b/catalog/resource_workspace_binding.go @@ -43,7 +43,8 @@ func ResourceWorkspaceBinding() common.Resource { Optional: true, Default: "catalog", } - common.CustomizeSchemaPath(m, "securable_type").SetValidateFunc(validation.StringInSlice([]string{"catalog", "external_location", "storage_credential"}, false)) + common.CustomizeSchemaPath(m, "securable_type").SetValidateFunc(validation.StringInSlice([]string{ + "catalog", "external_location", "storage_credential", "service_credential"}, false)) common.CustomizeSchemaPath(m, "binding_type").SetDefault(catalog.WorkspaceBindingBindingTypeBindingTypeReadWrite).SetValidateFunc(validation.StringInSlice([]string{ string(catalog.WorkspaceBindingBindingTypeBindingTypeReadWrite), string(catalog.WorkspaceBindingBindingTypeBindingTypeReadOnly), diff --git a/docs/resources/workspace_binding.md b/docs/resources/workspace_binding.md index e7dd0105af..06cb4a8569 100644 --- a/docs/resources/workspace_binding.md +++ b/docs/resources/workspace_binding.md 
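Review bot: The allow-list passed to `validation.StringInSlice(..., false)` is matched exactly, yet the documentation updated in this same patch spells two of the accepted values `external-location` and `storage-credential`, which this validator rejects; only the underscore forms pass. Workspace binding is the control that limits which workspaces can reach an isolated securable, so a mistyped type should be easy to diagnose: I would add a comment above the call, `// Accepted securable_type values, matched case-sensitively; keep docs/resources/workspace_binding.md in sync.`, and align the docs to the underscore spelling. It is also worth confirming against the bindings API that `service_credential` is the string it expects for a `databricks_credential`, since nothing in the hunk lets a reader check that. `ResourceWorkspaceBinding` starts and ends outside this hunk.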
@@ -9,7 +9,7 @@ If you use workspaces to isolate user data access, you may want to limit access By default, Databricks assigns the securable to all workspaces attached to the current metastore. By using `databricks_workspace_binding`, the securable will be unassigned from all workspaces and only assigned explicitly using this resource. --> To use this resource the securable must have its isolation mode set to `ISOLATED` (for [databricks_catalog](catalog.md)) or `ISOLATION_MODE_ISOLATED` (for (for [databricks_external_location](external_location.md) or [databricks_storage_credential](storage_credential.md)) for the `isolation_mode` attribute. Alternatively, the isolation mode can be set using the UI or API by following [this guide](https://docs.databricks.com/data-governance/unity-catalog/create-catalogs.html#configuration), [this guide](https://docs.databricks.com/en/connect/unity-catalog/external-locations.html#workspace-binding) or [this guide](https://docs.databricks.com/en/connect/unity-catalog/storage-credentials.html#optional-assign-a-storage-credential-to-specific-workspaces). +-> To use this resource the securable must have its isolation mode set to `ISOLATED` (for [databricks_catalog](catalog.md)) or `ISOLATION_MODE_ISOLATED` (for (for [databricks_external_location](external_location.md), [databricks_storage_credential](storage_credential.md) or [databricks_credential](credential.md)) for the `isolation_mode` attribute. Alternatively, the isolation mode can be set using the UI or API by following [this guide](https://docs.databricks.com/data-governance/unity-catalog/create-catalogs.html#configuration), [this guide](https://docs.databricks.com/en/connect/unity-catalog/external-locations.html#workspace-binding) or [this guide](https://docs.databricks.com/en/connect/unity-catalog/storage-credentials.html#optional-assign-a-storage-credential-to-specific-workspaces). 
-> If the securable's isolation mode was set to `ISOLATED` using Terraform then the securable will have been automatically bound to the workspace it was created from. @@ -33,7 +33,7 @@ The following arguments are required: * `workspace_id` - ID of the workspace. Change forces creation of a new resource. * `securable_name` - Name of securable. Change forces creation of a new resource. -* `securable_type` - Type of securable. Can be `catalog`, `external-location` or `storage-credential`. Default to `catalog`. Change forces creation of a new resource. +* `securable_type` - Type of securable. Can be `catalog`, `external-location`, `storage-credential` or `service_credential`. Default to `catalog`. Change forces creation of a new resource. * `binding_type` - (Optional) Binding mode. Default to `BINDING_TYPE_READ_WRITE`. Possible values are `BINDING_TYPE_READ_ONLY`, `BINDING_TYPE_READ_WRITE`. ## Import diff --git a/internal/acceptance/workspace_binding_test.go b/internal/acceptance/workspace_binding_test.go index f55f4ebd72..74768259f5 100644 --- a/internal/acceptance/workspace_binding_test.go +++ b/internal/acceptance/workspace_binding_test.go @@ -30,6 +30,16 @@ func workspaceBindingTemplateWithWorkspaceId(workspaceId string) string { } isolation_mode = "ISOLATION_MODE_ISOLATED" } + + resource "databricks_credential" "credential" { + name = "service-cred-{var.RANDOM}" + aws_iam_role { + role_arn = "{env.TEST_METASTORE_DATA_ACCESS_ARN}" + } + purpose = "SERVICE" + skip_validation = true + isolation_mode = "ISOLATION_MODE_ISOLATED" + } resource "databricks_external_location" "some" { name = "external-{var.RANDOM}" 
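Review bot: `skip_validation = true` in the new `databricks_credential` block of the test template is unexplained, and the block reuses `TEST_METASTORE_DATA_ACCESS_ARN` as the role for a `purpose = "SERVICE"` credential, so a reader cannot tell whether validation is skipped deliberately or to hide a role that would not pass. If the intent is that this test only binds the credential and never uses the role, a template comment such as `# validation skipped: the role is only bound here, never used as a service credential` would record that (the author should confirm the reason). `workspaceBindingTemplateWithWorkspaceId` starts before this hunk and continues past it.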
@@ -40,28 +50,34 @@ func workspaceBindingTemplateWithWorkspaceId(workspaceId string) string { resource "databricks_workspace_binding" "dev" { catalog_name = databricks_catalog.dev.name - workspace_id = %s + workspace_id = %[1]s } resource "databricks_workspace_binding" "prod" { securable_name = databricks_catalog.prod.name securable_type = "catalog" - workspace_id = %s + workspace_id = %[1]s binding_type = "BINDING_TYPE_READ_ONLY" } resource "databricks_workspace_binding" "ext" { securable_name = databricks_external_location.some.id securable_type = "external_location" - workspace_id = %s + workspace_id = %[1]s } resource "databricks_workspace_binding" "cred" { securable_name = databricks_storage_credential.external.id securable_type = "storage_credential" - workspace_id = %s - } - `, workspaceId, workspaceId, workspaceId, workspaceId) + workspace_id = %[1]s + } + + resource "databricks_workspace_binding" "service_cred" { + securable_name = databricks_credential.credential.id + securable_type = "service_credential" + workspace_id = %[1]s + } + `, workspaceId) } func TestUcAccWorkspaceBindingToOtherWorkspace(t *testing.T) {
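Review bot: The new `service_cred` binding omits `binding_type`, so the test covers only the default `BINDING_TYPE_READ_WRITE`, while the schema in `catalog/resource_workspace_binding.go` accepts `BINDING_TYPE_READ_ONLY` for every securable type. Whether a read-only binding means anything for a service credential is not visible in this patch; I would state the intent in the template with `# binding_type omitted on purpose: default BINDING_TYPE_READ_WRITE`, and say in the `binding_type` docs whether read-only applies to credentials. `workspaceBindingTemplateWithWorkspaceId` starts outside this hunk.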