[FEATURE] SCIM service principal resource #28

Closed
stikkireddy opened this issue May 1, 2020 · 14 comments
Labels
feature New feature or request

Comments

@stikkireddy
Contributor

stikkireddy commented May 1, 2020

Is your feature request related to a problem? Please describe.
I would like the scim service principal resource to be implemented, with acceptance tests and documented in the website docs. https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/scim/scim-sp

Describe the solution you'd like
This requires:

  1. Client implementation to communicate with SCIM API
  2. Resource object to create or destroy SCIM object
  3. Documentation update describing the attributes of the service principal object & usage.

Describe alternatives you've considered
Design is straightforward; it follows the pattern of scim user.

Additional context
For more information read here: https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/scim/scim-sp. It enables you to use Terraform to add SCIM service principals to the workspace via SCIM.

@stikkireddy stikkireddy added the feature New feature or request label May 1, 2020
@nfx nfx added this to the v0.3.0 milestone Aug 25, 2020
@nfx nfx removed this from the v0.3.0 milestone Sep 22, 2020
@nfx
Contributor

nfx commented Sep 22, 2020

Issue is old and it doesn't seem it needs any attention. Closing it for now.

@nfx nfx closed this as completed Sep 22, 2020
@tcz001
Contributor

tcz001 commented Oct 1, 2020

Hi @nfx I hope we can reopen this issue, scim_service_principal is not implemented on this provider

@stikkireddy
Contributor Author

@tcz001 want to pick this up?

@stikkireddy stikkireddy reopened this Oct 1, 2020
@nfx
Contributor

nfx commented Oct 5, 2020

Why do we need to create SP through SCIM API? Won't it simply work if SP is granted contributor role on workspace resource in Azure through either Portal UI or terraform role assignment resource?

@dfanesiDB
Contributor

dfanesiDB commented Oct 9, 2020

I have a project starting in a few weeks which will need Active Directory and SCIM integration features in Terraform. I wonder whether it is possible to completely automate in Terraform the workspace creation and the AD configuration with SCIM enabled.

@nfx
Contributor

nfx commented Oct 9, 2020

@dfanesiDB, just in case, Active Directory should trigger SCIM provisioning as enterprise app, Terraform should be used only for defining groups & their permissions. And yes, it is possible to automate complete workspace, see the very first link in readme :)

@tcz001
Contributor

tcz001 commented Oct 11, 2020

@nfx we need the service principal in SCIM because it's without the Admin permission by default, while the Azure RBAC contributor role will be added as Admin by default and it has a 2000 role assignments limitation. That's why we need this resource to be implemented.

@tcz001
Contributor

tcz001 commented Oct 11, 2020

> @tcz001 want to pick this up?

yes, we will try to send a PR on this

@tcz001
Contributor

tcz001 commented Oct 14, 2020

@nfx one quick question, should we name the resource as databricks_service_principal to follow your recent change on databricks_user and deprecated databricks_scim_user?

@nfx
Contributor

nfx commented Oct 19, 2020

@tcz001, databricks_service_principal is the naming convention to go ahead with, correct. SCIM is just the name of the industry standard interface to manage identities, it shouldn't leak into resource names. Most people would even ask first - "what is SCIM?..".

To be clear, this is what we'd expect in PR:

  • resource code itself, which has 90% coverage by unit tests - see examples for databricks_user. You can check coverage by running make coverage.
  • acceptance tests
  • documentation (+change to databricks_permissions resource doc in this particular case)

@tcz001
Contributor

tcz001 commented Oct 26, 2020

@nfx @sdebruyn PR is created

@nfx nfx linked a pull request Oct 30, 2020 that will close this issue
@nfx
Contributor

nfx commented Dec 3, 2020

Changes from #386 merged in #432 and will be part of 0.3.0 release.

@nfx nfx closed this as completed Dec 3, 2020
@snowch

snowch commented Sep 16, 2022

As this ticket is closed, is the original requirement (below) now possible with terraform?

> I would like the scim service principal resource to be implemented, with acceptance tests and documented in the website docs. https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/scim/scim-sp

Are there any docs on this? I couldn't see anything here:

[image]

There's also a question on this topic on Stack Overflow.

5 participants