Group role member feature #101

stikkireddy · 2020-06-15T10:24:03Z

Created three new resources with optional review for adding one more:

Resources:

Pushed & Tested:

databricks_group (only supports display name with allow_cluster_create)
databricks_group_role (1 to 1 mapping between instance profile and group)
databricks_group_member (1 to 1 mapping between parent group [group_id] and member [group_id or user_id])

Optional & Up for Discussion:

databricks_group_members (1 to all mappings between one parent group and all its members which will greatly reduce stress against SCIM api for patch requests to add members)

The purpose of the above resources are to manage groups only at the name & entitlement level.
The databricks_group only will include display name and entitlements to create or delete clusters.

Up for discussion to also move that outside of the group object because of the permissions api. I have flagged them as deprecated.

Example resource objects:

Creating member links:

resource "databricks_group" "my_group" {
  display_name = "%[1]s"
}
resource "databricks_group" "my_sub_group_a" {
  display_name = "sub_a_%[1]s"
}
resource "databricks_group" "my_sub_group_b" {
  display_name = "sub_b_%[1]s"
}
resource "databricks_group_member" "my_member_a" {
  group_id = databricks_group.my_group.id
  member_id = databricks_group.my_sub_group_a.id
}
resource "databricks_group_member" "my_member_b" {
  group_id = databricks_group.my_group.id
  member_id = databricks_group.my_sub_group_b.id
}

Creating Roles:

resource "databricks_instance_profile" "instance_profile" {
  instance_profile_arn = "%s"
  skip_validation = true
}
resource "databricks_group" "my_group" {
  display_name = "%s"
}
resource "databricks_group_role" "my_group_role" {
  group_id = databricks_group.my_group.id
  instance_profile_id = databricks_instance_profile.instance_profile.id
}

…le to manage the scim resources separately

nfx · 2020-06-15T10:36:01Z

databricks/resource_databricks_group_role.go

+	"strings"
+)
+
+func resourceGroupRole() *schema.Resource {


this resource might have an alias - databricks_group_instance_profile :) because here we semantically mix two things and confuse outside user

Great point, I always found this quite confusing as well... I will switch it to databricks_group_instance_profile

…rm into group-role-member-feature

stikkireddy added 2 commits June 15, 2020 06:18

added databricks_group, databricks_group_member & databricks_group_ro…

67edef8

…le to manage the scim resources separately

format and linting errors resolved

83f6e80

stikkireddy requested a review from nfx June 15, 2020 10:24

nfx reviewed Jun 15, 2020

View reviewed changes

nfx approved these changes Jun 15, 2020

View reviewed changes

stikkireddy added 7 commits June 15, 2020 06:57

Merge branch 'master' of github.com:databrickslabs/databricks-terrafo…

0f03f7b

…rm into group-role-member-feature

removed deprecation notice as it is invalid

511d3c3

Merge branch 'master' of github.com:databrickslabs/databricks-terrafo…

09ff551

…rm into group-role-member-feature

renamed group_role to group_instance_profile

76afb2e

fixed function name ValidateInstanceProfileARN in the doc comments

20af367

formatting and fixed typo

d56c8ed

added vendoring for aws sdk

54d5011

stikkireddy merged commit 86f53be into master Jun 15, 2020

stikkireddy deleted the group-role-member-feature branch July 16, 2020 14:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Group role member feature #101

Group role member feature #101

stikkireddy commented Jun 15, 2020 •

edited

nfx Jun 15, 2020

stikkireddy Jun 15, 2020

Group role member feature #101

Group role member feature #101

Conversation

stikkireddy commented Jun 15, 2020 • edited

nfx Jun 15, 2020

Choose a reason for hiding this comment

stikkireddy Jun 15, 2020

Choose a reason for hiding this comment

stikkireddy commented Jun 15, 2020 •

edited