
databricks_obo_token resource to manage PAT tokens on behalf of service principals in E2 workspaces #736

Merged
merged 8 commits into master from obo-tokens
Jul 21, 2021

Conversation

@nfx (Contributor) commented Jul 21, 2021

This resource creates On-Behalf-Of tokens for a Service Principal in Databricks workspaces on AWS. It is very useful when you want to provision resources within a workspace through a narrowly-scoped service principal that has no access to other workspaces within the same Databricks Account.

Example Usage

Creating a token for a narrowly-scoped service principal

```hcl
# Service principal that will own the token; it has no workspace permissions beyond
# what is granted below, so the resulting PAT cannot reach other workspaces.
resource "databricks_service_principal" "this" {
  display_name = "Automation-only SP"
}

# The service principal must be allowed to use tokens before one can be created on its behalf.
resource "databricks_permissions" "token_usage" {
  authorization = "tokens"
  access_control {
    service_principal_name = databricks_service_principal.this.application_id
    permission_level       = "CAN_USE"
  }
}

# Create the on-behalf-of PAT; depends_on guarantees the grant above exists first.
resource "databricks_obo_token" "this" {
  depends_on       = [databricks_permissions.token_usage]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  lifetime_seconds = 3600
}

# The token value is a secret: mark the output sensitive so it is not printed in plan/apply logs.
output "obo" {
  value     = databricks_obo_token.this.token_value
  sensitive = true
}
```

Creating a token for a service principal with admin privileges

```hcl
resource "databricks_service_principal" "this" {
  display_name = "Terraform"
}

# Look up the built-in workspace admins group.
data "databricks_group" "admins" {
  display_name = "admins"
}

# Membership in admins grants the service principal (and therefore its token) admin rights in this workspace.
resource "databricks_group_member" "this" {
  group_id  = data.databricks_group.admins.id
  member_id = databricks_service_principal.this.id
}

# Create the token only after the admin membership is in place.
resource "databricks_obo_token" "this" {
  depends_on       = [databricks_group_member.this]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  lifetime_seconds = 3600
}
```

Argument Reference

The following arguments are required:

  • application_id - Application ID of databricks_service_principal to create a PAT token for.
  • lifetime_seconds - (Integer) The number of seconds before the token expires. The token resource is re-created when it expires.
  • comment - (String) Comment that describes the purpose of the token.

Attribute Reference

In addition to all arguments above, the following attributes are exported:

  • id - Canonical unique identifier for the token.
  • token_value - Sensitive value of the newly-created token.
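
The resource above wraps a single REST call and an expiry rule ("re-created when it expires"). The following is an added example, not code from the provider or from this PR: a minimal Go client that creates an on-behalf-of token and decides from the stored expiry whether it must be re-created. It assumes the Databricks Token Management endpoint `POST /api/2.0/token-management/on-behalf-of/tokens` with a JSON body of `application_id`, `lifetime_seconds` and `comment`, and a response carrying `token_value` plus `token_info.expiry_time` in epoch milliseconds; the in-process fake workspace, the `dapi-constructed-secret` value and the five-minute safety margin are constructed for the example and are not part of the resource.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed request/response shapes of the Token Management on-behalf-of endpoint.
type oboTokenRequest struct {
	ApplicationID   string `json:"application_id"`
	LifetimeSeconds int64  `json:"lifetime_seconds"`
	Comment         string `json:"comment"`
}

type tokenInfo struct {
	TokenID      string `json:"token_id"`
	CreationTime int64  `json:"creation_time"` // epoch millis
	ExpiryTime   int64  `json:"expiry_time"`   // epoch millis
	Comment      string `json:"comment"`
}

type oboTokenResponse struct {
	TokenValue string    `json:"token_value"` // secret; never log it
	TokenInfo  tokenInfo `json:"token_info"`
}

// createOboToken creates a PAT on behalf of applicationID using the caller's admin bearer
// token. It rejects non-positive lifetimes (an unbounded token defeats the narrow scoping).
func createOboToken(baseURL, adminToken, applicationID string, lifetime time.Duration, comment string) (*oboTokenResponse, error) {
	if lifetime <= 0 {
		return nil, fmt.Errorf("lifetime must be positive")
	}
	body, err := json.Marshal(oboTokenRequest{
		ApplicationID: applicationID, LifetimeSeconds: int64(lifetime.Seconds()), Comment: comment,
	})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, baseURL+"/api/2.0/token-management/on-behalf-of/tokens", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+adminToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token-management API returned HTTP %d", resp.StatusCode)
	}
	var out oboTokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	if out.TokenValue == "" {
		return nil, fmt.Errorf("response carried no token_value")
	}
	return &out, nil
}

// needsRecreate implements the resource's expiry rule: a token whose expiry_time (epoch millis)
// is within margin of now is treated as expired so it is not handed out mid-apply.
// The margin is an assumption of this example, not a provider setting.
func needsRecreate(expiryMillis int64, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(time.UnixMilli(expiryMillis))
}

// newFakeWorkspace is a constructed stand-in for a workspace: it only honours the admin
// bearer token and issues a token with exactly the requested lifetime.
func newFakeWorkspace(adminToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/api/2.0/token-management/on-behalf-of/tokens" {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("Authorization") != "Bearer "+adminToken {
			http.Error(w, `{"error_code":"PERMISSION_DENIED"}`, http.StatusForbidden)
			return
		}
		var in oboTokenRequest
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil || in.ApplicationID == "" {
			http.Error(w, `{"error_code":"INVALID_PARAMETER_VALUE"}`, http.StatusBadRequest)
			return
		}
		now := time.Now()
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(oboTokenResponse{
			TokenValue: "dapi-constructed-secret", // constructed; a real value is a random secret
			TokenInfo: tokenInfo{TokenID: "tok-001", CreationTime: now.UnixMilli(),
				ExpiryTime: now.Add(time.Duration(in.LifetimeSeconds) * time.Second).UnixMilli(), Comment: in.Comment},
		})
	}))
}

func main() {
	ws := newFakeWorkspace("admin-pat")
	defer ws.Close()
	tok, err := createOboToken(ws.URL, "admin-pat", "00000000-0000-0000-0000-000000000000", time.Hour, "PAT on behalf of Automation-only SP")
	if err != nil {
		panic(err)
	}
	// Print metadata only; the token value itself stays out of logs.
	fmt.Printf("token %s expires %s, re-create now: %v\n", tok.TokenInfo.TokenID,
		time.UnixMilli(tok.TokenInfo.ExpiryTime).UTC().Format(time.RFC3339),
		needsRecreate(tok.TokenInfo.ExpiryTime, time.Now(), 5*time.Minute))
}
```

The two checks worth carrying into any wrapper of this API are visible here: the call only succeeds with the admin caller's own bearer token (the service principal cannot mint tokens for itself without `CAN_USE` on tokens, which is what the `databricks_permissions` block in the first snippet grants), and the secret is returned to the caller but never written to output, matching the `sensitive = true` output above.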

@nfx nfx added the aws Occurring on AWS cloud label Jul 21, 2021
@nfx nfx added this to the v0.3.7 milestone Jul 21, 2021
@nfx nfx self-assigned this Jul 21, 2021
@nfx nfx linked an issue Jul 21, 2021 that may be closed by this pull request
@codecov (codecov bot) commented Jul 21, 2021

Codecov Report

Merging #736 (ade9fe3) into master (ef04352) will increase coverage by 0.01%.
The diff coverage is 84.09%.


@@            Coverage Diff             @@
##           master     #736      +/-   ##
==========================================
+ Coverage   83.55%   83.56%   +0.01%     
==========================================
  Files          87       88       +1     
  Lines        8073     8112      +39     
==========================================
+ Hits         6745     6779      +34     
- Misses        843      846       +3     
- Partials      485      487       +2     
| Impacted Files | Coverage Δ |
|---|---|
| identity/groups.go | 87.80% <37.50%> (-12.20%) ⬇️ |
| identity/resource_obo_token.go | 93.75% <93.75%> (ø) |
| identity/data_group.go | 81.81% <100.00%> (+3.55%) ⬆️ |
| provider/provider.go | 95.31% <100.00%> (+0.01%) ⬆️ |

@nfx nfx requested a review from alexott July 21, 2021 13:59
@nfx nfx marked this pull request as ready for review July 21, 2021 13:59
@nfx nfx changed the title from "Add support for SP OBO Tokens" to "databricks_obo_token resource to manage PAT tokens on behalf of service principals in E2 workspaces" Jul 21, 2021
@alexott (Contributor) left a comment

lgtm


The following arguments are required:

* `application_id` - Application ID of [databricks_service_principal](service_principal.md#application_id) to create PAT token for.
@alexott commented on docs/resources/obo_token.md:
create PAT -> create a PAT

@nfx nfx merged commit afb39eb into master Jul 21, 2021
@nfx nfx deleted the obo-tokens branch July 21, 2021 17:29
@nfx nfx mentioned this pull request Jul 30, 2021
Labels
aws Occurring on AWS cloud
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[FEATURE] Support creating tokens on behalf of Service Principals
2 participants