How to use for_each with databricks_grants resource

Hi,
I am trying to use the databricks_grants resource together with the for_each meta-argument.
My code:

locals {
  groups = ["group1", "group2"]
}

resource "databricks_grants" "catalog_grants" {
  catalog = databricks_catalog.catalog_raw.name

  for_each = toset(local.groups)
  grant {
    principal  = local.service_principal_id
    privileges = ["ALL_PRIVILEGES"]
  }
  grant {
    principal  = each.key
    privileges = ["ALL_PRIVILEGES"]
  }
}

I’d like to assign grants for databricks catalogs to a list of groups, using for_each. As you can see, I assign not just one but multiple grants to this catalog. I understand that each loop will most likely overwrite the service principal’s grant, but at the end it should stay, so let’s ignore it. However, the same thing happens for my groups variable - the last group overwrites itself as principal in the grant, and at the end the catalog has only 2 grants - one for the service principal and one for the group (I expect to get three - one for the service principal, and one for each of the two groups). Is this a limitation of Terraform, the Databricks provider, or am I simply using it wrong?

Your code has lost all its indentation, and is hard to read - Welcome to the forum - please reformat your message

You are using the databricks_grants resource improperly - as hinted at by it having a plural name, each single instance of databricks_grants manages all the grants for a catalog, etc.

You’ve got each of your two instances of databricks_grants set up to fight with each other, and the last processed wins.

You need to have only one databricks_grants resource, and inside that resource, use dynamic blocks (see "Dynamic Blocks - Configuration Language | Terraform | HashiCorp Developer") to specify the variable number of nested grant blocks inside that single resource.

Yes, you’re right, this works for me:

locals {
  groups = ["group1", "group2"]
}

resource "databricks_grants" "catalog_grants" {
  catalog = databricks_catalog.catalog_raw.name

  dynamic "grant" {
    for_each = local.groups
    content {
      principal  = grant.value
      privileges = ["ALL_PRIVILEGES"]
    }
  }
}
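
An added example, not code from any post in this thread: because a single databricks_grants instance manages every grant on the catalog, the service principal's grant from the question has to sit in the same resource as the dynamic group grants, or it is no longer part of the managed grant list. The `group_privileges` map and its privilege lists are constructed for illustration; `databricks_catalog.catalog_raw` and `local.service_principal_id` are assumed to exist as in the question.

```hcl
locals {
  # Hypothetical map (constructed sample): group name => privileges on the catalog.
  # A map lets each group carry its own privilege list instead of a blanket
  # ALL_PRIVILEGES for everyone.
  group_privileges = {
    group1 = ["USE_CATALOG", "USE_SCHEMA", "SELECT"]
    group2 = ["ALL_PRIVILEGES"]
  }
}

# Exactly one databricks_grants resource per catalog: no for_each on the
# resource itself, so there are no competing instances overwriting each other.
resource "databricks_grants" "catalog_grants" {
  catalog = databricks_catalog.catalog_raw.name

  # Static grant for the service principal, kept alongside the generated ones.
  grant {
    principal  = local.service_principal_id
    privileges = ["ALL_PRIVILEGES"]
  }

  # One nested grant block is generated per map entry.
  dynamic "grant" {
    for_each = local.group_privileges
    content {
      principal  = grant.key   # map key: the group name
      privileges = grant.value # map value: that group's privilege list
    }
  }
}
```

Running `terraform plan` after this change should show all three principals in one resource, which makes any unintended removal of a grant visible before apply.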