Cannot destroy Azure Databricks group membership from system groups with Terraform

I am trying to manage my Azure Databricks users and groups through Terraform with the databrickslabs/databricks provider, like this:

resource "databricks_group" "group" {
  display_name = var.group_name
  force        = true

  allow_cluster_create       = false
  allow_instance_pool_create = false
  databricks_sql_access      = true
  workspace_access           = true
}

resource "databricks_user" "user" {
  user_name    = var.user_mail
  display_name = var.user_name
  force        = true
}

resource "databricks_group_member" "membership" {
  group_id  = databricks_group.group.id
  member_id = databricks_user.user.id
}

All of this is deployed via my Azure service principal, as part of a larger code base that also provisions the Databricks workspace... and it works fine.

However, if I add a user to one of the Databricks built-in groups (admins, users), the deployment still works, but terraform destroy -- again, run as my service principal -- fails with the following error when it tries to destroy the databricks_group_member.membership resource:

Error: cannot delete group member: PERMISSION_DENIED: Requesting user '0a19c919-7b10-499d-acd4-057944582a41' does not have permission to edit system groups.

Why can my service principal define a group membership but not delete it? Is there some special Databricks permission I can give my service principal -- when I create the workspace -- that would fix this? Otherwise I have to manually run terraform state rm on the resource to let the destroy go through.

users is a built-in group that contains all users of the workspace; you cannot remove users from it, and you also should not add users to it explicitly. You can delete the user, and then it is removed from users as well. If you are worried that the permissions of all users are too broad, you can revoke as much as possible from the users group and set specific permissions on each group instead.

Regarding the admins group, the example from the documentation works fine - you add a user and put it into the admins group:

Terraform will perform the following actions:

  # databricks_group_member.i-am-admin will be created
  + resource "databricks_group_member" "i-am-admin" {
      + group_id  = "5662462700018557"
      + id        = (known after apply)
      + member_id = (known after apply)
    }

  # databricks_user.me will be created
  + resource "databricks_user" "me" {
      + active                     = true
      + allow_cluster_create       = false
      + allow_instance_pool_create = false
      + databricks_sql_access      = false
      + display_name               = (known after apply)
      + id                         = (known after apply)
      + user_name                  = "me@example.com"
      + workspace_access           = false
    }

Plan: 2 to add, 0 to change, 0 to destroy.
databricks_user.me: Creating...
databricks_user.me: Creation complete after 2s [id=3766754836829044]
databricks_group_member.i-am-admin: Creating...
databricks_group_member.i-am-admin: Creation complete after 1s [id=5662462700018557|3766754836829044]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

And when you remove this user from the admins group by deleting the databricks_group_member resource, it is simply removed without errors, but the user remains a member of the users group:

Terraform will perform the following actions:

  # databricks_group_member.i-am-admin will be destroyed
  - resource "databricks_group_member" "i-am-admin" {
      - group_id  = "5662462700018557" -> null
      - id        = "5662462700018557|3766754836829044" -> null
      - member_id = "3766754836829044" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.
databricks_group_member.i-am-admin: Destroying... [id=5662462700018557|3766754836829044]
databricks_group_member.i-am-admin: Destruction complete after 1s

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.
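As an added example (not part of the question or the answer above), here is the pattern that triggers the destroy error placed next to the one the answer recommends: a custom group carrying the specific entitlements and the membership managed there, with the broad defaults revoked on the built-in users group. The group and user names and the e-mail address are constructed, and the databricks_entitlements resource is assumed to be available, as it is in the current databricks/databricks provider but may not be in the older databrickslabs provider used in the question.

```hcl
# Look up the built-in "users" group. Only the system may edit its membership,
# so a databricks_group_member pointing at it can be created but not destroyed.
data "databricks_group" "users" {
  display_name = "users"
}

# This is the membership that fails on "terraform destroy" with
# PERMISSION_DENIED ... does not have permission to edit system groups.
# Left commented out on purpose; do not manage "users" membership this way.
# resource "databricks_group_member" "in_users" {
#   group_id  = data.databricks_group.users.id
#   member_id = databricks_user.user.id
# }

# Recommended pattern: a custom group that carries the specific entitlements.
resource "databricks_group" "analysts" {
  display_name = "analysts"               # constructed sample name

  allow_cluster_create       = false
  allow_instance_pool_create = false
  databricks_sql_access      = true
  workspace_access           = true
}

resource "databricks_user" "user" {
  user_name = "someone@example.com"        # constructed sample value
  force     = true
}

# Membership in a custom group can be created and destroyed by the same
# service principal without touching a system group.
resource "databricks_group_member" "analyst_membership" {
  group_id  = databricks_group.analysts.id
  member_id = databricks_user.user.id
}

# Narrow what every workspace user gets by default: revoke the broad
# entitlements on "users" and grant them per custom group instead.
# Assumes the databricks_entitlements resource (databricks/databricks provider).
resource "databricks_entitlements" "users_defaults" {
  group_id                   = data.databricks_group.users.id
  allow_cluster_create       = false
  allow_instance_pool_create = false
  databricks_sql_access      = false
  workspace_access           = true        # kept so users can still log in
}
```

Deleting databricks_user.user also drops the user from the users group, which is the supported way to remove a user from that built-in group.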