Add service principals to Databricks using terraform


In the past, every time I deployed Databricks with Terraform I had to add the Azure SPN manually. But now I'm learning more and decided to automate this too. Since the new changes to Azure Databricks, my Azure service principal is account admin automatically.

My code:

resource "databricks_service_principal" "sp" {
  provider       = databricks.azure_account
  for_each       = local.all_spns
  application_id = local.all_spns[each.key]["application_id"]
  display_name   = local.all_spns[each.key]["display_name"]
  active         = local.all_spns[each.key]["account_enabled"]
  external_id    = each.key
  force          = true
}

According to the docs, `force` should do the trick and implicitly import the specified service principal into the Terraform state. But I am getting the error

│ Error: cannot create service principal: invalidValue PERMISSION_DENIED: Cannot remove roles for 479791...(id of the service principal in account admin).

I understand the problem: if I remove the service principal, then I get an authorization error when deploying anything with Terraform.

I tried to run `terraform import`, but I am getting an error there too.

terraform import module.gg.module.databricks_groups["groups"].databricks_service_principal.sp["7bd75d0e-3305-44a0..."] "479791..."

Error:

Index brackets must contain either a literal number or a literal string.

My goal is just to import it into state and manage it, only to change the name, as it is not super clear which SPN it is: dev, prd or shd!

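The `Index brackets must contain either a literal number or a literal string` error in the question is a shell quoting problem: in bash the double quotes inside `sp["7bd75d0e-..."]` are consumed by the shell, so Terraform receives `sp[7bd75d0e-...]`, which is not a valid index. Two ways around it, as an added example that is not the asker's or answerer's code: either single-quote the whole resource address on the CLI, or declare the mapping in configuration with a Terraform `import` block (Terraform 1.5 or newer), which avoids the CLI quoting entirely. The block below assumes a `local.all_spns` map shaped like the one in the question, a `databricks.azure_account` provider alias that already exists, and placeholder ids (the real values are the Azure application id and the Databricks account-level id of the existing service principal).

```hcl
# Added example, not code from the question or the answer.
# Assumes Terraform >= 1.5 for the import block and a configured
# provider alias "databricks.azure_account" (both assumptions).

locals {
  # Constructed sample map; the key is the Azure application (client) id.
  all_spns = {
    "7bd75d0e-3305-44a0-0000-000000000000" = {
      application_id  = "7bd75d0e-3305-44a0-0000-000000000000"
      display_name    = "spn-terraform-dev"   # the clearer name the asker wants
      account_enabled = true
    }
  }
}

# Binds the existing account-level service principal to the for_each
# instance so that "terraform plan" shows it as an import rather than
# a create. "id" is the Databricks account id of the principal
# (the "479791..." value in the question; placeholder here).
import {
  to = databricks_service_principal.sp["7bd75d0e-3305-44a0-0000-000000000000"]
  id = "479791000000000000"
}

# Same resource shape as the question, without force = true:
# the import block makes the implicit import unnecessary.
resource "databricks_service_principal" "sp" {
  provider       = databricks.azure_account
  for_each       = local.all_spns
  application_id = each.value.application_id
  display_name   = each.value.display_name
  active         = each.value.account_enabled
  external_id    = each.key
}
```

Run `terraform plan` first: it should report one resource to import and then a display-name update, with no destroy. When the resource lives inside a module, the `import` block still goes in the root module and `to` takes the full address from the question, i.e. `module.gg.module.databricks_groups["groups"].databricks_service_principal.sp["7bd75d0e-..."]`. The equivalent CLI form needs the address in single quotes so the brackets and inner double quotes reach Terraform intact: `terraform import 'module.gg.module.databricks_groups["groups"].databricks_service_principal.sp["7bd75d0e-..."]' '479791...'`.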


Venkat V


Here is Terraform code to create a Databricks workspace and assign the service principal the account_admin role without importing the service principal.

    terraform {
      required_providers {
        azurerm = {
          source = "hashicorp/azurerm"
        }
        databricks = {
          source = "databricks/databricks"
        }
      }
    }

    # The azurerm provider refuses to plan without a features block, even an empty one.
    provider "azurerm" {
      features {}
    }

    resource "azurerm_resource_group" "rgname" {
      name     = "databricks-RG"
      location = "centralus"
    }

    resource "azurerm_databricks_workspace" "example" {
      name                = "databricks-venkat"
      resource_group_name = azurerm_resource_group.rgname.name
      location            = azurerm_resource_group.rgname.location
      sku                 = "premium"
    }

    # Account-level Databricks provider; fill in the account ID from the account console.
    provider "databricks" {
      host       = "https://accounts.azuredatabricks.net"
      account_id = ""
    }

    resource "databricks_service_principal" "sp" {
      application_id       = "<Service Principal ID>"
      display_name         = "venkatapp"
      allow_cluster_create = true
    }

    # Grants the account-level admin role to the service principal created above.
    resource "databricks_service_principal_role" "account_admin" {
      service_principal_id = databricks_service_principal.sp.id
      role                 = "account_admin"
    }

Terraform apply:

[screenshot of the terraform apply output]

After executing the Terraform code above, the workspace is created and the service principal is assigned the account_admin role.

[screenshot of the Databricks account console]