Support databricks_mws_log_delivery on GCP (credentials_id should be optional) #5545

@usadamasa

Problem

databricks_mws_log_delivery currently requires credentials_id, which can only be obtained from databricks_mws_credentials. However, databricks_mws_credentials is AWS-only — it requires role_arn (an AWS IAM role ARN) with no GCP alternative.

On GCP, Databricks audit log delivery uses a fixed Databricks-managed service account (log-delivery@databricks-prod-master.iam.gserviceaccount.com). Customers grant this SA roles/storage.admin on the target GCS bucket — no customer-side credential registration is needed.

The GCP Account Console already supports configuring audit log delivery with just a bucket name and optional delivery path prefix, without any credential object. This means the GCP REST API supports it, but the Terraform provider does not.

Expected Behavior

On GCP, credentials_id should be optional for databricks_mws_log_delivery, similar to how databricks_mws_workspaces already handles cloud-specific optional fields (e.g., credentials_id is marked as "AWS only" in that resource).

Ideally:

  • credentials_id → Optional (required for AWS, not needed for GCP)
  • databricks_mws_storage_configurations should explicitly document GCS bucket support

Current Behavior

│ Error: Missing required argument
│
│   on main.tf line X, in resource "databricks_mws_log_delivery" "audit_logs":
│ The argument "credentials_id" is required, but no definition was found.

Attempting to create databricks_mws_credentials without role_arn also fails:

│ Error: Missing required argument
│
│ The argument "role_arn" is required, but no definition was found.

Root Cause (Provider Source)

In mws/resource_mws_log_delivery.go, the LogDeliveryConfiguration struct defines CredentialsID without omitempty or tf:"optional":

type LogDeliveryConfiguration struct {
    CredentialsID          string  `json:"credentials_id" tf:"force_new"`           // No omitempty → Required
    StorageConfigurationID string  `json:"storage_configuration_id" tf:"force_new"` // No omitempty → Required
    // ...
}

Similarly, in mws/resource_mws_credentials.go, RoleArn is required with no GCP alternative:

AwsCredentials struct {
    StsRole *StsRole `json:"sts_role"`
}
StsRole struct {
    RoleArn string `json:"role_arn" tf:"force_new"`
}

References

Workaround

Currently using the GCP Account Console to configure audit log delivery manually, as there is no Terraform path on GCP.

Environment

  • Terraform Provider Version: latest (v1.x)
  • Cloud: GCP
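
The required/optional rule described under "Root Cause", as an added example that is not part of the original issue and is not the provider's own code: a simplified reflection check that applies only the rule as the issue states it (a field is required unless its json tag has omitempty or its tf tag has optional). The names currentConfig, proposedConfig, hasOption and RequiredFields are hypothetical, and proposedConfig is one constructed way to express the requested change.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Constructed copy of the struct shape quoted in the issue.
type currentConfig struct {
	CredentialsID          string `json:"credentials_id" tf:"force_new"`
	StorageConfigurationID string `json:"storage_configuration_id" tf:"force_new"`
}

// Hypothetical variant: credentials_id gains omitempty, as the issue requests.
type proposedConfig struct {
	CredentialsID          string `json:"credentials_id,omitempty" tf:"force_new"`
	StorageConfigurationID string `json:"storage_configuration_id" tf:"force_new"`
}

// hasOption reports whether opt appears in a list of tag options.
func hasOption(opts []string, opt string) bool {
	for _, o := range opts {
		if strings.TrimSpace(o) == opt {
			return true
		}
	}
	return false
}

// RequiredFields lists JSON names of fields with neither omitempty nor tf:"optional".
func RequiredFields(v interface{}) []string {
	var req []string
	t := reflect.TypeOf(v)
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		js := strings.Split(f.Tag.Get("json"), ",") // js[0] is the name, the rest are options
		tf := strings.Split(f.Tag.Get("tf"), ",")
		if hasOption(js[1:], "omitempty") || hasOption(tf, "optional") {
			continue
		}
		req = append(req, js[0])
	}
	return req
}

func main() {
	fmt.Println(RequiredFields(currentConfig{}), RequiredFields(proposedConfig{}))
}
```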
