
Commit a638a11

fix(iam-v2): prevent external principals from losing access during token rotation (#78)
1 parent bb12718 commit a638a11


1 file changed

+27
-0
lines changed


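--- a/modules/iam-v2/main.tf
+++ b/modules/iam-v2/main.tf
@@ -46,6 +46,19 @@ resource "databricks_permission_assignment" "group" {
 # A metastore must be assigned to the Databricks workspace before permissions can be assigned to groups.
 data.external.current_metastore_assignment
 ]
+
+lifecycle {
+ignore_changes = [
+# If the token used to resolve the internal ID of the group has expired,
+# it will be rotated and Terraform will be unable to resolve the external
+# group during the plan phase. In this case, the result of the external
+# group proxy will be deferred until the apply phase, forcing the
+# replacement (i.e., temporary removal) of this permission assignment.
+# Ignore changes to the internal ID to prevent external groups from
+# temporarily losing access to the workspace.
+principal_id
+]
+}
 }
 
 # Retrieve information about the corresponding workspace-level groups.
@@ -88,6 +101,20 @@ resource "databricks_permission_assignment" "service_principal" {
 # A metastore must be assigned to the Databricks workspace before permissions can be assigned to service principals.
 data.external.current_metastore_assignment
 ]
+
+lifecycle {
+ignore_changes = [
+# If the token used to resolve the internal ID of the service principal
+# has expired, it will be rotated and Terraform will be unable to resolve
+# the external service principal during the plan phase. In this case, the
+# result of the external service principal proxy will be deferred until
+# the apply phase, forcing the replacement (i.e., temporary removal) of
+# this permission assignment. Ignore changes to the internal ID to prevent
+# external service principals from temporarily losing access to the
+# workspace.
+principal_id
+]
+}
 }
 
 # Retrieve information about the corresponding workspace-level service principals.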
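Review bot: Putting `principal_id` under `ignore_changes` in both hunks (the `group` resource at the first hunk and the `service_principal` resource at the second) also hides legitimate changes to the identity that holds the permission, so a genuinely remapped or re-created external group or service principal, or a principal altered out of band, will keep or gain the assignment without Terraform ever reconciling it; the comment block only describes the token-expiry case and should state this trade-off. I would add to each comment, after the existing text: `# NOTE: this also suppresses intentional changes to the principal; a` / `# remapped principal must be reconciled explicitly (e.g. terraform apply -replace=<resource address>).` The root cause appears to be the `data.external` proxy being deferred to apply when its token has expired, and fixing the resolution there would let the identity attribute stay under normal drift detection; that is inferred from the comments, as the data source itself is outside both hunks. Both `resource` blocks start before their hunks.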
