Refactor service principal permissions validation and enhance local comments

Author: hknutsen

modules/iam/main.tf

@@ -8,8 +8,14 @@ resource "databricks_service_principal" "this" {
 }
 
 locals {
-  # For each Databricks service principal, convert permission objects to access control rule objects.
-  # 
+  # For each Databricks service principal, convert permission objects to access
+  # control rule objects. Service principals are currently the only type of
+  # object in Databricks that do not support the "databricks_permissions"
+  # resource for managing access control. In this module, we provide a
+  # permissions-like interface for managing service principal access control
+  # using the "databricks_access_control_rule_set" resource. If support for
+  # using the "databricks_permissions" resource is added in the future, we
+  # should be able to make the switch without changing this interface.
   access_control_rules = {
     for key, sp in var.service_principals : key => [for permission in sp.permissions : {
       acl_user_id              = permission.user_name != null ? "users/${permission.user_name}" : null
@@ -23,15 +29,13 @@ locals {
   }
 }
 
-data "databricks_current_user" "this" {}
-
 resource "databricks_access_control_rule_set" "service_principal" {
   for_each = databricks_service_principal.this
 
   name = "accounts/${var.account_id}/servicePrincipals/${each.value.application_id}/ruleSets/default"
 
   grant_rules {
-    principals = concat([data.databricks_current_user.this.acl_principal_id], [for rule in local.access_control_rules[each.key] : coalesce(rule.acl_user_id, rule.acl_group_id, rule.acl_service_principal_id) if rule.role == "roles/servicePrincipal.manager"])
+    principals = [for rule in local.access_control_rules[each.key] : coalesce(rule.acl_user_id, rule.acl_group_id, rule.acl_service_principal_id) if rule.role == "roles/servicePrincipal.manager"]
     role       = "roles/servicePrincipal.manager"
   }
 

modules/iam/variables.tf

@@ -1,7 +1,7 @@
 variable "account_id" {
-  # TODO: add description.
-  type     = string
-  nullable = false
+  description = "The ID of the Databricks account to manage service principal permissions for."
+  type        = string
+  nullable    = false
 }
 
 variable "service_principals" {
@@ -16,27 +16,23 @@ variable "service_principals" {
       group_name             = optional(string)
       service_principal_name = optional(string)
       permission_level       = string
-    })))
+    })), [])
   }))
   nullable = false
-  default = {
-    "example" = {
-      display_name = "example-sp"
-      permissions = [
-        {
-          user_name        = "example-user"
-          group_name       = "example-group"
-          permission_level = "foo"
-        }
-      ]
-    }
+  default  = {}
+
+  validation {
+    condition = alltrue([
+      for _, sp in var.service_principals : length(sp.permissions) > 0
+    ])
+    error_message = "At least one permission object must be specified."
   }
 
   validation {
     condition = alltrue([
       for _, sp in var.service_principals :
       alltrue([
-        for p in coalesce(sp.permissions, []) :
+        for p in sp.permissions :
         length(compact([p.user_name, p.group_name, p.service_principal_name])) == 1
       ])
     ])
@@ -47,7 +43,7 @@ variable "service_principals" {
     condition = alltrue([
       for _, sp in var.service_principals :
       alltrue([
-        for p in coalesce(sp.permissions, []) :
+        for p in sp.permissions :
         p.permission_level == "CAN_MANAGE" || p.permission_level == "CAN_USE"
       ])
     ])