We use Azure Databricks and manage it via Terraform. We have configured the SCIM connector provisioner (AAD Enterprise app) to sync users and groups from AAD to Databricks. This works well. I am able to assign job or cluster permissions to these SCIM-synced groups, but when I try to assign the admin role (entire workspace admin) to a SCIM-synced group, Terraform shows the error "API is not available for this workspace". Sorry, I don't know what it means. Is it related to the Terraform provider, or am I doing something wrong? Please suggest what I should use or correct. Please find the code below. The 'principal_id' argument accepts a user ID, group ID, or service principal ID as per the Terraform documentation here: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permission_assignment#principal_id
Provider configuration:

    terraform {
      required_version = ">= 1.1.4"
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = ">= 3.8.0"
        }
        databricks = {
          source  = "databricks/databricks"
          version = ">= 1.6.3"
        }
      }
    }

    provider "databricks" { # Assign the Databricks workspace ID to the provider
      azure_workspace_resource_id = data.azurerm_databricks_workspace.adb_ws.id
    }
Resource block:

    resource "databricks_permission_assignment" "assign_scim_admingroup" {
      principal_id = data.databricks_group.dbricks_admin_group.id
      permissions  = ["ADMIN"]
    }
Error in terraform:
│ Error: cannot create permission assignment: Permission assignment APIs are not available for this workspace.
│
│ with databricks_permission_assignment.assign_scim_admingroup,
│ on Dbricks-permission.tf line 104, in resource "databricks_permission_assignment" "assign_scim_admingroup":
│ 43: resource "databricks_permission_assignment" "assign_scim_admingroup" {
My expectation is that a Databricks group synced with AAD via the SCIM connector provisioner should be assignable the "ADMIN" role using Terraform.
I tried to reproduce the same in my environment:
Code:
I received the same error:
Please note:
Manage groups - Azure Databricks | Microsoft Learn
The account admins can assign them using the principal ID, which can be retrieved using the SCIM API.
Make sure to enable identity federation to assign group roles, and have a Premium plan in order to manage the assignment of users to workspaces. You can also check Automate SCIM provisioning using Microsoft Graph from
Reference: Configure SCIM provisioning using Microsoft Azure Active Directory - Azure Databricks | Microsoft Learn
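As an added example, not code from the question or the answer above: the answer says the assignment is done by an account admin using the group's principal ID, and that identity federation must be enabled. The Databricks provider exposes that account-level path as `databricks_mws_permission_assignment`, driven by a second provider instance pointed at the account console rather than at the workspace. The configuration below assumes the workspace is already identity-federated (it has been attached to a Unity Catalog metastore), that the identity behind `az login` is a Databricks account admin, and that the account ID, workspace name, resource group and group display name are placeholders to be replaced.

```hcl
# Added example: account-level workspace ADMIN assignment for a SCIM-synced
# group. Not taken from the question or the answer. Assumes an identity-
# federated workspace and an account-admin identity; all names are placeholders.

terraform {
  required_version = ">= 1.1.4"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.8.0"
    }
    databricks = {
      source  = "databricks/databricks"
      version = ">= 1.6.3"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "databricks_account_id" {
  description = "Databricks account ID from the account console (placeholder)"
  type        = string
}

# Account-level provider: talks to the account console, not to a workspace.
# Authenticates with the identity behind `az login`, which must be an account admin.
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.azuredatabricks.net"
  account_id = var.databricks_account_id
}

# Workspace-level provider, as in the question, kept for workspace-scoped
# resources such as cluster or job permissions.
provider "databricks" {
  alias                       = "workspace"
  azure_workspace_resource_id = data.azurerm_databricks_workspace.adb_ws.id
}

data "azurerm_databricks_workspace" "adb_ws" {
  name                = "my-adb-workspace" # placeholder
  resource_group_name = "my-adb-rg"        # placeholder
}

# Resolve the SCIM-synced group at the account level by its display name;
# the resulting id is the principal ID the answer refers to.
data "databricks_group" "workspace_admins" {
  provider     = databricks.account
  display_name = "databricks-workspace-admins" # placeholder
}

# Account-level assignment of the group to the workspace with the ADMIN role.
# workspace_id is the numeric Databricks workspace ID exported by azurerm,
# not the Azure resource ID used by the workspace-level provider.
resource "databricks_mws_permission_assignment" "admin_group" {
  provider     = databricks.account
  workspace_id = data.azurerm_databricks_workspace.adb_ws.workspace_id
  principal_id = data.databricks_group.workspace_admins.id
  permissions  = ["ADMIN"]
}
```

This does not bypass the requirement the answer points out: the permission assignment APIs, workspace-level and account-level alike, are only available once identity federation is enabled on the workspace. With that in place, the question's original workspace-level `databricks_permission_assignment` also stops returning "Permission assignment APIs are not available for this workspace"; the account-level form is simply the one that matches where an account admin normally performs the assignment.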