diff --git a/catalog/resource_credential.go b/catalog/resource_credential.go
index 4cf77e319..72f1ea5da 100644
--- a/catalog/resource_credential.go
+++ b/catalog/resource_credential.go
@@ -11,7 +11,8 @@ import (
 
 var credentialSchema = common.StructToSchema(catalog.CredentialInfo{},
 	func(m map[string]*schema.Schema) map[string]*schema.Schema {
-		var alofServiceCreds = []string{"aws_iam_role", "azure_managed_identity", "azure_service_principal"}
+		var alofServiceCreds = []string{"aws_iam_role", "azure_managed_identity", "azure_service_principal",
+			"databricks_gcp_service_account"}
 		for _, cred := range alofServiceCreds {
 			common.CustomizeSchemaPath(m, cred).SetExactlyOneOf(alofServiceCreds)
 		}
@@ -25,6 +26,10 @@ var credentialSchema = common.StructToSchema(catalog.CredentialInfo{},
 			common.CustomizeSchemaPath(m, computed).SetComputed()
 		}
 
+		common.CustomizeSchemaPath(m, "databricks_gcp_service_account").SetComputed()
+		common.CustomizeSchemaPath(m, "databricks_gcp_service_account", "email").SetComputed()
+		common.CustomizeSchemaPath(m, "databricks_gcp_service_account", "credential_id").SetComputed()
+		common.CustomizeSchemaPath(m, "databricks_gcp_service_account", "private_key_id").SetComputed()
 		common.MustSchemaPath(m, "aws_iam_role", "external_id").Computed = true
 		common.MustSchemaPath(m, "aws_iam_role", "unity_catalog_iam_arn").Computed = true
 		common.MustSchemaPath(m, "azure_managed_identity", "credential_id").Computed = true
diff --git a/docs/resources/credential.md b/docs/resources/credential.md
index e612e9f89..f56ec07fe 100644
--- a/docs/resources/credential.md
+++ b/docs/resources/credential.md
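Review bot: The new `databricks_gcp_service_account` block is marked Computed on the block and on each of its three sub-fields, but nothing in this hunk constrains which credential `purpose` it may be combined with, and the docs hunk in the same commit is itself contradictory — it says the block is "Only applicable when purpose is `STORAGE`" while its example declares `purpose = "SERVICE"` — so a wrong combination would surface only as an API error at apply time rather than at plan. If the API really does restrict it, a plan-time check (a CustomizeDiff that rejects the block when `purpose` has the other value) would fail earlier and more clearly; if it does not, the docs sentence is what needs fixing. Leaving `credential_id` and `private_key_id` non-sensitive looks right since they read as identifiers rather than key material, but it is worth confirming the API never returns the private key itself under this block (the `client_secret` sibling is documented as redacted on output). A short comment above the four new lines would help the next reader, e.g. `// Databricks creates the GCP service account itself; the block and its email/credential_id/private_key_id are server-populated, so users select this type with an empty block` — that it is Databricks-created is taken from the docs hunk, confirm against the API. The enclosing schema-customization closure starts before this hunk and ends after it.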
@@ -50,7 +50,26 @@ resource "databricks_credential" "external_mi" { } resource "databricks_grants" "external_creds" { - credential = databricks_credential.external.id + credential = databricks_credential.external_mi.id + grant { + principal = "Data Engineers" + privileges = ["ACCESS"] + } +} +``` + +For GCP + +```hcl +resource "databricks_credential" "external_gcp_sa" { + name = "gcp_sa_credential" + databricks_gcp_service_account {} + purpose = "SERVICE" + comment = "GCP SA credential managed by TF" +} + +resource "databricks_grants" "external_creds" { + credential = databricks_credential.external_gcp_sa.id grant { principal = "Data Engineers" privileges = ["ACCESS"] @@ -87,6 +106,11 @@ The following arguments are required: - `application_id` - The application ID of the application registration within the referenced AAD tenant - `client_secret` - The client secret generated for the above app ID in AAD. **This field is redacted on output** +`databricks_gcp_service_account` optional configuration block for creating a Databricks-managed GCP Service Account. Only applicable when purpose is `STORAGE`: + +- `email` (output only) - The email of the GCP service account created, to be granted access to relevant buckets. + + ## Attribute Reference In addition to all arguments above, the following attributes are exported: