Issue 2971: Service principal data source retrieval by SCIM ID (#3142)

karolusz · alexott · tanmay-db · web-flow · commit 171d7cac69b4 · 2025-07-10T11:10:57.000Z
## Changes Allows for retrieval of service principals as data sources by SCIM ID. Slight changes to allow for the use of `ExactlyOneOf` in schema definition, which helps with config validation. Commit 54810c4 has a working and tested implementation closer to the original one, if so desired. Closes #2971 ## Tests Unrelated unit tests failing in the local dev environment. - [x] `make test` run locally - [x] relevant change in `docs/` folder - [ ] covered with integration tests in `internal/acceptance` - [ ] relevant acceptance tests are passing - [ ] using Go SDK --------- Co-authored-by: Alex Ott <alexey.ott@databricks.com> Co-authored-by: Alex Ott <alexott@gmail.com> Co-authored-by: Tanmay Rustagi <88379306+tanmay-db@users.noreply.github.com>
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -8,6 +8,7 @@
 
 * Add `bearer_token` to the list of sensitive options in `databricks_connection` ([#4812](https://github.com/databricks/terraform-provider-databricks/pull/4812)).
 * Use single-node cluster for `databricks_sql_permissions` ([#4813](https://github.com/databricks/terraform-provider-databricks/pull/4813)).
+* Allow to retrieve service principal data by SCIM ID ([#3142](https://github.com/databricks/terraform-provider-databricks/pull/3142)).
 * Add support for Lakebase `databricks_database_instance` in  `databricks_permissions` ([#4824](https://github.com/databricks/terraform-provider-databricks/pull/4824)).
 * Added support for Alert V2 in `databricks_permissions` ([#4831](https://github.com/databricks/terraform-provider-databricks/pull/4831)).
 * Replace instead of dropping Delta `databricks_sql_table` ([#2424](https://github.com/databricks/terraform-provider-databricks/pull/2424)).
diff --git a/docs/data-sources/service_principal.md b/docs/data-sources/service_principal.md
@@ -31,16 +31,18 @@ resource "databricks_group_member" "my_member_a" {
 
 Data source allows you to pick service principals by one of the following attributes (only one of them):
 
-- `application_id` - (Required if `display_name` isn't used) ID of the service principal. The service principal must exist before this resource can be retrieved.
-- `display_name` - (Required if `application_id` isn't used) Exact display name of the service principal. The service principal must exist before this resource can be retrieved.  In case if there are several service principals with the same name, an error is thrown.
+- `application_id` - (Required if neither `display_name` nor `scim_id` is used) ID of the service principal. The service principal must exist before this resource can be retrieved.
+- `display_name` - (Required if neither `application_id` nor `scim_id` is  used) Exact display name of the service principal. The service principal must exist before this resource can be retrieved.  In case if there are several service principals with the same name, an error is thrown.
+- `scim_id` - (Required if neither `application_id` nor `display_name` is used) Unique SCIM ID for a service principal in the Databricks workspace. The service principal must exist before this resource can be retrieved.
 
 ## Attribute Reference
 
 Data source exposes the following attributes:
 
-- `id` - The id of the service principal.
+- `id` - The id of the service principal (SCIM ID).
 - `external_id` - ID of the service principal in an external identity provider.
 - `display_name` - Display name of the [service principal](../resources/service_principal.md), e.g. `Foo SPN`.
+- `scim_id` - same as `id`.
 - `home` - Home folder of the [service principal](../resources/service_principal.md), e.g. `/Users/11111111-2222-3333-4444-555666777888`.
 - `repos` - Repos location of the [service principal](../resources/service_principal.md), e.g. `/Repos/11111111-2222-3333-4444-555666777888`.
 - `active` - Whether service principal is active or not.
diff --git a/scim/data_service_principal.go b/scim/data_service_principal.go
@@ -5,59 +5,79 @@ import (
 	"fmt"
 
 	"github.com/databricks/terraform-provider-databricks/common"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-// DataSourceServicePrincipal returns information about the spn specified by the application_id
+// DataSourceServicePrincipal returns information about the spn specified by the application_id, id, display_name, or scim_id
 func DataSourceServicePrincipal() common.Resource {
 	type spnData struct {
 		ApplicationID  string `json:"application_id,omitempty" tf:"computed"`
 		DisplayName    string `json:"display_name,omitempty" tf:"computed"`
-		SpID           string `json:"sp_id,omitempty" tf:"computed"`
+		ScimID         string `json:"scim_id,omitempty" tf:"computed"`
 		ID             string `json:"id,omitempty" tf:"computed"`
 		Home           string `json:"home,omitempty" tf:"computed"`
 		Repos          string `json:"repos,omitempty" tf:"computed"`
 		Active         bool   `json:"active,omitempty" tf:"computed"`
 		ExternalID     string `json:"external_id,omitempty" tf:"computed"`
 		AclPrincipalID string `json:"acl_principal_id,omitempty" tf:"computed"`
 	}
-	return common.DataResource(spnData{}, func(ctx context.Context, e any, c *common.DatabricksClient) error {
-		response := e.(*spnData)
-		spnAPI := NewServicePrincipalsAPI(ctx, c)
-		var spList []User
-		var err error
-		if response.ApplicationID != "" && response.DisplayName != "" {
-			return fmt.Errorf("please specify only one of application_id or display_name")
-		}
-		if response.ApplicationID != "" {
-			spList, err = spnAPI.Filter(fmt.Sprintf(`applicationId eq "%s"`, response.ApplicationID), true)
-		} else if response.DisplayName != "" {
-			spList, err = spnAPI.Filter(fmt.Sprintf(`displayName eq "%s"`, response.DisplayName), true)
-		} else {
-			return fmt.Errorf("please specify either application_id or display_name")
-		}
-		if err != nil {
-			return err
-		}
-		if len(spList) == 0 {
+
+	s := common.StructToSchema(spnData{}, func(
+		s map[string]*schema.Schema) map[string]*schema.Schema {
+		s["application_id"].ExactlyOneOf = []string{"application_id", "display_name", "scim_id"}
+		s["display_name"].ExactlyOneOf = []string{"application_id", "display_name", "scim_id"}
+		s["scim_id"].ExactlyOneOf = []string{"application_id", "display_name", "scim_id"}
+		return s
+	})
+
+	return common.Resource{
+		Schema: s,
+		Read: func(ctx context.Context, d *schema.ResourceData, m *common.DatabricksClient) error {
+			var response spnData
+			var spList []User
+			var err error
+
+			common.DataToStructPointer(d, s, &response)
+			spnAPI := NewServicePrincipalsAPI(ctx, m)
+
 			if response.ApplicationID != "" {
-				return fmt.Errorf("cannot find SP with ID %s", response.ApplicationID)
+				spList, err = spnAPI.Filter(fmt.Sprintf(`applicationId eq "%s"`, response.ApplicationID), true)
+			} else if response.ScimID != "" {
+				spList, err = spnAPI.Filter(fmt.Sprintf(`id eq "%s"`, response.ScimID), true)
+			} else if response.DisplayName != "" {
+				spList, err = spnAPI.Filter(fmt.Sprintf(`displayName eq "%s"`, response.DisplayName), true)
 			} else {
-				return fmt.Errorf("cannot find SP with name %s", response.DisplayName)
+				return fmt.Errorf("please specify either application_id, display_name, or scim_id")
 			}
-		} else if len(spList) > 1 {
-			return fmt.Errorf("there are more than 1 service principal with name %s", response.DisplayName)
-		}
-
-		sp := spList[0]
-		response.DisplayName = sp.DisplayName
-		response.ApplicationID = sp.ApplicationID
-		response.Home = fmt.Sprintf("/Users/%s", sp.ApplicationID)
-		response.Repos = fmt.Sprintf("/Repos/%s", sp.ApplicationID)
-		response.AclPrincipalID = fmt.Sprintf("servicePrincipals/%s", sp.ApplicationID)
-		response.ExternalID = sp.ExternalID
-		response.Active = sp.Active
-		response.SpID = sp.ID
-		response.ID = sp.ID
-		return nil
-	})
+			if err != nil {
+				return err
+			}
+
+			if len(spList) == 0 {
+				if response.ApplicationID != "" {
+					return fmt.Errorf("cannot find SP with an application ID %s", response.ApplicationID)
+				} else if response.ScimID != "" {
+					return fmt.Errorf("cannot find SP with an ID %s", response.ScimID)
+				} else {
+					return fmt.Errorf("cannot find SP with name %s", response.DisplayName)
+				}
+			} else if len(spList) > 1 {
+				return fmt.Errorf("there are %d Service Principals with name %s", len(spList), response.DisplayName)
+			}
+
+			sp := spList[0]
+			response.DisplayName = sp.DisplayName
+			response.ApplicationID = sp.ApplicationID
+			response.Home = fmt.Sprintf("/Users/%s", sp.ApplicationID)
+			response.Repos = fmt.Sprintf("/Repos/%s", sp.ApplicationID)
+			response.AclPrincipalID = fmt.Sprintf("servicePrincipals/%s", sp.ApplicationID)
+			response.ExternalID = sp.ExternalID
+			response.Active = sp.Active
+			response.ScimID = sp.ID
+
+			err = common.StructToData(response, s, d)
+			d.SetId(sp.ID)
+			return err
+		},
+	}
 }
diff --git a/scim/data_service_principal_acc_test.go b/scim/data_service_principal_acc_test.go
@@ -0,0 +1,50 @@
+package scim_test
+
+import (
+	"testing"
+
+	"github.com/databricks/terraform-provider-databricks/internal/acceptance"
+)
+
+const spnBySCIMID = `
+resource "databricks_service_principal" "this" {
+	display_name = "SPN {var.RANDOM}"
+}
+
+data "databricks_service_principal" "this" {
+	scim_id = databricks_service_principal.this.id
+	depends_on = [databricks_service_principal.this]
+}`
+
+const azureSpnBySCIMID = `
+resource "databricks_service_principal" "this" {
+	application_id = "{var.RANDOM_UUID}"
+	display_name = "SPN {var.RANDOM}"
+	force = true
+}
+
+data "databricks_service_principal" "this" {
+	scim_id = databricks_service_principal.this.id 
+	depends_on = [databricks_service_principal.this]
+}`
+
+func TestAccDataSourceSPNOnAWSBySCIMID(t *testing.T) {
+	acceptance.GetEnvOrSkipTest(t, "TEST_EC2_INSTANCE_PROFILE")
+	acceptance.WorkspaceLevel(t, acceptance.Step{
+		Template: spnBySCIMID,
+	})
+}
+
+func TestAccDataSourceSPNOnGCPBySCIMID(t *testing.T) {
+	acceptance.GetEnvOrSkipTest(t, "GOOGLE_CREDENTIALS")
+	acceptance.WorkspaceLevel(t, acceptance.Step{
+		Template: spnBySCIMID,
+	})
+}
+
+func TestAccDataSourceSPNOnAzureBySCIMID(t *testing.T) {
+	acceptance.GetEnvOrSkipTest(t, "ARM_CLIENT_ID")
+	acceptance.WorkspaceLevel(t, acceptance.Step{
+		Template: azureSpnBySCIMID,
+	})
+}
diff --git a/scim/data_service_principal_test.go b/scim/data_service_principal_test.go
@@ -41,7 +41,7 @@ func TestDataServicePrincipalReadByAppId(t *testing.T) {
 		NonWritable: true,
 		ID:          "abc",
 	}.ApplyAndExpectData(t, map[string]any{
-		"sp_id":            "abc",
+		"scim_id":          "abc",
 		"id":               "abc",
 		"application_id":   "abc",
 		"display_name":     "Example Service Principal",
@@ -52,7 +52,95 @@ func TestDataServicePrincipalReadByAppId(t *testing.T) {
 	})
 }
 
-func TestDataServicePrincipalReadByIdNotFound(t *testing.T) {
+func TestDataServicePrincipalReadBySpId(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=id%20eq%20%22abc%22",
+				Response: UserList{
+					Resources: []User{
+						{
+							ID:            "abc",
+							DisplayName:   "Example Service Principal",
+							Active:        true,
+							ApplicationID: "abc",
+							Groups: []ComplexValue{
+								{
+									Display: "admins",
+									Value:   "4567",
+								},
+								{
+									Display: "ds",
+									Value:   "9877",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Resource:    DataSourceServicePrincipal(),
+		HCL:         `scim_id = "abc"`,
+		Read:        true,
+		NonWritable: true,
+		ID:          "abc",
+	}.ApplyAndExpectData(t, map[string]any{
+		"scim_id":          "abc",
+		"id":               "abc",
+		"application_id":   "abc",
+		"display_name":     "Example Service Principal",
+		"active":           true,
+		"home":             "/Users/abc",
+		"repos":            "/Repos/abc",
+		"acl_principal_id": "servicePrincipals/abc",
+	})
+}
+func TestDataServicePrincipalReadByDisplayName(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=displayName%20eq%20%22testsp%22",
+				Response: UserList{
+					Resources: []User{
+						{
+							ID:            "abc",
+							DisplayName:   "testsp",
+							Active:        true,
+							ApplicationID: "abc",
+							Groups: []ComplexValue{
+								{
+									Display: "admins",
+									Value:   "4567",
+								},
+								{
+									Display: "ds",
+									Value:   "9877",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Resource:    DataSourceServicePrincipal(),
+		HCL:         `display_name = "testsp"`,
+		Read:        true,
+		NonWritable: true,
+		ID:          "abc",
+	}.ApplyAndExpectData(t, map[string]any{
+		"scim_id":          "abc",
+		"id":               "abc",
+		"application_id":   "abc",
+		"display_name":     "testsp",
+		"active":           true,
+		"home":             "/Users/abc",
+		"repos":            "/Repos/abc",
+		"acl_principal_id": "servicePrincipals/abc",
+	})
+}
+func TestDataServicePrincipalReadByAppIdNotFound(t *testing.T) {
 	qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
 			{
@@ -66,9 +154,25 @@ func TestDataServicePrincipalReadByIdNotFound(t *testing.T) {
 		Read:        true,
 		NonWritable: true,
 		ID:          "_",
-	}.ExpectError(t, "cannot find SP with ID abc")
+	}.ExpectError(t, "cannot find SP with an application ID abc")
 }
 
+func TestDataServicePrincipalReadByIdNotFound(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=id%20eq%20%22abc%22",
+				Response: UserList{},
+			},
+		},
+		Resource:    DataSourceServicePrincipal(),
+		HCL:         `scim_id = "abc"`,
+		Read:        true,
+		NonWritable: true,
+		ID:          "_",
+	}.ExpectError(t, "cannot find SP with an ID abc")
+}
 func TestDataServicePrincipalReadByNameNotFound(t *testing.T) {
 	qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
@@ -133,7 +237,7 @@ func TestDataServicePrincipalReadByNameDuplicates(t *testing.T) {
 		Read:        true,
 		NonWritable: true,
 		ID:          "abc",
-	}.ExpectError(t, "there are more than 1 service principal with name abc")
+	}.ExpectError(t, "there are 2 Service Principals with name abc")
 }
 
 func TestDataServicePrincipalReadNoParams(t *testing.T) {
@@ -143,16 +247,16 @@ func TestDataServicePrincipalReadNoParams(t *testing.T) {
 		Read:        true,
 		NonWritable: true,
 		ID:          "_",
-	}.ExpectError(t, "please specify either application_id or display_name")
+	}.ExpectError(t, "please specify either application_id, display_name, or scim_id")
 }
 
-func TestDataServicePrincipalReadBothParams(t *testing.T) {
+func TestDataServicePrincipalReadInvalidConfig(t *testing.T) {
 	qa.ResourceFixture{
 		Resource: DataSourceServicePrincipal(),
 		HCL: `display_name = "abc"
 		application_id = "abc"`,
 		Read:        true,
 		NonWritable: true,
 		ID:          "_",
-	}.ExpectError(t, "please specify only one of application_id or display_name")
+	}.ExpectError(t, "invalid config supplied. [application_id] Invalid combination of arguments. [display_name] Invalid combination of arguments. [scim_id] Invalid combination of arguments")
 }
