added isolation mode support for databricks_external_location & databricks_storage_credential (#3704)

nkvuong · web-flow · commit 483eb992b698 · 2024-06-28T13:22:12.000Z
* add isolation mode support for external location &amp; storage credential

* add doc &amp; test
diff --git a/catalog/resource_catalog.go b/catalog/resource_catalog.go
@@ -90,6 +90,7 @@ func ResourceCatalog() common.Resource {
 			if !updateRequired(d, []string{"owner", "isolation_mode", "enable_predictive_optimization"}) {
 				return nil
 			}
+
 			var updateCatalogRequest catalog.UpdateCatalog
 			common.DataToStructPointer(d, catalogSchema, &updateCatalogRequest)
 			updateCatalogRequest.Name = d.Id()
@@ -98,6 +99,7 @@ func ResourceCatalog() common.Resource {
 				return err
 			}
 
+			// Bind the current workspace if the catalog is isolated, otherwise the read will fail
 			return bindings.AddCurrentWorkspaceBindings(ctx, d, w, ci.Name, "catalog")
 		},
 		Read: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
@@ -163,9 +165,6 @@ func ResourceCatalog() common.Resource {
 			// So if we don't update the field then the requests would be made to old Name which doesn't exists.
 			d.SetId(ci.Name)
 
-			if d.Get("isolation_mode") != "ISOLATED" {
-				return nil
-			}
 			// Bind the current workspace if the catalog is isolated, otherwise the read will fail
 			return bindings.AddCurrentWorkspaceBindings(ctx, d, w, ci.Name, "catalog")
 		},
diff --git a/catalog/resource_external_location.go b/catalog/resource_external_location.go
@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/databricks/databricks-sdk-go/service/catalog"
+	"github.com/databricks/terraform-provider-databricks/catalog/bindings"
 	"github.com/databricks/terraform-provider-databricks/common"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -20,6 +21,7 @@ type ExternalLocationInfo struct {
 	ReadOnly       bool                       `json:"read_only,omitempty"`
 	AccessPoint    string                     `json:"access_point,omitempty"`
 	EncDetails     *catalog.EncryptionDetails `json:"encryption_details,omitempty"`
+	IsolationMode  string                     `json:"isolation_mode,omitempty" tf:"computed"`
 }
 
 func ResourceExternalLocation() common.Resource {
@@ -59,8 +61,8 @@ func ResourceExternalLocation() common.Resource {
 			}
 			d.SetId(el.Name)
 
-			// Don't update owner if it is not provided
-			if d.Get("owner") == "" {
+			// Update owner or isolation mode if it is provided
+			if !updateRequired(d, []string{"owner", "isolation_mode"}) {
 				return nil
 			}
 
@@ -71,7 +73,9 @@ func ResourceExternalLocation() common.Resource {
 			if err != nil {
 				return err
 			}
-			return nil
+
+			// Bind the current workspace if the external location is isolated, otherwise the read will fail
+			return bindings.AddCurrentWorkspaceBindings(ctx, d, w, el.Name, "external-location")
 		},
 		Read: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
 			w, err := c.WorkspaceClient()
@@ -129,7 +133,8 @@ func ResourceExternalLocation() common.Resource {
 				}
 				return err
 			}
-			return nil
+			// Bind the current workspace if the external location is isolated, otherwise the read will fail
+			return bindings.AddCurrentWorkspaceBindings(ctx, d, w, updateExternalLocationRequest.Name, "external-location")
 		},
 		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
 			force := d.Get("force_destroy").(bool)
diff --git a/catalog/resource_external_location_test.go b/catalog/resource_external_location_test.go
@@ -5,8 +5,10 @@ import (
 	"testing"
 
 	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/databricks/databricks-sdk-go/experimental/mocks"
 	"github.com/databricks/databricks-sdk-go/service/catalog"
 	"github.com/databricks/terraform-provider-databricks/qa"
+	"github.com/stretchr/testify/mock"
 )
 
 func TestExternalLocationCornerCases(t *testing.T) {
@@ -52,6 +54,81 @@ func TestCreateExternalLocation(t *testing.T) {
 	}.ApplyNoError(t)
 }
 
+func TestCreateIsolatedExternalLocation(t *testing.T) {
+	qa.ResourceFixture{
+		MockWorkspaceClientFunc: func(w *mocks.MockWorkspaceClient) {
+			e := w.GetMockExternalLocationsAPI().EXPECT()
+			e.Create(mock.Anything, catalog.CreateExternalLocation{
+				Name:           "abc",
+				Url:            "s3://foo/bar",
+				CredentialName: "bcd",
+				Comment:        "def",
+			}).Return(&catalog.ExternalLocationInfo{
+				Name:           "abc",
+				Url:            "s3://foo/bar",
+				CredentialName: "bcd",
+				Comment:        "def",
+				MetastoreId:    "e",
+				Owner:          "f",
+			}, nil)
+			e.Update(mock.Anything, catalog.UpdateExternalLocation{
+				Name:           "abc",
+				Url:            "s3://foo/bar",
+				CredentialName: "bcd",
+				Comment:        "def",
+				IsolationMode:  "ISOLATED",
+			}).Return(&catalog.ExternalLocationInfo{
+				Name:           "abc",
+				Url:            "s3://foo/bar",
+				CredentialName: "bcd",
+				Comment:        "def",
+				IsolationMode:  "ISOLATED",
+				MetastoreId:    "e",
+				Owner:          "f",
+			}, nil)
+			w.GetMockMetastoresAPI().EXPECT().Current(mock.Anything).Return(&catalog.MetastoreAssignment{
+				MetastoreId: "e",
+				WorkspaceId: 123456789101112,
+			}, nil)
+			w.GetMockWorkspaceBindingsAPI().EXPECT().UpdateBindings(mock.Anything, catalog.UpdateWorkspaceBindingsParameters{
+				SecurableName: "abc",
+				SecurableType: "external-location",
+				Add: []catalog.WorkspaceBinding{
+					{
+						WorkspaceId: int64(123456789101112),
+						BindingType: catalog.WorkspaceBindingBindingTypeBindingTypeReadWrite,
+					},
+				},
+			}).Return(&catalog.WorkspaceBindingsResponse{
+				Bindings: []catalog.WorkspaceBinding{
+					{
+						WorkspaceId: int64(123456789101112),
+						BindingType: catalog.WorkspaceBindingBindingTypeBindingTypeReadWrite,
+					},
+				},
+			}, nil)
+			e.GetByName(mock.Anything, "abc").Return(&catalog.ExternalLocationInfo{
+				Name:           "abc",
+				Url:            "s3://foo/bar",
+				CredentialName: "bcd",
+				Comment:        "def",
+				IsolationMode:  "ISOLATED",
+				MetastoreId:    "e",
+				Owner:          "f",
+			}, nil)
+		},
+		Resource: ResourceExternalLocation(),
+		Create:   true,
+		HCL: `
+		name = "abc"
+		url = "s3://foo/bar"
+		credential_name = "bcd"
+		comment = "def"
+		isolation_mode = "ISOLATED"
+		`,
+	}.ApplyNoError(t)
+}
+
 func TestCreateExternalLocationWithOwner(t *testing.T) {
 	qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
diff --git a/catalog/resource_storage_credential.go b/catalog/resource_storage_credential.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/databricks/databricks-sdk-go"
 	"github.com/databricks/databricks-sdk-go/service/catalog"
+	"github.com/databricks/terraform-provider-databricks/catalog/bindings"
 	"github.com/databricks/terraform-provider-databricks/common"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -21,6 +22,7 @@ type StorageCredentialInfo struct {
 	MetastoreID                 string                                       `json:"metastore_id,omitempty" tf:"computed"`
 	ReadOnly                    bool                                         `json:"read_only,omitempty"`
 	SkipValidation              bool                                         `json:"skip_validation,omitempty"`
+	IsolationMode               string                                       `json:"isolation_mode,omitempty" tf:"computed"`
 }
 
 func removeGcpSaField(originalSchema map[string]*schema.Schema) map[string]*schema.Schema {
@@ -71,10 +73,11 @@ func ResourceStorageCredential() common.Resource {
 				}
 				d.SetId(storageCredential.CredentialInfo.Name)
 
-				// Don't update owner if it is not provided
-				if d.Get("owner") == "" {
+				// Update owner or isolation mode if it is provided
+				if !updateRequired(d, []string{"owner", "isolation_mode"}) {
 					return nil
 				}
+
 				update.Name = d.Id()
 				_, err = acc.StorageCredentials.Update(ctx, catalog.AccountsUpdateStorageCredential{
 					CredentialInfo:        &update,
@@ -96,8 +99,8 @@ func ResourceStorageCredential() common.Resource {
 				}
 				d.SetId(storageCredential.Name)
 
-				// Don't update owner if it is not provided
-				if d.Get("owner") == "" {
+				// Update owner or isolation mode if it is provided
+				if !updateRequired(d, []string{"owner", "isolation_mode"}) {
 					return nil
 				}
 
@@ -106,7 +109,8 @@ func ResourceStorageCredential() common.Resource {
 				if err != nil {
 					return err
 				}
-				return nil
+				// Bind the current workspace if the storage credential is isolated, otherwise the read will fail
+				return bindings.AddCurrentWorkspaceBindings(ctx, d, w, storageCredential.Name, "storage-credential")
 			})
 		},
 		Read: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
@@ -241,7 +245,8 @@ func ResourceStorageCredential() common.Resource {
 					}
 					return err
 				}
-				return nil
+				// Bind the current workspace if the storage credential is isolated, otherwise the read will fail
+				return bindings.AddCurrentWorkspaceBindings(ctx, d, w, update.Name, "storage-credential")
 			})
 		},
 		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
diff --git a/catalog/resource_storage_credential_test.go b/catalog/resource_storage_credential_test.go
@@ -4,8 +4,10 @@ import (
 	"testing"
 
 	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/databricks/databricks-sdk-go/experimental/mocks"
 	"github.com/databricks/databricks-sdk-go/service/catalog"
 	"github.com/databricks/terraform-provider-databricks/qa"
+	"github.com/stretchr/testify/mock"
 )
 
 func TestStorageCredentialsCornerCases(t *testing.T) {
@@ -60,6 +62,96 @@ func TestCreateStorageCredentials(t *testing.T) {
 	})
 }
 
+func TestCreateIsolatedStorageCredential(t *testing.T) {
+	qa.ResourceFixture{
+		MockWorkspaceClientFunc: func(w *mocks.MockWorkspaceClient) {
+			e := w.GetMockStorageCredentialsAPI().EXPECT()
+			e.Create(mock.Anything, catalog.CreateStorageCredential{
+				Name: "a",
+				AwsIamRole: &catalog.AwsIamRoleRequest{
+					RoleArn: "def",
+				},
+				Comment: "c",
+			}).Return(&catalog.StorageCredentialInfo{
+				Name: "a",
+				AwsIamRole: &catalog.AwsIamRoleResponse{
+					RoleArn:    "def",
+					ExternalId: "123",
+				},
+				MetastoreId: "d",
+				Id:          "1234-5678",
+				Owner:       "f",
+			}, nil)
+			e.Update(mock.Anything, catalog.UpdateStorageCredential{
+				Name: "a",
+				AwsIamRole: &catalog.AwsIamRoleRequest{
+					RoleArn: "def",
+				},
+				Comment:       "c",
+				IsolationMode: "ISOLATED",
+			}).Return(&catalog.StorageCredentialInfo{
+				Name: "a",
+				AwsIamRole: &catalog.AwsIamRoleResponse{
+					RoleArn:    "def",
+					ExternalId: "123",
+				},
+				MetastoreId:   "d",
+				Id:            "1234-5678",
+				Owner:         "f",
+				IsolationMode: "ISOLATED",
+			}, nil)
+			w.GetMockMetastoresAPI().EXPECT().Current(mock.Anything).Return(&catalog.MetastoreAssignment{
+				MetastoreId: "e",
+				WorkspaceId: 123456789101112,
+			}, nil)
+			w.GetMockWorkspaceBindingsAPI().EXPECT().UpdateBindings(mock.Anything, catalog.UpdateWorkspaceBindingsParameters{
+				SecurableName: "a",
+				SecurableType: "storage-credential",
+				Add: []catalog.WorkspaceBinding{
+					{
+						WorkspaceId: int64(123456789101112),
+						BindingType: catalog.WorkspaceBindingBindingTypeBindingTypeReadWrite,
+					},
+				},
+			}).Return(&catalog.WorkspaceBindingsResponse{
+				Bindings: []catalog.WorkspaceBinding{
+					{
+						WorkspaceId: int64(123456789101112),
+						BindingType: catalog.WorkspaceBindingBindingTypeBindingTypeReadWrite,
+					},
+				},
+			}, nil)
+			e.GetByName(mock.Anything, "a").Return(&catalog.StorageCredentialInfo{
+				Name: "a",
+				AwsIamRole: &catalog.AwsIamRoleResponse{
+					RoleArn:    "def",
+					ExternalId: "123",
+				},
+				MetastoreId:   "d",
+				Id:            "1234-5678",
+				Owner:         "f",
+				IsolationMode: "ISOLATED",
+			}, nil)
+		},
+		Resource: ResourceStorageCredential(),
+		Create:   true,
+		HCL: `
+		name = "a"
+		aws_iam_role {
+			role_arn = "def"
+		}
+		comment = "c"
+		isolation_mode = "ISOLATED"
+		`,
+	}.ApplyAndExpectData(t, map[string]any{
+		"aws_iam_role.0.external_id": "123",
+		"aws_iam_role.0.role_arn":    "def",
+		"name":                       "a",
+		"storage_credential_id":      "1234-5678",
+		"isolation_mode":             "ISOLATED",
+	})
+}
+
 func TestCreateStorageCredentialWithOwner(t *testing.T) {
 	qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
diff --git a/docs/resources/external_location.md b/docs/resources/external_location.md
@@ -129,6 +129,7 @@ The following arguments are required:
 - `force_update` - (Optional) Update external location regardless of its dependents.
 - `access_point` - (Optional) The ARN of the s3 access point to use with the external location (AWS).
 - `encryption_details` - (Optional) The options for Server-Side Encryption to be used by each Databricks s3 client when connecting to S3 cloud storage (AWS).
+- `isolation_mode` - (Optional) Whether the external location is accessible from all workspaces or a specific set of workspaces. Can be `ISOLATED` or `OPEN`. Setting the external location to `ISOLATED` will automatically allow access from the current workspace.
 
 ## Attribute Reference
 
diff --git a/docs/resources/storage_credential.md b/docs/resources/storage_credential.md
@@ -80,6 +80,7 @@ The following arguments are required:
 - `skip_validation` - (Optional) Suppress validation errors if any & force save the storage credential.
 - `force_destroy` - (Optional) Delete storage credential regardless of its dependencies.
 - `force_update` - (Optional) Update storage credential regardless of its dependents.
+- `isolation_mode` - (Optional) Whether the storage credential is accessible from all workspaces or a specific set of workspaces. Can be `ISOLATED` or `OPEN`. Setting the credential to `ISOLATED` will automatically allow access from the current workspace.
 
 `aws_iam_role` optional configuration block for credential details for AWS:
 
diff --git a/internal/acceptance/external_location_test.go b/internal/acceptance/external_location_test.go
@@ -21,6 +21,7 @@ func externalLocationTemplateWithOwner(comment string, owner string) string {
 			name            = "external-{var.STICKY_RANDOM}"
 			url             = "s3://{env.TEST_BUCKET}/some{var.STICKY_RANDOM}"
 			credential_name = databricks_storage_credential.external.id
+			isolation_mode  = "ISOLATED"
 			comment         = "%s"
 			owner = "%s"
 		}
@@ -34,9 +35,10 @@ func storageCredentialTemplateWithOwner(comment, owner string) string {
 			aws_iam_role {
 				role_arn = "{env.TEST_METASTORE_DATA_ACCESS_ARN}"
 			}
-			comment = "%s"
-			owner = "%s"
-			force_update = true
+			comment        = "%s"
+			owner          = "%s"
+			isolation_mode = "ISOLATED"
+			force_update   = true
 		}
 	`, comment, owner)
 }

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ func externalLocationTemplateWithOwner(comment string, owner string) string {`
`21`	`21`	`name = "external-{var.STICKY_RANDOM}"`
`22`	`22`	`url = "s3://{env.TEST_BUCKET}/some{var.STICKY_RANDOM}"`
`23`	`23`	`credential_name = databricks_storage_credential.external.id`
	`24`	`+ isolation_mode = "ISOLATED"`
`24`	`25`	`comment = "%s"`
`25`	`26`	`owner = "%s"`
`26`	`27`	`}`
`@@ -34,9 +35,10 @@ func storageCredentialTemplateWithOwner(comment, owner string) string {`
`34`	`35`	`aws_iam_role {`
`35`	`36`	`role_arn = "{env.TEST_METASTORE_DATA_ACCESS_ARN}"`
`36`	`37`	`}`
`37`		`- comment = "%s"`
`38`		`- owner = "%s"`
`39`		`- force_update = true`
	`38`	`+ comment = "%s"`
	`39`	`+ owner = "%s"`
	`40`	`+ isolation_mode = "ISOLATED"`
	`41`	`+ force_update = true`
`40`	`42`	`}`
`41`	`43`	`, comment, owner)
`42`	`44`	`}`