[ISSUE] Issue with databricks_permissions resource when user_name is used for access_control. There is a permanent drift with each terraform plan and apply #5183

@ltutar

Description

Configuration

Terraform 1.9.0.

    databricks = {
      source  = "databricks/databricks"
      version = "= 1.96.0"
    }

Expected Behavior

With consecutive terraform plan runs, I would not expect a configuration drift. Terraform apply will now remove and apply the same databricks permissions.

Actual Behavior

The following resources were working fine. No configuration drift. Terraform would say "no infrastructure change".

resource "databricks_permissions" "compass_sql_endpoint_permissions" {
  sql_endpoint_id = databricks_sql_endpoint.compass_sql_endpoint_x_small.id

  dynamic "access_control" {
    for_each = var.databricks_groups_assign_to_sql_endpoint
    content {
      group_name       = access_control.key
      permission_level = access_control.value
    }
  }
  dynamic "access_control" {
    for_each = var.databricks_service_principals_assign_to_sql_endpoint
    content {
      service_principal_name = access_control.key
      permission_level       = access_control.value
    }
  }
  provider = databricks.databricks_ws
}

When I added the user_name, the resource block became the following:

resource "databricks_permissions" "compass_sql_endpoint_permissions" {
  sql_endpoint_id = databricks_sql_endpoint.compass_sql_endpoint_x_small.id

  dynamic "access_control" {
    for_each = var.databricks_groups_assign_to_sql_endpoint
    content {
      group_name       = access_control.key
      permission_level = access_control.value
    }
  }

  dynamic "access_control" {
    for_each = var.databricks_users_assign_to_sql_endpoint
    content {
      user_name        = access_control.key
      permission_level = access_control.value
    }
  }

  dynamic "access_control" {
    for_each = var.databricks_service_principals_assign_to_sql_endpoint
    content {
      service_principal_name = access_control.key
      permission_level       = access_control.value
    }
  }
  provider = databricks.databricks_ws
}

Now with each terraform plan, I see

Steps to Reproduce

Use user_name in a databricks_permission.

  dynamic "access_control" {
    for_each = var.databricks_users_assign_to_sql_endpoint
    content {
      user_name        = access_control.key
      permission_level = access_control.value
    }
  }

The variables are shown below:

databricks_users_assign_to_sql_endpoint = {
  "[email protected]" : "CAN_MANAGE"
}
databricks_groups_assign_to_sql_endpoint = {
  "AadDptITDataPlatformEngineers" : "CAN_MANAGE",
  "AadDptITAnalyticsEngineers" : "CAN_MONITOR",
  "AadDptITReportingEngineers" : "CAN_MONITOR"
}

Terraform and provider versions

Terraform version 1.9.0.

Is it a regression?

Debug Output

If this is enough to reproduce the issue, I would not like to share it because of sensitive information with subscription_id etc. etc.

Important Factoids

Would you like to implement a fix?
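
A check for whether a plan like the one reported above really leaves the effective grants unchanged, as an added example (not code from the issue or from the provider): it reads `resource_changes` from `terraform show -json` output and compares `access_control` blocks as unordered sets. The sample plan, `user@example.com` and `databricks_permissions.example_other` are constructed placeholders, and the check assumes the `after` values are known at plan time.

```python
import json
import sys

PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")

def grants(state):
    """Order-independent set of (principal kind, principal, level) for one resource state."""
    entries = (state or {}).get("access_control") or []
    return {(k, ac[k], ac.get("permission_level") or "")
            for ac in entries for k in PRINCIPAL_KEYS if ac.get(k)}

def permission_changes(plan):
    """For each databricks_permissions resource the plan touches, list real grant differences."""
    report = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "databricks_permissions" or change.get("actions") == ["no-op"]:
            continue
        before, after = grants(change.get("before")), grants(change.get("after"))
        report[rc["address"]] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return report

def churn_only(entry):
    """True when the plan rewrites the ACL but the effective grants are identical."""
    return not entry["added"] and not entry["removed"]

# Constructed sample shaped like `terraform show -json` output; not output from the issue.
# Unset principal attributes appear as null in plan JSON, which _ac() mimics.
def _ac(kind, name, level):
    return {"group_name": None, "user_name": None, "service_principal_name": None,
            kind: name, "permission_level": level}

def _rc(address, before, after):
    return {"address": address, "type": "databricks_permissions",
            "change": {"actions": ["update"], "before": {"access_control": before},
                       "after": {"access_control": after}}}

_grp = _ac("group_name", "AadDptITDataPlatformEngineers", "CAN_MANAGE")
_usr = _ac("user_name", "user@example.com", "CAN_MANAGE")  # placeholder address
SAMPLE_PLAN = {"resource_changes": [
    _rc("databricks_permissions.compass_sql_endpoint_permissions", [_grp, _usr], [_usr, _grp]),
    _rc("databricks_permissions.example_other",  # hypothetical second resource
        [_ac("group_name", "AadDptITAnalyticsEngineers", "CAN_MONITOR")],
        [_ac("group_name", "AadDptITAnalyticsEngineers", "CAN_MANAGE")]),
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, entry in permission_changes(plan).items():
        print(address, "churn only" if churn_only(entry) else entry)
```

Run it with the path to a saved `terraform show -json` file as the only argument; with no argument it uses the constructed sample.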
