subcategory |
---|
Unity Catalog |
Optionally, each databricks_metastore can have root storage credential defined as databricks_metastore_data_access
. This will be used by Unity Catalog to access data in the root storage location if defined.
For AWS
resource "databricks_metastore" "this" {
name = "primary"
storage_root = "s3://${aws_s3_bucket.metastore.id}/metastore"
owner = "uc admins"
region = "us-east-1"
force_destroy = true
}
resource "databricks_metastore_data_access" "this" {
metastore_id = databricks_metastore.this.id
name = aws_iam_role.metastore_data_access.name
aws_iam_role {
role_arn = aws_iam_role.metastore_data_access.arn
}
is_default = true
}
For Azure using managed identity as credential (recommended)
resource "databricks_metastore" "this" {
name = "primary"
storage_root = format("abfss://%s@%s.dfs.core.windows.net/",
azurerm_storage_container.unity_catalog.name,
azurerm_storage_account.unity_catalog.name)
owner = "uc admins"
region = "eastus"
force_destroy = true
}
resource "databricks_metastore_data_access" "this" {
metastore_id = databricks_metastore.this.id
name = "mi_dac"
azure_managed_identity {
access_connector_id = var.access_connector_id
}
is_default = true
}
The following arguments are required:
name
- Name of Data Access Configuration, which must be unique within the databricks_metastore. Change forces creation of a new resource.metastore_id
- Unique identifier of the parent Metastoreowner
- (Optional) Username/groupname/sp application_id of the data access configuration owner.force_destroy
- (Optional) Delete the data access configuration regardless of its dependencies.
aws_iam_role
optional configuration block for credential details for AWS:
role_arn
- The Amazon Resource Name (ARN) of the AWS IAM role for S3 data access, of the formarn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF
azure_managed_identity
optional configuration block for using managed identity as credential details for Azure (Recommended):
access_connector_id
- The Resource ID of the Azure Databricks Access Connector resource, of the form/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.Databricks/accessConnectors/connector-name
.managed_identity_id
- (Optional) The Resource ID of the Azure User Assigned Managed Identity associated with Azure Databricks Access Connector, of the form/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/user-managed-identity-name
.
databricks_gcp_service_account
optional configuration block for creating a Databricks-managed GCP Service Account:
email
(output only) - The email of the GCP service account created, to be granted access to relevant buckets.
azure_service_principal
optional configuration block for credential details for Azure (Legacy):
directory_id
- The directory ID corresponding to the Azure Active Directory (AAD) tenant of the applicationapplication_id
- The application ID of the application registration within the referenced AAD tenantclient_secret
- The client secret generated for the above app ID in AAD. This field is redacted on output
In addition to all arguments above, the following attributes are exported:
id
- ID of this data access configuration in form of<metastore_id>|<name>
.
This resource can be imported by combination of metastore id and the data access name.
terraform import databricks_metastore_data_access.this '<metastore_id>|<name>'