import * as pulumi from "@pulumi/pulumi";
/**
* > This resource can only be used with a workspace-level provider!
*
* This resource creates [On-Behalf-Of tokens](https://docs.databricks.com/administration-guide/users-groups/service-principals.html#manage-personal-access-tokens-for-a-service-principal) for a databricks.ServicePrincipal in Databricks workspaces on AWS and GCP. In general, prefer OAuth authentication with a client ID and secret, and use this resource mainly for integrations that don't support OAuth.
*
* > To create On-Behalf-Of token for Azure Service Principal, configure Pulumi provider to use Azure service principal's client ID and secret, and use `databricks.Token` resource to create a personal access token.
*
* ## Example Usage
*
* Creating a token for a narrowly scoped service principal that is the only principal (besides admins) allowed to use PATs in this workspace, which keeps the set of PAT-capable identities for your automated deployment as small as possible.
*
* > Declaring the `token_usage` `databricks.Permissions` resource shown below would OVERWRITE the existing permissions to use PATs, including those of groups that already have token usage permissions, such as the `users` group. To keep them, include each desired group in an additional `accessControls` entry of that resource.
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as databricks from "@pulumi/databricks";
*
* const _this = new databricks.ServicePrincipal("this", {displayName: "Automation-only SP"});
* const tokenUsage = new databricks.Permissions("token_usage", {
* authorization: "tokens",
* accessControls: [{
* servicePrincipalName: _this.applicationId,
* permissionLevel: "CAN_USE",
* }],
* });
* const thisOboToken = new databricks.OboToken("this", {
* applicationId: _this.applicationId,
* comment: pulumi.interpolate`PAT on behalf of ${_this.displayName}`,
* lifetimeSeconds: 3600,
* }, {
* dependsOn: [tokenUsage],
* });
* export const obo = thisOboToken.tokenValue;
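* ```
*
* > `tokenValue` is a credential for the service principal. Exporting it, as `obo` does above, makes it a stack output, so export it only when a consumer needs it and limit who can read the stack's outputs and state.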
*
* Creating a token for a service principal with admin privileges
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as databricks from "@pulumi/databricks";
*
* const _this = new databricks.ServicePrincipal("this", {displayName: "Pulumi"});
* const admins = databricks.getGroup({
* displayName: "admins",
* });
* const thisGroupMember = new databricks.GroupMember("this", {
* groupId: admins.then(admins => admins.id),
* memberId: _this.id,
* });
* const thisOboToken = new databricks.OboToken("this", {
* applicationId: _this.applicationId,
* comment: pulumi.interpolate`PAT on behalf of ${_this.displayName}`,
* lifetimeSeconds: 3600,
* }, {
* dependsOn: [thisGroupMember],
* });
* ```
*
* ## Related Resources
*
* The following resources are often used in the same context:
*
* * End to end workspace management guide.
* * databricks.Group data to retrieve information about databricks.Group members, entitlements and instance profiles.
* * databricks.GroupMember to attach users and groups as group members.
* * databricks.Permissions to manage [access control](https://docs.databricks.com/security/access-control/index.html) in Databricks workspace.
* * databricks.ServicePrincipal to manage [Service Principals](https://docs.databricks.com/administration-guide/users-groups/service-principals.html) that could be added to databricks.Group within workspace.
* * databricks.SqlPermissions to manage data object access control lists in Databricks workspaces for things like tables, views, databases, and [more](https://docs.databricks.com/security/access-control/table-acls/object-privileges.html).
*
* ## Import
*
* > Importing this resource is not currently supported.
*/
export declare class OboToken extends pulumi.CustomResource {
/**
* Get an existing OboToken resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* Note that the `state` type (OboTokenState) includes `tokenValue`, so a caller can pass the
* credential itself as a lookup property; treat any such value as a secret.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OboTokenState, opts?: pulumi.CustomResourceOptions): OboToken;
/**
* Returns true if the given object is an instance of OboToken. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*
* @param obj The value to test; it is typed `any`, so any value can be passed.
*/
static isInstance(obj: any): obj is OboToken;
/**
* Application ID of the databricks.ServicePrincipal that the PAT is created on behalf of.
* The token acts as this principal, so its reach is whatever that principal is permitted to do.
*/
readonly applicationId: pulumi.Output<string>;
/**
* Comment that describes the purpose of the token.
*/
readonly comment: pulumi.Output<string | undefined>;
/**
* The number of seconds before the token expires. The token resource is re-created when it expires.
* If no lifetime is specified, the token remains valid indefinitely, i.e. the result is a
* credential with no expiry. Prefer an explicit lifetime; the examples in this file use 3600.
*/
readonly lifetimeSeconds: pulumi.Output<number | undefined>;
/**
* **Sensitive** value of the newly-created token.
*
* NOTE(review): this declaration types the value as a plain `pulumi.Output<string>`; whether the
* provider registers it as a Pulumi secret is not visible here — confirm before exporting it as
* a stack output or writing it to logs.
*/
readonly tokenValue: pulumi.Output<string>;
/**
* Create an OboToken resource with the given unique name, arguments, and options.
*
* `tokenValue` is not part of OboTokenArgs: it is only available as an output of the
* created resource.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: OboTokenArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering OboToken resources.
*/
export interface OboTokenState {
/**
* Application ID of the databricks.ServicePrincipal that the PAT is created on behalf of.
*/
applicationId?: pulumi.Input<string>;
/**
* Comment that describes the purpose of the token.
*/
comment?: pulumi.Input<string>;
/**
* The number of seconds before the token expires. The token resource is re-created when it expires.
* If no lifetime is specified, the token remains valid indefinitely.
*/
lifetimeSeconds?: pulumi.Input<number>;
/**
* **Sensitive** value of the newly-created token.
*
* This is the credential itself. Avoid hard-coding it as a literal in program source when
* supplying lookup state.
*/
tokenValue?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a OboToken resource.
*/
export interface OboTokenArgs {
/**
* Application ID of the databricks.ServicePrincipal that the PAT is created on behalf of.
* This is the only required argument.
*/
applicationId: pulumi.Input<string>;
/**
* Comment that describes the purpose of the token.
*/
comment?: pulumi.Input<string>;
/**
* The number of seconds before the token expires. The token resource is re-created when it expires.
* If no lifetime is specified, the token remains valid indefinitely, so leaving this unset
* creates a credential with no expiry. Prefer an explicit lifetime; the examples in this
* file use 3600.
*/
lifetimeSeconds?: pulumi.Input<number>;
}