@pulumi/databricks
A Pulumi package for creating and managing databricks cloud resources.
// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
// CommonJS interop marker: sets the non-enumerable `__esModule` flag on this module's exports.
Object.defineProperty(exports, "__esModule", { value: true });
// Declare the export slot up front; the class itself is assigned to it after its definition below.
exports.OboToken = void 0;
const pulumi = require("@pulumi/pulumi");
const utilities = require("./utilities");
/**
* > This resource can only be used with a workspace-level provider!
*
* This resource creates [On-Behalf-Of tokens](https://docs.databricks.com/administration-guide/users-groups/service-principals.html#manage-personal-access-tokens-for-a-service-principal) for a databricks.ServicePrincipal in Databricks workspaces on AWS and GCP. In general it's best to use OAuth authentication with a client ID and secret, and to use this resource mostly for integrations that don't support OAuth.
*
* > To create On-Behalf-Of token for Azure Service Principal, configure Pulumi provider to use Azure service principal's client ID and secret, and use `databricks.Token` resource to create a personal access token.
*
* ## Example Usage
*
* Creating a token for a narrowly scoped service principal that would be the only one (besides admins) allowed to use PAT tokens in the given workspace, keeping your automated deployment highly secure.
*
* > A given declaration of `databricks_permissions.token_usage` would OVERWRITE permissions to use PAT tokens from any existing groups with token usage permissions such as the `users` group. To avoid this, be sure to include any desired groups in additional `accessControl` blocks in the Pulumi configuration file.
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as databricks from "@pulumi/databricks";
*
* const _this = new databricks.ServicePrincipal("this", {displayName: "Automation-only SP"});
* const tokenUsage = new databricks.Permissions("token_usage", {
* authorization: "tokens",
* accessControls: [{
* servicePrincipalName: _this.applicationId,
* permissionLevel: "CAN_USE",
* }],
* });
* const thisOboToken = new databricks.OboToken("this", {
* applicationId: _this.applicationId,
* comment: pulumi.interpolate`PAT on behalf of ${_this.displayName}`,
* lifetimeSeconds: 3600,
* }, {
* dependsOn: [tokenUsage],
* });
* export const obo = thisOboToken.tokenValue;
* ```
*
* Creating a token for a service principal with admin privileges
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as databricks from "@pulumi/databricks";
*
* const _this = new databricks.ServicePrincipal("this", {displayName: "Pulumi"});
* const admins = databricks.getGroup({
* displayName: "admins",
* });
* const thisGroupMember = new databricks.GroupMember("this", {
* groupId: admins.then(admins => admins.id),
* memberId: _this.id,
* });
* const thisOboToken = new databricks.OboToken("this", {
* applicationId: _this.applicationId,
* comment: pulumi.interpolate`PAT on behalf of ${_this.displayName}`,
* lifetimeSeconds: 3600,
* }, {
* dependsOn: [thisGroupMember],
* });
* ```
*
* ## Related Resources
*
* The following resources are often used in the same context:
*
* * End to end workspace management guide.
* * databricks.Group data to retrieve information about databricks.Group members, entitlements and instance profiles.
* * databricks.GroupMember to attach users and groups as group members.
* * databricks.Permissions to manage [access control](https://docs.databricks.com/security/access-control/index.html) in Databricks workspace.
* * databricks.ServicePrincipal to manage [Service Principals](https://docs.databricks.com/administration-guide/users-groups/service-principals.html) that could be added to databricks.Group within workspace.
* * databricks.SqlPermissions to manage data object access control lists in Databricks workspaces for things like tables, views, databases, and [more](https://docs.databricks.com/security/access-control/table-acls/object-privileges.html).
*
* ## Import
*
* !> Importing this resource is not currently supported.
*/
class OboToken extends pulumi.CustomResource {
    /**
     * Look up an existing OboToken by name and provider ID, optionally qualified by extra state.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns A new OboToken constructed with `opts` extended by the given `id`.
     */
    static get(name, id, state, opts) {
        // Copy the caller's options so they are not mutated; the explicit id wins over any opts.id.
        const lookupOpts = Object.assign({}, opts, { id: id });
        return new OboToken(name, state, lookupOpts);
    }
    /**
     * Returns true if the given object is an instance of OboToken. The check compares the
     * `__pulumiType` tag rather than using `instanceof`, so it is designed to work even when
     * multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj) {
        const isMissing = obj === null || obj === undefined;
        return isMissing ? false : obj.__pulumiType === OboToken.__pulumiType;
    }
    /**
     * Create an OboToken resource, or rehydrate one from existing state when `opts.id` is set.
     *
     * @param name The _unique_ name of the resource.
     * @param argsOrState Creation arguments, or previously recorded state when `opts.id` is set.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @throws Error when `applicationId` is missing on the creation path and `opts.urn` is not set.
     */
    constructor(name, argsOrState, opts) {
        opts = opts || {};
        const resourceInputs = {};
        if (opts.id) {
            // Lookup path: every property, including the token value, is taken from the state.
            const state = argsOrState;
            for (const key of ["applicationId", "comment", "lifetimeSeconds", "tokenValue"]) {
                resourceInputs[key] = state ? state[key] : undefined;
            }
        }
        else {
            // Creation path: applicationId is mandatory unless a URN was supplied.
            // NOTE(review): presumably opts.urn marks a reference to an already-registered resource — confirm.
            const args = argsOrState;
            const hasApplicationId = args && args.applicationId !== undefined;
            if (!hasApplicationId && !opts.urn) {
                throw new Error("Missing required property 'applicationId'");
            }
            for (const key of ["applicationId", "comment", "lifetimeSeconds"]) {
                resourceInputs[key] = args ? args[key] : undefined;
            }
            // Output-only: callers cannot supply the token value when creating the resource.
            resourceInputs["tokenValue"] = undefined /*out*/;
        }
        const withDefaults = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
        // tokenValue is a bearer credential, so it is always registered as an additional secret
        // output, whatever options the caller passed. Anyone permitted to read the stack's
        // secrets can still recover it, so short lifetimes (lifetimeSeconds) remain worthwhile.
        const finalOpts = pulumi.mergeOptions(withDefaults, { additionalSecretOutputs: ["tokenValue"] });
        super(OboToken.__pulumiType, name, resourceInputs, finalOpts);
    }
}
// Publish the class on this module's exports, replacing the placeholder set at the top of the file.
exports.OboToken = OboToken;
/**
 * Type token identifying this resource kind: the constructor passes it to the base class and
 * isInstance() compares an object's `__pulumiType` against it.
 * @internal
 */
OboToken.__pulumiType = 'databricks:index/oboToken:OboToken';
//# sourceMappingURL=oboToken.js.map
;