databricks_service_principal_federation_policy #4635
Conversation
|
@rauchy Would you be able to review this? |
| return err | ||
| } | ||
| name := spfp.Name | ||
| d.SetId(name[strings.LastIndex(name, "/")+1:]) |
There was a problem hiding this comment.
I'm not sure I understand this. If name is optional and can be user-specified then I don't think we can assume it is the ID ("uid" field). Though, Databricks docs say "if specified in a request, must match the value in the request URL", but they must be referring to account ID and SP ID because policy ID is not in the URL and is not known until the policy is created.
https://docs.databricks.com/api/account/serviceprincipalfederationpolicy/create
It seems simpler to just use the uid field, directly, since this is what the API expects for update/delete requests, not necessarily the last part of the name.
https://pkg.go.dev/github.com/databricks/[email protected]/service/oauth2#FederationPolicy
| d.SetId(name[strings.LastIndex(name, "/")+1:]) | |
| d.SetId(spfp.Uid) |
There was a problem hiding this comment.
Thank you for taking the time to review my pull request. This part was very confusing to me as well, and I’d like to explain what I’ve understood.
So, if the name is not set, then the generated name looks like:
accounts/482323ec-21a2-4d23-a4bb-4fdacf0ee506/servicePrincipals/2479342822644814/federationPolicies/388f001e-5f0a-42c3-bc0d-5da1a33a3798,
where the last part equals the value of the uid field. and available at the link https://accounts.cloud.databricks.com/api/2.0/accounts/482323ec-21a2-4d23-a4bb-4fdacf0ee506/servicePrincipals/2479342822644814/federationPolicies/388f001e-5f0a-42c3-bc0d-5da1a33a3798
Now let’s consider a example where the user sets the name manually. Any name that does not start with
accounts/482323ec-21a2-4d23-a4bb-4fdacf0ee506/servicePrincipals/2479342822644814/federationPolicies/
will be rejected.
The last part of the name may only contain letters, numbers, and hyphens.
For example, if I create a policy with the name:
accounts/482323ec-21a2-4d23-a4bb-4fdacf0ee506/servicePrincipals/2479342822644814/federationPolicies/fdfsd,
then it will be accessible via:
https://accounts.cloud.databricks.com/api/2.0/accounts/482323ec-21a2-4d23-a4bb-4fdacf0ee506/servicePrincipals/2479342822644814/federationPolicies/fdfsd
Whereas the link:
https://accounts.cloud.databricks.com/api/2.0/accounts/482323ec-21a2-4d23-a4bb-4fdacf0ee506/servicePrincipals/2479342822644814/federationPolicies/4e09f9a3-bb95-4e3d-a47c-9c437803d7cd
will return 404.
There was a problem hiding this comment.
Oh, you are right, I just double checked with the CLI. Thanks for explaining! It's quite strange because Databricks calls this part "policy id" in their API docs, but the examples suggest it is the end part of the name, like you say.
https://docs.databricks.com/api/account/serviceprincipalfederationpolicy/get
There was a problem hiding this comment.
I’ve updated the code so that the UUID is used as the ID and is unique. I’d really appreciate it if you could review it
AntonBarkan
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
Co-authored-by: Gary Fernie <[email protected]>
Co-authored-by: Gary Fernie <[email protected]>
|
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
| ) | ||
|
|
||
| func ResourceServicePrincipalFederationPolicy() common.Resource { | ||
| s := map[string]*schema.Schema{ |
There was a problem hiding this comment.
As I understand it, the contribution guide asks that the schema is created using common.StructToSchema.
For example:
This looks like the correct struct to use:
Changes
#4489
Tests
make testrun locallydocs/folderinternal/acceptance