add all privileges group

chanzuckerberg · Dec 4, 2024 · 4f58b2e · 4f58b2e
1 parent 0ef7122
commit 4f58b2e
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/databricks-s3-volume/grants.tf b/databricks-s3-volume/grants.tf
@@ -1,12 +1,24 @@
 locals {
   # Only set the grant principals if the catalog and/or schema doesn't already exist
+  catalog_all_priv_grant_principals = var.create_catalog ? var.catalog_all_priv_grant_principals : []
+  catalog_all_priv_grant_principals = concat(local.catalog_all_priv_grant_principals, [var.owner])
   catalog_r_grant_principals = var.create_catalog ? var.catalog_r_grant_principals : []
   catalog_rw_grant_principals = var.create_catalog ? var.catalog_rw_grant_principals : []
   schema_r_grant_principals = var.create_schema ? var.schema_r_grant_principals : []
   schema_rw_grant_principals = var.create_schema ? var.schema_rw_grant_principals : []
 }
 
 # catalog
+
+resource "databricks_grant" "catalog_all_privileges" {
+  depends_on = [databricks_catalog.volume[0]]
+  for_each   = toset(local.catalog_all_priv_grant_principals)
+
+  catalog    = local.catalog_name
+  principal  = each.value
+  privileges = ["ALL_PRIVILEGES"]
+}
+
 resource "databricks_grant" "catalog_r" {
   depends_on = [databricks_catalog.volume[0]]
   for_each   = toset(local.catalog_r_grant_principals)

diff --git a/databricks-s3-volume/variables.tf b/databricks-s3-volume/variables.tf
@@ -70,6 +70,12 @@ variable "bucket_object_ownership" {
   }
 }
 
+variable "catalog_all_priv_grant_principals" {
+  description = "(Optional) Databricks groups to grant all-privileges permission to on the catalog. Owner is included"
+  type        = list(string)
+  default     = []
+}
+
 variable "catalog_r_grant_principals" {
   description = "(Optional) Databricks groups to grant read-only permissions to on the catalog"
   type        = list(string)