feat: add use / manage privilege groups. expose external location and catalogs as output (#755)

cjbraley · web-flow · commit 5d225f581e95 · 2025-11-19T12:21:51.000-08:00
* Add use group. Expose external location and catalogs as output

* add manage group
diff --git a/databricks-catalog-external-location/catalogs.tf b/databricks-catalog-external-location/catalogs.tf
@@ -18,6 +18,17 @@ resource "databricks_grants" "grants" {
     databricks_catalog.catalog
   ]
 
+  dynamic "grant" {
+    for_each = toset(each.value.manage_privileges_groups)
+    content {
+      principal = grant.value
+      privileges = [
+        "ALL_PRIVILEGES",
+        "MANAGE",
+      ]
+    }
+  }
+
   dynamic "grant" {
     for_each = toset(each.value.all_privileges_groups)
     content {
@@ -29,31 +40,41 @@ resource "databricks_grants" "grants" {
   }
 
   dynamic "grant" {
-    for_each = toset(each.value.read_privileges_groups)
+    for_each = toset(each.value.write_privileges_groups)
     content {
       principal = grant.value
       privileges = [
         "USE_CATALOG",
         "USE_SCHEMA",
         "SELECT",
+        "CREATE_TABLE",
+        "CREATE_SCHEMA",
+        "MODIFY",
         "BROWSE",
       ]
     }
   }
 
   dynamic "grant" {
-    for_each = toset(each.value.write_privileges_groups)
+    for_each = toset(each.value.read_privileges_groups)
     content {
       principal = grant.value
       privileges = [
         "USE_CATALOG",
         "USE_SCHEMA",
         "SELECT",
-        "CREATE_TABLE",
-        "CREATE_SCHEMA",
-        "MODIFY",
         "BROWSE",
       ]
     }
   }
+
+  dynamic "grant" {
+    for_each = toset(each.value.use_privileges_groups)
+    content {
+      principal = grant.value
+      privileges = [
+        "USE_CATALOG",
+      ]
+    }
+  }
 }
diff --git a/databricks-catalog-external-location/outputs.tf b/databricks-catalog-external-location/outputs.tf
@@ -0,0 +1,9 @@
+output "catalogs" {
+  description = "Map of created Databricks catalogs, keyed by catalog name"
+  value       = databricks_catalog.catalog
+}
+
+output "external_location" {
+  description = "The Databricks external location"
+  value       = databricks_external_location.external_locations
+}
diff --git a/databricks-catalog-external-location/variables.tf b/databricks-catalog-external-location/variables.tf
@@ -45,8 +45,10 @@ variable "catalogs" {
       enable_predictive_optimization = optional(string, "INHERIT")
       owner                          = string
       all_privileges_groups          = list(string)
+      manage_privileges_groups       = optional(list(string), [])
       read_privileges_groups         = optional(list(string), [])
       write_privileges_groups        = optional(list(string), [])
+      use_privileges_groups          = optional(list(string), [])
       catalog_prefix                 = optional(string, "")
   }))
 }
