diff --git a/docs/guides/experimental-exporter.md b/docs/guides/experimental-exporter.md index b013bc7d9..bc6f94486 100644 --- a/docs/guides/experimental-exporter.md +++ b/docs/guides/experimental-exporter.md @@ -113,7 +113,7 @@ Services are just logical groups of resources used for filtering and organizatio -> **Note** Please note that for services not marked with **listing**, we'll export resources only if they are referenced from other resources. -* `access` - [databricks_permissions](../resources/permissions.md), [databricks_instance_profile](../resources/instance_profile.md), [databricks_ip_access_list](../resources/ip_access_list.md), [databricks_mws_permission_assignment](../resources/mws_permission_assignment.md) and [databricks_access_control_rule_set](../resources/access_control_rule_set.md). +* `access` - **listing** [databricks_permissions](../resources/permissions.md), [databricks_instance_profile](../resources/instance_profile.md), [databricks_ip_access_list](../resources/ip_access_list.md), [databricks_mws_permission_assignment](../resources/mws_permission_assignment.md) and [databricks_access_control_rule_set](../resources/access_control_rule_set.md). *Please note that for `databricks_permissions` we list only `authorization = "tokens"`, the permissions for other objects (notebooks, ...) will be emitted when corresponding objects are processed!* * `alerts` - **listing** [databricks_alert](../resources/alert.md). * `compute` - **listing** [databricks_cluster](../resources/cluster.md). * `dashboards` - **listing** [databricks_dashboard](../resources/dashboard.md). diff --git a/exporter/exporter_test.go b/exporter/exporter_test.go index 8d6d076ca..05142b993 100644 --- a/exporter/exporter_test.go +++ b/exporter/exporter_test.go 
@@ -236,6 +236,13 @@ var meAdminFixture = qa.HTTPFixture{ }, } +var getTokensPermissionsFixture = qa.HTTPFixture{ + Method: "GET", + Resource: "/api/2.0/permissions/authorization/tokens?", + Response: getJSONObject("test-data/get-tokens-permissions.json"), + ReuseRequest: true, +} + var emptyPipelines = qa.HTTPFixture{ Method: "GET", ReuseRequest: true, @@ -737,6 +744,7 @@ func TestImportingUsersGroupsSecretScopes(t *testing.T) { Key: "b", }, }, + getTokensPermissionsFixture, }, func(ctx context.Context, client *common.DatabricksClient) { tmpDir := fmt.Sprintf("/tmp/tf-%s", qa.RandomName()) defer os.RemoveAll(tmpDir) @@ -1830,6 +1838,7 @@ func TestImportingIPAccessLists(t *testing.T) { emptyWorkspaceConf, dummyWorkspaceConf, allKnownWorkspaceConfs, + getTokensPermissionsFixture, { Method: "GET", Resource: "/api/2.0/global-init-scripts", diff --git a/exporter/importables.go b/exporter/importables.go index fedc1b8fa..c60c59d3d 100644 --- a/exporter/importables.go +++ b/exporter/importables.go @@ -1106,6 +1106,16 @@ var resourcesMap map[string]importable = map[string]importable{ s := strings.Split(d.Id(), "/") return s[len(s)-1] }, + List: func(ic *importContext) error { + if ic.meAdmin { + ic.Emit(&resource{ + Resource: "databricks_permissions", + ID: "/authorization/tokens", + Name: "tokens_usage", + }) + } + return nil + }, Depends: []reference{ {Path: "job_id", Resource: "databricks_job"}, {Path: "pipeline_id", Resource: "databricks_pipeline"}, diff --git a/exporter/test-data/get-tokens-permissions.json b/exporter/test-data/get-tokens-permissions.json new file mode 100644 index 000000000..11b3a1f08 --- /dev/null +++ b/exporter/test-data/get-tokens-permissions.json @@ -0,0 +1,15 @@ +{ + "access_control_list": [ + { + "all_permissions": [ + { + "inherited":false, + "permission_level":"CAN_MANAGE" + } + ], + "group_name":"admins" + } + ], + "object_id":"/authorization/tokens", + "object_type":"tokens" +}
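Review bot: The new `getTokensPermissionsFixture` (first hunk of exporter/exporter_test.go) is added to `TestImportingUsersGroupsSecretScopes` and `TestImportingIPAccessLists` in the next two hunks, but no visible line asserts that a `databricks_permissions` resource named `tokens_usage` reaches the generated output. No test covers a run where `ic.meAdmin` is false either. The response in test-data/get-tokens-permissions.json holds only the `admins` group with `CAN_MANAGE`, so an ACL with additional principals is not exercised. Both test bodies continue outside the hunks, so these checks may already exist there. If they do not, add an assertion on the generated file and a non-admin case that expects no `tokens_usage` resource.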
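Review bot: The `List` callback added to the `databricks_permissions` entry in exporter/importables.go emits nothing and returns nil when `ic.meAdmin` is false, so a non-admin export silently omits the token-usage ACL. A workspace rebuilt from that export would presumably keep the target's default token permissions, which may be broader than the source's. A log line in the non-admin path would make the gap visible, for example `log.Printf("[INFO] skipping /authorization/tokens permissions: current user is not an admin")`, if this file already logs through `log`. A comment above the check, such as `// only admins can read token permissions (confirm)`, would record why the gate exists. The enclosing map entry starts and ends outside the hunk.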