fix: make defining permissions optional

README.md

@@ -101,8 +101,10 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_external_locations"></a> [external\_locations](#input\_external\_locations) | List of object with external location configuration attributes | <pre>list(object({<br/>    index            = string # Index of instance, for example short name, used later to access exact external location in output map<br/>    name             = string # Custom whole name of resource<br/>    url              = string # Path URL in cloud storage<br/>    credentials_name = optional(string)<br/>    owner            = optional(string)      # Owner of resource<br/>    skip_validation  = optional(bool, true)  # Suppress validation errors if any & force save the external location<br/>    read_only        = optional(bool, false) # Indicates whether the external location is read-only.<br/>    force_destroy    = optional(bool, true)<br/>    force_update     = optional(bool, true)<br/>    comment          = optional(string, "External location provisioned by Terraform")<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  }))</pre> | `[]` | no |
-| <a name="input_storage_credential"></a> [storage\_credential](#input\_storage\_credential) | Object with storage credentials configuration attributes | <pre>object({<br/>    azure_access_connector_id = optional(string, null) # Azure Databricks Access Connector Id<br/>    cloud                     = optional(string, "")<br/>    name                      = optional(string, null) # Custom whole name of resource    <br/>    owner                     = optional(string)       # Owner of resource<br/>    force_destroy             = optional(bool, true)<br/>    comment                   = optional(string, "Managed identity credential provisioned by Terraform")<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  })</pre> | n/a | yes |
+| <a name="input_cloud"></a> [cloud](#input\_cloud) | Cloud (azure, aws or gcp) | `string` | n/a | yes |
+| <a name="input_create_storage_credential"></a> [create\_storage\_credential](#input\_create\_storage\_credential) | Boolean flag that determines whether to create storage credential or use the existing one | `bool` | `true` | no |
+| <a name="input_external_locations"></a> [external\_locations](#input\_external\_locations) | List of object with external location configuration attributes | <pre>list(object({<br/>    index            = string                # Index of instance, for example short name, used later to access exact external location in output map<br/>    name             = string                # Custom whole name of resource<br/>    url              = string                # Path URL in cloud storage<br/>    credentials_name = optional(string)      # If create_storage_credential is set to false, provide id of existing storage credential here<br/>    owner            = optional(string)      # Owner of resource<br/>    skip_validation  = optional(bool, true)  # Suppress validation errors if any & force save the external location<br/>    read_only        = optional(bool, false) # Indicates whether the external location is read-only.<br/>    force_destroy    = optional(bool, true)<br/>    force_update     = optional(bool, true)<br/>    comment          = optional(string, "External location provisioned by Terraform")<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  }))</pre> | `[]` | no |
+| <a name="input_storage_credential"></a> [storage\_credential](#input\_storage\_credential) | Object with storage credentials configuration attributes | <pre>object({<br/>    azure_access_connector_id = optional(string, null) # Azure Databricks Access Connector Id<br/>    name                      = optional(string, null) # Custom whole name of resource<br/>    owner                     = optional(string)       # Owner of resource<br/>    force_destroy             = optional(bool, true)<br/>    comment                   = optional(string, "Managed identity credential provisioned by Terraform")<br/>    permissions = optional(set(object({<br/>      principal  = string<br/>      privileges = list(string)<br/>    })), [])<br/>    isolation_mode = optional(string, "ISOLATION_MODE_OPEN")<br/>  })</pre> | `{}` | no |
 
 ## Outputs
 

main.tf

@@ -13,32 +13,32 @@ locals {
 }
 
 resource "databricks_storage_credential" "this" {
-  count = var.storage_credential.cloud != "" ? 1 : 0
+  count = var.create_storage_credential == true ? 1 : 0
 
   name  = var.storage_credential.name
   owner = var.storage_credential.owner
 
   # Dynamic block for Azure
   dynamic "azure_managed_identity" {
-    for_each = var.storage_credential.cloud == "azure" ? [1] : []
+    for_each = var.cloud == "azure" ? [1] : []
     content {
       access_connector_id = var.storage_credential.azure_access_connector_id
     }
   }
 
   # Dynamic block for GCP
   dynamic "databricks_gcp_service_account" {
-    for_each = var.storage_credential.cloud == "gcp" ? [1] : []
+    for_each = var.cloud == "gcp" ? [1] : []
     content {}
   }
 
   force_destroy  = var.storage_credential.force_destroy
   comment        = var.storage_credential.comment
-  isolation_mode = var.storage_credential.cloud == "azure" ? var.storage_credential.isolation_mode : null
+  isolation_mode = var.cloud == "azure" ? var.storage_credential.isolation_mode : null
 }
 
 resource "databricks_grants" "credential" {
-  count = var.storage_credential.cloud != "" ? 1 : 0
+  count = var.create_storage_credential == true ? (length(var.storage_credential.permissions) != 0 ? 1 : 0) : 0
 
   storage_credential = try(databricks_storage_credential.this[0].id, null)
   dynamic "grant" {

variables.tf

@@ -1,8 +1,7 @@
 variable "storage_credential" {
   type = object({
     azure_access_connector_id = optional(string, null) # Azure Databricks Access Connector Id
-    cloud                     = optional(string, "")
-    name                      = optional(string, null) # Custom whole name of resource    
+    name                      = optional(string, null) # Custom whole name of resource
     owner                     = optional(string)       # Owner of resource
     force_destroy             = optional(bool, true)
     comment                   = optional(string, "Managed identity credential provisioned by Terraform")
@@ -13,14 +12,26 @@ variable "storage_credential" {
     isolation_mode = optional(string, "ISOLATION_MODE_OPEN")
   })
   description = "Object with storage credentials configuration attributes"
+  default     = {}
+}
+
+variable "cloud" {
+  type        = string
+  description = "Cloud (azure, aws or gcp)"
+}
+
+variable "create_storage_credential" {
+  type        = bool
+  default     = true
+  description = "Boolean flag that determines whether to create storage credential or use the existing one"
 }
 
 variable "external_locations" {
   type = list(object({
-    index            = string # Index of instance, for example short name, used later to access exact external location in output map
-    name             = string # Custom whole name of resource
-    url              = string # Path URL in cloud storage
-    credentials_name = optional(string)
+    index            = string                # Index of instance, for example short name, used later to access exact external location in output map
+    name             = string                # Custom whole name of resource
+    url              = string                # Path URL in cloud storage
+    credentials_name = optional(string)      # If create_storage_credential is set to false, provide id of existing storage credential here
     owner            = optional(string)      # Owner of resource
     skip_validation  = optional(bool, true)  # Suppress validation errors if any & force save the external location
     read_only        = optional(bool, false) # Indicates whether the external location is read-only.