
[FEATURE] Support creating tokens on behalf of Service Principals #555

Closed
mikedias opened this issue Mar 10, 2021 · 1 comment · Fixed by #736
Labels: aws (Occurring on AWS cloud)

Comments

@mikedias

mikedias commented Mar 10, 2021

Hello,

It would be really useful to be able to use Databricks Terraform to create a Service Principal, generate a token on behalf of it, and save it as a secret. The missing piece in this workflow is the on-behalf token creation, which can be done via the /api/2.0/token-management/on-behalf-of/tokens API.

The design could be something like this:

```hcl
resource "databricks_service_principal" "this" {
  // TODO: currently not possible to change service principal name and it has to be re-created
  display_name = "Automation-only SP"
}

resource "databricks_permissions" "token_usage" {
  authorization = "tokens"
  access_control {
    service_principal_name = databricks_service_principal.this.application_id
    permission_level       = "CAN_USE"
  }
}

// OBO won't be created until this specific SP (or all users) will have permission to create a token
resource "databricks_obo_token" "this" {
  depends_on       = [databricks_permissions.token_usage]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  lifetime_seconds = 3600
}

output "obo" {
  value     = databricks_obo_token.this.token_value
  sensitive = true
}
```

Please let me know if this makes sense or if there are other ways to achieve this.

Terraform Version

  • Terraform v0.14.5

Affected Resource(s)

  • databricks_obo_token
  • databricks_service_principal
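As an added example (not part of the original issue or the provider's own code): the remaining step of the workflow described above, storing the minted token in a secret scope with read access limited to its consumers. It assumes the proposed `databricks_obo_token` resource and the provider's existing `databricks_secret_scope`, `databricks_secret` and `databricks_secret_acl` resources; the scope, key and group names are constructed.

```hcl
# Constructed scope name: one scope per automation identity keeps ACLs simple.
resource "databricks_secret_scope" "automation" {
  name = "automation-sp"
}

# Store the OBO token value as a secret instead of surfacing it in outputs.
resource "databricks_secret" "obo_token" {
  scope        = databricks_secret_scope.automation.name
  key          = "obo-token"
  string_value = databricks_obo_token.this.token_value
}

# Only the group that runs the jobs (constructed name) may read the token;
# nobody else gets access to the scope by default.
resource "databricks_secret_acl" "reader" {
  scope      = databricks_secret_scope.automation.name
  principal  = "automation-readers"
  permission = "READ"
}
```

Note that Terraform state still holds `token_value` in plaintext, so the state backend needs at least the same access restrictions as the secret scope, and a short `lifetime_seconds` limits the window if either is exposed.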
@nfx
Contributor

nfx commented May 13, 2021

From a design perspective, the backing API for the SP OBO token is different from the user PAT token. Therefore a new resource should be implemented.
