databricks-cli/bundle/config/mutator/run_as.go

package mutator

import (
	"context"
	"slices"

	"github.com/databricks/cli/bundle"
	"github.com/databricks/cli/bundle/config/resources"
	"github.com/databricks/cli/libs/diag"
	"github.com/databricks/databricks-sdk-go/service/jobs"
)

type setRunAs struct {
}

// SetRunAs mutator is used to go over defined resources such as Jobs and DLT Pipelines
// And set correct execution identity ("run_as" for a job or "is_owner" permission for DLT)
// if top-level "run-as" section is defined in the configuration.
func SetRunAs() bundle.Mutator {
	return &setRunAs{}
}

func (m *setRunAs) Name() string {
	return "SetRunAs"
}

func (m *setRunAs) Apply(_ context.Context, b *bundle.Bundle) diag.Diagnostics {
	runAs := b.Config.RunAs
	if runAs == nil {
		return nil
	}

	for i := range b.Config.Resources.Jobs {
		job := b.Config.Resources.Jobs[i]
		if job.RunAs != nil {
			continue
		}
		job.RunAs = &jobs.JobRunAs{
			ServicePrincipalName: runAs.ServicePrincipalName,
			UserName:             runAs.UserName,
		}
	}

	me := b.Config.Workspace.CurrentUser.UserName
	// If user deploying the bundle and the one defined in run_as are the same
	// Do not add IS_OWNER permission. Current user is implied to be an owner in this case.
	// Otherwise, it will fail due to this bug https://github.com/databricks/terraform-provider-databricks/issues/2407
	if runAs.UserName == me || runAs.ServicePrincipalName == me {
		return nil
	}

	for i := range b.Config.Resources.Pipelines {
		pipeline := b.Config.Resources.Pipelines[i]
		pipeline.Permissions = slices.DeleteFunc(pipeline.Permissions, func(p resources.Permission) bool {
			return (runAs.ServicePrincipalName != "" && p.ServicePrincipalName == runAs.ServicePrincipalName) ||
				(runAs.UserName != "" && p.UserName == runAs.UserName)
		})
		pipeline.Permissions = append(pipeline.Permissions, resources.Permission{
			Level:                "IS_OWNER",
			ServicePrincipalName: runAs.ServicePrincipalName,
			UserName:             runAs.UserName,
		})
	}

	return nil
}
Added run_as section for bundle configuration (#692) ## Changes Added run_as section for bundle configuration. This section allows to define an user name or service principal which will be applied as an execution identity for jobs and DLT pipelines. In the case of DLT, identity defined in `run_as` will be assigned `IS_OWNER` permission on this pipeline. ## Tests Added unit tests for configuration. Also ran deploy for the following bundle configuration ``` bundle: name: "run_as" run_as: # service_principal_name: "f7263fcc-56d0-4981-8baf-c2a45296690b" user_name: "lennart.kats@databricks.com" resources: pipelines: andrew_pipeline: name: "Andrew Nester pipeline" libraries: - notebook: path: ./test.py jobs: job_one: name: Job One tasks: - task_key: "task" new_cluster: num_workers: 1 spark_version: 13.2.x-snapshot-scala2.12 node_type_id: i3.xlarge runtime_engine: PHOTON notebook_task: notebook_path: "./test.py" ``` 2023-08-23 16:47:07 +00:00			`package mutator`

			`import (`
			`"context"`
			`"slices"`

			`"github.com/databricks/cli/bundle"`
			`"github.com/databricks/cli/bundle/config/resources"`
Return `diag.Diagnostics` from mutators (#1305) ## Changes This diagnostics type allows us to capture multiple warnings as well as errors in the return value. This is a preparation for returning additional warnings from mutators in case we detect non-fatal problems. * All return statements that previously returned an error now return `diag.FromErr` * All return statements that previously returned `fmt.Errorf` now return `diag.Errorf` * All `err != nil` checks now use `diags.HasError()` or `diags.Error()` ## Tests * Existing tests pass. * I confirmed no call site under `./bundle` or `./cmd/bundle` uses `errors.Is` on the return value from mutators. This is relevant because we cannot wrap errors with `%w` when calling `diag.Errorf` (like `fmt.Errorf`; context in https://github.com/golang/go/issues/47641). 2024-03-25 14:18:47 +00:00			`"github.com/databricks/cli/libs/diag"`
Added run_as section for bundle configuration (#692) ## Changes Added run_as section for bundle configuration. This section allows to define an user name or service principal which will be applied as an execution identity for jobs and DLT pipelines. In the case of DLT, identity defined in `run_as` will be assigned `IS_OWNER` permission on this pipeline. ## Tests Added unit tests for configuration. Also ran deploy for the following bundle configuration ``` bundle: name: "run_as" run_as: # service_principal_name: "f7263fcc-56d0-4981-8baf-c2a45296690b" user_name: "lennart.kats@databricks.com" resources: pipelines: andrew_pipeline: name: "Andrew Nester pipeline" libraries: - notebook: path: ./test.py jobs: job_one: name: Job One tasks: - task_key: "task" new_cluster: num_workers: 1 spark_version: 13.2.x-snapshot-scala2.12 node_type_id: i3.xlarge runtime_engine: PHOTON notebook_task: notebook_path: "./test.py" ``` 2023-08-23 16:47:07 +00:00			`"github.com/databricks/databricks-sdk-go/service/jobs"`
			`)`

			`type setRunAs struct {`
			`}`

			`// SetRunAs mutator is used to go over defined resources such as Jobs and DLT Pipelines`
			`// And set correct execution identity ("run_as" for a job or "is_owner" permission for DLT)`
			`// if top-level "run-as" section is defined in the configuration.`
			`func SetRunAs() bundle.Mutator {`
			`return &setRunAs{}`
			`}`

			`func (m *setRunAs) Name() string {`
			`return "SetRunAs"`
			`}`

Return `diag.Diagnostics` from mutators (#1305) ## Changes This diagnostics type allows us to capture multiple warnings as well as errors in the return value. This is a preparation for returning additional warnings from mutators in case we detect non-fatal problems. * All return statements that previously returned an error now return `diag.FromErr` * All return statements that previously returned `fmt.Errorf` now return `diag.Errorf` * All `err != nil` checks now use `diags.HasError()` or `diags.Error()` ## Tests * Existing tests pass. * I confirmed no call site under `./bundle` or `./cmd/bundle` uses `errors.Is` on the return value from mutators. This is relevant because we cannot wrap errors with `%w` when calling `diag.Errorf` (like `fmt.Errorf`; context in https://github.com/golang/go/issues/47641). 2024-03-25 14:18:47 +00:00			`func (m setRunAs) Apply(_ context.Context, b bundle.Bundle) diag.Diagnostics {`
Added run_as section for bundle configuration (#692) ## Changes Added run_as section for bundle configuration. This section allows to define an user name or service principal which will be applied as an execution identity for jobs and DLT pipelines. In the case of DLT, identity defined in `run_as` will be assigned `IS_OWNER` permission on this pipeline. ## Tests Added unit tests for configuration. Also ran deploy for the following bundle configuration ``` bundle: name: "run_as" run_as: # service_principal_name: "f7263fcc-56d0-4981-8baf-c2a45296690b" user_name: "lennart.kats@databricks.com" resources: pipelines: andrew_pipeline: name: "Andrew Nester pipeline" libraries: - notebook: path: ./test.py jobs: job_one: name: Job One tasks: - task_key: "task" new_cluster: num_workers: 1 spark_version: 13.2.x-snapshot-scala2.12 node_type_id: i3.xlarge runtime_engine: PHOTON notebook_task: notebook_path: "./test.py" ``` 2023-08-23 16:47:07 +00:00			`runAs := b.Config.RunAs`
			`if runAs == nil {`
			`return nil`
			`}`

			`for i := range b.Config.Resources.Jobs {`
			`job := b.Config.Resources.Jobs[i]`
			`if job.RunAs != nil {`
			`continue`
			`}`
			`job.RunAs = &jobs.JobRunAs{`
			`ServicePrincipalName: runAs.ServicePrincipalName,`
			`UserName: runAs.UserName,`
			`}`
			`}`

			`me := b.Config.Workspace.CurrentUser.UserName`
			`// If user deploying the bundle and the one defined in run_as are the same`
			`// Do not add IS_OWNER permission. Current user is implied to be an owner in this case.`
			`// Otherwise, it will fail due to this bug https://github.com/databricks/terraform-provider-databricks/issues/2407`
			`if runAs.UserName == me \|\| runAs.ServicePrincipalName == me {`
			`return nil`
			`}`

			`for i := range b.Config.Resources.Pipelines {`
			`pipeline := b.Config.Resources.Pipelines[i]`
			`pipeline.Permissions = slices.DeleteFunc(pipeline.Permissions, func(p resources.Permission) bool {`
			`return (runAs.ServicePrincipalName != "" && p.ServicePrincipalName == runAs.ServicePrincipalName) \|\|`
			`(runAs.UserName != "" && p.UserName == runAs.UserName)`
			`})`
			`pipeline.Permissions = append(pipeline.Permissions, resources.Permission{`
			`Level: "IS_OWNER",`
			`ServicePrincipalName: runAs.ServicePrincipalName,`
			`UserName: runAs.UserName,`
			`})`
			`}`

			`return nil`
			`}`