[Exporter] Add listing for databricks_permissions so we can emit pe…

…rmissions for tokens It was a missing functionality when we emitted all permissions on existing objects, but didn't do it for permissions of personal access tokens.
databricks · Jan 16, 2025 · 36688db · 36688db
1 parent 72753b3
commit 36688db
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/docs/guides/experimental-exporter.md b/docs/guides/experimental-exporter.md
@@ -113,7 +113,7 @@ Services are just logical groups of resources used for filtering and organizatio
 -> **Note**
   Please note that for services not marked with **listing**, we'll export resources only if they are referenced from other resources.
 
-* `access` - [databricks_permissions](../resources/permissions.md), [databricks_instance_profile](../resources/instance_profile.md), [databricks_ip_access_list](../resources/ip_access_list.md), [databricks_mws_permission_assignment](../resources/mws_permission_assignment.md) and [databricks_access_control_rule_set](../resources/access_control_rule_set.md).
+* `access` -  **listing** [databricks_permissions](../resources/permissions.md), [databricks_instance_profile](../resources/instance_profile.md), [databricks_ip_access_list](../resources/ip_access_list.md), [databricks_mws_permission_assignment](../resources/mws_permission_assignment.md) and [databricks_access_control_rule_set](../resources/access_control_rule_set.md).   *Please note that for `databricks_permissions` we list only `authorization = "tokens"`, the permissions for other objects (notebooks, ...) will be emitted when corresponding objects are processed!*
 * `alerts` - **listing** [databricks_alert](../resources/alert.md).
 * `compute` - **listing** [databricks_cluster](../resources/cluster.md).
 * `dashboards` - **listing** [databricks_dashboard](../resources/dashboard.md).

diff --git a/exporter/exporter_test.go b/exporter/exporter_test.go
@@ -236,6 +236,13 @@ var meAdminFixture = qa.HTTPFixture{
 	},
 }
 
+var getTokensPermissionsFixture = qa.HTTPFixture{
+	Method:       "GET",
+	Resource:     "/api/2.0/permissions/authorization/tokens?",
+	Response:     getJSONObject("test-data/get-tokens-permissions.json"),
+	ReuseRequest: true,
+}
+
 var emptyPipelines = qa.HTTPFixture{
 	Method:       "GET",
 	ReuseRequest: true,
@@ -737,6 +744,7 @@ func TestImportingUsersGroupsSecretScopes(t *testing.T) {
 					Key:   "b",
 				},
 			},
+			getTokensPermissionsFixture,
 		}, func(ctx context.Context, client *common.DatabricksClient) {
 			tmpDir := fmt.Sprintf("/tmp/tf-%s", qa.RandomName())
 			defer os.RemoveAll(tmpDir)
@@ -1830,6 +1838,7 @@ func TestImportingIPAccessLists(t *testing.T) {
 			emptyWorkspaceConf,
 			dummyWorkspaceConf,
 			allKnownWorkspaceConfs,
+			getTokensPermissionsFixture,
 			{
 				Method:   "GET",
 				Resource: "/api/2.0/global-init-scripts",

diff --git a/exporter/importables.go b/exporter/importables.go
@@ -1106,6 +1106,16 @@ var resourcesMap map[string]importable = map[string]importable{
 			s := strings.Split(d.Id(), "/")
 			return s[len(s)-1]
 		},
+		List: func(ic *importContext) error {
+			if ic.meAdmin {
+				ic.Emit(&resource{
+					Resource: "databricks_permissions",
+					ID:       "/authorization/tokens",
+					Name:     "tokens_usage",
+				})
+			}
+			return nil
+		},
 		Depends: []reference{
 			{Path: "job_id", Resource: "databricks_job"},
 			{Path: "pipeline_id", Resource: "databricks_pipeline"},

diff --git a/exporter/test-data/get-tokens-permissions.json b/exporter/test-data/get-tokens-permissions.json
@@ -0,0 +1,15 @@
+{
+  "access_control_list": [
+    {
+      "all_permissions": [
+        {
+          "inherited":false,
+          "permission_level":"CAN_MANAGE"
+        }
+      ],
+      "group_name":"admins"
+    }
+  ],
+  "object_id":"/authorization/tokens",
+  "object_type":"tokens"
+}