hashicorp · WodansSon · Aug 22, 2023 · Jul 18, 2023 · Jul 21, 2023 · Jul 21, 2023
@@ -1,6 +1,6 @@
-## Example: Databricks Workspace Databricks File System Customer Managed Keys
+## Example: Databricks Workspace Root Databricks File System Customer Managed Keys
 
-This example provisions a Databricks Workspace within Azure with Databricks File System Customer Managed Keys enabled.
+This example provisions a Databricks Workspace within Azure with Root Databricks File System Customer Managed Keys enabled.
 
 ### Variables
 

@@ -26,7 +26,7 @@ resource "azurerm_databricks_workspace" "example" {
   }
 }
 
-resource "azurerm_databricks_workspace_customer_managed_key" "example" {
+resource "azurerm_databricks_workspace_root_dbfs_customer_managed_key" "example" {
   depends_on = [azurerm_key_vault_access_policy.databricks]
 
   workspace_id     = azurerm_databricks_workspace.example.id

@@ -117,14 +117,16 @@ resource "azurerm_databricks_workspace" "example" {
   }
 }
 
-resource "azurerm_databricks_workspace_customer_managed_key" "example" {
+resource "azurerm_databricks_workspace_root_dbfs_customer_managed_key" "example" {
   depends_on = [azurerm_key_vault_access_policy.databricks]
 
   workspace_id     = azurerm_databricks_workspace.example.id
   key_vault_key_id = azurerm_key_vault_key.example.id
 }
 
 resource "azurerm_private_endpoint" "databricks" {
+  depends_on = [azurerm_databricks_workspace_root_dbfs_customer_managed_key.example]
+
   name                = "${var.prefix}-pe-databricks"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/lang/response"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/databricks/2023-02-01/workspaces"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
@@ -61,6 +62,7 @@ func resourceDatabricksWorkspaceCustomerManagedKey() *pluginsdk.Resource {
 		Schema: map[string]*pluginsdk.Schema{
 			"workspace_id": {
 				Type:         pluginsdk.TypeString,
+				Deprecated:   "this resource has been deprecated in favour of the `azurerm_databricks_workspace_root_dbfs_customer_managed_key` resource and will be removed from the v4.0 azurerm provider.",
 				Required:     true,
 				ValidateFunc: workspaces.ValidateWorkspaceID,
 			},
@@ -102,12 +104,24 @@ func databricksWorkspaceCustomerManagedKeyCreateUpdate(d *pluginsdk.ResourceData
 	if err != nil {
 		return fmt.Errorf("retrieving %s: %+v", *id, err)
 	}
+
+	keySource := workspaces.KeySourceDefault
+	var params *workspaces.WorkspaceCustomParameters
+
 	if model := workspace.Model; model != nil {
-		if parameters := model.Properties.Parameters; parameters != nil {
-			if parameters.PrepareEncryption != nil {
+		if params = model.Properties.Parameters; params != nil {
+			if params.PrepareEncryption != nil {
 				encryptionEnabled = model.Properties.Parameters.PrepareEncryption.Value
 			}
+
+			if params.Encryption != nil && params.Encryption.Value != nil && params.Encryption.Value.KeySource != nil {
+				keySource = pointer.From(params.Encryption.Value.KeySource)
+			}
+		} else {
+			return fmt.Errorf("`WorkspaceCustomParameters` were nil")
 		}
+	} else {
+		return fmt.Errorf("`Workspace` was nil")
 	}
 
 	if !encryptionEnabled {
@@ -120,10 +134,9 @@ func databricksWorkspaceCustomerManagedKeyCreateUpdate(d *pluginsdk.ResourceData
 		return fmt.Errorf("retrieving the Resource ID for the Key Vault at URL %q: %+v", key.KeyVaultBaseUrl, err)
 	}
 
-	if d.IsNewResource() {
-		if workspace.Model != nil && workspace.Model.Properties.Parameters != nil && workspace.Model.Properties.Parameters.Encryption != nil {
-			return tf.ImportAsExistsError("azurerm_databricks_workspace_customer_managed_key", id.ID())
-		}
+	// Only throw the import error if the keysource value has been set to something other than default...
+	if params.Encryption != nil && params.Encryption.Value != nil && keySource != workspaces.KeySourceDefault {
+		return tf.ImportAsExistsError("azurerm_databricks_workspace_customer_managed_key", id.ID())
 	}
 
 	// We need to pull all of the custom params from the parent
@@ -132,14 +145,12 @@ func databricksWorkspaceCustomerManagedKeyCreateUpdate(d *pluginsdk.ResourceData
 	// resource will be lost and overwritten as nil. ¯\_(ツ)_/¯
 	// NOTE: 'workspace.Parameters' will never be nil as 'customer_managed_key_enabled' and 'infrastructure_encryption_enabled'
 	// fields have a default value in the parent workspace resource.
-	keySource := workspaces.KeySourceMicrosoftPointKeyvault
-	params := workspace.Model.Properties.Parameters
 	params.Encryption = &workspaces.WorkspaceEncryptionParameter{
 		Value: &workspaces.Encryption{
-			KeySource:   &keySource,
-			KeyName:     &key.Name,
-			Keyversion:  &key.Version,
-			Keyvaulturi: &key.KeyVaultBaseUrl,
+			KeySource:   pointer.To(workspaces.KeySourceMicrosoftPointKeyvault),
+			KeyName:     pointer.To(key.Name),
+			Keyversion:  pointer.To(key.Version),
+			Keyvaulturi: pointer.To(key.KeyVaultBaseUrl),
 		},
 	}
 
@@ -182,6 +193,7 @@ func databricksWorkspaceCustomerManagedKeyRead(d *pluginsdk.ResourceData, meta i
 	if model := resp.Model; model != nil {
 		if model.Properties.Parameters != nil {
 			if props := model.Properties.Parameters.Encryption; props != nil {
+
 				if props.Value.KeySource != nil {
 					keySource = string(*props.Value.KeySource)
 				}

@@ -126,8 +126,20 @@ func (DatabricksWorkspaceCustomerManagedKeyResource) Exists(ctx context.Context,
 	return utils.Bool(false), nil
 }
 
-func (DatabricksWorkspaceCustomerManagedKeyResource) basic(data acceptance.TestData, cmk string) string {
-	keyVault := DatabricksWorkspaceCustomerManagedKeyResource{}.keyVaultTemplate(data)
+func (r DatabricksWorkspaceCustomerManagedKeyResource) requiresImport(data acceptance.TestData) string {
+	cmkTemplate := r.cmkTemplate()
+	template := r.basic(data, cmkTemplate)
+	return fmt.Sprintf(`
+%s
+resource "azurerm_databricks_workspace_customer_managed_key" "import" {
+  workspace_id     = azurerm_databricks_workspace.test.id
+  key_vault_key_id = azurerm_key_vault_key.test.id
+}
+`, template)
+}
+
+func (r DatabricksWorkspaceCustomerManagedKeyResource) basic(data acceptance.TestData, cmk string) string {
+	keyVault := r.keyVaultTemplate(data)
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {}
@@ -156,21 +168,8 @@ resource "azurerm_databricks_workspace" "test" {
 `, data.RandomInteger, "eastus2", keyVault, cmk)
 }
 
-func (DatabricksWorkspaceCustomerManagedKeyResource) requiresImport(data acceptance.TestData) string {
-	cmkTemplate := DatabricksWorkspaceCustomerManagedKeyResource{}.cmkTemplate()
-	template := DatabricksWorkspaceCustomerManagedKeyResource{}.basic(data, cmkTemplate)
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_databricks_workspace_customer_managed_key" "import" {
-  workspace_id     = azurerm_databricks_workspace.test.id
-  key_vault_key_id = azurerm_key_vault_key.test.id
-}
-`, template)
-}
-
-func (DatabricksWorkspaceCustomerManagedKeyResource) noip(data acceptance.TestData, cmk string) string {
-	keyVault := DatabricksWorkspaceCustomerManagedKeyResource{}.keyVaultTemplate(data)
+func (r DatabricksWorkspaceCustomerManagedKeyResource) noip(data acceptance.TestData, cmk string) string {
+	keyVault := r.keyVaultTemplate(data)
 	return fmt.Sprintf(`
 provider "azurerm" {
   features {}