
Add support for automatic provisioning using synchronization jobs #830

Merged (2 commits), Oct 27, 2022

Conversation

JoostvDoorn
Contributor

@JoostvDoorn JoostvDoorn commented Jun 26, 2022

Fixes #744. This adds support for the synchronization job endpoints documented here.

A partially working example for databricks SCIM provisioning (you'll need to add app roles and assign users/group to app roles to make it work 100%):

terraform {
  required_providers {
    databricks = {
      source = "databricks/databricks"
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

# The Databricks provider targets the workspace created below.
provider "databricks" {
  host = azurerm_databricks_workspace.test.workspace_url
}

resource "azurerm_resource_group" "test" {
  name     = "databricks-test"
  location = "westeurope"
}

# Gallery template for the Databricks SCIM provisioning connector.
data "azuread_application_template" "test" {
  display_name = "Azure Databricks SCIM Provisioning Connector"
}

resource "azurerm_databricks_workspace" "test" {
  name                = "databricks-test"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  sku                 = "trial"

  managed_resource_group_name = "databricks-test-rg"
}

# Databricks token that Azure AD presents as the SCIM bearer token.
resource "databricks_token" "scim" {
  comment = "SCIM Integration"
}

# Application instantiated from the gallery template, plus its service principal.
resource "azuread_application" "test" {
  display_name = "test-databricks"
  template_id  = data.azuread_application_template.test.template_id
  feature_tags {
    enterprise = true
    gallery    = true
  }
}

resource "azuread_service_principal" "test" {
  application_id = azuread_application.test.application_id
  use_existing   = true
}

# Provisioning credentials: the SCIM base address and the secret token.
resource "azuread_synchronization_secret" "test" {
  service_principal_id = azuread_service_principal.test.id

  credentials {
    key   = "BaseAddress"
    value = "https://${azurerm_databricks_workspace.test.workspace_url}/api/2.0/preview/scim"
  }
  credentials {
    key   = "SecretToken"
    value = databricks_token.scim.token_value
  }
}

# Create and start the synchronization job from the Databricks job template.
resource "azuread_synchronization_job" "test" {
  service_principal_id = azuread_service_principal.test.id
  template_id          = "dataBricks"
  state                = "Active"
}

@JoostvDoorn
Contributor Author

The PR should be ready for review now. I ran into a typing issue after some further testing, which I solved in the vendored library manicminer/hamilton#172.

Contributor

@manicminer manicminer left a comment


@JoostvDoorn Thanks for this contribution, and for your patience with the delay on reviewing this. This is looking really great, I have some comments below which are largely related to each other. Your Hamilton fix was merged earlier today and this should be vendored into main fairly soon.

If you could take a look at the suggested changes, and also if we can add an acceptance test for a disabled synchronization job, then this should be good to merge. Thanks again!

Review comments (outdated, resolved) on docs/resources/synchronization_secret.md and docs/resources/synchronization_job.md
@JoostvDoorn JoostvDoorn force-pushed the synchronization-jobs branch from 808134c to f04a55e Compare October 8, 2022 15:04
@JoostvDoorn
Contributor Author

@manicminer I refactored this over the weekend (and squashed the history). This should be good to go; let me know if there are still some issues.

Contributor

@manicminer manicminer left a comment


Thanks for making those changes @JoostvDoorn.

I see that you have changed the owners property for both azuread_application and azuread_service_principal to be optional & computed. Whilst there are some bugs related to these properties, this is not our preferred way to dismiss an unwanted diff and I am hoping to be able to fix some of these bugs separately. Accordingly, I've reverted these additions but this PR otherwise LGTM and I'm happy to merge this. Thanks again!

@manicminer manicminer merged commit ae29124 into hashicorp:main Oct 27, 2022
manicminer added a commit that referenced this pull request Oct 27, 2022
@github-actions

This functionality has been released in v2.30.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@akansha23191

Hi, I have used the above example to implement SCIM configuration for syncing AAD users with a Databricks workspace, but I am not able to pass the value of the Databricks URL programmatically. The above syntax throws the error below:

Error: Invalid template interpolation value
│
│   on ..\modules\databricks\main.tf line 84, in resource "azuread_synchronization_secret" "test":
│   84:     value = "https://${azurerm_databricks_workspace.dbricks.workspace_url}/api/2.0/preview/scim"
│     ├────────────────
│     │ azurerm_databricks_workspace.dbricks.workspace_url is null
│
│ The expression result is null. Cannot include a null value in a string template.

Could you please help me understand why it might be appearing?

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 23, 2022
Successfully merging this pull request may close these issues.

Support identity synchronization/provisioning