Introduction
The Databricks Security Analysis Tool (SAT) is a pretty handy tool developed by databricks to scan your workspaces and produce alerts where your configuration deviates from best practices. To remediate some of these issues you need to modify your workspace configuration. Some things can be done from the UI, others I believe require calling the API. In either case, it would be preferable to automate these configurations as part of workspace provisioning. The databricks_workspace_conf resource in terraform can be used to accomplish this. Unfortunately, similar to the issue I documented trying to configure cluster policies, the docs are pretty limited and it’s difficult to figure out what the actual config changes should be. After some poking around and following a trail of forum posts to a random powershell script that happened to document the settings I wanted, I was able to create a config that worked. I’ve reproduced it below as a reference to both myself and anyone else interested in remediating SAT issues with terraform.
The code
resource "databricks_workspace_conf" "this" {
custom_config = {
"maxTokenLifetimeDays" : "180"
"enableTokensConfig" : true
"enableDeprecatedClusterNamedInitScripts" : false
"enableDeprecatedGlobalInitScripts" : false
"enforceUserIsolation" : true
# set at account level, can't be done at workspace level
# DO NOT UNCOMMENT OR OTHERWISE ADD THIS, IT WILL BREAK YOUR STATE
# "enableWebTerminal" : true
"enableNotebookTableClipboard" : false
"enableResultsDownloading" : false
}
}
Conclusion
That’s it, I just spent a lot of time figuring out how to make that little block of code so I wanted to share it. Put something like the above in your workspace provisioning script and you’ll address the SAT issues that are related to your workspace config.