“Cannot create grants” Terraform error when using multiple databricks_grants blocks for the same catalog

Use dynamic blocks within a single databricks_grants resource or use databricks_grant for ad-hoc permission assignment from Terraform.

Written by parth.sundarka

Last published at: April 7th, 2025

Problem

When applying Terraform configurations using multiple databricks_grants resource blocks for assigning permissions to a single Databricks catalog, you encounter an error similar to the following. 

“Error: cannot create grants: permissions for catalog-<catalog-name> are &{[{group-or-user-name [PERMISSION] [Principal]} ...]}, but have to be {[{group-or-user-name [PERMISSION] []} ...]}”

 

Example code

resource "databricks_grants" "catalog_permissions_1" {
  catalog = "example_catalog"
  grant {
    principal  = "group_a"
    privileges = ["USE_CATALOG"]
  }
}

resource "databricks_grants" "catalog_permissions_2" {
  catalog = "example_catalog"
  grant {
    principal  = "group_b"
    privileges = ["USE_CATALOG"]
  }
}

 

Cause

Starting with Databricks Terraform provider version 1.23.0 (released August 2023), changes to permission handling result in issues when multiple databricks_grants resource blocks are used for the same catalog. A fix was implemented in version 1.34.0 (released January 2024), introducing a new resource type: databricks_grant.

 

For more information, review the details in the GitHub issue [ISSUE] different databricks_grants inside different modules overwrite each other #2704.

 

For more information on the version 1.34.0 release, review the GitHub Release v1.34.0 #3105 documentation.

 

Solution

There are two options available. 

 

The recommended approach is to use dynamic blocks within a single databricks_grants resource to handle multiple principals and privileges simultaneously. For more information, refer to the databricks_grants Resource documentation.
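
The dynamic-block approach as an added example, not taken from the original article or the provider documentation. The catalog name, group names, privilege lists, and the local value catalog_grants are constructed for illustration.

```hcl
# Added example: all names and privilege sets below are constructed.
locals {
  # One entry per principal. Every grant on the catalog is declared in
  # this single map, which makes the full access list reviewable in one place.
  catalog_grants = {
    group_a = ["USE_CATALOG"]
    group_b = ["USE_CATALOG", "USE_SCHEMA"]
  }
}

resource "databricks_grants" "catalog_permissions" {
  catalog = "example_catalog"

  # Render one grant block per map entry inside the single resource, so no
  # second databricks_grants block manages the same catalog.
  dynamic "grant" {
    for_each = local.catalog_grants
    content {
      principal  = grant.key   # map key: group or user name
      privileges = grant.value # map value: list of privileges
    }
  }
}
```

databricks_grants is authoritative for the securable it manages, so principals that are not in the map lose their grants on the catalog at the next apply. Check the terraform plan output for unexpected removals before applying.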

 

Alternatively, if you use Databricks Terraform provider version 1.34.0, replace the multiple databricks_grants resource blocks for the same catalog with the new resource type databricks_grant.

 

Example code using databricks_grant

resource "databricks_grant" "catalog_permission_group_a" {
  catalog    = "<example-catalog>"
  principal  = "group_a"
  privileges = ["USE_CATALOG"]
}

resource "databricks_grant" "catalog_permission_group_b" {
  catalog    = "<example-catalog>"
  principal  = "group_b"
  privileges = ["USE_CATALOG"]
}

 

For more information, refer to the databricks_grant Resource documentation.