Fix workspace owners unable to access Databricks workspace

CHANGELOG.md

@@ -7,7 +7,7 @@ ENHANCEMENTS:
 * _No changes yet_
 
 BUG FIXES:
-* _No changes yet_
+* Fix workspace owners unable to access Databricks workspace by adding Azure RBAC Contributor role assignment ([#4854](https://github.com/microsoft/AzureTRE/issues/4854))
 
 ## 0.27.0 (February 5, 2026)
 **BREAKING CHANGES**

templates/workspace_services/databricks/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-databricks
-version: 1.0.14
+version: 1.3.0
 description: "An Azure TRE service for Azure Databricks."
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@@ -47,6 +47,12 @@ parameters:
     env: ARM_ENVIRONMENT
     type: string
     default: "public"
+  - name: workspace_owners_group_id
+    type: string
+    description: "The object ID of the Entra ID group for TRE workspace owners"
+  - name: workspace_researchers_group_id
+    type: string
+    description: "The object ID of the Entra ID group for TRE workspace researchers"
 
 outputs:
   - name: databricks_workspace_name
@@ -114,6 +120,8 @@ install:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_environment: ${ bundle.parameters.arm_environment }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -143,6 +151,8 @@ upgrade:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_environment: ${ bundle.parameters.arm_environment }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -172,6 +182,8 @@ uninstall:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_environment: ${ bundle.parameters.arm_environment }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/workspace_services/databricks/template_schema.json

@@ -39,11 +39,29 @@
       "type": "string",
       "title": "Address space",
       "description": "The address space of the databricks subnets"
+    },
+    "workspace_owners_group_id": {
+      "$id": "#/properties/workspace_owners_group_id",
+      "type": "string",
+      "title": "Workspace Owners Group ID",
+      "description": "The object ID of the Entra ID group for TRE workspace owners"
+    },
+    "workspace_researchers_group_id": {
+      "$id": "#/properties/workspace_researchers_group_id",
+      "type": "string",
+      "title": "Workspace Researchers Group ID",
+      "description": "The object ID of the Entra ID group for TRE workspace researchers"
     }
   },
   "uiSchema": {
     "address_space": {
       "classNames": "tre-hidden"
+    },
+    "workspace_owners_group_id": {
+      "classNames": "tre-hidden"
+    },
+    "workspace_researchers_group_id": {
+      "classNames": "tre-hidden"
     }
   },
   "pipeline": {
@@ -56,7 +74,19 @@
         "properties": []
       },
       {
-        "stepId": "main"
+        "stepId": "main",
+        "properties": [
+          {
+            "name": "workspace_owners_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_owners_group_id }}"
+          },
+          {
+            "name": "workspace_researchers_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_researchers_group_id }}"
+          }
+        ]
       },
       {
         "stepId": "7ec5fa90-23bd-4809-b0d7-2d32c94016b1",
@@ -78,7 +108,9 @@
                   "name": "databricks",
                   "description": "Communication with Azure Databricks dependancies.",
                   "source_addresses": "{{ resource.properties.databricks_address_prefixes }}",
-                  "destination_addresses": [ "AzureDatabricks"],
+                  "destination_addresses": [
+                    "AzureDatabricks"
+                  ],
                   "destination_ports": [
                     "443"
                   ],
@@ -114,9 +146,15 @@
                   "name": "AzureAD",
                   "description": "AAD access",
                   "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
-                  "destination_addresses": ["AzureActiveDirectory"],
-                  "destination_ports": ["*"],
-                  "protocols": ["TCP"]
+                  "destination_addresses": [
+                    "AzureActiveDirectory"
+                  ],
+                  "destination_ports": [
+                    "*"
+                  ],
+                  "protocols": [
+                    "TCP"
+                  ]
                 }
               ]
             }
@@ -212,7 +250,9 @@
                   "name": "databricks",
                   "description": "Communication with Azure Databricks dependancies.",
                   "source_addresses": "{{ resource.properties.databricks_address_prefixes }}",
-                  "destination_addresses": [ "AzureDatabricks"],
+                  "destination_addresses": [
+                    "AzureDatabricks"
+                  ],
                   "destination_ports": [
                     "443"
                   ],
@@ -248,9 +288,15 @@
                   "name": "AzureAD",
                   "description": "AAD access",
                   "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
-                  "destination_addresses": ["AzureActiveDirectory"],
-                  "destination_ports": ["*"],
-                  "protocols": ["TCP"]
+                  "destination_addresses": [
+                    "AzureActiveDirectory"
+                  ],
+                  "destination_ports": [
+                    "*"
+                  ],
+                  "protocols": [
+                    "TCP"
+                  ]
                 }
               ]
             }

templates/workspace_services/databricks/terraform/providers.tf

@@ -2,16 +2,12 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "= 3.117.0"
+      version = "= 4.14.0"
     }
     azapi = {
       source  = "Azure/azapi"
       version = "= 2.3.0"
     }
-    databricks = {
-      source  = "databricks/databricks"
-      version = "= 1.48.0"
-    }
     dns = {
       source  = "hashicorp/dns"
       version = "= 3.4.3"
@@ -42,13 +38,6 @@ provider "azurerm" {
 provider "azapi" {
 }
 
-provider "databricks" {
-  host                        = azurerm_databricks_workspace.databricks.workspace_url
-  azure_workspace_resource_id = azurerm_databricks_workspace.databricks.id
-
-  azure_use_msi = true
-}
-
 module "azure_region" {
   source  = "claranet/regions/azurerm"
   version = "=6.1.0"
@@ -60,6 +49,6 @@ provider "dns" {
 }
 
 module "terraform_azurerm_environment_configuration" {
-  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
+  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.3.0"
   arm_environment = var.arm_environment
 }

templates/workspace_services/databricks/terraform/roles.tf

@@ -0,0 +1,14 @@
+# TODO: Check what RBAC is needed by Researchers
+resource "azurerm_role_assignment" "researchers_databricks_contributor" {
+  count                = var.workspace_researchers_group_id != "" ? 1 : 0
+  scope                = azurerm_databricks_workspace.databricks.id
+  role_definition_name = "Contributor"
+  principal_id         = var.workspace_researchers_group_id
+}
+
+resource "azurerm_role_assignment" "owners_databricks_contributor" {
+  count                = var.workspace_owners_group_id != "" ? 1 : 0
+  scope                = azurerm_databricks_workspace.databricks.id
+  role_definition_name = "Contributor"
+  principal_id         = var.workspace_owners_group_id
+}

templates/workspace_services/databricks/terraform/variables.tf

@@ -26,3 +26,21 @@ variable "is_exposed_externally" {
 variable "arm_environment" {
   type = string
 }
+
+variable "workspace_owners_group_id" {
+  type        = string
+  description = "The object ID of the Entra ID group for TRE workspace owners"
+  validation {
+    condition     = length(trimspace(var.workspace_owners_group_id)) > 0
+    error_message = "workspace_owners_group_id must be provided; Entra ID workspace groups are required."
+  }
+}
+
+variable "workspace_researchers_group_id" {
+  type        = string
+  description = "The object ID of the Entra ID group for TRE workspace researchers"
+  validation {
+    condition     = length(trimspace(var.workspace_researchers_group_id)) > 0
+    error_message = "workspace_researchers_group_id must be provided; Entra ID workspace groups are required."
+  }
+}