[ISSUE] Issue with databricks_model_serving resource #5074

@bix-1

Description

Configuration

We want to centrally manage Databricks model servings referencing an Azure OpenAI deployment, without giving the Databricks workspace admins permission to manage the model servings in their workspace. This can be achieved by the following configuration, where we configure the authentication for the model serving to OpenAI with Microsoft Entra ID client credentials, instead of Databricks secrets (where the workspace admins could access them, and thus manage the model servings).

resource "databricks_model_serving" "openai" {
  name = "gpt-4o"
 
  config {
    served_entities {
      external_model {
        provider = "openai"
        name     = "gpt-4o"
        task     = "llm/v1/chat"
        openai_config {
          microsoft_entra_tenant_id               = "<microsoft_entra_tenant_id>"
          microsoft_entra_client_id               = "<microsoft_entra_client_id>"
          microsoft_entra_client_secret_plaintext = var.microsoft_entra_client_secret_plaintext # from Terraform Enterprise secrets
          openai_api_type                         = "azuread"
          openai_api_base                         = "https://<...>.openai.azure.com/"
          openai_api_version                      = "2025-03-01-preview"
          openai_deployment_name                  = "gpt-4o"
        }
      }
    }
  }
}

Expected Behavior

Unless the value of the variable microsoft_entra_client_secret_plaintext is updated, don't mark the attribute for change in terraform plan.

Actual Behavior

On each subsequent terraform plan after the initial deployment, the attribute config.served_entities.external_model.openai_config.microsoft_entra_client_secret_plaintext is marked for update, even though the secret value didn't change.

# module.dbx_model_serving["gpt4o"].databricks_model_serving.openai will be updated in-place
  ~ resource "databricks_model_serving" "openai" {
        id                  = "gpt4o"
        name                = "gpt4o"
        # (3 unchanged attributes hidden)
 
      ~ config {
          ~ served_entities {
                name                        = "gpt-4o"
                # (7 unchanged attributes hidden)
 
              ~ external_model {
                    name     = "gpt-4o"
                    # (2 unchanged attributes hidden)
 
                  ~ openai_config {
                      ~ microsoft_entra_client_secret_plaintext = (sensitive value)
                        # (6 unchanged attributes hidden)
                    }
                }
            }
 
            # (1 unchanged block hidden)
        }
 
        # (1 unchanged block hidden)
    }

Steps to Reproduce

  1. Fill out the missing credentials variables
  2. terraform apply
  3. terraform plan

Terraform and provider versions

Terraform v1.7.4
on windows_amd64

  • provider registry.terraform.io/azure/azapi v1.15.0
  • provider registry.terraform.io/databricks/databricks v1.91.0
  • provider registry.terraform.io/hashicorp/azurerm v4.47.0
  • provider registry.terraform.io/hashicorp/null v3.2.4
  • provider registry.terraform.io/hashicorp/time v0.13.1

Is it a regression?

No

Debug Output

Important Factoids

Deployment is in a Terraform Enterprise workspace, using secret variables as some of the values

Would you like to implement a fix?

No
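
A CI-side check for the symptom reported above, as an added example that is not part of the original issue or of the provider's code: it reads the JSON form of a plan and lists in-place updates whose only differences are attributes marked sensitive, reporting paths and never values. The sample plan, the `_update` helper, the second resource address and the list-style block nesting are constructed assumptions.

```python
SECRET = "microsoft_entra_client_secret_plaintext"
def leaves(value, path=()):
    # Yield (path, scalar) for every leaf of a nested JSON value.
    if isinstance(value, dict):
        for key, item in value.items():
            yield from leaves(item, path + (key,))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from leaves(item, path + (index,))
    else:
        yield path, value

def is_sensitive(mask, path):
    # Walk a before_sensitive/after_sensitive mask; True marks a sensitive subtree.
    for key in path:
        if mask is True:
            return True
        try:
            mask = mask[key]
        except (KeyError, IndexError, TypeError):
            return False
    return mask is True

def sensitive_only_updates(plan):
    # Map address -> changed paths for in-place updates that differ only in sensitive leaves.
    hits = {}
    for rc in plan.get("resource_changes", []):
        ch = rc["change"]
        if ch.get("actions") != ["update"]:
            continue
        before, after = dict(leaves(ch.get("before"))), dict(leaves(ch.get("after")))
        diff = [p for p in before.keys() | after.keys() if before.get(p) != after.get(p)]
        masks = (ch.get("before_sensitive"), ch.get("after_sensitive"))
        if diff and all(any(is_sensitive(m, p) for m in masks) for p in diff):
            hits[rc["address"]] = sorted(".".join(map(str, p)) for p in diff)  # paths, never values
    return hits

def _update(address, before, after):  # constructed helper mirroring the issue's block nesting
    nest = lambda leaf: {"config": [{"served_entities": [{"external_model": [{"openai_config": [leaf]}]}]}]}
    return {"address": address, "change": {
        "actions": ["update"], "before": nest(before), "after": nest(after),
        "before_sensitive": nest({SECRET: True}), "after_sensitive": nest({SECRET: True})}}
# Constructed sample shaped like `terraform show -json <planfile>`; every value is made up.
SAMPLE_PLAN = {"resource_changes": [
    _update('module.dbx_model_serving["gpt4o"].databricks_model_serving.openai',
            {SECRET: ""}, {SECRET: "constructed-value"}),
    _update("databricks_model_serving.constructed_other",
            {"openai_deployment_name": "gpt-4o"}, {"openai_deployment_name": "gpt-4o-mini"}),
]}
```

On a real run the input would come from `terraform plan -out=<planfile>` followed by `terraform show -json <planfile>`; that JSON contains sensitive values in plain text, so the file itself needs the same handling as the secret.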
