Public/Add-DatabricksSecretScope.ps1

<#
 
.SYNOPSIS
    Create a scope to store Databricks secret in.
 
.DESCRIPTION
    Create a scope to store Databricks secret in. Note the the Set-DatabricksSecret command creates the scope if it does not exist.
    Populate KeyVaultResourceId to create a scope from a Key Vault
 
.PARAMETER BearerToken
    Your Databricks Bearer token to authenticate to your workspace (see User Settings in Databricks WebUI)
 
.PARAMETER Region
    Azure Region - must match the URL of your Databricks workspace, example northeurope
 
.PARAMETER ScopeName
    Name for the scope - do not include spaces or special characters.
 
.PARAMETER KeyVaultResourceId
    Resource ID for a Key Vault to attach this scope to an Azure Key Vault. Should be in the URI form,
    see the properties blade of your Key Vault and copy the RESOURCE ID
    THIS IS IN PREVIEW AND NOT OFFICALLY SUPPORTED BY DATABRICKS YET
 
.PARAMETER AllUserAccess
    By default only the user creating the scope has access to secrets. When you set this flag all users will
    have access. Hopefully better permissions controls will come.
 
.EXAMPLE
C:\PS> Add-DatabricksSecretScope -BearerToken $BearerToken -Region $Region -ScopeName "Test1"
 
This example creates a scope called Test1
 
.NOTES
    Author: Simon D'Morias / Data Thirst Ltd
 
#>



Function Add-DatabricksSecretScope
{
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$true)][string]$BearerToken,
        [parameter(Mandatory=$true)][string]$Region,
        [parameter(Mandatory=$true)][string]$ScopeName,
        [parameter(Mandatory=$false)][string]$KeyVaultResourceId,
        [parameter(Mandatory=$false)][switch]$AllUserAccess
    )

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    
    $InternalBearerToken = Format-BearerToken($BearerToken)
    $Region = $Region.Replace(" ","")
    $body = @{}
    $body['scope'] = $ScopeName

    if ($PSBoundParameters.ContainsKey('AllUserAccess')){$body['initial_manage_principal'] = "users"}

    # Key Vault backed Scope (This is in preview only)
    if ($PSBoundParameters.ContainsKey('KeyVaultResourceId')){
        $kv = @{}
        $kv['resource_id'] = $KeyVaultResourceId
        $LastPart = $KeyVaultResourceId.split('/')[-1]
        $kv['dns_name'] = "https://$LastPart.vault.azure.net/"
        
        $body['scope_backend_type'] = 2
        $body['backend_azure_keyvault'] = $kv
    }
    
    $BodyText = $Body | ConvertTo-Json -Depth 10

    Try
    {
        Invoke-RestMethod -Method Post -Body $BodyText -Uri "https://$Region.azuredatabricks.net/api/2.0/secrets/scopes/create" -Headers @{Authorization = $InternalBearerToken} -OutFile $OutFile
        Write-Verbose "Secret Scope $ScopeName created"
    }
    Catch
    {
        $err = $_.ErrorDetails.Message
        if ($err.Contains('already exists'))
        {
            Write-Verbose $err
        }
        else
        {
            throw
        }
    }

}