
feat: disable access to DBFS root #8

Status: Open. Wants to merge 2 commits into base: main
5 changes: 2 additions & 3 deletions README.md
Expand Up @@ -374,6 +374,7 @@ No modules.
| [databricks_cluster_policy.overrides](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
| [databricks_cluster_policy.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
| [databricks_database_instance.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/database_instance) | resource |
| [databricks_disable_legacy_dbfs_setting.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/disable_legacy_dbfs_setting) | resource |
| [databricks_entitlements.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/entitlements) | resource |
| [databricks_group.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group) | resource |
| [databricks_ip_access_list.allowed_list](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list) | resource |
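Review bot: the new `databricks_disable_legacy_dbfs_setting.this` row is in the right alphabetical slot, but this table looks terraform-docs generated (the `<a name="input_...">` anchors further down are its signature), so please confirm the README was regenerated rather than hand-edited; otherwise the resource and input tables drift apart on the next regeneration.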
Expand All @@ -387,7 +388,6 @@ No modules.
| [databricks_secret_scope.main](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_scope) | resource |
| [databricks_secret_scope.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_scope) | resource |
| [databricks_sql_endpoint.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/sql_endpoint) | resource |
| [databricks_system_schema.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/system_schema) | resource |
| [databricks_token.pat](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token) | resource |
| [databricks_workspace_conf.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/workspace_conf) | resource |
| [databricks_current_metastore.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/current_metastore) | data source |
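Review bot: dropping `databricks_system_schema.this` is outside the scope of a PR titled "disable access to DBFS root"; if the removal is intentional, either split it into its own PR or state it explicitly in the description, because removing the resource from the module means Terraform will plan to destroy the system schemas of every caller that had them enabled.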
Expand All @@ -403,6 +403,7 @@ No modules.
| <a name="input_custom_cluster_policies"></a> [custom\_cluster\_policies](#input\_custom\_cluster\_policies) | Provides an ability to create custom cluster policy, assign it to cluster and grant CAN\_USE permissions on it to certain custom groups<br/>name - name of custom cluster policy to create<br/>can\_use - list of string, where values are custom group names, there groups have to be created with Terraform;<br/>definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; | <pre>list(object({<br/> name = string<br/> can_use = list(string)<br/> definition = any<br/> }))</pre> | <pre>[<br/> {<br/> "can_use": null,<br/> "definition": null,<br/> "name": null<br/> }<br/>]</pre> | no |
| <a name="input_custom_config"></a> [custom\_config](#input\_custom\_config) | Map of AD databricks workspace custom config | `map(string)` | <pre>{<br/> "enable-X-Content-Type-Options": "true",<br/> "enable-X-Frame-Options": "true",<br/> "enable-X-XSS-Protection": "true",<br/> "enableDbfsFileBrowser": "false",<br/> "enableExportNotebook": "false",<br/> "enableIpAccessLists": "true",<br/> "enableNotebookTableClipboard": "false",<br/> "enableResultsDownloading": "false",<br/> "enableUploadDataUis": "false",<br/> "enableVerboseAuditLogs": "true",<br/> "enforceUserIsolation": "true",<br/> "storeInteractiveNotebookResultsInCustomerAccount": "true"<br/>}</pre> | no |
| <a name="input_default_cluster_policies_override"></a> [default\_cluster\_policies\_override](#input\_default\_cluster\_policies\_override) | Provides an ability to override default cluster policy<br/>name - name of cluster policy to override<br/>family\_id - family id of corresponding policy<br/>definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; | <pre>list(object({<br/> name = string<br/> family_id = string<br/> definition = any<br/> }))</pre> | <pre>[<br/> {<br/> "definition": null,<br/> "family_id": null,<br/> "name": null<br/> }<br/>]</pre> | no |
| <a name="input_disable_legacy_dbfs"></a> [disable\_legacy\_dbfs](#input\_disable\_legacy\_dbfs) | Disables access to DBFS root and mounts in your existing Databricks workspace.<br/>When set to true:<br/>- Access to DBFS root and mounted paths is blocked.<br/>- Manual restart of all-purpose compute clusters and SQL warehouses is required after enabling this setting.<br/>- Note: This setting only takes effect when disabling access. Re-enabling must be done manually via the Databricks UI. | `bool` | `false` | no |
| <a name="input_iam_account_groups"></a> [iam\_account\_groups](#input\_iam\_account\_groups) | List of objects with group name and entitlements for this group | <pre>list(object({<br/> group_name = optional(string)<br/> entitlements = optional(list(string))<br/> }))</pre> | `[]` | no |
| <a name="input_iam_workspace_groups"></a> [iam\_workspace\_groups](#input\_iam\_workspace\_groups) | Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements. | <pre>map(object({<br/> user = optional(list(string))<br/> service_principal = optional(list(string))<br/> entitlements = optional(list(string))<br/> }))</pre> | `{}` | no |
| <a name="input_ip_addresses"></a> [ip\_addresses](#input\_ip\_addresses) | A map of IP address ranges | `map(string)` | <pre>{<br/> "all": "0.0.0.0/0"<br/>}</pre> | no |
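Review bot: the `disable_legacy_dbfs` description says the setting "only takes effect when disabling access" and that re-enabling is manual, but it does not say what a caller should expect when the variable is later set back to `false`: the apply will succeed while the workspace stays locked, so the documented state and the real state diverge. Add a sentence making that one-way behaviour explicit, and consider pointing out that the existing `custom_config` defaults (`enableDbfsFileBrowser` = `"false"`) only hide the UI browser, whereas this setting is what actually blocks DBFS root and mount access from compute.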
Expand All @@ -415,8 +416,6 @@ No modules.
| <a name="input_secret_scope"></a> [secret\_scope](#input\_secret\_scope) | Provides an ability to create custom Secret Scope, store secrets in it and assigning ACL for access management<br/>scope\_name - name of Secret Scope to create;<br/>acl - list of objects, where 'principal' custom group name, this group is created in 'Premium' module; 'permission' is one of "READ", "WRITE", "MANAGE";<br/>secrets - list of objects, where object's 'key' param is created key name and 'string\_value' is a value for it; | <pre>list(object({<br/> scope_name = string<br/> scope_acl = optional(list(object({<br/> principal = string<br/> permission = string<br/> })))<br/> secrets = optional(list(object({<br/> key = string<br/> string_value = string<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_sql_endpoint"></a> [sql\_endpoint](#input\_sql\_endpoint) | Set of objects with parameters to configure SQL Endpoint and assign permissions to it for certain custom groups | <pre>set(object({<br/> name = string<br/> cluster_size = optional(string, "2X-Small")<br/> min_num_clusters = optional(number, 0)<br/> max_num_clusters = optional(number, 1)<br/> auto_stop_mins = optional(string, "30")<br/> enable_photon = optional(bool, false)<br/> enable_serverless_compute = optional(bool, false)<br/> spot_instance_policy = optional(string, "COST_OPTIMIZED")<br/> warehouse_type = optional(string, "PRO")<br/> permissions = optional(set(object({<br/> group_name = string<br/> permission_level = string<br/> })), [])<br/> }))</pre> | `[]` | no |
| <a name="input_suffix"></a> [suffix](#input\_suffix) | Optional suffix that would be added to the end of resources names. | `string` | `""` | no |
| <a name="input_system_schemas"></a> [system\_schemas](#input\_system\_schemas) | Set of strings with all possible System Schema names | `set(string)` | <pre>[<br/> "access",<br/> "compute",<br/> "marketplace",<br/> "storage",<br/> "serving",<br/> "query",<br/> "lakeflow"<br/>]</pre> | no |
| <a name="input_system_schemas_enabled"></a> [system\_schemas\_enabled](#input\_system\_schemas\_enabled) | System Schemas only works with assigned Unity Catalog Metastore. Boolean flag to enabled this feature | `bool` | `false` | no |
| <a name="input_workspace_admin_token_enabled"></a> [workspace\_admin\_token\_enabled](#input\_workspace\_admin\_token\_enabled) | Boolean flag to specify whether to create Workspace Admin Token | `bool` | n/a | yes |

## Outputs
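Review bot: removing the `system_schemas` and `system_schemas_enabled` inputs is a breaking interface change for any root module that still passes them; record it in the changelog and bump the module's major version so consumers are not surprised by unsupported-argument errors on upgrade.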
8 changes: 4 additions & 4 deletions main.tf
Expand Up @@ -16,8 +16,8 @@ resource "databricks_token" "pat" {
lifetime_seconds = var.pat_token_lifetime_seconds
}

resource "databricks_system_schema" "this" {
for_each = var.system_schemas_enabled ? var.system_schemas : toset([])

schema = each.value
resource "databricks_disable_legacy_dbfs_setting" "this" {
disable_legacy_dbfs {
value = var.disable_legacy_dbfs
}
}
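Review bot: `databricks_disable_legacy_dbfs_setting.this` is created unconditionally with `value = var.disable_legacy_dbfs`, so with the default `false` the module manages a setting resource that does nothing, and a later `true` to `false` change applies cleanly even though the variable description says access cannot be re-enabled this way. Gate the resource on the variable instead, for example `count = var.disable_legacy_dbfs ? 1 : 0`, so it exists only while the hardening is on, and verify what the provider does on destroy of this resource against the "re-enabling must be done manually" claim before merging. Separately, the deleted `databricks_system_schema` block in the same hunk is unrelated to the DBFS change and will cause a destroy plan for callers that had `system_schemas_enabled = true`.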
25 changes: 13 additions & 12 deletions variables.tf
Expand Up @@ -215,18 +215,6 @@ variable "mountpoints" {
default = {}
}

variable "system_schemas" {
type = set(string)
description = "Set of strings with all possible System Schema names"
default = ["access", "compute", "marketplace", "storage", "serving", "query", "lakeflow"]
}

variable "system_schemas_enabled" {
type = bool
description = "System Schemas only works with assigned Unity Catalog Metastore. Boolean flag to enabled this feature"
default = false
}

variable "default_cluster_policies_override" {
type = list(object({
name = string
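Review bot: deleting the `system_schemas` and `system_schemas_enabled` declarations means any caller still passing them fails at plan time with an unsupported-argument error, and there is no deprecation path; if the removal is intended, keep the variables for one release with a deprecation note in their description, or at least document the migration step in the PR description.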
Expand Down Expand Up @@ -292,3 +280,16 @@ To deploy and use an OLTP database instance in Databricks:
- Database instances can only be deleted manually through the Databricks UI or using the Databricks CLI with the --purge option.
DESCRIPTION
}

# Disable access to DBFS root
variable "disable_legacy_dbfs" {
type = bool
default = false
description = <<DESCRIPTION
Disables access to DBFS root and mounts in your existing Databricks workspace.
When set to true:
- Access to DBFS root and mounted paths is blocked.
- Manual restart of all-purpose compute clusters and SQL warehouses is required after enabling this setting.
- Note: This setting only takes effect when disabling access. Re-enabling must be done manually via the Databricks UI.
DESCRIPTION
}
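Review bot: the description documents a one-way setting (the "Note" bullet says re-enabling is manual via the UI) but the variable type `bool` with `default = false` implies it is freely toggleable; add a line stating that setting it back to `false` in Terraform does not restore access, and since the setting requires a restart of all-purpose compute and SQL warehouses, note that enabling it should be scheduled in a maintenance window rather than applied alongside unrelated changes.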