databricks · ilyakuz-db · Mar 25, 2025 · Mar 21, 2025 · Mar 22, 2025 · Mar 22, 2025
@@ -11,5 +11,6 @@
 * Added support for volumes in deployment bind/unbind commands ([#2527](https://github.com/databricks/cli/pull/2527))
 * Added support for dashboards in deployment bind/unbind commands ([#2516](https://github.com/databricks/cli/pull/2516))
 * Added support for registered models in deployment bind/unbind commands ([#2556](https://github.com/databricks/cli/pull/2556))
+* Added a mismatch check when host is defined in config and as an env variable ([#2549](https://github.com/databricks/cli/pull/2549))
 
 ### API Changes
@@ -0,0 +1,5 @@
+[DEFAULT]
+host = https://bar.com
+
+[profile_with_matching_host]
+host = $DATABRICKS_HOST
@@ -0,0 +1,11 @@
+bundle:
+  name: test-auth
+
+targets:
+  match:
+    default: true
+    workspace:
+      host: $DATABRICKS_HOST
+  not_match:
+    workspace:
+      host: https://foo.com
@@ -0,0 +1,35 @@
+
+=== Bundle commands load bundle configuration with DATABRICKS_HOST defined, validation not OK (env-defined host doesn't match bundle host)
+>>> errcode [CLI] bundle validate -t not_match
+Error: cannot resolve bundle auth configuration: config host mismatch: DATABRICKS_HOST is defined as [DATABRICKS_HOST], but CLI configured to use https://foo.com
+
+Name: test-auth
+Target: not_match
+Workspace:
+  Host: https://foo.com
+
+Found 1 error
+
+Exit code: 1
+
+=== Bundle commands load bundle configuration with DATABRICKS_HOST defined, validation OK (env-defined host matches bundle host)
+>>> errcode [CLI] bundle validate -t match
+Name: test-auth
+Target: match
+Workspace:
+  Host: [DATABRICKS_HOST]
+  User: [USERNAME]
+  Path: /Workspace/Users/[USERNAME]/.bundle/test-auth/match
+
+Validation OK!
+
+=== Bundle commands load bundle configuration with -p flag with DATABRICKS_HOST defined, host in profile matches bundle host but env-defined host doesn't
+>>> errcode [CLI] bundle validate -t match -p profile_with_matching_host
+Name: test-auth
+Target: match
+Workspace:
+  Host: [DATABRICKS_HOST]
+  User: [USERNAME]
+  Path: /Workspace/Users/[USERNAME]/.bundle/test-auth/match
+
+Validation OK!
@@ -0,0 +1,15 @@
+# Replace placeholder with an actual host URL
+envsubst < databricks.yml > out.yml && mv out.yml databricks.yml
+envsubst < .databrickscfg > out && mv out .databrickscfg
+
+export DATABRICKS_CONFIG_FILE=.databrickscfg
+
+title "Bundle commands load bundle configuration with DATABRICKS_HOST defined, validation not OK (env-defined host doesn't match bundle host)"
+trace errcode $CLI bundle validate -t not_match
+
+title "Bundle commands load bundle configuration with DATABRICKS_HOST defined, validation OK (env-defined host matches bundle host)"
+trace errcode $CLI bundle validate -t match
+
+export DATABRICKS_HOST="https://baz.com"
+title "Bundle commands load bundle configuration with -p flag with DATABRICKS_HOST defined, host in profile matches bundle host but env-defined host doesn't"
+trace errcode $CLI bundle validate -t match -p profile_with_matching_host
@@ -0,0 +1,5 @@
+# Some of the clouds have DATABRICKS_HOST variable setup without https:// prefix
+# In the result, output is replaced with DATABRICKS_URL variable instead of DATABRICKS_HOST
+[[Repls]]
+Old='DATABRICKS_URL'
+New='DATABRICKS_HOST'
@@ -17,7 +17,6 @@
 10:07:59 Debug: Apply pid=12345 mutator=<func>
 10:07:59 Info: Phase: initialize pid=12345
 10:07:59 Debug: Apply pid=12345 mutator=validate:AllResourcesHaveValues
-10:07:59 Debug: Apply pid=12345 mutator=validate:interpolation_in_auth_config
 10:07:59 Debug: Apply pid=12345 mutator=RewriteSyncPaths
 10:07:59 Debug: Apply pid=12345 mutator=SyncDefaultPath
 10:07:59 Debug: Apply pid=12345 mutator=SyncInferRoot

@@ -7,19 +7,14 @@ Warning: Variable interpolation is not supported for fields that configure authe
 Interpolation is not supported for the field workspace.host. Please set
 the DATABRICKS_HOST environment variable if you wish to configure this field at runtime.
 
-Error: failed during request visitor: parse "https://${var.host}": invalid character "{" in host name
+Error: cannot resolve bundle auth configuration: config host mismatch: DATABRICKS_HOST is defined as [DATABRICKS_URL], but CLI configured to use ${var.host}
 
 {
   "bundle": {
     "environment": "default",
     "name": "host",
     "target": "default"
   },
-  "sync": {
-    "paths": [
-      "."
-    ]
-  },
   "targets": null,
   "variables": {
     "host": {
@@ -41,7 +36,7 @@ Warning: Variable interpolation is not supported for fields that configure authe
 Interpolation is not supported for the field workspace.host. Please set
 the DATABRICKS_HOST environment variable if you wish to configure this field at runtime.
 
-Error: failed during request visitor: parse "https://${var.host}": invalid character "{" in host name
+Error: cannot resolve bundle auth configuration: config host mismatch: DATABRICKS_HOST is defined as [DATABRICKS_URL], but CLI configured to use ${var.host}
 
 Name: host
 Target: default

@@ -1,10 +1,12 @@
 package config
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 
 	"github.com/databricks/cli/libs/databrickscfg"
+	"github.com/databricks/cli/libs/workspace"
 	"github.com/databricks/databricks-sdk-go"
 	"github.com/databricks/databricks-sdk-go/config"
 	"github.com/databricks/databricks-sdk-go/marshal"
@@ -148,9 +150,34 @@ func (w *Workspace) Client() (*databricks.WorkspaceClient, error) {
 		}
 	}
 
+	if w.Host != "" && w.Profile == "" {
+		err := validateConfigAndEnvHost(cfg)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return databricks.NewWorkspaceClient((*databricks.Config)(cfg))
 }
 
+func validateConfigAndEnvHost(cfg *config.Config) error {
+	var hostEnvName, hostEnvVal string
+	for _, attr := range config.ConfigAttributes {
+		if attr.Name == "host" {
+			hostEnvVal, hostEnvName = attr.ReadEnv()
+			break
+		}
+	}
+	if hostEnvName == "" || hostEnvVal == "" {
+		return nil
+	}
+
+	if !workspace.MatchHost(hostEnvVal, cfg.Host) {
+		return fmt.Errorf("config host mismatch: %s is defined as %s, but CLI configured to use %s", hostEnvName, hostEnvVal, cfg.Host)
+	}
+	return nil
+}
+
 func init() {
 	arg0 := os.Args[0]
 

@@ -27,7 +27,6 @@ func Initialize(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
 
 	return bundle.ApplySeq(ctx, b,
 		validate.AllResourcesHaveValues(),
-		validate.NoInterpolationInAuthConfig(),
 
 		// Update all path fields in the sync block to be relative to the bundle root path.
 		mutator.RewriteSyncPaths(),

@@ -2,12 +2,16 @@ package root
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/env"
 	"github.com/databricks/cli/bundle/phases"
+	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/cmdctx"
 	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/dyn"
+	"github.com/databricks/cli/libs/dyn/dynvar"
 	envlib "github.com/databricks/cli/libs/env"
 	"github.com/spf13/cobra"
 	"golang.org/x/exp/maps"
@@ -94,6 +98,8 @@ func configureBundle(cmd *cobra.Command, b *bundle.Bundle) (*bundle.Bundle, diag
 		return b, diags
 	}
 
+	diags = diags.Extend(checkVariablesInAuthFields(b))
+
 	// Set the auth configuration in the command context. This can be used
 	// downstream to initialize a API client.
 	//
@@ -181,3 +187,64 @@ func initEnvironmentFlag(cmd *cobra.Command) {
 	cmd.PersistentFlags().MarkDeprecated("environment", "use --target flag instead")
 	cmd.RegisterFlagCompletionFunc("environment", targetCompletion)
 }
+
+func checkVariablesInAuthFields(b *bundle.Bundle) diag.Diagnostics {
+	authFields := []string{
+		// Generic attributes.
+		"host",
+		"profile",
+		"auth_type",
+		"metadata_service_url",
+
+		// OAuth specific attributes.
+		"client_id",
+
+		// Google specific attributes.
+		"google_service_account",
+
+		// Azure specific attributes.
+		"azure_resource_id",
+		"azure_use_msi",
+		"azure_client_id",
+		"azure_tenant_id",
+		"azure_environment",
+		"azure_login_app_id",
+	}
+
+	diags := diag.Diagnostics{}
+
+	for _, fieldName := range authFields {
+		p := dyn.NewPath(dyn.Key("workspace"), dyn.Key(fieldName))
+		v, err := dyn.GetByPath(b.Config.Value(), p)
+		if dyn.IsNoSuchKeyError(err) {
+			continue
+		}
+		if err != nil {
+			return diag.FromErr(err)
+		}
+
+		vv, ok := v.AsString()
+		if !ok {
+			continue
+		}
+
+		// Check if the field contains interpolation.
+		if dynvar.ContainsVariableReference(vv) {
+			envVar, ok := auth.GetEnvFor(fieldName)
+			if !ok {
+				continue
+			}
+
+			diags = append(diags, diag.Diagnostic{
+				Severity: diag.Warning,
+				Summary:  "Variable interpolation is not supported for fields that configure authentication",
+				Detail: fmt.Sprintf(`Interpolation is not supported for the field %s. Please set
+the %s environment variable if you wish to configure this field at runtime.`, p.String(), envVar),
+				Locations: v.Locations(),
+				Paths:     []dyn.Path{p},
+			})
+		}
+	}
+
+	return diags
+}