onehouse_catalog

Configures an external catalog. Onehouse syncs table metadata to the catalog so external query engines (Spark, Trino, Athena, etc.) can discover and read Onehouse tables.

Canonical reference

This page documents Terraform-specific behavior (HCL syntax, types, mutability, drift, import). For full parameter semantics, valid values, and defaults, see CREATE CATALOG and DELETE CATALOG.

Example Usage

AWS Glue catalog

resource "onehouse_catalog" "glue" {
  name = "prod-glue"
  type = "GLUE"
  glue {
    region = "us-west-2"
  }
}

Hive Metastore catalog

resource "onehouse_catalog" "hive" {
  name = "internal-hive"
  type = "HIVE"
  hive {
    metastore_servers = [
      "thrift://hms.internal.example.com:9083",
    ]
  }
}

Unity Catalog (with secret-managed token)

resource "onehouse_catalog" "unity" {
  name = "prod-unity"
  type = "UNITY"
  unity {
    databricks_host       = "https://dbc-91697e55-175d.cloud.databricks.com"
    http_path             = "sql/protocolv1/o/4044103294663248/0923-070957-cgil4gk"
    catalog_name          = "production_data"
    credential_type       = "SECRET_MANAGER"
    auth_token_reference  = "arn:aws:secretsmanager:us-west-2:111122223333:secret:databricks-token-AbCdEf"
  }
}

warning

With credential_type = "ONEHOUSE", the auth_token is stored in Terraform state in plain text. Use credential_type = "SECRET_MANAGER" in production and reference a cloud-provider secret manager ARN/ID via auth_token_reference.

OneTable catalog

resource "onehouse_catalog" "onetable" {
  name = "onetable-prod"
  type = "ONETABLE"
  onetable {
    target_formats = ["iceberg", "delta"]
  }
}

DataHub catalog

resource "onehouse_catalog" "datahub" {
  name = "datahub-prod"
  type = "DATAHUB"
  datahub {
    server_url              = "https://datahub.internal.example.com"
    credential_type         = "SECRET_MANAGER"
    auth_token_reference    = "arn:aws:secretsmanager:us-west-2:111122223333:secret:datahub-AbCdEf"
  }
}

Argument Reference

Top-level

Argument	Type	Required	Mutability	Description
`name`	string	✅	Immutable	Catalog name.
`type`	string	✅	Immutable	One of `GLUE`, `HIVE`, `UNITY`, `ONETABLE`, `DATAHUB`. → details below

Exactly one of glue {}, hive {}, unity {}, onetable {}, or datahub {} must be set, matching the type value.

`type` — when to pick each value

Value	Use when
`GLUE`	You want AWS Glue Data Catalog discovery for Athena, EMR, Redshift Spectrum. → details
`HIVE`	You have a Hive Metastore (e.g., internal Spark/Hive deployments). → details
`UNITY`	You use Databricks Unity Catalog. → details
`ONETABLE`	Cross-format table interop via OneTable (Hudi / Iceberg / Delta interop). → details
`DATAHUB`	You use DataHub for data discovery and lineage. → details

`glue {}` block

Argument	Type	Required	Description
`region`	string		AWS region of the Glue Data Catalog. Defaults to the project region when omitted.
`arn`	string		Glue catalog ARN. Required for cross-account access; omit for same-account.

`hive {}` block

Argument	Type	Required	Description
`metastore_servers`	list(string)	✅	One or more Thrift URIs (`thrift://host:port`). Server tries to connect on CREATE, so URIs must be reachable from the Onehouse control plane. → details

`unity {}` block

Argument	Type	Required	Description
`databricks_host`	string	✅	Databricks workspace URL (e.g. `https://dbc-xxx.cloud.databricks.com`).
`http_path`	string	✅	Databricks SQL warehouse HTTP path. → details
`catalog_name`	string	✅	Name of the catalog inside Unity.
`credential_type`	string	✅	`ONEHOUSE` (token stored in state — testing only) or `SECRET_MANAGER` (cloud-secret-manager reference). → details
`auth_token`	string	when `credential_type = "ONEHOUSE"`	Databricks personal access token. Sensitive.
`auth_token_reference`	string	when `credential_type = "SECRET_MANAGER"`	Cloud secret ARN/ID containing the PAT.

`onetable {}` block

Argument	Type	Required	Description
`target_formats`	set(string)		Target table formats. Subset of `delta`, `iceberg`. → details

`datahub {}` block

Argument	Type	Required	Description
`server_url`	string		DataHub server URL.
`data_platform_name`	string		Identifier for the Hudi platform in DataHub.
`dataset_environment`	string		DataHub environment (e.g. `prod`, `dev`).
`credential_type`	string		`ONEHOUSE` (default) or `SECRET_MANAGER`. → details
`auth_token`	string	when `credential_type = "ONEHOUSE"`	DataHub auth token. Sensitive.
`auth_token_reference`	string	when `credential_type = "SECRET_MANAGER"`	Cloud secret ARN/ID.

Attribute Reference

Attribute	Type	Description
`id`	string	Catalog UUID assigned by Onehouse.
`created_at`	string	Creation time in RFC3339.
`created_by`	string	Identity that created the catalog.

Import

terraform import onehouse_catalog.glue prod-glue

After import, the server does not return sensitive fields (unity.auth_token, datahub.auth_token, etc.). Re-supply them in your .tf file before the next terraform apply to avoid a forced replacement.

Data Source

data "onehouse_catalog" "lookup" {
  name = "prod-glue"
}

output "catalog_type" {
  value = data.onehouse_catalog.lookup.type
}

Limitations

No Update. The API has no ALTER CATALOG — any field change forces destroy + recreate.
BIGQUERY and DATAPROC catalog types are tracked under ENG-41407 and not yet supported by the provider.

Example Usage​

AWS Glue catalog​

Hive Metastore catalog​

Unity Catalog (with secret-managed token)​

OneTable catalog​

DataHub catalog​

Argument Reference​

Top-level​

type — when to pick each value​

glue {} block​

hive {} block​

unity {} block​

onetable {} block​

datahub {} block​

Attribute Reference​

Import​

Data Source​

Limitations​