Merge pull request #22 from data-platform-hq/feat/secret_scope

owlleg6 · web-flow · commit 15573ddbff8d · 2023-05-15T21:22:18.000+03:00
feat: azure backed databricks secret scope
diff --git a/README.md b/README.md
@@ -251,14 +251,14 @@ module "databricks_runtime_premium" {
 | Name                                                                         | Version   |
 | ---------------------------------------------------------------------------- | --------- |
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform)    | >= 1.0.0  |
-| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | >= 1.9.2  |
+| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | >= 1.14.2 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm)          | >= 3.40.0 |
 
 ## Providers
 
 | Name                                                                   | Version |
 | ---------------------------------------------------------------------- | ------- |
-| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | 1.9.2   |
+| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | 1.14.2  |
 | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm)          | 3.40.0  |
 
 ## Modules
@@ -302,7 +302,8 @@ No modules.
 | [databricks_secret_scope.main](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_scope)                                    | resource |
 | [databricks_secret_scope.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_scope)                                    | resource |
 | [databricks_secret.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret)                                                | resource |
-
+| [azurerm_key_vault_access_policy.databricks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy)               | resource |
+| [databricks_secret_scope.external](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_scope)                                | resource |
 
 
 
@@ -338,6 +339,7 @@ No modules.
 | <a name="input_pat_token_lifetime_seconds"></a> [pat\_token\_lifetime\_seconds](#input\_pat\_token\_lifetime\_seconds) | The lifetime of the token, in seconds. If no lifetime is specified, the token remains valid indefinitely                                                                                                                                                                                                                                                                                    | `number`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | 315569520                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |    no    |
 | <a name="input_mount_adls_passthrough"></a> [mount\_adls\_passthrough](#input\_mount\_adls\_passthrough)               | Boolean flag to use mount options for credentals passthrough. Should be used with mount_cluster_name, specified cluster should have option cluster_conf_passthrought == true                                                                                                                                                                                                                | `bool`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | false                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |    no    |
 | <a name="input_mount_cluster_name"></a> [mount\_cluster\_name](#input\_mount\_cluster\_name)                           | Name of the cluster that will be used during storage mounting. If mount_adls_passthrough == true, cluster should also have option cluster_conf_passthrought == true. When mount_cluster_name is not specified, it will create the smallest possible cluster in the default availability zone with name equal to or starting with terraform-mount for the shortest possible amount of time.  | `string`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | null                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |    no    |
+| <a name="input_key_vault_secret_scope"></a> [key\_vault\_secret\_scope](#input\_key\_vault\_secret\_scope) | Object with Azure Key Vault parameters required for creation of Azure-backed Databricks Secret scope. | <pre>object({<br>  key_vault_id = string<br>  dns_name     = string<br>})<br></pre> | <pre>{<br>  key_vault_id = null<br>  dns_name     = null<br>}</pre> |    no    |
 
 
 
diff --git a/secrets.tf b/secrets.tf
@@ -44,31 +44,27 @@ resource "databricks_secret" "this" {
   scope        = databricks_secret_scope.this[each.value.scope_name].id
 }
 
-# At the nearest future, Azure will allow acquiring AAD tokens by service principals,
-# thus providing an ability to create Azure backed Key Vault with Terraform
-# https://github.com/databricks/terraform-provider-databricks/pull/1965
+# Azure Key Vault-backed Scope
+resource "azurerm_key_vault_access_policy" "databricks" {
+  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
 
-## Azure Key Vault-backed Scope
-#resource "azurerm_key_vault_access_policy" "databricks" {
-#  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
+  key_vault_id = var.key_vault_secret_scope.key_vault_id
+  object_id    = "9b38785a-6e08-4087-a0c4-20634343f21f" # Global 'AzureDatabricks' SP object id
+  tenant_id    = data.azurerm_key_vault_secret.tenant_id.value
 
-#  key_vault_id = var.key_vault_secret_scope.key_vault_id
-#  object_id    = "9b38785a-6e08-4087-a0c4-20634343f21f" # Global 'AzureDatabricks' SP object id
-#  tenant_id    = data.azurerm_key_vault_secret.tenant_id.value
-#
-#  secret_permissions = [
-#    "Get",
-#    "List",
-#  ]
-#}
-#
-#resource "databricks_secret_scope" "external" {
-#  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
-#
-#  name = "external"
-#  keyvault_metadata {
-#    resource_id = var.key_vault_secret_scope.key_vault_id
-#    dns_name    = var.key_vault_secret_scope.dns_name
-#  }
-#  depends_on = [azurerm_key_vault_access_policy.databricks]
-#}
+  secret_permissions = [
+    "Get",
+    "List",
+  ]
+}
+
+resource "databricks_secret_scope" "external" {
+  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
+
+  name = "external"
+  keyvault_metadata {
+    resource_id = var.key_vault_secret_scope.key_vault_id
+    dns_name    = var.key_vault_secret_scope.dns_name
+  }
+  depends_on = [azurerm_key_vault_access_policy.databricks]
+}
diff --git a/variables.tf b/variables.tf
@@ -265,3 +265,15 @@ variable "mount_cluster_name" {
   description = "Name of the cluster that will be used during storage mounting. If mount_adls_passthrough == true, cluster should also have option cluster_conf_passthrought == true"
   default     = null
 }
+
+variable "key_vault_secret_scope" {
+  type = object({
+    key_vault_id = string
+    dns_name     = string
+  })
+  description = "Object with Azure Key Vault parameters required for creation of Azure-backed Databricks Secret scope"
+  default = {
+    key_vault_id = null
+    dns_name     = null
+  }
+}
diff --git a/versions.tf b/versions.tf
@@ -8,7 +8,7 @@ terraform {
     }
     databricks = {
       source  = "databricks/databricks"
-      version = ">=1.9.2"
+      version = ">=1.14.2"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ terraform {`
`8`	`8`	`}`
`9`	`9`	`databricks = {`
`10`	`10`	`source = "databricks/databricks"`
`11`		`- version = ">=1.9.2"`
	`11`	`+ version = ">=1.14.2"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`