Merge pull request #5 from data-platform-hq/unity_catalog

feat: unity catalog

Author: owlleg6

README.md

@@ -101,18 +101,3 @@ resource "databricks_permissions" "sql_endpoint" {
 
   depends_on = [databricks_group.this]
 }
-
-resource "databricks_permissions" "token" {
-  authorization = "tokens"
-
-  dynamic "access_control" {
-    for_each = { for entry in flatten([for resource, permissions in var.iam_permissions : [for permission, groups in permissions : [for group in groups : {
-      resource = resource, permission = permission, group = group
-    } if resource == "token"]]]) : "${entry.resource}.${entry.permission}.${entry.group}" => entry }
-    content {
-      group_name       = access_control.value.group
-      permission_level = access_control.value.permission
-    }
-  }
-  depends_on = [databricks_group.this]
-}

iam.tf

@@ -1,5 +1,6 @@
 locals {
   ip_rules = var.ip_rules == null ? null : values(var.ip_rules)
+  suffix   = length(var.suffix) == 0 ? "" : "-${var.suffix}"
 }
 
 resource "databricks_workspace_conf" "this" {
@@ -23,7 +24,7 @@ resource "databricks_ip_access_list" "this" {
 resource "databricks_sql_endpoint" "this" {
   for_each = var.sql_endpoint
 
-  name                      = "${each.key}-${var.project}-${var.env}"
+  name                      = "${each.key}-${var.project}-${var.env}${local.suffix}"
   cluster_size              = lookup(each.value, "cluster_size", var.default_values_sql_endpoint["cluster_size"])
   min_num_clusters          = lookup(each.value, "min_num_clusters", var.default_values_sql_endpoint["min_num_clusters"])
   max_num_clusters          = lookup(each.value, "max_num_clusters", var.default_values_sql_endpoint["max_num_clusters"])

main.tf

@@ -7,3 +7,8 @@ output "sql_endpoint_data_source_id" {
   value       = [for n in databricks_sql_endpoint.this : n.data_source_id]
   description = "ID of the data source for this endpoint"
 }
+
+output "metastore_id" {
+  value       = var.create_metastore ? databricks_metastore.this[0].id : ""
+  description = "Unity Catalog Metastore Id"
+}

outputs.tf

@@ -0,0 +1,135 @@
+resource "azurerm_storage_data_lake_gen2_filesystem" "this" {
+  count = var.create_metastore ? 1 : 0
+
+  name               = "meta-${var.project}-${var.env}"
+  storage_account_id = var.storage_account_id
+
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for variable in [var.storage_account_id, var.access_connector_id, var.storage_account_name] : false if length(variable) == 0
+      ])
+      error_message = "To create Metastore in a Region it is required to provide proper values for these variables: access_connector_id, storage_account_id, storage_account_name"
+    }
+  }
+}
+
+resource "databricks_metastore" "this" {
+  count = var.create_metastore ? 1 : 0
+
+  name          = "meta-${var.project}-${var.env}-${var.location}${local.suffix}"
+  storage_root  = format("abfss://%s@%s.dfs.core.windows.net/", azurerm_storage_data_lake_gen2_filesystem.this[0].name, var.storage_account_name)
+  force_destroy = true
+}
+
+resource "databricks_grants" "metastore" {
+  for_each = !var.create_metastore && length(var.external_metastore_id) == 0 ? {} : {
+    for k, v in var.metastore_grants : k => v
+    if v != null
+  }
+
+  metastore = length(var.external_metastore_id) == 0 ? databricks_metastore.this[0].id : var.external_metastore_id
+  grant {
+    principal  = each.key
+    privileges = each.value
+  }
+}
+
+resource "databricks_metastore_data_access" "this" {
+  count = var.create_metastore ? 1 : 0
+
+  metastore_id = databricks_metastore.this[0].id
+  name         = "data-access-${var.project}-${var.env}-${var.location}${local.suffix}"
+  azure_managed_identity {
+    access_connector_id = var.access_connector_id
+  }
+  is_default = true
+}
+
+resource "databricks_metastore_assignment" "this" {
+  count = !var.create_metastore && length(var.external_metastore_id) == 0 ? 0 : 1
+
+  workspace_id         = var.workspace_id
+  metastore_id         = length(var.external_metastore_id) == 0 ? databricks_metastore.this[0].id : var.external_metastore_id
+  default_catalog_name = "hive_metastore"
+}
+
+# Catalog
+resource "databricks_catalog" "this" {
+  for_each = !var.create_metastore && length(var.external_metastore_id) == 0 ? {} : var.catalog
+
+  metastore_id  = length(var.external_metastore_id) == 0 ? databricks_metastore.this[0].id : var.external_metastore_id
+  name          = each.key
+  comment       = lookup(each.value, "catalog_comment", "default comment")
+  properties    = merge(lookup(each.value, "catalog_properties", {}), { env = var.env })
+  force_destroy = true
+
+  depends_on = [databricks_metastore_assignment.this[0]]
+}
+
+# Catalog grants
+resource "databricks_grants" "catalog" {
+  for_each = !var.create_metastore && length(var.external_metastore_id) == 0 ? {} : {
+    for name, params in var.catalog : name => params.catalog_grants
+    if params.catalog_grants != null
+  }
+
+  catalog = databricks_catalog.this[each.key].name
+  dynamic "grant" {
+    for_each = each.value
+    content {
+      principal  = grant.key
+      privileges = grant.value
+    }
+  }
+}
+
+# Schema
+locals {
+  schema = flatten([
+    for catalog, params in var.catalog : [
+      for schema in params.schema_name : {
+        catalog    = catalog,
+        schema     = schema,
+        comment    = lookup(params, "schema_comment", "default comment"),
+        properties = lookup(params, "schema_properties", {})
+      }
+    ] if params.schema_name != null
+  ])
+}
+
+resource "databricks_schema" "this" {
+  for_each = !var.create_metastore && length(var.external_metastore_id) == 0 ? {} : {
+    for entry in local.schema : "${entry.catalog}.${entry.schema}" => entry
+  }
+
+  catalog_name  = databricks_catalog.this[each.value.catalog].name
+  name          = each.value.schema
+  comment       = each.value.comment
+  properties    = merge(each.value.properties, { env = var.env })
+  force_destroy = true
+}
+
+# Schema grants
+locals {
+  schema_grants = flatten([
+    for catalog, params in var.catalog : [for schema in params.schema_name : [for principal in flatten(keys(params.schema_grants)) : {
+      catalog    = catalog,
+      schema     = schema,
+      principal  = principal,
+      permission = flatten(values(params.schema_grants)),
+    }]] if params.schema_grants != null
+  ])
+}
+
+resource "databricks_grants" "schema" {
+  for_each = !var.create_metastore && length(var.external_metastore_id) == 0 ? {} : {
+    for entry in local.schema_grants : "${entry.catalog}.${entry.schema}.${entry.principal}" => entry
+  }
+
+  schema = databricks_schema.this["${each.value.catalog}.${each.value.schema}"].id
+  grant {
+    principal  = each.value.principal
+    privileges = each.value.permission
+  }
+}

unity.tf

@@ -1,11 +1,21 @@
+variable "project" {
+  type        = string
+  description = "Project name"
+}
+
 variable "env" {
   type        = string
   description = "Environment name"
 }
 
-variable "project" {
+variable "location" {
   type        = string
-  description = "Project name"
+  description = "Azure location"
+}
+
+variable "workspace_id" {
+  type        = string
+  description = "Id of Azure Databricks workspace"
 }
 
 variable "user_object_ids" {
@@ -19,7 +29,7 @@ variable "workspace_admins" {
     user              = list(string)
     service_principal = list(string)
   })
-  description = "Provide users or service principals to grant them Admin permissions."
+  description = "Provide users or service principals to grant them Admin permissions in Workspace."
   default = {
     user              = null
     service_principal = null
@@ -54,10 +64,6 @@ variable "iam_permissions" {
       "CAN_USE"    = ["default"]
       "CAN_MANAGE" = []
     }
-    "token" = {
-      "CAN_USE"    = ["default"]
-      "CAN_MANAGE" = []
-    }
   }
 }
 
@@ -68,7 +74,14 @@ variable "ip_rules" {
 }
 
 variable "sql_endpoint" {
-  type        = map(map(string))
+  type = map(object({
+    cluster_size              = string
+    min_num_clusters          = optional(number)
+    max_num_clusters          = optional(number)
+    auto_stop_mins            = optional(string)
+    enable_photon             = optional(bool)
+    enable_serverless_compute = optional(bool)
+  }))
   description = "Map of SQL Endoints to be deployed in Databricks Workspace"
   default     = {}
 }
@@ -92,3 +105,70 @@ variable "default_values_sql_endpoint" {
     enable_serverless_compute = false
   }
 }
+
+variable "create_metastore" {
+  type        = bool
+  description = "Boolean flag for Unity Catalog Metastore current in this environment. One Metastore per region"
+  default     = false
+}
+
+variable "access_connector_id" {
+  type        = string
+  description = "Databricks Access Connector Id that lets you to connect managed identities to an Azure Databricks account. Provides an ability to access Unity Catalog with assigned identity"
+  default     = ""
+}
+
+variable "storage_account_id" {
+  type        = string
+  description = "Storage Account Id where Unity Catalog Metastore would be provisioned"
+  default     = ""
+}
+variable "storage_account_name" {
+  type        = string
+  description = "Storage Account Name where Unity Catalog Metastore would be provisioned"
+  default     = ""
+}
+
+variable "catalog" {
+  type = map(object({
+    catalog_grants     = optional(map(list(string)))
+    catalog_comment    = optional(string)
+    catalog_properties = optional(map(string))
+    schema_name        = optional(list(string))
+    schema_grants      = optional(map(list(string)))
+    schema_comment     = optional(string)
+    schema_properties  = optional(map(string))
+  }))
+  description = "Map of catalog name and its parameters"
+  default     = {}
+}
+
+variable "suffix" {
+  type        = string
+  description = "Optional suffix that would be added to the end of resources names."
+  default     = ""
+}
+
+variable "external_metastore_id" {
+  type        = string
+  description = "Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore"
+  default     = ""
+  validation {
+    condition     = length(var.external_metastore_id) == 36 || length(var.external_metastore_id) == 0
+    error_message = "UUID has to be either in nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn format or empty string"
+  }
+}
+
+variable "metastore_grants" {
+  type        = map(list(string))
+  description = "Permissions to give on metastore to group"
+  default     = {}
+  validation {
+    condition = values(var.metastore_grants) != null ? alltrue([
+      for item in toset(flatten([for group, params in var.metastore_grants : params if params != null])) : contains([
+        "CREATE_CATALOG", "CREATE_EXTERNAL_LOCATION", "CREATE_SHARE", "CREATE_RECIPIENT", "CREATE_PROVIDER"
+      ], item)
+    ]) : true
+    error_message = "Metastore permission validation. The only possible values for permissions are: CREATE_CATALOG, CREATE_EXTERNAL_LOCATION, CREATE_SHARE, CREATE_RECIPIENT, CREATE_PROVIDER"
+  }
+}

variables.tf

@@ -2,6 +2,10 @@ terraform {
   required_version = ">=1.0.0"
 
   required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.40.0"
+    }
     databricks = {
       source  = "databricks/databricks"
       version = ">=1.9.0"