feat: refactor

Author: dmytro_velychko3

iam.tf

@@ -0,0 +1,84 @@
+locals {
+  admin_user_map = var.workspace_admins.user == null ? {} : {
+    for user in var.workspace_admins.user : "user.${user}" => user if user != null
+  }
+
+  admin_sp_map = var.workspace_admins.service_principal == null ? {} : {
+    for sp in var.workspace_admins.service_principal : "service_principal.${sp}" => sp if sp != null
+  }
+
+  members_object_list = concat(
+    flatten([for group, params in var.iam : [
+      for pair in setproduct([group], params.user) : {
+        type = "user", group = pair[0], member = pair[1]
+      }] if params.user != null
+    ]),
+    flatten([for group, params in var.iam : [
+      for pair in setproduct([group], params.service_principal) : {
+        type = "service_principal", group = pair[0], member = pair[1]
+      }] if params.service_principal != null
+    ])
+  )
+}
+
+data "databricks_group" "admin" {
+  display_name = "admins"
+}
+
+resource "databricks_group" "this" {
+  for_each = toset(keys(var.iam))
+
+  display_name = each.key
+  lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
+}
+
+resource "databricks_user" "this" {
+  for_each = toset(flatten(concat(
+    values({ for group, member in var.iam : group => member.user if member.user != null }),
+    values(local.admin_user_map)
+  )))
+
+  user_name = each.key
+  lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
+}
+
+resource "databricks_service_principal" "this" {
+  for_each = toset(flatten(concat(
+    values({ for group, member in var.iam : group => member.service_principal if member.service_principal != null }),
+    values(local.admin_sp_map)
+  )))
+
+  display_name   = each.key
+  application_id = lookup(var.user_object_ids, each.value)
+  lifecycle { ignore_changes = [external_id, allow_cluster_create, allow_instance_pool_create, databricks_sql_access, workspace_access] }
+}
+
+resource "databricks_group_member" "admin" {
+  for_each = merge(local.admin_user_map, local.admin_sp_map)
+
+  group_id  = data.databricks_group.admin.id
+  member_id = startswith(each.key, "user") ? databricks_user.this[each.value].id : databricks_service_principal.this[each.value].id
+}
+
+resource "databricks_group_member" "this" {
+  for_each = {
+    for entry in local.members_object_list : "${entry.type}.${entry.group}.${entry.member}" => entry
+  }
+
+  group_id  = databricks_group.this[each.value.group].id
+  member_id = startswith(each.key, "user") ? databricks_user.this[each.value.member].id : databricks_service_principal.this[each.value.member].id
+}
+
+resource "databricks_entitlements" "this" {
+  for_each = {
+    for group, params in var.iam : group => params
+  }
+
+  group_id                   = databricks_group.this[each.key].id
+  allow_cluster_create       = contains(coalesce(each.value.entitlements, ["none"]), "allow_cluster_create")
+  allow_instance_pool_create = contains(coalesce(each.value.entitlements, ["none"]), "allow_instance_pool_create")
+  databricks_sql_access      = contains(coalesce(each.value.entitlements, ["none"]), "databricks_sql_access")
+  workspace_access           = true
+
+  depends_on = [databricks_group_member.this]
+}

main.tf

@@ -1,3 +1,9 @@
+/* Premium
+locals {
+  ip_rules = var.ip_rules == null ? null : values(var.ip_rules)
+}
+*/
+
 data "azurerm_key_vault_secret" "sp_client_id" {
   name         = var.sp_client_id_secret_name
   key_vault_id = var.key_vault_id
@@ -13,18 +19,19 @@ data "azurerm_key_vault_secret" "tenant_id" {
   key_vault_id = var.key_vault_id
 }
 
-resource "databricks_token" "pat" {
+resource "databricks_token" "pat" { #
   comment          = "Terraform Provisioning"
   lifetime_seconds = var.pat_token_lifetime_seconds
 }
 
-resource "databricks_user" "this" {
-  for_each  = var.sku == "premium" ? [] : toset(var.users)
-  user_name = each.value
-  lifecycle { ignore_changes = [external_id] }
-}
+#resource "databricks_user" "this" { # Only for 'Standard' SKU type
+#  #for_each  = var.sku == "premium" ? [] : toset(var.users)
+#  for_each  = toset(var.users)
+#  user_name = each.value
+#  lifecycle { ignore_changes = [external_id] }
+#}
 
-resource "azurerm_role_assignment" "this" {
+resource "azurerm_role_assignment" "this" { ### 
   for_each = {
     for permission in var.permissions : "${permission.object_id}-${permission.role}" => permission
     if permission.role != null
@@ -35,10 +42,11 @@ resource "azurerm_role_assignment" "this" {
 }
 
 resource "databricks_cluster_policy" "this" {
-  for_each = var.sku == "premium" ? {
+  #for_each = var.sku == "premium" ? {
+  for_each =  {
     for param in var.custom_cluster_policies : (param.name) => param.definition
     if param.definition != null
-  } : {}
+  } # : {}
 
   name       = each.key
   definition = jsonencode(each.value)
@@ -50,8 +58,6 @@ resource "databricks_cluster" "this" {
   spark_conf     = var.spark_conf
   spark_env_vars = var.spark_env_vars
 
-  policy_id = var.sku == "premium" ? one([for policy in var.custom_cluster_policies : databricks_cluster_policy.this[policy.name].id if policy.assigned]) : null
-
   data_security_mode      = var.data_security_mode
   node_type_id            = var.node_type
   autotermination_minutes = var.autotermination_minutes
@@ -86,3 +92,22 @@ resource "databricks_cluster" "this" {
     }
   }
 }
+/* Premium
+resource "databricks_workspace_conf" "this" {
+  count = local.ip_rules == null ? 0 : 1
+
+  custom_config = {
+    "enableIpAccessLists" : true
+  }
+}
+
+resource "databricks_ip_access_list" "this" {
+  count = local.ip_rules == null ? 0 : 1
+
+  label        = "allow_in"
+  list_type    = "ALLOW"
+  ip_addresses = local.ip_rules
+
+  depends_on = [databricks_workspace_conf.this]
+}
+*/

outputs.tf

@@ -16,11 +16,12 @@ output "cluster_policies_object" {
   } if policy.definition != null && var.sku == "premium"]
   description = "Databricks Cluster Policies object map"
 }
-
+/*
 output "secret_scope_object" {
   value = [for param in var.secret_scope : {
     scope_name = databricks_secret_scope.this[param.scope_name].name
     acl        = param.acl
   } if param.acl != null]
   description = "Databricks-managed Secret Scope object map to create ACLs"
 }
+*/

secrets.tf

@@ -1,3 +1,4 @@
+
 locals {
   sp_secrets = {
     (var.sp_client_id_secret_name) = { value = data.azurerm_key_vault_secret.sp_client_id.value }
@@ -14,7 +15,7 @@ locals {
 # Secret Scope with SP secrets for mounting Azure Data Lake Storage
 resource "databricks_secret_scope" "main" {
   name                     = "main"
-  initial_manage_principal = var.sku == "premium" ? null : "users"
+  initial_manage_principal = "users" #var.sku == "premium" ? null : "users"
 }
 
 resource "databricks_secret" "main" {
@@ -33,7 +34,7 @@ resource "databricks_secret_scope" "this" {
   }
 
   name                     = each.key
-  initial_manage_principal = var.sku == "premium" ? null : "users"
+  initial_manage_principal = "users"
 }
 
 resource "databricks_secret" "this" {

variables.tf

@@ -216,3 +216,48 @@ EOT
 #    dns_name     = null
 #  }
 #}
+
+# Identity Access Management variables
+variable "user_object_ids" {
+  type        = map(string)
+  description = "Map of AD usernames and corresponding object IDs"
+  default     = {}
+}
+
+variable "workspace_admins" {
+  type = object({
+    user              = list(string)
+    service_principal = list(string)
+  })
+  description = "Provide users or service principals to grant them Admin permissions in Workspace."
+  default = {
+    user              = null
+    service_principal = null
+  }
+}
+
+variable "iam" {
+  type = map(object({
+    user                       = optional(list(string))
+    service_principal          = optional(list(string))
+    entitlements               = optional(list(string))
+    default_cluster_permission = optional(string)
+  }))
+  description = "Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements."
+  default     = {}
+
+  validation {
+    condition = length([for item in values(var.iam)[*] : item.entitlements if item.entitlements != null]) != 0 ? alltrue([
+      for entry in flatten(values(var.iam)[*].entitlements) : contains(["allow_cluster_create", "allow_instance_pool_create", "databricks_sql_access"], entry) if entry != null
+    ]) : true
+    error_message = "Entitlements validation. The only suitable values are: databricks_sql_access, allow_instance_pool_create, allow_cluster_create"
+  }
+}
+
+/* Premium
+variable "ip_rules" {
+  type        = map(string)
+  description = "Map of IP addresses permitted for access to DB"
+  default     = {}
+}
+*/