feat: databricks aws runtime

Author: MyroslavLevchyk

README.md

@@ -1,10 +1,63 @@
-# Azure <> Terraform module
-Terraform module for creation Azure <>
+# Databricks Runtime Terraform module
+Terraform module used for management of Databricks Runtime Resources
 
 ## Usage
 
 <!-- BEGIN_TF_DOCS -->
+## Requirements
 
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~>5.0 |
+| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | ~>1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | ~>1.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [databricks_cluster.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster) | resource |
+| [databricks_entitlements.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/entitlements) | resource |
+| [databricks_ip_access_list.allowed_list](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list) | resource |
+| [databricks_permissions.clusters](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
+| [databricks_permissions.sql_endpoints](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
+| [databricks_secret.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret) | resource |
+| [databricks_secret_scope.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret_scope) | resource |
+| [databricks_sql_endpoint.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/sql_endpoint) | resource |
+| [databricks_workspace_conf.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/workspace_conf) | resource |
+| [databricks_current_metastore.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/current_metastore) | data source |
+| [databricks_group.account_groups](https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/group) | data source |
+| [databricks_sql_warehouses.all](https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/sql_warehouses) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cloud_name"></a> [cloud\_name](#input\_cloud\_name) | Cloud Name | `string` | n/a | yes |
+| <a name="input_clusters"></a> [clusters](#input\_clusters) | Set of objects with parameters to configure Databricks clusters and assign permissions to it for certain custom groups | <pre>set(object({<br/>    cluster_name            = string<br/>    spark_version           = optional(string, "14.3.x-scala2.12")<br/>    node_type_id            = optional(string, "m5d.large")<br/>    autotermination_minutes = optional(number, 20)<br/>    min_workers             = optional(number, 1)<br/>    max_workers             = optional(number, 2)<br/>    availability            = optional(string, "ON_DEMAND")<br/>    zone_id                 = optional(string, "auto")<br/>    first_on_demand         = optional(number, 1)<br/>    spot_bid_price_percent  = optional(number, 100)<br/>    data_security_mode      = optional(string, "USER_ISOLATION")<br/>    ebs_volume_count        = optional(number, 1)<br/>    ebs_volume_size         = optional(number, 100)<br/>    ebs_volume_type         = optional(string, "GENERAL_PURPOSE_SSD")<br/>    permissions = optional(list(object({<br/>      group_name       = string,<br/>      permission_level = string<br/>    })), []),<br/>  }))</pre> | `[]` | no |
+| <a name="input_custom_config"></a> [custom\_config](#input\_custom\_config) | Map of AD databricks workspace custom config | `map(string)` | <pre>{<br/>  "enable-X-Content-Type-Options": "true",<br/>  "enable-X-Frame-Options": "true",<br/>  "enable-X-XSS-Protection": "true",<br/>  "enableDbfsFileBrowser": "false",<br/>  "enableExportNotebook": "false",<br/>  "enableIpAccessLists": "true",<br/>  "enableNotebookTableClipboard": "false",<br/>  "enableResultsDownloading": "false",<br/>  "enableUploadDataUis": "false",<br/>  "enableVerboseAuditLogs": "true",<br/>  "enforceUserIsolation": "true",<br/>  "storeInteractiveNotebookResultsInCustomerAccount": "true"<br/>}</pre> | no |
+| <a name="input_iam_account_groups"></a> [iam\_account\_groups](#input\_iam\_account\_groups) | List of objects with group name and entitlements for this group | <pre>list(object({<br/>    group_name   = optional(string)<br/>    entitlements = optional(list(string))<br/>  }))</pre> | `[]` | no |
+| <a name="input_ip_addresses"></a> [ip\_addresses](#input\_ip\_addresses) | A map of IP address ranges | `map(string)` | <pre>{<br/>  "all": "0.0.0.0/0"<br/>}</pre> | no |
+| <a name="input_secret_scopes"></a> [secret\_scopes](#input\_secret\_scopes) | A list of secret scopes to be created | <pre>list(object({<br/>    scope_name = string<br/>    scope_permissions = optional(set(object({<br/>      group_name       = string<br/>      permission_level = string<br/>    })))<br/>    secrets = optional(list(object({<br/>      key   = string<br/>      value = string<br/>    })), [])<br/>  }))</pre> | `[]` | no |
+| <a name="input_sql_endpoint"></a> [sql\_endpoint](#input\_sql\_endpoint) | Set of objects with parameters to configure SQL Endpoint and assign permissions to it for certain custom groups | <pre>set(object({<br/>    name                      = string<br/>    cluster_size              = optional(string, "2X-Small")<br/>    auto_stop_mins            = optional(number, 15)<br/>    max_num_clusters          = optional(number, 1)<br/>    enable_photon             = optional(bool, false)<br/>    enable_serverless_compute = optional(bool, true)<br/>    spot_instance_policy      = optional(string, "COST_OPTIMIZED")<br/>    warehouse_type            = optional(string, "PRO")<br/>    key                       = optional(string, "user")<br/>    value                     = optional(string, "terraform")<br/>    permissions = optional(list(object({<br/>      group_name       = string,<br/>      permission_level = string<br/>    })), []),<br/>  }))</pre> | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_metastore_id"></a> [metastore\_id](#output\_metastore\_id) | The ID of the current metastore in the Databricks workspace. |
+| <a name="output_sql_warehouses_list"></a> [sql\_warehouses\_list](#output\_sql\_warehouses\_list) | List of IDs of all SQL warehouses in the Databricks workspace. |
+| <a name="output_test"></a> [test](#output\_test) | Full list of IAM account groups for the workspace. |
 <!-- END_TF_DOCS -->
 
 ## License

cluster.tf

@@ -0,0 +1,42 @@
+resource "databricks_cluster" "this" {
+  for_each = { for cluster in var.clusters : cluster.cluster_name => cluster }
+
+  cluster_name            = each.value.cluster_name
+  spark_version           = each.value.spark_version
+  node_type_id            = each.value.node_type_id
+  autotermination_minutes = each.value.autotermination_minutes
+  data_security_mode      = each.value.data_security_mode
+  autoscale {
+    min_workers = each.value.min_workers
+    max_workers = each.value.max_workers
+  }
+
+  # Dynamic block for AWS
+  dynamic "aws_attributes" {
+    for_each = var.cloud_name == "aws" ? [each.value] : []
+    content {
+      availability           = each.value.availability
+      zone_id                = each.value.zone_id
+      first_on_demand        = each.value.first_on_demand
+      spot_bid_price_percent = each.value.spot_bid_price_percent
+      ebs_volume_count       = each.value.ebs_volume_count
+      ebs_volume_size        = each.value.ebs_volume_size
+      ebs_volume_type        = each.value.ebs_volume_type
+    }
+  }
+}
+
+# Cluster permissions
+resource "databricks_permissions" "clusters" {
+  for_each = { for cluster in var.clusters : cluster.cluster_name => cluster.permissions }
+
+  cluster_id = databricks_cluster.this[each.key].id
+
+  dynamic "access_control" {
+    for_each = each.value
+    content {
+      group_name       = access_control.value.group_name
+      permission_level = access_control.value.permission_level
+    }
+  }
+}

data.tf

@@ -0,0 +1,3 @@
+data "databricks_current_metastore" "this" {}
+
+data "databricks_sql_warehouses" "all" {}

iam.tf

@@ -0,0 +1,24 @@
+locals {
+  iam_account_groups_full_list = distinct(flatten([var.clusters[*].permissions[*].group_name]))
+
+  iam_account_map = tomap({
+    for group in var.iam_account_groups : group.group_name => group.entitlements
+    if group.group_name != null
+  })
+}
+
+data "databricks_group" "account_groups" {
+  for_each = local.iam_account_map
+
+  display_name = each.key
+}
+
+resource "databricks_entitlements" "this" {
+  for_each = local.iam_account_map
+
+  group_id                   = data.databricks_group.account_groups[each.key].id
+  allow_cluster_create       = contains(coalesce(each.value, ["none"]), "allow_cluster_create")
+  allow_instance_pool_create = contains(coalesce(each.value, ["none"]), "allow_instance_pool_create")
+  databricks_sql_access      = contains(coalesce(each.value, ["none"]), "databricks_sql_access")
+  workspace_access           = true
+}

main.tf

@@ -0,0 +1,11 @@
+resource "databricks_workspace_conf" "this" {
+  custom_config = var.custom_config
+}
+
+resource "databricks_ip_access_list" "allowed_list" {
+  label        = "allow_in"
+  list_type    = "ALLOW"
+  ip_addresses = flatten([for v in values(var.ip_addresses) : v])
+
+  depends_on = [databricks_workspace_conf.this]
+}

outputs.tf

@@ -0,0 +1,14 @@
+output "sql_warehouses_list" {
+  value       = data.databricks_sql_warehouses.all.ids
+  description = "List of IDs of all SQL warehouses in the Databricks workspace."
+}
+
+output "metastore_id" {
+  value       = data.databricks_current_metastore.this.id
+  description = "The ID of the current metastore in the Databricks workspace."
+}
+
+output "test" {
+  value       = local.iam_account_groups_full_list
+  description = "Full list of IAM account groups for the workspace."
+}

secrets.tf

@@ -0,0 +1,39 @@
+locals {
+  secret_scope_config = { for object in var.secret_scopes : object.scope_name => object }
+
+  # TODO: Secret ACLs
+  #  secret_scope_config_acl = { for object in flatten([for k, v in local.secret_scope_config : [for permission in v.scope_permissions : {
+  #    scope_name           = k,
+  #    acl_group_name       = permission.group_name,
+  #    acl_permission_level = permission.permission_level,
+  #  }]]) : "${object.scope_name}:${object.acl_group_name}:${object.acl_pemission_level}" => object }
+
+  secret_scope_config_secrets = { for object in flatten([for k, v in local.secret_scope_config : [for secret in v.secrets : {
+    scope_name   = k,
+    secret_key   = secret.key,
+    secret_value = secret.value,
+  }]]) : "${object.scope_name}:${object.secret_key}" => object }
+}
+
+resource "databricks_secret_scope" "this" {
+  for_each = local.secret_scope_config
+
+  name = each.key
+}
+
+# TODO: Secret ACLs
+#resource "databricks_secret_acl" "this" {
+#  for_each = local.secret_scope_config_acl
+#
+#  principal  = databricks_group.ds.display_name
+#  permission = "READ"
+#  scope      = databricks_secret_scope.app.name
+#}
+
+resource "databricks_secret" "this" {
+  for_each = local.secret_scope_config_secrets
+
+  key          = each.value.secret_key
+  string_value = each.value.secret_value
+  scope        = databricks_secret_scope.this[each.value.scope_name].name
+}

variables.tf

@@ -0,0 +1,102 @@
+variable "cloud_name" {
+  type        = string
+  description = "Cloud Name"
+}
+
+variable "sql_endpoint" {
+  type = set(object({
+    name                      = string
+    cluster_size              = optional(string, "2X-Small")
+    auto_stop_mins            = optional(number, 15)
+    max_num_clusters          = optional(number, 1)
+    enable_photon             = optional(bool, false)
+    enable_serverless_compute = optional(bool, true)
+    spot_instance_policy      = optional(string, "COST_OPTIMIZED")
+    warehouse_type            = optional(string, "PRO")
+    key                       = optional(string, "user")
+    value                     = optional(string, "terraform")
+    permissions = optional(list(object({
+      group_name       = string,
+      permission_level = string
+    })), []),
+  }))
+  description = "Set of objects with parameters to configure SQL Endpoint and assign permissions to it for certain custom groups"
+  default     = []
+}
+
+variable "clusters" {
+  type = set(object({
+    cluster_name            = string
+    spark_version           = optional(string, "14.3.x-scala2.12")
+    node_type_id            = optional(string, "m5d.large")
+    autotermination_minutes = optional(number, 20)
+    min_workers             = optional(number, 1)
+    max_workers             = optional(number, 2)
+    availability            = optional(string, "ON_DEMAND")
+    zone_id                 = optional(string, "auto")
+    first_on_demand         = optional(number, 1)
+    spot_bid_price_percent  = optional(number, 100)
+    data_security_mode      = optional(string, "USER_ISOLATION")
+    ebs_volume_count        = optional(number, 1)
+    ebs_volume_size         = optional(number, 100)
+    ebs_volume_type         = optional(string, "GENERAL_PURPOSE_SSD")
+    permissions = optional(list(object({
+      group_name       = string,
+      permission_level = string
+    })), []),
+  }))
+  description = "Set of objects with parameters to configure Databricks clusters and assign permissions to it for certain custom groups"
+  default     = []
+}
+
+variable "custom_config" {
+  type        = map(string)
+  description = "Map of AD databricks workspace custom config"
+  default = {
+    "enableResultsDownloading"                         = "false", # https://docs.databricks.com/en/notebooks/notebook-outputs.html#download-results
+    "enableNotebookTableClipboard"                     = "false", # https://docs.databricks.com/en/administration-guide/workspace-settings/notebooks.html#enable-users-to-copy-data-to-the-clipboard-from-notebooks
+    "enableVerboseAuditLogs"                           = "true",  # https://docs.databricks.com/en/administration-guide/account-settings/verbose-logs.html
+    "enable-X-Frame-Options"                           = "true",
+    "enable-X-Content-Type-Options"                    = "true",
+    "enable-X-XSS-Protection"                          = "true",
+    "enableDbfsFileBrowser"                            = "false", # https://docs.databricks.com/en/administration-guide/workspace-settings/dbfs-browser.html
+    "enableExportNotebook"                             = "false", # https://docs.databricks.com/en/administration-guide/workspace-settings/notebooks.html#enable-users-to-export-notebooks
+    "enforceUserIsolation"                             = "true",  # https://docs.databricks.com/en/administration-guide/workspace-settings/enforce-user-isolation.html
+    "storeInteractiveNotebookResultsInCustomerAccount" = "true",  # https://docs.databricks.com/en/administration-guide/workspace-settings/notebooks.html#manage-where-notebook-results-are-stored
+    "enableUploadDataUis"                              = "false", # https://docs.databricks.com/en/ingestion/add-data/index.html
+    "enableIpAccessLists"                              = "true"
+  }
+}
+
+variable "ip_addresses" {
+  type        = map(string)
+  description = "A map of IP address ranges"
+  default = {
+    "all" = "0.0.0.0/0"
+  }
+}
+
+variable "secret_scopes" {
+  type = list(object({
+    scope_name = string
+    scope_permissions = optional(set(object({
+      group_name       = string
+      permission_level = string
+    })))
+    secrets = optional(list(object({
+      key   = string
+      value = string
+    })), [])
+  }))
+  description = "A list of secret scopes to be created"
+  default     = []
+}
+
+variable "iam_account_groups" {
+  type = list(object({
+    group_name   = optional(string)
+    entitlements = optional(list(string))
+  }))
+  description = "List of objects with group name and entitlements for this group"
+  default     = []
+}

versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~>5.0"
+    }
+    databricks = {
+      source  = "databricks/databricks"
+      version = "~>1.0"
+    }
+  }
+}

warehouses.tf

@@ -0,0 +1,43 @@
+# SQL Endpoint
+resource "databricks_sql_endpoint" "this" {
+  for_each = { for endpoint in var.sql_endpoint : endpoint.name => endpoint }
+
+  name                      = each.key
+  cluster_size              = each.value.cluster_size
+  auto_stop_mins            = each.value.auto_stop_mins
+  max_num_clusters          = each.value.max_num_clusters
+  enable_photon             = each.value.enable_photon
+  spot_instance_policy      = each.value.spot_instance_policy
+  enable_serverless_compute = each.value.enable_serverless_compute
+  warehouse_type            = each.value.warehouse_type
+
+  tags {
+    custom_tags {
+      key   = each.value.key
+      value = each.value.value
+    }
+  }
+}
+
+# SQL Endpoint permissions
+resource "databricks_permissions" "sql_endpoints" {
+  for_each = { for sql in var.sql_endpoint : sql.name => sql.permissions }
+
+  sql_endpoint_id = databricks_sql_endpoint.this[each.key].id
+
+  dynamic "access_control" {
+    for_each = each.value
+    content {
+      group_name       = access_control.value.group_name
+      permission_level = access_control.value.permission_level
+    }
+  }
+}
+
+# NOTE: Waiting for resource to get NCC ID
+# resource "databricks_mws_ncc_binding" "ncc_binding" {  
+#   network_connectivity_config_id = databricks_mws_network_connectivity_config.ncc.network_connectivity_config_id
+#   workspace_id                   = var.databricks_workspace_id
+
+#   provider                       = databricks.account
+# }