Merge pull request #2 from data-platform-hq/unity

owlleg6 · web-flow · commit 585610cc5db5 · 2023-05-18T15:20:24.000+03:00
feat: unity catalog
diff --git a/README.md b/README.md
@@ -1,12 +1,124 @@
-# Azure <> Terraform module
-Terraform module for creation Azure <>
+# Azure Unity Catalog Terraform module
+Terraform module for creation Azure Unity Catalog
 
 ## Usage
+```hcl
+# Prerequisite resources
 
+# Configure Databricks Provider
+data "azurerm_databricks_workspace" "example" {
+  name                = "example-workspace"
+  resource_group_name = "example-rg"
+}
+
+provider "databricks" {
+  alias                       = "main"
+  host                        = data.databricks_workspace.example.workspace_url
+  azure_workspace_resource_id = data.databricks_workspace.example.id
+}
+
+# Databricks Access Connector (managed identity)
+resource "azurerm_databricks_access_connector" "example" {
+  name                = "example-resource"
+  resource_group_name = "example-rg"
+  location            = "eastus"
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# Storage Account
+data "azurerm_storage_account" "example" {
+  name                = "example-storage-account"
+  resource_group_name = "example-rg"
+}
+
+locals {
+  catalog = {
+    example_catalog = {
+      catalog_grants = {
+        "example@username.com" = ["USE_CATALOG", "USE_SCHEMA", "CREATE_SCHEMA", "CREATE_TABLE", "SELECT", "MODIFY"]
+      }
+      schema_name = ["raw", "refined", "data_product"]
+    }
+  }
+}
+
+module "unity_catalog" {
+  source = "../environment/modules/unity"
+
+  project               = "datahq"
+  env                   = "example"
+  location              = "eastus"
+  access_connector_id   = azurerm_databricks_access_connector.example.id
+  storage_account_id    = data.azurerm_storage_account.example.id
+  storage_account_name  = data.azurerm_storage_account.example.name
+  catalog               = local.catalog
+
+  providers = {
+    databricks = databricks.main
+  }
+}
+```
 <!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name                                                                      | Version   |
+| ------------------------------------------------------------------------- | --------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform)    | >= 1.0.0  |
+| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | >= 1.14.2  |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm)          | >= 3.40.0 |
+
+## Providers
+
+| Name                                                          | Version   |
+| ------------------------------------------------------------- | --------- |
+| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | 1.14.2   |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm)          | 3.40.0  |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name                                                                                                                                                    | Type     |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| [azurerm_storage_data_lake_gen2_filesystem.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_data_lake_gen2_filesystem) | resource |
+| [databricks_metastore.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/metastore)                                          | resource |
+| [databricks_grants.metastore](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants)                                           | resource |
+| [databricks_metastore_data_access.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/metastore_data_access)                  | resource |
+| [databricks_catalog.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/catalog)                                              | resource |
+| [databricks_grants.catalog](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants)                                             | resource |
+| [databricks_schema.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/sql_endpoint)                                          | resource |
+| [databricks_grants.schema](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/schema)                                              | resource |
+
+## Inputs
+
+| Name                                                                                   | Description                                                                                     | Type           | Default | Required |
+| -------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |
+| <a name="input_project"></a> [project](#input\_project)                                | Project name                                                                                    | `string`       | n/a     |   yes    |
+| <a name="input_env"></a> [env](#input\_env)                                            | Environment name                                                                                | `string`       | n/a     |   yes    |
+| <a name="input_location"></a> [location](#input\_location)                             | Azure location                                                                                  | `string`       | n/a     |   yes    |
+| <a name="input_suffix"></a> [suffix](#input\_suffix)                             | Optional suffix that would be added to the end of resources names. | `string`       | " "     |   no    |
+| <a name="input_create_metastore"></a> [create\_metastore](#input\_create\_metastore)         | Boolean flag for Unity Catalog Metastore current in this environment. One Metastore per region | `bool`  | true  |   no    |
+| <a name="input_access_connector_id"></a> [access\_connector\_id](#input\_access\_connector\_id) | Databricks Access Connector Id that lets you to connect managed identities to an Azure Databricks account. Provides an ability to access Unity Catalog with assigned identity  | `string` | " " |    no    |
+| <a name="input_storage_account_id"></a> [storage\_account\_id](#input\_storage\_account\_id) | Storage Account Id where Unity Catalog Metastore would be provisioned | `string` | " "  |    no    |
+| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Storage Account Name where Unity Catalog Metastore would be provisioned   | `string` | " "   |    no    |
+| <a name="input_external_metastore_id"></a> [external\_metastore\_id](#input\_external\_metastore\_id) | Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore | `string` | " " | no |
+| <a name="input_catalog"></a> [catalog](#input\_catalog)  | Map of objects which parameters refers to certain catalog and schema attributes | <pre> map(object({ <br>   catalog_grants     = optional(map(list(string))) <br>   catalog_comment    = optional(string) <br>   catalog_properties = optional(map(string)) <br>   schema_name        = optional(list(string)) <br>   schema_grants      = optional(map(list(string))) <br>   schema_comment     = optional(string) <br>   schema_properties  = optional(map(string))<br>})) </pre> | {} | no |
+| <a name="input_metastore_grants"></a> [metastore\_grants](#input\_metastore\_grants) | Permissions to give on metastore to group  | `map(list(string))` | {} | no |
+| <a name="input_custom_databricks_metastore_name"></a> [custom\_databricks\_metastore\_name](#input\_custom\_databricks\_metastore\_name) | The name to provide for your Databricks Metastore | `string` | null | no |
+
+## Outputs
 
+| Name                                                                       | Description                            |
+| -------------------------------------------------------------------------- | -------------------------------------- |
+| <a name="output_metastore_id"></a> [metastore\_id](#output\_metastore\_id)                                 | Unity Catalog Metastore Id. |
+| <a name="output_data_lake_gen2_file_system_id"></a> [data\_lake\_gen2\_file\_syste_id](#output\_data\_lake\_gen2\_file\_syste_id)   | The ID of the Data Lake Gen2 File System.  |
 <!-- END_TF_DOCS -->
 
 ## License
 
-Apache 2 Licensed. For more information please see [LICENSE](https://github.com/data-platform-hq/terraform-azurerm<>/tree/master/LICENSE)
+Apache 2 Licensed. For more information please see [LICENSE](https://github.com/data-platform-hq/terraform-databricks-unity-catalog/tree/master/LICENSE)
diff --git a/main.tf b/main.tf
@@ -0,0 +1,132 @@
+locals {
+  # This optional suffix is added to the end of resource names. 
+  suffix                    = length(var.suffix) == 0 ? "" : "-${var.suffix}"
+  databricks_metastore_name = var.custom_databricks_metastore_name == null ? "meta-${var.project}-${var.env}-${var.location}${local.suffix}" : var.custom_databricks_metastore_name
+}
+
+resource "azurerm_storage_data_lake_gen2_filesystem" "this" {
+  count = var.create_metastore ? 1 : 0
+
+  name               = "meta-${var.project}-${var.env}"
+  storage_account_id = var.storage_account_id
+
+  lifecycle {
+    precondition {
+      condition = alltrue([
+        for variable in [var.storage_account_id, var.access_connector_id, var.storage_account_name] : false if length(variable) == 0
+      ])
+      error_message = "To create Metastore in a Region it is required to provide proper values for these variables: access_connector_id, storage_account_id, storage_account_name"
+    }
+  }
+
+}
+
+resource "databricks_metastore" "this" {
+  count = var.create_metastore ? 1 : 0
+
+  name          = local.databricks_metastore_name
+  storage_root  = format("abfss://%s@%s.dfs.core.windows.net/", azurerm_storage_data_lake_gen2_filesystem.this[0].name, var.storage_account_name)
+  force_destroy = true
+}
+
+resource "databricks_grants" "metastore" {
+  for_each = alltrue([!var.create_metastore, length(var.external_metastore_id) == 0]) ? {} : {
+    for k, v in var.metastore_grants : k => v
+    if v != null
+  }
+
+  metastore = length(var.external_metastore_id) == 0 ? databricks_metastore.this[0].id : var.external_metastore_id
+  grant {
+    principal  = each.key
+    privileges = each.value
+  }
+}
+
+resource "databricks_metastore_data_access" "this" {
+  count = var.create_metastore ? 1 : 0
+
+  metastore_id = databricks_metastore.this[0].id
+  name         = "data-access-${var.project}-${var.env}-${var.location}${local.suffix}"
+  azure_managed_identity {
+    access_connector_id = var.access_connector_id
+  }
+  is_default = true
+}
+
+# Catalog
+resource "databricks_catalog" "this" {
+  for_each = alltrue([!var.create_metastore, length(var.external_metastore_id) == 0]) ? {} : var.catalog
+
+  metastore_id  = length(var.external_metastore_id) == 0 ? databricks_metastore.this[0].id : var.external_metastore_id
+  name          = each.key
+  comment       = lookup(each.value, "catalog_comment", "default comment")
+  properties    = merge(lookup(each.value, "catalog_properties", {}), { env = var.env })
+  force_destroy = true
+}
+
+# Catalog grants
+resource "databricks_grants" "catalog" {
+  for_each = alltrue([!var.create_metastore, length(var.external_metastore_id) == 0]) ? {} : {
+    for name, params in var.catalog : name => params.catalog_grants
+    if params.catalog_grants != null
+  }
+
+  catalog = databricks_catalog.this[each.key].name
+  dynamic "grant" {
+    for_each = each.value
+    content {
+      principal  = grant.key
+      privileges = grant.value
+    }
+  }
+}
+
+# Schema
+locals {
+  schema = flatten([
+    for catalog, params in var.catalog : [
+      for schema in params.schema_name : {
+        catalog    = catalog,
+        schema     = schema,
+        comment    = lookup(params, "schema_comment", "default comment"),
+        properties = lookup(params, "schema_properties", {})
+      }
+    ] if params.schema_name != null
+  ])
+}
+
+resource "databricks_schema" "this" {
+  for_each = alltrue([!var.create_metastore, length(var.external_metastore_id) == 0]) ? {} : {
+    for entry in local.schema : "${entry.catalog}.${entry.schema}" => entry
+  }
+
+  catalog_name  = databricks_catalog.this[each.value.catalog].name
+  name          = each.value.schema
+  comment       = each.value.comment
+  properties    = merge(each.value.properties, { env = var.env })
+  force_destroy = true
+}
+
+# Schema grants
+locals {
+  schema_grants = flatten([
+    for catalog, params in var.catalog : [for schema in params.schema_name : [for principal in flatten(keys(params.schema_grants)) : {
+      catalog    = catalog,
+      schema     = schema,
+      principal  = principal,
+      permission = flatten(values(params.schema_grants)),
+    }]] if params.schema_grants != null
+  ])
+}
+
+resource "databricks_grants" "schema" {
+  for_each = alltrue([!var.create_metastore, length(var.external_metastore_id) == 0]) ? {} : {
+    for entry in local.schema_grants : "${entry.catalog}.${entry.schema}.${entry.principal}" => entry
+  }
+
+  schema = databricks_schema.this["${each.value.catalog}.${each.value.schema}"].id
+  grant {
+    principal  = each.value.principal
+    privileges = each.value.permission
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,9 @@
+output "metastore_id" {
+  value       = var.create_metastore ? databricks_metastore.this[0].id : ""
+  description = "Unity Catalog Metastore Id"
+}
+
+output "data_lake_gen2_file_system_id" {
+  value       = var.create_metastore ? azurerm_storage_data_lake_gen2_filesystem.this[0].id : ""
+  description = "The ID of the Data Lake Gen2 File System."
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,90 @@
+variable "project" {
+  type        = string
+  description = "Project name"
+}
+
+variable "env" {
+  type        = string
+  description = "Environment name"
+}
+
+variable "location" {
+  type        = string
+  description = "Azure location"
+}
+
+variable "suffix" {
+  type        = string
+  description = "Optional suffix that would be added to the end of resources names."
+  default     = ""
+}
+
+# Unity Catalog variables
+variable "create_metastore" {
+  type        = bool
+  description = "Boolean flag for Unity Catalog Metastore current in this environment. One Metastore per region"
+  default     = true
+}
+
+variable "access_connector_id" {
+  type        = string
+  description = "Databricks Access Connector Id that lets you to connect managed identities to an Azure Databricks account. Provides an ability to access Unity Catalog with assigned identity"
+  default     = ""
+}
+
+variable "storage_account_id" {
+  type        = string
+  description = "Storage Account Id where Unity Catalog Metastore would be provisioned"
+  default     = ""
+}
+
+variable "storage_account_name" {
+  type        = string
+  description = "Storage Account Name where Unity Catalog Metastore would be provisioned"
+  default     = ""
+}
+
+variable "external_metastore_id" {
+  type        = string
+  description = "Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore"
+  default     = ""
+  validation {
+    condition     = length(var.external_metastore_id) == 36 || length(var.external_metastore_id) == 0
+    error_message = "UUID has to be either in nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn format or empty string"
+  }
+}
+
+variable "catalog" {
+  type = map(object({
+    catalog_grants     = optional(map(list(string)))
+    catalog_comment    = optional(string)
+    catalog_properties = optional(map(string))
+    schema_name        = optional(list(string))
+    schema_grants      = optional(map(list(string)))
+    schema_comment     = optional(string)
+    schema_properties  = optional(map(string))
+  }))
+  description = "Map of catalog name and its parameters"
+  default     = {}
+}
+
+# Metastore grants
+variable "metastore_grants" {
+  type        = map(list(string))
+  description = "Permissions to give on metastore to group"
+  default     = {}
+  validation {
+    condition = values(var.metastore_grants) != null ? alltrue([
+      for item in toset(flatten([for group, params in var.metastore_grants : params if params != null])) : contains([
+        "CREATE_CATALOG", "CREATE_EXTERNAL_LOCATION", "CREATE_SHARE", "CREATE_RECIPIENT", "CREATE_PROVIDER"
+      ], item)
+    ]) : true
+    error_message = "Metastore permission validation. The only possible values for permissions are: CREATE_CATALOG, CREATE_EXTERNAL_LOCATION, CREATE_SHARE, CREATE_RECIPIENT, CREATE_PROVIDER"
+  }
+}
+
+variable "custom_databricks_metastore_name" {
+  type        = string
+  description = "The name to provide for your Databricks Metastore"
+  default     = null
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">=1.0.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.40.0"
+    }
+    databricks = {
+      source  = "databricks/databricks"
+      version = ">=1.14.2"
+    }
+  }
+}
