Merge pull request #10 from data-platform-hq/feat_removed_metastore_creation

feat: removed metastore creation resources

Author: owlleg6

README.md

@@ -2,39 +2,28 @@
 Terraform module for creation Azure Unity Catalog
 
 ## Usage
+This module manages Unity Catalog resources like Catalogs, Schemas. In addition, it is possible to manage permissions within Metastore, Catalog and Schemas.
 ```hcl
-# Prerequisite resources
-
 # Configure Databricks Provider
 data "azurerm_databricks_workspace" "example" {
   name                = "example-workspace"
   resource_group_name = "example-rg"
 }
 
 provider "databricks" {
-  alias                       = "main"
+  alias                       = "workspace"
   host                        = data.databricks_workspace.example.workspace_url
   azure_workspace_resource_id = data.databricks_workspace.example.id
 }
 
-# Databricks Access Connector (managed identity)
-resource "azurerm_databricks_access_connector" "example" {
-  name                = "example-resource"
-  resource_group_name = "example-rg"
-  location            = "eastus"
-
-  identity {
-    type = "SystemAssigned"
-  }
-}
-
-# Storage Account
-data "azurerm_storage_account" "example" {
-  name                = "example-storage-account"
-  resource_group_name = "example-rg"
-}
-
 locals {
+  metastore_id = "10000000-0000-0000-0000-0000000000"
+  
+  metastore_grants = [
+    { principal = "<user1@email.com>", privileges = ["CREATE_CATALOG","CREATE_EXTERNAL_LOCATION"] }, 
+    { principal = "<user2@epam.com>", privileges = ["CREATE_SHARE", "CREATE_RECIPIENT", "CREATE_PROVIDER"] }
+  ]
+  
   catalog = {
     example_catalog = {
       catalog_grants = {
@@ -45,20 +34,34 @@ locals {
   }
 }
 
+# Prerequisite module.
+# NOTE! It is required to assign Metastore to Workspace before creating Unity Catalog resources.
+module "metastore_assignment" {
+  source  = "data-platform-hq/metastore-assignment/databricks"
+  version = "~> 1.0.0"
+
+  workspace_id = data.databricks_workspace.example.id
+  metastore_id = local.metastore_id
+
+  providers = {
+    databricks = databricks.workspace
+  }
+}
+
 module "unity_catalog" {
-  source = "../environment/modules/unity"
+  source  = "data-platform/unity-catalog/databricks"
+  version = "~> 1.1.0"
 
-  project               = "datahq"
-  env                   = "example"
-  location              = "eastus"
-  access_connector_id   = azurerm_databricks_access_connector.example.id
-  storage_account_id    = data.azurerm_storage_account.example.id
-  storage_account_name  = data.azurerm_storage_account.example.name
-  catalog               = local.catalog
+  env              = "example"
+  metastore_id     = local.metastore_id
+  metastore_grants = local.metastore_grants
+  catalog          = local.catalog
 
   providers = {
-    databricks = databricks.main
+    databricks = databricks.workspace
   }
+  
+  depends_on = [module.metastore_assignment]
 }
 ```
 <!-- BEGIN_TF_DOCS -->
@@ -68,14 +71,14 @@ module "unity_catalog" {
 | ------------------------------------------------------------------------- | --------- |
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform)    | >= 1.0.0  |
 | <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | >= 1.14.2  |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm)          | >= 3.40.0 |
+
 
 ## Providers
 
 | Name                                                          | Version   |
 | ------------------------------------------------------------- | --------- |
 | <a name="provider_databricks"></a> [databricks](#provider\_databricks) | 1.14.2   |
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm)          | 3.40.0  |
+
 
 ## Modules
 
@@ -85,38 +88,29 @@ No modules.
 
 | Name                                                                                                                                                    | Type     |
 | ------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
-| [azurerm_storage_data_lake_gen2_filesystem.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_data_lake_gen2_filesystem) | resource |
-| [databricks_metastore.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/metastore)                                          | resource |
-| [databricks_grants.metastore](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants)                                           | resource |
-| [databricks_metastore_data_access.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/metastore_data_access)                  | resource |
-| [databricks_catalog.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/catalog)                                              | resource |
-| [databricks_grants.catalog](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants)                                             | resource |
-| [databricks_schema.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/sql_endpoint)                                          | resource |
-| [databricks_grants.schema](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/schema)                                              | resource |
+| [databricks_grants.metastore](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants)                               | resource |
+| [databricks_catalog.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/catalog)                                  | resource |
+| [databricks_grants.catalog](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants)                                 | resource |
+| [databricks_schema.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/schema)                                    | resource |
+| [databricks_grants.schema](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants)                                  | resource |
+
 
 ## Inputs
 
 | Name                                                                                   | Description                                                                                     | Type           | Default | Required |
 | -------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |
-| <a name="input_project"></a> [project](#input\_project)                                | Project name                                                                                    | `string`       | n/a     |   yes    |
-| <a name="input_env"></a> [env](#input\_env)                                            | Environment name                                                                                | `string`       | n/a     |   yes    |
-| <a name="input_location"></a> [location](#input\_location)                             | Azure location                                                                                  | `string`       | n/a     |   yes    |
-| <a name="input_suffix"></a> [suffix](#input\_suffix)                             | Optional suffix that would be added to the end of resources names. | `string`       | " "     |   no    |
-| <a name="input_create_metastore"></a> [create\_metastore](#input\_create\_metastore)         | Boolean flag for Unity Catalog Metastore current in this environment. One Metastore per region | `bool`  | true  |   no    |
-| <a name="input_access_connector_id"></a> [access\_connector\_id](#input\_access\_connector\_id) | Databricks Access Connector Id that lets you to connect managed identities to an Azure Databricks account. Provides an ability to access Unity Catalog with assigned identity  | `string` | " " |    no    |
-| <a name="input_storage_account_id"></a> [storage\_account\_id](#input\_storage\_account\_id) | Storage Account Id where Unity Catalog Metastore would be provisioned | `string` | " "  |    no    |
-| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Storage Account Name where Unity Catalog Metastore would be provisioned   | `string` | " "   |    no    |
-| <a name="input_external_metastore_id"></a> [external\_metastore\_id](#input\_external\_metastore\_id) | Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore | `string` | " " | no |
-| <a name="input_catalog"></a> [catalog](#input\_catalog)  | Map of objects which parameters refers to certain catalog and schema attributes | <pre> map(object({ <br>   catalog_grants     = optional(map(list(string))) <br>   catalog_comment    = optional(string) <br>   catalog_properties = optional(map(string)) <br>   schema_name        = optional(list(string)) <br>   schema_grants      = optional(map(list(string))) <br>   schema_comment     = optional(string) <br>   schema_properties  = optional(map(string))<br>})) </pre> | {} | no |
-| <a name="input_metastore_grants"></a> [metastore\_grants](#input\_metastore\_grants) | Permissions to give on metastore to group  | `map(list(string))` | {} | no |
-| <a name="input_custom_databricks_metastore_name"></a> [custom\_databricks\_metastore\_name](#input\_custom\_databricks\_metastore\_name) | The name to provide for your Databricks Metastore | `string` | null | no |
+| <a name="input_env"></a> [env](#input\_project)| Environment name | `string`| n/a |   yes    |
+| <a name="input_metastore_id"></a> [metastore\_id](#input\_metastore\_id)| Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore| `string` | n/a |   yes    |
+| <a name="input_metastore_grants"></a> [metastore\_grants](#input\_metastore\_grants)| Permissions to give on metastore to group | <pre>set(object({<br>  principal  = string<br>  privileges = list(string)<br>}))</pre>| [] |   no    |
+| <a name="input_catalog"></a> [catalog](#input\_catalog)| Map of catalog name and its parameters | <pre>map(object({<br>  catalog_grants     = optional(map(list(string)))<br>  catalog_comment    = optional(string)<br>  catalog_properties = optional(map(string))<br>  schema_name        = optional(list(string))<br>  schema_grants      = optional(map(list(string)))<br>  schema_comment     = optional(string)<br>  schema_properties  = optional(map(string))<br>}))</pre>|{} |  no  |
+
 
 ## Outputs
 
 | Name                                                                       | Description                            |
 | -------------------------------------------------------------------------- | -------------------------------------- |
-| <a name="output_metastore_id"></a> [metastore\_id](#output\_metastore\_id)                                 | Unity Catalog Metastore Id. |
-| <a name="output_data_lake_gen2_file_system_id"></a> [data\_lake\_gen2\_file\_syste_id](#output\_data\_lake\_gen2\_file\_syste_id)   | The ID of the Data Lake Gen2 File System.  |
+
+No outputs.
 <!-- END_TF_DOCS -->
 
 ## License

main.tf

@@ -1,63 +1,29 @@
+# Metastore grants
 locals {
-  # This optional suffix is added to the end of resource names.
-  suffix                              = length(var.suffix) == 0 ? "" : "-${var.suffix}"
-  databricks_metastore_name           = var.custom_databricks_metastore_name == null ? "meta-${var.project}-${var.env}-${var.location}${local.suffix}" : var.custom_databricks_metastore_name
-  databricks_metastore_container_name = var.custom_databricks_metastore_container_name == null ? "meta-${var.project}-${var.env}" : var.custom_databricks_metastore_container_name
-}
-
-resource "azurerm_storage_data_lake_gen2_filesystem" "this" {
-  count = var.create_metastore ? 1 : 0
-
-  name               = local.databricks_metastore_container_name
-  storage_account_id = var.storage_account_id
-
-  lifecycle {
-    precondition {
-      condition = alltrue([
-        for variable in [var.storage_account_id, var.access_connector_id, var.storage_account_name] : false if length(variable) == 0
-      ])
-      error_message = "To create Metastore in a Region it is required to provide proper values for these variables: access_connector_id, storage_account_id, storage_account_name"
-    }
+  mapped_metastore_grants = {
+    for object in var.metastore_grants : object.principal => object
+    if object.principal != null
   }
 }
 
-resource "databricks_metastore" "this" {
-  count = var.create_metastore ? 1 : 0
-
-  name          = local.databricks_metastore_name
-  storage_root  = format("abfss://%s@%s.dfs.core.windows.net/", azurerm_storage_data_lake_gen2_filesystem.this[0].name, var.storage_account_name)
-  force_destroy = true
-}
-
 resource "databricks_grants" "metastore" {
-  count = length(var.metastore_grants) != 0 ? 1 : 0
+  count = length(local.mapped_metastore_grants) != 0 ? 1 : 0
 
-  metastore = length(var.external_metastore_id) == 0 ? databricks_metastore.this[0].id : var.external_metastore_id
+  metastore = var.metastore_id
   dynamic "grant" {
-    for_each = var.metastore_grants
+    for_each = local.mapped_metastore_grants
     content {
-      principal  = grant.key
-      privileges = grant.value
+      principal  = grant.value.principal
+      privileges = grant.value.privileges
     }
   }
 }
 
-resource "databricks_metastore_data_access" "this" {
-  count = var.create_metastore ? 1 : 0
-
-  metastore_id = databricks_metastore.this[0].id
-  name         = "data-access-${var.project}-${var.env}-${var.location}${local.suffix}"
-  azure_managed_identity {
-    access_connector_id = var.access_connector_id
-  }
-  is_default = true
-}
-
-# Catalog
+# Catalog creation
 resource "databricks_catalog" "this" {
-  for_each = anytrue([var.create_metastore, length(var.external_metastore_id) != 0]) ? var.catalog : {}
+  for_each = var.catalog
 
-  metastore_id  = length(var.external_metastore_id) == 0 ? databricks_metastore.this[0].id : var.external_metastore_id
+  metastore_id  = var.metastore_id
   name          = each.key
   comment       = lookup(each.value, "catalog_comment", "default comment")
   properties    = merge(lookup(each.value, "catalog_properties", {}), { env = var.env })
@@ -66,10 +32,10 @@ resource "databricks_catalog" "this" {
 
 # Catalog grants
 resource "databricks_grants" "catalog" {
-  for_each = anytrue([var.create_metastore, length(var.external_metastore_id) != 0]) ? {
+  for_each = {
     for name, params in var.catalog : name => params.catalog_grants
     if params.catalog_grants != null
-  } : {}
+  }
 
   catalog = databricks_catalog.this[each.key].name
   dynamic "grant" {
@@ -81,7 +47,7 @@ resource "databricks_grants" "catalog" {
   }
 }
 
-# Schema
+# Schema creation
 locals {
   schema = flatten([
     for catalog, params in var.catalog : [
@@ -96,9 +62,9 @@ locals {
 }
 
 resource "databricks_schema" "this" {
-  for_each = anytrue([var.create_metastore, length(var.external_metastore_id) != 0]) ? {
+  for_each = {
     for entry in local.schema : "${entry.catalog}.${entry.schema}" => entry
-  } : {}
+  }
 
   catalog_name  = databricks_catalog.this[each.value.catalog].name
   name          = each.value.schema
@@ -120,9 +86,9 @@ locals {
 }
 
 resource "databricks_grants" "schema" {
-  for_each = anytrue([var.create_metastore, length(var.external_metastore_id) != 0]) ? {
+  for_each = {
     for entry in local.schema_grants : "${entry.catalog}.${entry.schema}.${entry.principal}" => entry
-  } : {}
+  }
 
   schema = databricks_schema.this["${each.value.catalog}.${each.value.schema}"].id
   grant {

outputs.tf

@@ -1,9 +0,0 @@
-output "metastore_id" {
-  value       = var.create_metastore ? databricks_metastore.this[0].id : ""
-  description = "Unity Catalog Metastore Id"
-}
-
-output "data_lake_gen2_file_system_id" {
-  value       = var.create_metastore ? azurerm_storage_data_lake_gen2_filesystem.this[0].id : ""
-  description = "The ID of the Data Lake Gen2 File System."
-}

variables.tf

@@ -1,59 +1,28 @@
-variable "project" {
-  type        = string
-  description = "Project name"
-}
-
 variable "env" {
   type        = string
   description = "Environment name"
 }
 
-variable "location" {
-  type        = string
-  description = "Azure location"
-}
-
-variable "suffix" {
-  type        = string
-  description = "Optional suffix that would be added to the end of resources names."
-  default     = ""
-}
-
-# Unity Catalog variables
-variable "create_metastore" {
-  type        = bool
-  description = "Boolean flag for Unity Catalog Metastore current in this environment. One Metastore per region"
-  default     = false
-}
-
-variable "access_connector_id" {
-  type        = string
-  description = "Databricks Access Connector Id that lets you to connect managed identities to an Azure Databricks account. Provides an ability to access Unity Catalog with assigned identity"
-  default     = ""
-}
-
-variable "storage_account_id" {
-  type        = string
-  description = "Storage Account Id where Unity Catalog Metastore would be provisioned"
-  default     = ""
-}
-
-variable "storage_account_name" {
-  type        = string
-  description = "Storage Account Name where Unity Catalog Metastore would be provisioned"
-  default     = ""
-}
-
-variable "external_metastore_id" {
+variable "metastore_id" {
   type        = string
   description = "Unity Catalog Metastore Id that is located in separate environment. Provide this value to associate Databricks Workspace with target Metastore"
-  default     = ""
+
   validation {
-    condition     = length(var.external_metastore_id) == 36 || length(var.external_metastore_id) == 0
-    error_message = "UUID has to be either in nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn format or empty string"
+    condition     = length(var.metastore_id) == 36
+    error_message = "Create Metastore or connect to existing one in Init Layer using Private Endpoint. In case Unity Catalog is not required, remove 'databricks_catalog' variable from tfvars file."
   }
 }
 
+# Metastore grants
+variable "metastore_grants" {
+  type = set(object({
+    principal  = string
+    privileges = list(string)
+  }))
+  description = "Permissions to give on metastore to group"
+  default     = []
+}
+
 variable "catalog" {
   type = map(object({
     catalog_grants     = optional(map(list(string)))
@@ -67,30 +36,3 @@ variable "catalog" {
   description = "Map of catalog name and its parameters"
   default     = {}
 }
-
-# Metastore grants
-variable "metastore_grants" {
-  type        = map(list(string))
-  description = "Permissions to give on metastore to group"
-  default     = {}
-  validation {
-    condition = values(var.metastore_grants) != null ? alltrue([
-      for item in toset(flatten([for group, params in var.metastore_grants : params if params != null])) : contains([
-        "CREATE_CATALOG", "CREATE_EXTERNAL_LOCATION", "CREATE_SHARE", "CREATE_RECIPIENT", "CREATE_PROVIDER"
-      ], item)
-    ]) : true
-    error_message = "Metastore permission validation. The only possible values for permissions are: CREATE_CATALOG, CREATE_EXTERNAL_LOCATION, CREATE_SHARE, CREATE_RECIPIENT, CREATE_PROVIDER"
-  }
-}
-
-variable "custom_databricks_metastore_name" {
-  type        = string
-  description = "The name to provide for your Databricks Metastore"
-  default     = null
-}
-
-variable "custom_databricks_metastore_container_name" {
-  type        = string
-  description = "The name to provide for your Databricks Metastore Container"
-  default     = null
-}