Merge pull request #17 from data-platform-hq/fix_refactor

feat: refactoring

Author: owlleg6

README.md

@@ -0,0 +1,37 @@
+resource "databricks_cluster" "cluster" {
+  for_each = { for cluster in var.clusters : cluster.cluster_name => cluster }
+
+  cluster_name            = each.value.cluster_name
+  spark_version           = each.value.spark_version
+  spark_conf              = each.value.spark_conf
+  spark_env_vars          = each.value.spark_env_vars
+  data_security_mode      = each.value.data_security_mode
+  node_type_id            = each.value.node_type_id
+  autotermination_minutes = each.value.autotermination_minutes
+
+  autoscale {
+    min_workers = each.value.min_workers
+    max_workers = each.value.max_workers
+  }
+
+  azure_attributes {
+    availability       = each.value.availability
+    first_on_demand    = each.value.first_on_demand
+    spot_bid_max_price = each.value.spot_bid_max_price
+  }
+
+  dynamic "cluster_log_conf" {
+    for_each = each.value.cluster_log_conf_destination != null ? [each.value.cluster_log_conf_destination] : []
+    content {
+      dbfs {
+        destination = cluster_log_conf.value
+      }
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      state
+    ]
+  }
+}

cluster.tf

@@ -3,6 +3,21 @@ locals {
   suffix   = length(var.suffix) == 0 ? "" : "-${var.suffix}"
 }
 
+data "azurerm_key_vault_secret" "sp_client_id" {
+  name         = var.sp_client_id_secret_name
+  key_vault_id = var.key_vault_id
+}
+
+data "azurerm_key_vault_secret" "sp_key" {
+  name         = var.sp_key_secret_name
+  key_vault_id = var.key_vault_id
+}
+
+data "azurerm_key_vault_secret" "tenant_id" {
+  name         = var.tenant_id_secret_name
+  key_vault_id = var.key_vault_id
+}
+
 resource "databricks_workspace_conf" "this" {
   count = local.ip_rules == null ? 0 : 1
 
@@ -32,14 +47,14 @@ resource "databricks_sql_endpoint" "this" {
   for_each = { for endpoint in var.sql_endpoint : (endpoint.name) => endpoint }
 
   name                      = "${each.key}${local.suffix}"
-  cluster_size              = coalesce(each.value.cluster_size, "2X-Small")
-  min_num_clusters          = coalesce(each.value.min_num_clusters, 0)
-  max_num_clusters          = coalesce(each.value.max_num_clusters, 1)
-  auto_stop_mins            = coalesce(each.value.auto_stop_mins, "30")
-  enable_photon             = coalesce(each.value.enable_photon, false)
-  enable_serverless_compute = coalesce(each.value.enable_serverless_compute, false)
-  spot_instance_policy      = coalesce(each.value.spot_instance_policy, "COST_OPTIMIZED")
-  warehouse_type            = coalesce(each.value.warehouse_type, "PRO")
+  cluster_size              = each.value.cluster_size
+  min_num_clusters          = each.value.min_num_clusters
+  max_num_clusters          = each.value.max_num_clusters
+  auto_stop_mins            = each.value.auto_stop_mins
+  enable_photon             = each.value.enable_photon
+  enable_serverless_compute = each.value.enable_serverless_compute
+  spot_instance_policy      = each.value.spot_instance_policy
+  warehouse_type            = each.value.warehouse_type
 
   lifecycle {
     ignore_changes = [state, num_clusters]

main.tf

@@ -0,0 +1,16 @@
+resource "databricks_mount" "adls" {
+  for_each = var.mountpoints
+
+  name = each.key
+  uri  = "abfss://${each.value["container_name"]}@${each.value["storage_account_name"]}.dfs.core.windows.net"
+  extra_configs = {
+    "fs.azure.account.auth.type" : "OAuth",
+    "fs.azure.account.oauth.provider.type" : "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
+    "fs.azure.account.oauth2.client.id" : data.azurerm_key_vault_secret.sp_client_id.value,
+    "fs.azure.account.oauth2.client.secret" : databricks_secret.main[data.azurerm_key_vault_secret.sp_key.name].config_reference,
+    "fs.azure.account.oauth2.client.endpoint" : "https://login.microsoftonline.com/${data.azurerm_key_vault_secret.tenant_id.value}/oauth2/token",
+    "fs.azure.createRemoteFileSystemDuringInitialization" : "false",
+    "spark.databricks.sqldw.jdbc.service.principal.client.id" : data.azurerm_key_vault_secret.sp_client_id.value,
+    "spark.databricks.sqldw.jdbc.service.principal.client.secret" : databricks_secret.main[data.azurerm_key_vault_secret.sp_key.name].config_reference
+  }
+}

mount.tf

@@ -6,44 +6,26 @@ locals {
   ])
 }
 
-resource "databricks_permissions" "default_cluster" {
-  for_each = coalesce(flatten([values(var.iam)[*].default_cluster_permission, "none"])...) != "none" ? var.default_cluster_id : {}
-
-  cluster_id = each.value
-
-  dynamic "access_control" {
-    for_each = { for k, v in var.iam : k => v.default_cluster_permission if v.default_cluster_permission != null }
-    content {
-      group_name       = databricks_group.this[access_control.key].display_name
-      permission_level = access_control.value
-    }
-  }
-}
-
-resource "databricks_permissions" "cluster_policy" {
+resource "databricks_cluster_policy" "this" {
   for_each = {
-    for policy in var.cluster_policies_object : (policy.name) => policy
-    if policy.can_use != null
+    for param in var.custom_cluster_policies : (param.name) => param.definition
+    if param.definition != null
   }
 
-  cluster_policy_id = each.value.id
-
-  dynamic "access_control" {
-    for_each = each.value.can_use
-    content {
-      group_name       = databricks_group.this[access_control.value].display_name
-      permission_level = "CAN_USE"
-    }
-  }
+  name       = each.key
+  definition = jsonencode(each.value)
 }
 
-resource "databricks_permissions" "unity_cluster" {
-  count = var.unity_cluster_config.permissions != null && var.unity_cluster_enabled ? 1 : 0
+resource "databricks_permissions" "clusters" {
+  for_each = {
+    for v in var.clusters : (v.cluster_name) => v
+    if length(v.permissions) != 0
+  }
 
-  cluster_id = databricks_cluster.this[0].id
+  cluster_id = databricks_cluster.cluster[each.key].id
 
   dynamic "access_control" {
-    for_each = var.unity_cluster_config.permissions
+    for_each = each.value.permissions
     content {
       group_name       = databricks_group.this[access_control.value.group_name].display_name
       permission_level = access_control.value.permission_level
@@ -54,7 +36,7 @@ resource "databricks_permissions" "unity_cluster" {
 resource "databricks_permissions" "sql_endpoint" {
   for_each = {
     for endpoint in var.sql_endpoint : (endpoint.name) => endpoint
-    if endpoint.permissions != null
+    if length(endpoint.permissions) != 0
   }
 
   sql_endpoint_id = databricks_sql_endpoint.this[each.key].id

permissions.tf

@@ -0,0 +1,74 @@
+locals {
+  sp_secrets = {
+    (var.sp_client_id_secret_name) = { value = data.azurerm_key_vault_secret.sp_client_id.value }
+    (var.sp_key_secret_name)       = { value = data.azurerm_key_vault_secret.sp_key.value }
+  }
+
+  secrets_objects_list = flatten([for param in var.secret_scope : [
+    for secret in param.secrets : {
+      scope_name = param.scope_name, key = secret.key, string_value = secret.string_value
+    }] if param.secrets != null
+  ])
+}
+
+# Secret Scope with SP secrets for mounting Azure Data Lake Storage
+resource "databricks_secret_scope" "main" {
+  name                     = "main"
+  initial_manage_principal = null
+}
+
+resource "databricks_secret" "main" {
+  for_each = local.sp_secrets
+
+  key          = each.key
+  string_value = each.value["value"]
+  scope        = databricks_secret_scope.main.id
+}
+
+# Custom additional Databricks Secret Scope
+resource "databricks_secret_scope" "this" {
+  for_each = {
+    for param in var.secret_scope : (param.scope_name) => param
+    if param.scope_name != null
+  }
+
+  name                     = each.key
+  initial_manage_principal = null
+}
+
+resource "databricks_secret" "this" {
+  for_each = { for entry in local.secrets_objects_list : "${entry.scope_name}.${entry.key}" => entry }
+
+  key          = each.value.key
+  string_value = each.value.string_value
+  scope        = databricks_secret_scope.this[each.value.scope_name].id
+}
+
+# At the nearest future, Azure will allow acquiring AAD tokens by service principals,
+# thus providing an ability to create Azure backed Key Vault with Terraform
+# https://github.com/databricks/terraform-provider-databricks/pull/1965
+
+## Azure Key Vault-backed Scope
+#resource "azurerm_key_vault_access_policy" "databricks" {
+#  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
+
+#  key_vault_id = var.key_vault_secret_scope.key_vault_id
+#  object_id    = "9b38785a-6e08-4087-a0c4-20634343f21f" # Global 'AzureDatabricks' SP object id
+#  tenant_id    = data.azurerm_key_vault_secret.tenant_id.value
+#
+#  secret_permissions = [
+#    "Get",
+#    "List",
+#  ]
+#}
+#
+#resource "databricks_secret_scope" "external" {
+#  count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
+#
+#  name = "external"
+#  keyvault_metadata {
+#    resource_id = var.key_vault_secret_scope.key_vault_id
+#    dns_name    = var.key_vault_secret_scope.dns_name
+#  }
+#  depends_on = [azurerm_key_vault_access_policy.databricks]
+#}

secrets.tf

@@ -133,41 +133,3 @@ resource "databricks_grants" "schema" {
     privileges = each.value.permission
   }
 }
-
-resource "databricks_cluster" "this" {
-  count = var.unity_cluster_enabled ? 1 : 0
-
-  cluster_name            = var.unity_cluster_config.cluster_name
-  spark_version           = var.unity_cluster_config.spark_version
-  spark_conf              = var.unity_cluster_config.spark_conf
-  spark_env_vars          = var.unity_cluster_config.spark_env_vars
-  data_security_mode      = var.unity_cluster_config.data_security_mode
-  node_type_id            = var.unity_cluster_config.node_type_id
-  autotermination_minutes = var.unity_cluster_config.autotermination_minutes
-
-  autoscale {
-    min_workers = var.unity_cluster_config.min_workers
-    max_workers = var.unity_cluster_config.max_workers
-  }
-
-  azure_attributes {
-    availability       = var.unity_cluster_config.availability
-    first_on_demand    = var.unity_cluster_config.first_on_demand
-    spot_bid_max_price = var.unity_cluster_config.spot_bid_max_price
-  }
-
-  dynamic "cluster_log_conf" {
-    for_each = var.unity_cluster_config.cluster_log_conf_destination != null ? [var.unity_cluster_config.cluster_log_conf_destination] : []
-    content {
-      dbfs {
-        destination = cluster_log_conf.value
-      }
-    }
-  }
-
-  lifecycle {
-    ignore_changes = [
-      state
-    ]
-  }
-}