|
| 1 | +# manual-approve-with-github-actions |
| 2 | + |
| 3 | +This directory contains Terraform code that shows how to use [databricks-department-clusters](../../modules/databricks-department-clusters) to create Databricks resources, together with CI/CD pipeline that demonstrate how to validate pull request changes before applying them & using approvals before deploying changes to production system. Please note that existing Terraform code is cross-platform and could be deployed to a Databricks workspace at any supported cloud. |
| 4 | + |
| 5 | +## Workflow |
| 6 | + |
| 7 | +The general workflow looks as following: |
| 8 | + |
| 9 | + |
| 10 | + |
| 11 | +* Changes to code in this directory or in the module are made in a separate Git branch & when changes are ready, a pull request is opened |
| 12 | +* Upon opening of the pull request, the build pipeline is triggered, and following operations are performed: |
| 13 | + * Initializes Terraform using a remote backend to store a [Terraform state](https://www.terraform.io/language/state). |
| 14 | + * Perform check of the Terraform code for formatting consistence. |
| 15 | + * Performs check of the Terraform code using [terraform validate](https://www.terraform.io/cli/commands/validate). |
| 16 | + * Executes `terraform plan` to get the list changes that will be made. |
| 17 | +* If build pipeline executed without errors, results of `terraform plan` and code could be reviewed by reviewer, and merged into the `main` branch. |
| 18 | +* When code is merged into the `main` branch, the release pipeline is triggered, and after a manual approval, changes are applied to the deployment using the `terraform apply` command. |
| 19 | + |
| 20 | +As result of the pipeline execution, following resources will be created: |
| 21 | + |
| 22 | +* A user group for a department with specific users added to it |
| 23 | +* A shared Databricks cluster that could be used by users of the group |
| 24 | +* A Databricks SQL Endpoint |
| 25 | +* A Databricks cluster policy that could be used by the user group |
| 26 | + |
| 27 | + |
| 28 | +### Configuring Terraform code |
| 29 | + |
| 30 | +You can customize this project by modifying the `terraform.tfvars` file that defines following variables necessary for the `databricks-department-clusters` module: |
| 31 | + |
| 32 | +* `cluster_name` - Name of the shared cluster to create |
| 33 | +* `department` - Department name |
| 34 | +* `group_name`|Name of the group to create|string||yes| |
| 35 | +* `user_names` - List of users to create in the specified group |
| 36 | +* `tags` - Additional tags applied to all resources created |
| 37 | + |
| 38 | +## Configuring Github Actions pipeline |
| 39 | + |
| 40 | +As described above, we need two jobs in the Github actions workflow: |
| 41 | + |
| 42 | +* Build job is responsible for validation of changes in pull request. It is triggered by any new pull request event on the `main` branch. |
| 43 | +* Release job is responsible for deploying the changes: |
| 44 | + * It is triggered by any new merge event on the `main` branch. |
| 45 | + * It requires a manual approval before deploying the changes. See [Configuring the Github Actions release job](#configuring-the-github-actions-release-job) for more details. |
| 46 | + |
| 47 | +In order to use this pipeline, we have two prerequisites: |
| 48 | + |
| 49 | +* Create a Service Principale and grant it one of the following permissions: |
| 50 | + * Contributor access to the Azure Databricks workspace and blob contributor access to the storage account used for the remote state. |
| 51 | + * Contributor access to the resource group containing both the Azure Databricks workspace and the storage account. |
| 52 | +* Store credentials for the Service Principale and the Databricks workspace where ressources will be deployed. |
| 53 | + |
| 54 | +### List of Github Actions secrets |
| 55 | + |
| 56 | +We need to define the following secrets: |
| 57 | + |
| 58 | + |
| 59 | + |
| 60 | +* `DATABRICKS_HOST` - URL of the Databricks workspace where resources will be deployed. |
| 61 | +* `DATABRICKS_TOKEN` - personal access token for the Databricks workspace (follow [documentation](https://docs.databricks.com/dev-tools/api/latest/authentication.html) for instructions on how to obtain it). |
| 62 | +* `AZURE_AD_CLIENT_ID` – ID of the Azure service principal. |
| 63 | +* `AZURE_AD_CLIENT_SECRET` – Secret of the Azure Service Principal. |
| 64 | +* `AZURE_AD_TENANT_ID` – Azure AD tenant ID to where the service principal was created. |
| 65 | +* `AZURE_SUBSCRIPTION_ID` – Subscription ID of where you want to deploy the Terraform |
| 66 | +* `BACKEND_RG_NAME` - name of resource group containing storage account. |
| 67 | +* `BACKEND_SA_NAME` - name of the storage account. |
| 68 | +* `BACKEND_CONTAINER_NAME` - name of the container inside the storage account. |
| 69 | +* `BACKEND_KEY` - name of the blob (file) object that will be used to store Terraform state of our deployment. |
| 70 | + |
| 71 | + |
| 72 | +### Configuring the Github Actions workflow |
| 73 | + |
| 74 | +In order to create a new Github Actions workflow, follow these steps: |
| 75 | + |
| 76 | +* Create a .github/workflows directory in your repository on GitHub if this directory does not already exist. |
| 77 | +* In the .github/workflows directory, create a file named terraform-databricks-demo.yml. |
| 78 | +* Copy the [github-actions.yml](github-actions.yml) into the ``terraform-databricks-demo.yml`` file. |
| 79 | +* Commit and push your changes to the `main` branch. This will automatically create a new Github Actions workflow. |
| 80 | + |
| 81 | + |
| 82 | +### Configuring the Github Actions release job |
| 83 | + |
| 84 | +The release job requires a manual approval before deploying the changes. Once the reviewers approve the request, the release job will start deploying the changes. |
| 85 | +In order to configure the manual approval, follow these steps: |
| 86 | + |
| 87 | +* On GitHub.com, navigate to the main page of the repository and click "Settings". |
| 88 | +* In the left sidebar, click Environments and click "New environment". |
| 89 | +* Name the environment `production`. This name is used in the [github-actions.yml](github-actions.yml) file. |
| 90 | +* Specify people or teams that must approve release job. |
0 commit comments