Merge pull request #94 from PerfectThymeTech/marvinbuss/add_dfs_pes

Add Databricks DBFS Private Endpoints
PerfectThymeTech · Nov 22, 2024 · ef6177a · ef6177a
2 parents 31dfe2a + 0af02eb
commit ef6177a
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 1 deletion.
diff --git a/modules/databricksworkspace/README.md b/modules/databricksworkspace/README.md
@@ -160,6 +160,14 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_private_dns_zone_id_blob"></a> [private\_dns\_zone\_id\_blob](#input\_private\_dns\_zone\_id\_blob)
+
+Description: Specifies the resource ID of the private DNS zone for Azure Storage blob endpoints. Not required if DNS A-records get created via Azure Policy.
+
+Type: `string`
+
+Default: `""`
+
 ### <a name="input_private_dns_zone_id_databricks"></a> [private\_dns\_zone\_id\_databricks](#input\_private\_dns\_zone\_id\_databricks)
 
 Description: Specifies the resource ID of the private DNS zone for Azure Databricks. Not required if DNS A-records get created via Azure Policy.
@@ -168,6 +176,14 @@ Type: `string`
 
 Default: `""`
 
+### <a name="input_private_dns_zone_id_dfs"></a> [private\_dns\_zone\_id\_dfs](#input\_private\_dns\_zone\_id\_dfs)
+
+Description: Specifies the resource ID of the private DNS zone for Azure Storage dfs endpoints. Not required if DNS A-records get created via Azure Policy.
+
+Type: `string`
+
+Default: `""`
+
 ### <a name="input_tags"></a> [tags](#input\_tags)
 
 Description: Specifies a key value map of tags to set on every taggable resources.

diff --git a/modules/databricksworkspace/connectivity.tf b/modules/databricksworkspace/connectivity.tf
@@ -66,11 +66,75 @@ resource "azurerm_private_endpoint" "private_endpoint_databricks_workspace_brows
   ]
 }
 
+resource "azurerm_private_endpoint" "private_endpoint_databricks_workspace_dbfs_blob" {
+  name                = "${azurerm_databricks_workspace.databricks_workspace.name}-blob-pe"
+  location            = var.location_private_endpoint != null ? var.location_private_endpoint : var.location
+  resource_group_name = azurerm_databricks_workspace.databricks_workspace.resource_group_name
+  tags                = var.tags
+
+  custom_network_interface_name = "${azurerm_databricks_workspace.databricks_workspace.name}-blob-nic"
+  private_service_connection {
+    name                           = "${azurerm_databricks_workspace.databricks_workspace.name}-blob-svc"
+    is_manual_connection           = false
+    private_connection_resource_id = "${azurerm_databricks_workspace.databricks_workspace.managed_resource_group_id}/providers/Microsoft.Storage/storageAccounts/${azurerm_databricks_workspace.databricks_workspace.custom_parameters[0].storage_account_name}"
+    subresource_names              = ["blob"]
+  }
+  subnet_id = var.subnet_id
+  dynamic "private_dns_zone_group" {
+    for_each = var.private_dns_zone_id_blob == "" ? [] : [1]
+    content {
+      name = "${azurerm_databricks_workspace.databricks_workspace.name}-arecord"
+      private_dns_zone_ids = [
+        var.private_dns_zone_id_blob
+      ]
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      private_dns_zone_group
+    ]
+  }
+}
+
+resource "azurerm_private_endpoint" "private_endpoint_databricks_workspace_dbfs_dfs" {
+  name                = "${azurerm_databricks_workspace.databricks_workspace.name}-dfs-pe"
+  location            = var.location_private_endpoint != null ? var.location_private_endpoint : var.location
+  resource_group_name = azurerm_databricks_workspace.databricks_workspace.resource_group_name
+  tags                = var.tags
+
+  custom_network_interface_name = "${azurerm_databricks_workspace.databricks_workspace.name}-dfs-nic"
+  private_service_connection {
+    name                           = "${azurerm_databricks_workspace.databricks_workspace.name}-dfs-svc"
+    is_manual_connection           = false
+    private_connection_resource_id = "${azurerm_databricks_workspace.databricks_workspace.managed_resource_group_id}/providers/Microsoft.Storage/storageAccounts/${azurerm_databricks_workspace.databricks_workspace.custom_parameters[0].storage_account_name}"
+    subresource_names              = ["dfs"]
+  }
+  subnet_id = var.subnet_id
+  dynamic "private_dns_zone_group" {
+    for_each = var.private_dns_zone_id_dfs == "" ? [] : [1]
+    content {
+      name = "${azurerm_databricks_workspace.databricks_workspace.name}-arecord"
+      private_dns_zone_ids = [
+        var.private_dns_zone_id_dfs
+      ]
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      private_dns_zone_group
+    ]
+  }
+}
+
 resource "time_sleep" "sleep_connectivity" {
   create_duration = "${var.connectivity_delay_in_seconds}s"
 
   depends_on = [
     azurerm_private_endpoint.private_endpoint_databricks_workspace_browser_authentication,
     azurerm_private_endpoint.private_endpoint_databricks_workspace_databricks_ui_api,
+    azurerm_private_endpoint.private_endpoint_databricks_workspace_dbfs_blob,
+    azurerm_private_endpoint.private_endpoint_databricks_workspace_dbfs_dfs,
   ]
 }
diff --git a/modules/databricksworkspace/outputs.tf b/modules/databricksworkspace/outputs.tf
@@ -13,7 +13,7 @@ output "databricks_workspace_name" {
 output "databricks_workspace_workspace_id" {
   description = "Specifies the workspace id of the Azure Databricks workspace."
   value       = azurerm_databricks_workspace.databricks_workspace.workspace_id
-  sensitive   = true
+  sensitive   = false
 }
 
 output "databricks_workspace_workspace_url" {

diff --git a/modules/databricksworkspace/variables.tf b/modules/databricksworkspace/variables.tf
@@ -195,6 +195,28 @@ variable "private_dns_zone_id_databricks" {
   }
 }
 
+variable "private_dns_zone_id_blob" {
+  description = "Specifies the resource ID of the private DNS zone for Azure Storage blob endpoints. Not required if DNS A-records get created via Azure Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_blob == "" || (length(split("/", var.private_dns_zone_id_blob)) == 9 && endswith(var.private_dns_zone_id_blob, "privatelink.blob.core.windows.net"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}
+
+variable "private_dns_zone_id_dfs" {
+  description = "Specifies the resource ID of the private DNS zone for Azure Storage dfs endpoints. Not required if DNS A-records get created via Azure Policy."
+  type        = string
+  sensitive   = false
+  default     = ""
+  validation {
+    condition     = var.private_dns_zone_id_dfs == "" || (length(split("/", var.private_dns_zone_id_dfs)) == 9 && endswith(var.private_dns_zone_id_dfs, "privatelink.dfs.core.windows.net"))
+    error_message = "Please specify a valid resource ID for the private DNS Zone."
+  }
+}
+
 # Customer-managed key variables
 variable "customer_managed_key" {
   description = "Specifies the customer managed key configurations."