Merge pull request #175 from PerfectThymeTech/marvinbuss/bugfix_starter_wh

Fix Bug for starter WH

Author: marvinbuss

databricks.tf

@@ -14,11 +14,12 @@ module "databricks_core" {
   tags        = var.tags
 
   # Service variables
-  databricks_workspace_details                = local.databricks_workspace_details
-  databricks_private_endpoint_rules           = local.databricks_private_endpoint_rules
-  databricks_ip_access_list_allow             = []
-  databricks_ip_access_list_deny              = []
-  databricks_network_connectivity_config_name = var.databricks_network_connectivity_config_name
+  databricks_workspace_details                     = local.databricks_workspace_details
+  databricks_private_endpoint_rules                = local.databricks_private_endpoint_rules
+  databricks_ip_access_list_allow                  = []
+  databricks_ip_access_list_deny                   = []
+  databricks_network_connectivity_config_name      = var.databricks_network_connectivity_config_name
+  databricks_compliance_security_profile_standards = var.databricks_compliance_security_profile_standards
 
   # Identity variables
   service_principal_name_terraform_plan = var.service_principal_name_terraform_plan
@@ -65,12 +66,12 @@ module "databricks_data_application" {
   data_provider_details = try(each.value.data_providers, {})
 
   # Identity variables
-  admin_group_name                                           = try(each.value.identity.admin_group_name, "")
-  developer_group_name                                       = try(each.value.identity.developer_group_name, "")
-  reader_group_name                                          = try(each.value.identity.reader_group_name, "")
-  service_principal_name                                     = try(each.value.identity.service_principal_name, "")
-  databricks_service_principal_terraform_plan_application_id = module.databricks_core.databricks_service_principal_terraform_plan_application_id
-  service_principal_name_terraform_plan                      = var.service_principal_name_terraform_plan
+  admin_group_name                                    = try(each.value.identity.admin_group_name, "")
+  developer_group_name                                = try(each.value.identity.developer_group_name, "")
+  reader_group_name                                   = try(each.value.identity.reader_group_name, "")
+  service_principal_name                              = try(each.value.identity.service_principal_name, "")
+  service_principal_name_terraform_plan               = var.service_principal_name_terraform_plan
+  databricks_service_principal_terraform_plan_details = module.databricks_core.databricks_service_principal_terraform_plan_details
 
   # Budget variables
   budget = try(each.value.budget, 100)

modules/databrickscore/data.tf

@@ -13,5 +13,5 @@ data "azuread_service_principal" "service_principal_terraform_plan" {
 }
 
 data "databricks_sql_warehouse" "sql_endpoint_starter" {
-  name = "Starter Warehouse"
+  name = contains(var.databricks_compliance_security_profile_standards, "PCI_DSS") ? "Starter Warehouse" : "Serverless Starter Warehouse"
 }

modules/databrickscore/output.tf

@@ -4,8 +4,11 @@ output "databricks_network_connectivity_config_id" {
   sensitive   = false
 }
 
-output "databricks_service_principal_terraform_plan_application_id" {
-  description = "Specifies the application id of the service principal used for Terraform Plan."
-  value       = one(databricks_service_principal.service_principal_terraform_plan[*].application_id)
-  sensitive   = false
+output "databricks_service_principal_terraform_plan_details" {
+  description = "Specifies the details of the service principal used for Terraform Plan."
+  value = {
+    application_id   = var.service_principal_name_terraform_plan == "" ? "" : one(databricks_service_principal.service_principal_terraform_plan[*].application_id)
+    acl_principal_id = var.service_principal_name_terraform_plan == "" ? "" : one(databricks_service_principal.service_principal_terraform_plan[*].acl_principal_id)
+  }
+  sensitive = false
 }

modules/databrickscore/variables.tf

@@ -82,6 +82,20 @@ variable "databricks_network_connectivity_config_name" {
   }
 }
 
+variable "databricks_compliance_security_profile_standards" {
+  description = "Specifies which enhanced compliance security profiles ('HIPAA', 'PCI_DSS') should be enabled for the Azure Databricks workspace."
+  type        = list(string)
+  sensitive   = false
+  nullable    = false
+  default     = []
+  validation {
+    condition = alltrue([
+      length([for compliance_security_profile_standard in toset(var.databricks_compliance_security_profile_standards) : compliance_security_profile_standard if !contains(["HIPAA", "PCI_DSS"], compliance_security_profile_standard)]) <= 0
+    ])
+    error_message = "Please specify a valid compliance security profile."
+  }
+}
+
 # Identity variables
 variable "service_principal_name_terraform_plan" {
   description = "Specifies the name of the service principal used for the Terraform plan in PRs."

modules/databricksdataapplication/roleassignment_service_principal_terraform_plan.tf

@@ -1,7 +1,7 @@
 resource "databricks_secret_acl" "secret_acl_service_principal_terraform_plan" {
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
-  principal  = var.databricks_service_principal_terraform_plan_application_id
+  principal  = var.databricks_service_principal_terraform_plan_details.application_id
   permission = "READ"
   scope      = databricks_secret_scope.secret_scope.id
 }
@@ -10,7 +10,7 @@ resource "databricks_grant" "grant_catalog_internal_service_principal_terraform_
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   catalog   = databricks_catalog.catalog_internal.id
-  principal = var.databricks_service_principal_terraform_plan_application_id
+  principal = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -49,7 +49,7 @@ resource "databricks_grant" "grant_catalog_external_service_principal_terraform_
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   catalog   = databricks_catalog.catalog_external.id
-  principal = var.databricks_service_principal_terraform_plan_application_id
+  principal = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -88,7 +88,7 @@ resource "databricks_grant" "grant_external_location_external_service_principal_
   for_each = var.service_principal_name_terraform_plan == "" ? {} : var.data_provider_details
 
   external_location = databricks_external_location.external_location_external[each.key].id
-  principal         = var.databricks_service_principal_terraform_plan_application_id
+  principal         = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -115,7 +115,7 @@ resource "databricks_grant" "grant_external_location_raw_service_principal_terra
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   external_location = databricks_external_location.external_location_raw.id
-  principal         = var.databricks_service_principal_terraform_plan_application_id
+  principal         = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -142,7 +142,7 @@ resource "databricks_grant" "grant_external_location_enriched_service_principal_
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   external_location = databricks_external_location.external_location_enriched.id
-  principal         = var.databricks_service_principal_terraform_plan_application_id
+  principal         = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -169,7 +169,7 @@ resource "databricks_grant" "grant_external_location_curated_service_principal_t
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   external_location = databricks_external_location.external_location_curated.id
-  principal         = var.databricks_service_principal_terraform_plan_application_id
+  principal         = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -196,7 +196,7 @@ resource "databricks_grant" "grant_external_location_workspace_service_principal
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   external_location = databricks_external_location.external_location_workspace.id
-  principal         = var.databricks_service_principal_terraform_plan_application_id
+  principal         = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -223,7 +223,7 @@ resource "databricks_grant" "grant_storage_credential_service_principal_terrafor
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   storage_credential = databricks_storage_credential.storage_credential.id
-  principal          = var.databricks_service_principal_terraform_plan_application_id
+  principal          = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default
@@ -245,7 +245,7 @@ resource "databricks_grant" "grant_credential_service_principal_terraform_plan"
   count = var.service_principal_name_terraform_plan == "" ? 0 : 1
 
   credential = databricks_credential.credential.id
-  principal  = var.databricks_service_principal_terraform_plan_application_id
+  principal  = var.databricks_service_principal_terraform_plan_details.application_id
   privileges = [
     # General
     # "ALL_PRIVILIGES", # Use specific permissions instead of allowing all permissions by default

modules/databricksdataapplication/roleassignments_common.tf

@@ -165,6 +165,7 @@ resource "databricks_access_control_rule_set" "access_control_rule_set_budget_po
       one(databricks_service_principal.service_principal[*].acl_principal_id),
       one(databricks_service_principal.service_principal_data_factory[*].acl_principal_id),
       databricks_service_principal.service_principal_uai.acl_principal_id,
+      var.databricks_service_principal_terraform_plan_details.acl_principal_id,
     ])
     role = "roles/budgetPolicy.user"
   }

modules/databricksdataapplication/variables.tf

@@ -256,14 +256,21 @@ variable "service_principal_name" {
   }
 }
 
-variable "databricks_service_principal_terraform_plan_application_id" {
+variable "databricks_service_principal_terraform_plan_details" {
   description = "Specifies the application id of the service principal used for Terraform Plan."
-  type        = string
-  sensitive   = false
-  default     = ""
+  type = object({
+    application_id   = optional(string, "")
+    acl_principal_id = optional(string, "")
+  })
+  sensitive = false
+  default   = {}
   validation {
-    condition     = var.databricks_service_principal_terraform_plan_application_id == "" || length(var.databricks_service_principal_terraform_plan_application_id) >= 2
-    error_message = "Please specify a valid name."
+    condition     = var.databricks_service_principal_terraform_plan_details.application_id == "" || length(var.databricks_service_principal_terraform_plan_details.application_id) >= 2
+    error_message = "Please specify a valid application id."
+  }
+  validation {
+    condition     = var.databricks_service_principal_terraform_plan_details.acl_principal_id == "" || length(var.databricks_service_principal_terraform_plan_details.acl_principal_id) >= 2
+    error_message = "Please specify a valid acl principal id."
   }
 }