Merge pull request #115 from PerfectThymeTech/marvinbuss/enhancements

Enhance Management Zone - Secure-by-default

Author: marvinbuss

.github/workflows/terraform.yml

@@ -18,7 +18,7 @@ jobs:
     name: "Terraform Deploy"
     with:
       environment: "dev"
-      terraform_version: "1.9.8"
+      terraform_version: "1.10.2"
       node_version: 20
       working_directory: "./tests/e2e"
       tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
@@ -33,7 +33,7 @@ jobs:
     if: github.event_name == 'push' || github.event_name == 'release'
     with:
       environment: "dev"
-      terraform_version: "1.9.8"
+      terraform_version: "1.10.2"
       node_version: 20
       working_directory: "./tests/e2e"
       tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"

README.md

@@ -125,61 +125,23 @@ The following requirements are needed by this module:
 
 - <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) (~> 1.58)
 
-- <a name="requirement_external"></a> [external](#requirement\_external) (~> 2.3)
-
 - <a name="requirement_time"></a> [time](#requirement\_time) (~> 0.9)
 
 ## Modules
 
 The following Modules are called:
 
-### <a name="module_container_registry"></a> [container\_registry](#module\_container\_registry)
-
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/containerregistry
-
-Version: main
-
-### <a name="module_databricks_access_connector"></a> [databricks\_access\_connector](#module\_databricks\_access\_connector)
-
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/databricksaccessconnector
-
-Version: main
-
-### <a name="module_databricks_workspace"></a> [databricks\_workspace](#module\_databricks\_workspace)
-
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/databricksworkspace
-
-Version: main
-
-### <a name="module_key_vault_purview"></a> [key\_vault\_purview](#module\_key\_vault\_purview)
+### <a name="module_datamanagement"></a> [datamanagement](#module\_datamanagement)
 
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/keyvault
+Source: ./modules/datamanagement
 
-Version: main
+Version:
 
-### <a name="module_key_vault_scim"></a> [key\_vault\_scim](#module\_key\_vault\_scim)
+### <a name="module_platform"></a> [platform](#module\_platform)
 
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/keyvault
+Source: ./modules/platform
 
-Version: main
-
-### <a name="module_purview_account"></a> [purview\_account](#module\_purview\_account)
-
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/purview
-
-Version: main
-
-### <a name="module_synapse_private_link_hub"></a> [synapse\_private\_link\_hub](#module\_synapse\_private\_link\_hub)
-
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/synapseprivetlinkhub
-
-Version: main
-
-### <a name="module_user_assigned_identity"></a> [user\_assigned\_identity](#module\_user\_assigned\_identity)
-
-Source: github.com/PerfectThymeTech/terraform-azurerm-modules//modules/userassignedidentity
-
-Version: main
+Version:
 
 <!-- markdownlint-disable MD013 -->
 <!-- markdownlint-disable MD034 -->
@@ -306,6 +268,14 @@ Type: `string`
 
 Default: `""`
 
+### <a name="input_private_dns_zone_id_dfs"></a> [private\_dns\_zone\_id\_dfs](#input\_private\_dns\_zone\_id\_dfs)
+
+Description: Specifies the resource ID of the private DNS zone for Azure Storage dfs endpoints. Not required if DNS A-records get created via Azure Policy.
+
+Type: `string`
+
+Default: `""`
+
 ### <a name="input_private_dns_zone_id_purview_platform"></a> [private\_dns\_zone\_id\_purview\_platform](#input\_private\_dns\_zone\_id\_purview\_platform)
 
 Description: Specifies the resource ID of the private DNS zone for Azure Key Vault. Not required if DNS A-records get created via Azure Policy.
@@ -394,35 +364,7 @@ Default: `true`
 
 ## Outputs
 
-The following outputs are exported:
-
-### <a name="output_container_registry_id"></a> [container\_registry\_id](#output\_container\_registry\_id)
-
-Description: Specifies the id of the container registry.
-
-### <a name="output_databricks_access_connector_id"></a> [databricks\_access\_connector\_id](#output\_databricks\_access\_connector\_id)
-
-Description: Specifies the ids of the databricks access connectors.
-
-### <a name="output_databricks_workspace_ids"></a> [databricks\_workspace\_ids](#output\_databricks\_workspace\_ids)
-
-Description: Specifies the ids of the databricks workspaces.
-
-### <a name="output_key_vault_purview_id"></a> [key\_vault\_purview\_id](#output\_key\_vault\_purview\_id)
-
-Description: Specifies the id of the Azure key vault provisioned for Microsoft Purview.
-
-### <a name="output_key_vault_scim_id"></a> [key\_vault\_scim\_id](#output\_key\_vault\_scim\_id)
-
-Description: Specifies the id of the Azure key vault provisioned for SCIM.
-
-### <a name="output_purview_id"></a> [purview\_id](#output\_purview\_id)
-
-Description: Specifies the id of the Microsoft Purview account.
-
-### <a name="output_synapse_private_link_hub_id"></a> [synapse\_private\_link\_hub\_id](#output\_synapse\_private\_link\_hub\_id)
-
-Description: Specifies the id of the Azure synapse private link hub.
+No outputs.
 
 <!-- markdownlint-enable -->
 ## License

locals.tf

@@ -1,35 +1,18 @@
 locals {
+  # General locals
   prefix = "${lower(var.prefix)}-${var.environment}"
 
-  # General locals
+  # Diagnostics locals
   diagnostics_configurations = var.log_analytics_workspace_id == null ? [] : [
     {
       log_analytics_workspace_id = var.log_analytics_workspace_id
       storage_account_id         = ""
     }
   ]
+
+  # Customer managed key locals
   customer_managed_key = null
 
   # Network locals
-  virtual_network = {
-    resource_group_name = split("/", var.vnet_id)[4]
-    name                = split("/", var.vnet_id)[8]
-  }
-  network_security_group = {
-    resource_group_name = try(split("/", var.nsg_id)[4], "")
-    name                = try(split("/", var.nsg_id)[8], "")
-  }
-  route_table = {
-    resource_group_name = try(split("/", var.route_table_id)[4], "")
-    name                = try(split("/", var.route_table_id)[8], "")
-  }
-  subnet_cidr_ranges = {
-    private_endpoint_subnet = var.subnet_cidr_ranges.private_endpoint_subnet != "" ? var.subnet_cidr_ranges.private_endpoint_subnet : tostring(cidrsubnet(data.azurerm_virtual_network.virtual_network.address_space[0], 27 - tonumber(reverse(split("/", data.azurerm_virtual_network.virtual_network.address_space[0]))[0]), 0))
-  }
-  connectivity_delay_in_seconds  = 30
-  databricks_private_subnet_name = "DatabricksPrivateSubnet"
-  databricks_public_subnet_name  = "DatabricksPublicSubnet"
-
-  # Databricks locals
-  databricks_account_scim_secret_name = "scim-token"
+  connectivity_delay_in_seconds = 30
 }

main.tf

@@ -1,39 +1,70 @@
-data "azurerm_client_config" "current" {}
+module "platform" {
+  source = "./modules/platform"
 
-resource "azurerm_resource_group" "governance_rg" {
-  name     = "${local.prefix}-governance-rg"
-  location = var.location
-  tags     = var.tags
-}
+  providers = {
+    azurerm = azurerm
+    azapi   = azapi
+  }
 
-resource "azurerm_resource_group" "connectivity_adb_rg" {
-  for_each = toset(var.locations_databricks)
+  # General variables
+  location             = var.location
+  locations_databricks = var.locations_databricks
+  environment          = var.environment
+  prefix               = var.prefix
+  tags                 = var.tags
 
-  name     = "${local.prefix}-connectivity-adb-${each.value}-rg"
-  location = var.location
-  tags     = var.tags
+  # Service variables
+  vnet_id                             = var.vnet_id
+  nsg_id                              = var.nsg_id
+  route_table_id                      = var.route_table_id
+  subnet_cidr_range_private_endpoints = var.subnet_cidr_ranges.private_endpoint_subnet
 }
 
-resource "azurerm_resource_group" "container_rg" {
-  name     = "${local.prefix}-container-rg"
-  location = var.location
-  tags     = var.tags
-}
+module "datamanagement" {
+  source = "./modules/datamanagement"
 
-resource "azurerm_resource_group" "connectivity_synapse_rg" {
-  name     = "${local.prefix}-connectivity-syn-rg"
-  location = var.location
-  tags     = var.tags
-}
+  providers = {
+    azurerm = azurerm
+    azapi   = azapi
+    time    = time
+  }
 
-resource "azurerm_resource_group" "automation_rg" {
-  name     = "${local.prefix}-automation-rg"
-  location = var.location
-  tags     = var.tags
-}
+  # General variables
+  company_name         = var.company_name
+  location             = var.location
+  location_purview     = var.location_purview
+  locations_databricks = var.locations_databricks
+  environment          = var.environment
+  prefix               = var.prefix
+  tags                 = var.tags
+
+  # Service variables
+  purview_enabled                        = var.purview_enabled
+  purview_account_root_collection_admins = var.purview_account_root_collection_admins
+  databricks_account_id                  = var.databricks_account_id
+
+  # HA/DR variables
+  zone_redundancy_enabled = var.zone_redundancy_enabled
+
+  # Logging and monitoring variables
+  diagnostics_configurations = local.diagnostics_configurations
+
+  # Network variables
+  subnet_id_private_endpoints   = module.platform.subnet_id_private_endpoints
+  subnet_ids_databricks         = module.platform.subnet_ids_databricks
+  connectivity_delay_in_seconds = local.connectivity_delay_in_seconds
+
+  # DNS variables
+  private_dns_zone_id_purview_platform   = var.private_dns_zone_id_purview_platform
+  private_dns_zone_id_blob               = var.private_dns_zone_id_blob
+  private_dns_zone_id_dfs                = var.private_dns_zone_id_dfs
+  private_dns_zone_id_queue              = var.private_dns_zone_id_queue
+  private_dns_zone_id_databricks         = var.private_dns_zone_id_databricks
+  private_dns_zone_id_container_registry = var.private_dns_zone_id_container_registry
+  private_dns_zone_id_vault              = var.private_dns_zone_id_vault
+  private_dns_zone_id_synapse_portal     = var.private_dns_zone_id_synapse_portal
+  databricks_private_dns_zone_ids        = module.platform.private_dns_zone_ids
 
-resource "azurerm_resource_group" "scim_rg" {
-  name     = "${local.prefix}-scim-rg"
-  location = var.location
-  tags     = var.tags
+  # Customer-managed key variables
+  customer_managed_key = var.customer_managed_key
 }

containerregistry.tf renamed to modules/datamanagement/containerregistry.tf

@@ -17,9 +17,9 @@ module "container_registry" {
   container_registry_retention_policy_in_days  = 7
   container_registry_trust_policy_enabled      = false
   container_registry_zone_redundancy_enabled   = var.zone_redundancy_enabled
-  diagnostics_configurations                   = local.diagnostics_configurations
-  subnet_id                                    = azapi_resource.private_endpoint_subnet.id
-  connectivity_delay_in_seconds                = local.connectivity_delay_in_seconds
+  diagnostics_configurations                   = var.diagnostics_configurations
+  subnet_id                                    = var.subnet_id_private_endpoints
+  connectivity_delay_in_seconds                = var.connectivity_delay_in_seconds
   private_dns_zone_id_container_registry       = var.private_dns_zone_id_container_registry
-  customer_managed_key                         = null
+  customer_managed_key                         = var.customer_managed_key
 }

modules/datamanagement/data.tf

@@ -0,0 +1,10 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_key_vault_secret" "key_vault_secret_databricks_account_scim_token" {
+  key_vault_id = module.key_vault_scim.key_vault_id
+  name         = local.databricks_account_scim_secret_name
+
+  depends_on = [
+    null_resource.databricks_account_scim_token,
+  ]
+}

databricksaccessconnector.tf renamed to modules/datamanagement/databricksaccessconnector.tf

@@ -1,5 +1,5 @@
 resource "time_rotating" "databricks_account_scim_token_regenerate" {
-  rotation_months = 1
+  rotation_months = 12
 }
 
 resource "null_resource" "databricks_account_scim_token" {
@@ -8,7 +8,7 @@ resource "null_resource" "databricks_account_scim_token" {
   }
 
   provisioner "local-exec" {
-    working_dir = "${path.module}/scripts/"
+    working_dir = "${path.module}/../../scripts/"
     command     = "pwsh ./Get-AccountScimToken.ps1 -DatabricksAccountId ${var.databricks_account_id} -KeyVaultName ${module.key_vault_scim.key_vault_name} -KeyVaultSecretName ${local.databricks_account_scim_secret_name}"
     environment = {}
   }

databricksappscim.tf renamed to modules/datamanagement/databricksappscim.tf

@@ -0,0 +1,71 @@
+resource "azurerm_private_endpoint" "private_endpoint_databricks_workspace_databricks_ui_api" {
+  for_each = toset(var.locations_databricks)
+
+  name                = "${module.databricks_workspace[each.key].databricks_workspace_name}-ddctd-uiapi-pe"
+  location            = each.key
+  resource_group_name = azurerm_resource_group.connectivity_adb_rg[each.key].name
+  tags                = var.tags
+
+  custom_network_interface_name = "${module.databricks_workspace[each.key].databricks_workspace_name}-ddctd-uiapi-nic"
+  private_service_connection {
+    name                           = "${module.databricks_workspace[each.key].databricks_workspace_name}-uiapi-svc"
+    is_manual_connection           = false
+    private_connection_resource_id = module.databricks_workspace[each.key].databricks_workspace_id
+    subresource_names              = ["databricks_ui_api"]
+  }
+  private_dns_zone_group {
+    name = "${module.databricks_workspace[each.key].databricks_workspace_name}-arecord"
+    private_dns_zone_ids = [
+      var.databricks_private_dns_zone_ids["databricks"].id
+    ]
+  }
+  subnet_id = var.subnet_ids_databricks[each.key].subnet_databricks_private_endpoint_id
+}
+
+resource "azurerm_private_endpoint" "private_endpoint_databricks_workspace_dbfs_blob" {
+  for_each = toset(var.locations_databricks)
+
+  name                = "${module.databricks_workspace[each.key].databricks_workspace_name}-ddctd-blob-pe"
+  location            = each.key
+  resource_group_name = azurerm_resource_group.connectivity_adb_rg[each.key].name
+  tags                = var.tags
+
+  custom_network_interface_name = "${module.databricks_workspace[each.key].databricks_workspace_name}-ddctd-blob-nic"
+  private_service_connection {
+    name                           = "${module.databricks_workspace[each.key].databricks_workspace_name}-blob-svc"
+    is_manual_connection           = false
+    private_connection_resource_id = "${module.databricks_workspace[each.key].databricks_workspace_managed_resource_group_id}/providers/Microsoft.Storage/storageAccounts/${module.databricks_workspace[each.key].databricks_workspace_managed_storage_account_name}"
+    subresource_names              = ["blob"]
+  }
+  private_dns_zone_group {
+    name = "${module.databricks_workspace[each.key].databricks_workspace_name}-arecord"
+    private_dns_zone_ids = [
+      var.databricks_private_dns_zone_ids["blob"].id
+    ]
+  }
+  subnet_id = var.subnet_ids_databricks[each.key].subnet_databricks_private_endpoint_id
+}
+
+resource "azurerm_private_endpoint" "private_endpoint_databricks_workspace_dbfs_dfs" {
+  for_each = toset(var.locations_databricks)
+
+  name                = "${module.databricks_workspace[each.key].databricks_workspace_name}-ddctd-dfs-pe"
+  location            = each.key
+  resource_group_name = azurerm_resource_group.connectivity_adb_rg[each.key].name
+  tags                = var.tags
+
+  custom_network_interface_name = "${module.databricks_workspace[each.key].databricks_workspace_name}-ddctd-dfs-nic"
+  private_service_connection {
+    name                           = "${module.databricks_workspace[each.key].databricks_workspace_name}-dfs-svc"
+    is_manual_connection           = false
+    private_connection_resource_id = "${module.databricks_workspace[each.key].databricks_workspace_managed_resource_group_id}/providers/Microsoft.Storage/storageAccounts/${module.databricks_workspace[each.key].databricks_workspace_managed_storage_account_name}"
+    subresource_names              = ["dfs"]
+  }
+  private_dns_zone_group {
+    name = "${module.databricks_workspace[each.key].databricks_workspace_name}-arecord"
+    private_dns_zone_ids = [
+      var.databricks_private_dns_zone_ids["dfs"].id
+    ]
+  }
+  subnet_id = var.subnet_ids_databricks[each.key].subnet_databricks_private_endpoint_id
+}