Merge pull request #39 from Azure/features/adb-ws-ip-access-list

Enable ip access list to Databricks Workspace module
Azure · Dec 22, 2022 · 6e97528 · 6e97528
2 parents f298e01 + 22189ef
commit 6e97528
Show file tree

Hide file tree

Showing 7 changed files with 84 additions and 5 deletions.
diff --git a/terraform/databricks/main.tf b/terraform/databricks/main.tf
@@ -8,8 +8,8 @@ resource "azurerm_databricks_workspace" "adl_databricks" {
   sku                         = var.sku
   managed_resource_group_name = "${var.rg_name}-adb-managed"
 
-  public_network_access_enabled         = var.is_sec_module && var.public_network_enabled ? false : true
-  network_security_group_rules_required = var.is_sec_module && var.public_network_enabled ? "NoAzureDatabricksRules" : "AllRules"
+  public_network_access_enabled         = var.is_sec_module && !(var.public_network_enabled) ? false : true
+  network_security_group_rules_required = var.is_sec_module ? "NoAzureDatabricksRules" : "AllRules"
 
   custom_parameters {
     no_public_ip        = var.is_sec_module ? true : false
@@ -45,7 +45,7 @@ resource "azurerm_private_endpoint" "databricks_pe_be" {
   }
 
   # Only deploy if backend and frontend use different private endpoints
-  count = var.is_sec_module && (var.maximum_network_security) ? 1 : 0
+  count = var.is_sec_module && var.maximum_network_security ? 1 : 0
 
   tags = var.tags
 }
@@ -94,4 +94,40 @@ resource "azurerm_private_endpoint" "databricks_pe_sso" {
   count = var.is_sec_module ? 1 : 0
 
   tags = var.tags
+}
+
+provider "databricks" {
+  alias                       = "adl-adb"
+  host                        = azurerm_databricks_workspace.adl_databricks.workspace_url
+  azure_workspace_resource_id = azurerm_databricks_workspace.adl_databricks.id
+}
+
+resource "databricks_workspace_conf" "adb_ws_conf" {
+  provider = databricks.adl-adb
+  custom_config = {
+    "enableIpAccessLists" : var.enable_ip_access_list
+  }
+  depends_on = [azurerm_databricks_workspace.adl_databricks]
+}
+
+resource "databricks_ip_access_list" "adb_ws_allow-list" {
+  provider = databricks.adl-adb
+
+  label        = "allow_in"
+  list_type    = "ALLOW"
+  ip_addresses = var.allow_ip_list
+  depends_on   = [databricks_workspace_conf.adb_ws_conf]
+
+  count = var.enable_ip_access_list && length(var.allow_ip_list) > 0 ? 1 : 0
+}
+
+resource "databricks_ip_access_list" "adb_ws_block-list" {
+  provider = databricks.adl-adb
+
+  label        = "block_in"
+  list_type    = "BLOCK"
+  ip_addresses = var.block_ip_list
+  depends_on   = [databricks_workspace_conf.adb_ws_conf]
+
+  count = var.enable_ip_access_list && length(var.block_ip_list) > 0 ? 1 : 0
 }
diff --git a/terraform/databricks/outputs.tf b/terraform/databricks/outputs.tf
@@ -1,3 +1,7 @@
 output "id" {
   value = azurerm_databricks_workspace.adl_databricks.id
+}
+
+output "workspace_url" {
+  value = azurerm_databricks_workspace.adl_databricks.workspace_url
 }
diff --git a/terraform/databricks/providers.tf b/terraform/databricks/providers.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    databricks = {
+      source = "databricks/databricks"
+    }
+  }
+}
diff --git a/terraform/databricks/test/databricks.tf b/terraform/databricks/test/databricks.tf
@@ -15,11 +15,19 @@ module "databricks" {
   public_subnet_network_security_group_association_id  = module.local_snet_nsg_association_public.id
   private_subnet_network_security_group_association_id = module.local_snet_nsg_association_private.id
 
+  public_network_enabled   = true
+  enable_ip_access_list    = true
+  allow_ip_list            = ["${data.http.ip.body}/32"]
+
   tags = {}
 }
 
 # Modules dependencies
 
+data "http" "ip" {
+  url = "https://ifconfig.me"
+}
+
 module "local_rg" {
   source = "../../resource-group"
 

diff --git a/terraform/databricks/test/outputs.tf b/terraform/databricks/test/outputs.tf
@@ -1,3 +1,7 @@
 output "id" {
   value = module.databricks.id
+}
+
+output "workspace_url" {
+  value = module.databricks.workspace_url
 }
diff --git a/terraform/databricks/test/providers.tf b/terraform/databricks/test/providers.tf
@@ -11,8 +11,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = "= 3.36.0"
     }
+    databricks = {
+      source = "databricks/databricks"
+    }
   }
-
 }
 
 provider "azurerm" {

diff --git a/terraform/databricks/variables.tf b/terraform/databricks/variables.tf
@@ -40,7 +40,7 @@ variable "backend_subnet_id" {
 variable "public_network_enabled" {
   type        = bool
   description = "Should the Purview Account be visible to the public network?"
-  default     = false
+  default     = true
 }
 
 variable "private_dns_zone_ids" {
@@ -90,4 +90,22 @@ variable "public_subnet_network_security_group_association_id" {
 variable "private_subnet_network_security_group_association_id" {
   type        = string
   description = "The resource ID of the azurerm_subnet_network_security_group_association resource which is referred to by the private_subnet_name field"
+}
+
+variable "enable_ip_access_list" {
+  type        = bool
+  description = "Enable IP access lists"
+  default     = false
+}
+
+variable "allow_ip_list" {
+  type        = list(string)
+  description = "Specifies the list of IPs allowed to the workspace"
+  default     = []
+}
+
+variable "block_ip_list" {
+  type        = list(string)
+  description = "Specifies the list of IPs blocked to the workspace"
+  default     = []
 }