Azure · murggu · Mar 17, 2023 · Mar 10, 2023 · Mar 10, 2023 · Mar 10, 2023
diff --git a/terraform/databricks/main.tf b/terraform/databricks/main.tf
@@ -2,15 +2,16 @@
 # https://registry.terraform.io/providers/databricks/databricks/latest/docs
 
 resource "azurerm_databricks_workspace" "adl_databricks" {
-  name                                  = "adb-${var.basename}"
-  resource_group_name                   = var.resource_group_name
-  location                              = var.location
-  sku                                   = var.sku
+  name                = "adb-${var.basename}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  sku                 = var.sku
+
   managed_resource_group_name           = "${var.resource_group_name}-adb-managed"
-  public_network_access_enabled         = var.is_sec_module && !(var.public_network_enabled) ? false : true
+  public_network_access_enabled         = var.public_network_enabled
   network_security_group_rules_required = var.is_sec_module ? "NoAzureDatabricksRules" : "AllRules"
   custom_parameters {
-    no_public_ip                                         = var.is_sec_module ? true : false
+    no_public_ip                                         = var.is_sec_module
     public_subnet_name                                   = var.public_subnet_name
     private_subnet_name                                  = var.private_subnet_name
     virtual_network_id                                   = var.virtual_network_id
@@ -20,6 +21,18 @@ resource "azurerm_databricks_workspace" "adl_databricks" {
   tags = var.tags
 
   count = var.module_enabled ? 1 : 0
+
+  lifecycle {
+    precondition {
+      condition     = (var.is_sec_module || var.public_network_enabled)
+      error_message = "Deny public access requires a private link endpoint (is_sec_module set to 'true')"
+    }
+
+    precondition {
+      condition     = (!var.enable_ip_access_list || var.public_network_enabled)
+      error_message = "IP access list only applies to requests made over the Internet (public_network_enabled set to 'true')"
+    }
+  }
 }
 
 provider "databricks" {
@@ -35,7 +48,7 @@ resource "databricks_workspace_conf" "adb_ws_conf" {
   }
   depends_on = [azurerm_databricks_workspace.adl_databricks[0]]
 
-  count = var.module_enabled && var.public_network_enabled ? 1 : 0
+  count = var.module_enabled && var.enable_ip_access_list ? 1 : 0
 }
 
 resource "databricks_ip_access_list" "adb_ws_allow-list" {
@@ -45,7 +58,7 @@ resource "databricks_ip_access_list" "adb_ws_allow-list" {
   ip_addresses = var.allow_ip_list
   depends_on   = [databricks_workspace_conf.adb_ws_conf]
 
-  count = var.module_enabled && var.public_network_enabled && var.enable_ip_access_list && length(var.allow_ip_list) > 0 ? 1 : 0
+  count = var.module_enabled && var.enable_ip_access_list && length(var.allow_ip_list) > 0 ? 1 : 0
 }
 
 resource "databricks_ip_access_list" "adb_ws_block-list" {
@@ -55,7 +68,7 @@ resource "databricks_ip_access_list" "adb_ws_block-list" {
   ip_addresses = var.block_ip_list
   depends_on   = [databricks_workspace_conf.adb_ws_conf]
 
-  count = var.module_enabled && var.public_network_enabled && var.enable_ip_access_list && length(var.block_ip_list) > 0 ? 1 : 0
+  count = var.module_enabled && var.enable_ip_access_list && length(var.block_ip_list) > 0 ? 1 : 0
 }
 
 # Private Endpoint configuration
@@ -100,4 +113,4 @@ module "adb_be_pe" {
   private_dns_zone_ids           = var.backend_private_dns_zone_ids
   tags                           = var.tags
   module_enabled                 = var.module_enabled && var.is_sec_module && var.maximum_network_security
-}
+}