updating to include #25091 fixes #24883

* Initial Check-in... * Update ValidateFunc for new field... * Updated the name of new field... * Add note to documentation... * Update var name to align with new field name... * Remove redundant validation... * Update read function set values even if nil... * Update var name... * Add new example for cross subscription... * Expose managed_cmk_key_vault_id in azurerm_databricks_workspace_root_dbfs_customer_managed_key * Fix documentation typo... * Remove TODO comment from code... * Fix documentation object_id lint error... * Update code to allow all three keys to exist in different subscriptions... * Update field names to be more unified in the resources... * Fix lint error and add additional note to documentation... * Fix typo... * Missed one... * Terraform fmt databricks directory... * Add test cases... * Update altSubscriptionCheck function... * Update test cases... * Replace the the with the... * Address PR comments, need to add 4.0 test cases... * Update v4.0 RequiredWith schema attribute for managed_disk_cmk_rotation_to_latest_version_enabled field... * Added DBFS test case... * Revert 4.0 resource id changes... * Fix lint error...
hashicorp · Apr 4, 2024 · bb24848 · bb24848
1 parent da7b530
commit bb24848
Show file tree

Hide file tree

Showing 18 changed files with 1,481 additions and 189 deletions.
diff --git a/examples/databricks/customer-managed-key/dbfs-cross-subscription/README.md b/examples/databricks/customer-managed-key/dbfs-cross-subscription/README.md
@@ -0,0 +1,7 @@
+## Example: Databricks Workspace with Root Databricks File System Customer Managed Keys in a Different Subscription
+
+This example provisions a Databricks Workspace within Azure with Root Databricks File System Customer Managed Keys enabled where the Key Vault and Key are hosted in a different subscription within the same tenant.
+
+### Variables
+
+* `prefix` - (Required) The prefix used for all resources in this example.
diff --git a/examples/databricks/customer-managed-key/dbfs-cross-subscription/main.tf b/examples/databricks/customer-managed-key/dbfs-cross-subscription/main.tf
@@ -0,0 +1,124 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+provider "azurerm" {
+  features {}
+}
+
+provider "azurerm" {
+  features {}
+  alias           = "keyVaultSubscription"
+  subscription_id = "00000000-0000-0000-0000-000000000000" # Subscription where the Key Vault should be hosted
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-databricks-cmk"
+  location = "West Europe"
+}
+
+resource "azurerm_resource_group" "keyVault" {
+  provider = azurerm.keyVaultSubscription
+
+  name     = "${var.prefix}-databricks-cmk"
+  location = "West Europe"
+}
+
+resource "azurerm_databricks_workspace" "example" {
+  name                        = "${var.prefix}-DBW"
+  resource_group_name         = azurerm_resource_group.example.name
+  location                    = azurerm_resource_group.example.location
+  sku                         = "premium"
+  managed_resource_group_name = "${var.prefix}-DBW-managed-dbfs"
+
+  customer_managed_key_enabled = true
+
+  tags = {
+    Environment = "Sandbox"
+  }
+}
+
+resource "azurerm_databricks_workspace_root_dbfs_customer_managed_key" "example" {
+  depends_on = [azurerm_key_vault_access_policy.databricks]
+
+  workspace_id     = azurerm_databricks_workspace.example.id
+  key_vault_id     = azurerm_key_vault.example.id
+  key_vault_key_id = azurerm_key_vault_key.dbfs.id
+}
+
+resource "azurerm_key_vault" "example" {
+  provider = azurerm.keyVaultSubscription
+
+  name                = "${var.prefix}-keyvault"
+  location            = azurerm_resource_group.keyVault.location
+  resource_group_name = azurerm_resource_group.keyVault.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "premium"
+
+  purge_protection_enabled   = true
+  soft_delete_retention_days = 7
+}
+
+resource "azurerm_key_vault_key" "dbfs" {
+  depends_on = [azurerm_key_vault_access_policy.terraform]
+
+  provider = azurerm.keyVaultSubscription
+
+  name         = "${var.prefix}-certificate"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "terraform" {
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_key_vault.example.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Get",
+    "List",
+    "Create",
+    "Decrypt",
+    "Encrypt",
+    "Sign",
+    "UnwrapKey",
+    "Verify",
+    "WrapKey",
+    "Delete",
+    "Restore",
+    "Recover",
+    "Update",
+    "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "databricks" {
+  depends_on = [azurerm_databricks_workspace.example]
+
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_databricks_workspace.example.storage_account_identity.0.tenant_id
+  object_id    = azurerm_databricks_workspace.example.storage_account_identity.0.principal_id
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
diff --git a/examples/databricks/customer-managed-key/dbfs-cross-subscription/variables.tf b/examples/databricks/customer-managed-key/dbfs-cross-subscription/variables.tf
@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+variable "prefix" {
+  description = "The Prefix used for all resources in this example"
+}
diff --git a/examples/databricks/customer-managed-key/dbfs/README.md b/examples/databricks/customer-managed-key/dbfs/README.md
@@ -1,4 +1,4 @@
-## Example: Databricks Workspace Root Databricks File System Customer Managed Keys
+## Example: Databricks Workspace with Root Databricks File System Customer Managed Keys
 
 This example provisions a Databricks Workspace within Azure with Root Databricks File System Customer Managed Keys enabled.
 

diff --git a/examples/databricks/customer-managed-key/dbfs/main.tf b/examples/databricks/customer-managed-key/dbfs/main.tf
@@ -82,6 +82,8 @@ resource "azurerm_key_vault_access_policy" "terraform" {
     "Recover",
     "Update",
     "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
   ]
 }
 
@@ -93,8 +95,8 @@ resource "azurerm_key_vault_access_policy" "databricks" {
   object_id    = azurerm_databricks_workspace.example.storage_account_identity.0.principal_id
 
   key_permissions = [
-    "get",
-    "unwrapKey",
-    "wrapKey",
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
   ]
 }
diff --git a/examples/databricks/customer-managed-key/managed-services/README.md b/examples/databricks/customer-managed-key/managed-services/README.md
@@ -1,8 +1,8 @@
-## Example: Databricks Workspace Customer Managed Keys for Managed Services
+## Example: Databricks Workspace with Customer Managed Keys for Managed Services
 
 This example provisions a Databricks Workspace within Azure with Customer Managed Keys for Managed Services enabled.
 
-To find the correct Object ID to use for the `azurerm_key_vault_access_policy.managed` `object_id` field in your configuration file you will need to go to [portal](https://portal.azure.com/) -> `Azure Active Directory` and in the `search your tenant` bar enter the value `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`. You will see under `Enterprise application` results `AzureDatabricks`, click on the `AzureDatabricks` search result. This will open the `Enterprise Application` overview blade where you will see three values, the name of the application, the application ID, and the object ID. The value you want is the object ID, copy this value and paste it into the `object_id` field for your `azurerm_key_vault_access_policy.managed` configuration block.
+To find the correct Object ID to use for the `azurerm_key_vault_access_policy.managed` `object_id` field in your configuration file you will need to go to [portal](https://portal.azure.com/) -> `Microsoft Entra ID` and in the `search your tenant` bar enter the value `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`. You will see under `Enterprise application` results `AzureDatabricks`, click on the `AzureDatabricks` search result. This will open the `Enterprise Application` overview blade where you will see three values, the name of the application, the application ID, and the object ID. The value you want is the object ID, copy this value and paste it into the `object_id` field for your `azurerm_key_vault_access_policy.managed` configuration block.
 
 ### Variables
 

diff --git a/examples/databricks/customer-managed-key/managed-services/main.tf b/examples/databricks/customer-managed-key/managed-services/main.tf
@@ -24,7 +24,7 @@ resource "azurerm_databricks_workspace" "example" {
   managed_services_cmk_key_vault_key_id = azurerm_key_vault_key.example.id
 
   tags = {
-    Environment = "Production"
+    Environment = "Sandbox"
   }
 }
 
@@ -62,31 +62,33 @@ resource "azurerm_key_vault_access_policy" "terraform" {
   object_id    = data.azurerm_client_config.current.object_id
 
   key_permissions = [
-    "get",
-    "list",
-    "create",
-    "decrypt",
-    "encrypt",
-    "sign",
-    "unwrapKey",
-    "verify",
-    "wrapKey",
-    "delete",
-    "restore",
-    "recover",
-    "update",
-    "purge",
+    "Get",
+    "List",
+    "Create",
+    "Decrypt",
+    "Encrypt",
+    "Sign",
+    "UnwrapKey",
+    "Verify",
+    "WrapKey",
+    "Delete",
+    "Restore",
+    "Recover",
+    "Update",
+    "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
   ]
 }
 
 resource "azurerm_key_vault_access_policy" "managed" {
   key_vault_id = azurerm_key_vault.example.id
   tenant_id    = azurerm_key_vault.example.tenant_id
-  object_id    = "See the README.md file for instructions on how to lookup the correct value to enter here"
+  object_id    = "00000000-0000-0000-0000-000000000000" # See the README.md file for instructions on how to lookup the correct value to enter here.
 
   key_permissions = [
-    "get",
-    "unwrapKey",
-    "wrapKey",
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
   ]
 }
diff --git a/examples/databricks/managed-services-cross-subscription/README.md b/examples/databricks/managed-services-cross-subscription/README.md
@@ -0,0 +1,9 @@
+## Example: Databricks Workspace with Customer Managed Keys for Managed Services with Key Vault and Key in a Different Subscription
+
+This example provisions a Databricks Workspace within Azure with Customer Managed Keys for Managed Services enabled where the Key Vault and Key are hosted in a different subscription within the same tenant.
+
+To find the correct Object ID to use for the `azurerm_key_vault_access_policy.managed` `object_id` field in your configuration file you will need to go to [portal](https://portal.azure.com/) -> `Microsoft Entra ID` and in the `search your tenant` bar enter the value `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`. You will see under `Enterprise application` results `AzureDatabricks`, click on the `AzureDatabricks` search result. This will open the `Enterprise Application` overview blade where you will see three values, the name of the application, the application ID, and the object ID. The value you want is the object ID, copy this value and paste it into the `object_id` field for your `azurerm_key_vault_access_policy.managed` configuration block.
+
+### Variables
+
+* `prefix` - (Required) The prefix used for all resources in this example.
diff --git a/examples/databricks/managed-services-cross-subscription/main.tf b/examples/databricks/managed-services-cross-subscription/main.tf
@@ -0,0 +1,139 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+provider "azurerm" {
+  features {}
+}
+
+provider "azurerm" {
+  features {}
+  alias           = "keyVaultSubscription"
+  subscription_id = "00000000-0000-0000-0000-000000000000" # Subscription where the Key Vault should be hosted
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-databricks-managed-services"
+  location = "West Europe"
+}
+
+resource "azurerm_resource_group" "keyVault" {
+  provider = azurerm.keyVaultSubscription
+
+  name     = "${var.prefix}-databricks-managed-services"
+  location = "West Europe"
+}
+
+resource "azurerm_databricks_workspace" "example" {
+  depends_on = [azurerm_key_vault_access_policy.managed]
+
+  name                        = "${var.prefix}-DBW"
+  resource_group_name         = azurerm_resource_group.example.name
+  location                    = azurerm_resource_group.example.location
+  sku                         = "premium"
+  managed_resource_group_name = "${var.prefix}-DBW-managed-services"
+
+  managed_services_cmk_key_vault_id     = azurerm_key_vault.example.id
+  managed_services_cmk_key_vault_key_id = azurerm_key_vault_key.services.id
+
+  managed_disk_cmk_key_vault_id     = azurerm_key_vault.example.id
+  managed_disk_cmk_key_vault_key_id = azurerm_key_vault_key.disk.id
+
+  tags = {
+    Environment = "Sandbox"
+  }
+}
+
+resource "azurerm_key_vault" "example" {
+  provider = azurerm.keyVaultSubscription
+
+  name                = "${var.prefix}-keyvault"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "premium"
+
+  soft_delete_retention_days = 7
+}
+
+resource "azurerm_key_vault_key" "services" {
+  depends_on = [azurerm_key_vault_access_policy.terraform]
+
+  provider = azurerm.keyVaultSubscription
+
+  name         = "${var.prefix}-certificate"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+resource "azurerm_key_vault_key" "disk" {
+  depends_on = [azurerm_key_vault_access_policy.terraform]
+
+  provider = azurerm.keyVaultSubscription
+
+  name         = "${var.prefix}-certificate"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "terraform" {
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_key_vault.example.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Get",
+    "List",
+    "Create",
+    "Decrypt",
+    "Encrypt",
+    "Sign",
+    "UnwrapKey",
+    "Verify",
+    "WrapKey",
+    "Delete",
+    "Restore",
+    "Recover",
+    "Update",
+    "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "managed" {
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_key_vault.example.tenant_id
+  object_id    = "00000000-0000-0000-0000-000000000000" # See the README.md file for instructions on how to lookup the correct value to enter here.
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
diff --git a/examples/databricks/managed-services-cross-subscription/variables.tf b/examples/databricks/managed-services-cross-subscription/variables.tf
@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+variable "prefix" {
+  description = "The Prefix used for all resources in this example"
+}