add databricks-cluster-policy (#530)
jayengee authored Oct 31, 2023
1 parent 2e5974a commit 5f42e9b
Showing 5 changed files with 145 additions and 0 deletions.
42 changes: 42 additions & 0 deletions databricks-cluster-policy/README.md
@@ -0,0 +1,42 @@
# README
<!-- START -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | n/a |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [databricks_cluster_policy.custom_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
| [databricks_cluster_policy.inherited_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
| [databricks_permissions.can_use_custom_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
| [databricks_permissions.can_use_inherited_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_databricks_host"></a> [databricks\_host](#input\_databricks\_host) | Databricks host name for tagging | `string` | n/a | yes |
| <a name="input_databricks_workspace_id"></a> [databricks\_workspace\_id](#input\_databricks\_workspace\_id) | Databricks workspace\_id for tagging | `string` | n/a | yes |
| <a name="input_grantees"></a> [grantees](#input\_grantees) | Names of groups to be granted use access to the policy - must already exist | `list(string)` | `[]` | no |
| <a name="input_policy_family_id"></a> [policy\_family\_id](#input\_policy\_family\_id) | ID of policy family to inherit from | `string` | `null` | no |
| <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | Name of cluster policy | `string` | n/a | yes |
| <a name="input_policy_overrides"></a> [policy\_overrides](#input\_policy\_overrides) | Cluster policy overrides | `any` | `{}` | no |

## Outputs

No outputs.
<!-- END -->
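Review bot: the `policy_overrides` row documents the input only as "Cluster policy overrides" with type `any`; the README should state the expected shape (a map keyed by policy attribute path such as `custom_tags.Cluster_Policy`, whose values are policy-element objects with `type` and `value`, matching `default_policy` in main.tf) and that the overrides are merged on top of the module's default tag entries. The `grantees` row says the groups "must already exist" but not what a caller should expect when one does not; one sentence on that failure mode would help. The Providers table shows `databricks` as version `n/a` because versions.tf sets no constraint, which is worth fixing at the source rather than in the README.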
63 changes: 63 additions & 0 deletions databricks-cluster-policy/main.tf
@@ -0,0 +1,63 @@
locals {
# default policy attributes that can be overridden but are otherwise
# included for each policy
default_policy = {
"custom_tags.Cluster_Policy" : {
"type" : "fixed",
"value" : var.policy_name
},
"custom_tags.Databricks_Workspace_Id" : {
"type" : "fixed",
"value" : var.databricks_workspace_id
},
"custom_tags.Databricks_Host" : {
"type" : "fixed",
"value" : var.databricks_host
},
}

# Workaround for looping over grantees and setting resource count
inherited_cluster_policy_grantees = toset([for grantee in var.grantees : grantee if var.policy_family_id != null])
custom_cluster_policy_grantees = toset([for grantee in var.grantees : grantee if var.policy_family_id == null])
}

## Messy implementation below - cannot set policy_family_id and/or policy_family_definiton_overrides
## if definition is present, and setting them to null still triggers an error from the provider, so
## we duplicate the setup and set a count on the var being present

### if inherited cluster policy
resource "databricks_cluster_policy" "inherited_cluster_policy" {
count = var.policy_family_id != null ? 1 : 0

name = var.policy_name
policy_family_definition_overrides = jsonencode(merge(local.default_policy, var.policy_overrides))
policy_family_id = var.policy_family_id
}

resource "databricks_permissions" "can_use_inherited_cluster_policy" {
for_each = local.inherited_cluster_policy_grantees

cluster_policy_id = databricks_cluster_policy.inherited_cluster_policy[0].id
access_control {
group_name = each.value
permission_level = "CAN_USE"
}
}

### if custom cluster policy
resource "databricks_cluster_policy" "custom_cluster_policy" {
count = var.policy_family_id == null ? 1 : 0

name = var.policy_name
definition = jsonencode(merge(local.default_policy, var.policy_overrides))
}

resource "databricks_permissions" "can_use_custom_cluster_policy" {
for_each = local.custom_cluster_policy_grantees

cluster_policy_id = databricks_cluster_policy.custom_cluster_policy[0].id
access_control {
group_name = each.value
permission_level = "CAN_USE"
}
}
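Review bot: in `merge(local.default_policy, var.policy_overrides)` (used for both `policy_family_definition_overrides` and `definition`) the caller's overrides take precedence, so a `policy_overrides` entry for `custom_tags.Cluster_Policy`, `custom_tags.Databricks_Workspace_Id` or `custom_tags.Databricks_Host` silently replaces the "fixed" tag the module is meant to stamp on every cluster. If those tags are intended to be enforced for attribution and cost tracking, swap the argument order to `merge(var.policy_overrides, local.default_policy)` or reject such keys with a variable validation; if overriding is intentional, say so in the comment above `default_policy`, which currently only says the attributes "can be overridden". Smaller points: `policy_family_definiton_overrides` in the `## Messy implementation` comment is misspelled (`definition`), and the `access_control` blocks only set `group_name`, which matches the `grantees` description but means user or service-principal grants would need a module change rather than a new input value.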
Empty file.
32 changes: 32 additions & 0 deletions databricks-cluster-policy/variables.tf
@@ -0,0 +1,32 @@
variable "policy_name" {
description = "Name of cluster policy"
type = string
}

variable "databricks_workspace_id" {
description = "Databricks workspace_id for tagging"
type = string
}

variable "databricks_host" {
description = "Databricks host name for tagging"
type = string
}

variable "policy_family_id" {
description = "ID of policy family to inherit from"
type = string
default = null
}

variable "policy_overrides" {
description = "Cluster policy overrides"
type = any
default = {}
}

variable "grantees" {
description = "Names of groups to be granted use access to the policy - must already exist"
type = list(string)
default = []
}
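Review bot: `policy_overrides` is declared `type = any` with a `{}` default, so a caller passing a list or a string is only caught when `merge()` runs in main.tf rather than at variable evaluation; declaring it `map(any)` keeps the per-attribute objects flexible while rejecting non-map values up front, and a `validation` block would be the place to document any keys that must not be overridden. `grantees` could similarly get a `validation` rejecting empty strings, since an empty element is passed straight through as `group_name` in main.tf.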
8 changes: 8 additions & 0 deletions databricks-cluster-policy/versions.tf
@@ -0,0 +1,8 @@
terraform {
required_providers {
databricks = {
source = "databricks/databricks"
}
}
required_version = ">= 0.13"
}
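Review bot: `required_providers.databricks` has only `source` and no `version` constraint, which is why the README lists the provider version as `n/a`; without a pin, `terraform init` on a fresh checkout takes the latest provider release, so a future change to how `databricks_cluster_policy` handles `policy_family_id` versus `definition` (behaviour the `## Messy implementation` comment in main.tf already works around) can break the module without any diff here. Add `version = "~> <major>.<minor>"` (placeholder) pinned to the release the module was tested against, and consider whether `required_version = ">= 0.13"` is still the floor the module actually supports.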
