add databricks-cluster-policy (#530)
Showing
5 changed files
with
145 additions
and
0 deletions.
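--- /dev/null
+++ b/README.md
@@ -0,0 +1,42 @@
+# README
+<!-- START -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [databricks_cluster_policy.custom_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
+| [databricks_cluster_policy.inherited_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
+| [databricks_permissions.can_use_custom_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
+| [databricks_permissions.can_use_inherited_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_databricks_host"></a> [databricks\_host](#input\_databricks\_host) | Databricks host name for tagging | `string` | n/a | yes |
+| <a name="input_databricks_workspace_id"></a> [databricks\_workspace\_id](#input\_databricks\_workspace\_id) | Databricks workspace\_id for tagging | `string` | n/a | yes |
+| <a name="input_grantees"></a> [grantees](#input\_grantees) | Names of groups to be granted use access to the policy - must already exist | `list(string)` | `[]` | no |
+| <a name="input_policy_family_id"></a> [policy\_family\_id](#input\_policy\_family\_id) | ID of policy family to inherit from | `string` | `null` | no |
+| <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | Name of cluster policy | `string` | n/a | yes |
+| <a name="input_policy_overrides"></a> [policy\_overrides](#input\_policy\_overrides) | Cluster policy overrides | `any` | `{}` | no |
+
+## Outputs
+
+No outputs.
+<!-- END -->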
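--- /dev/null
+++ b/main.tf
@@ -0,0 +1,63 @@
+locals {
+# default policy attributes that can be overridden but are otherwise
+# included for each policy
+default_policy = {
+"custom_tags.Cluster_Policy" : {
+"type" : "fixed",
+"value" : var.policy_name
+},
+"custom_tags.Databricks_Workspace_Id" : {
+"type" : "fixed",
+"value" : var.databricks_workspace_id
+},
+"custom_tags.Databricks_Host" : {
+"type" : "fixed",
+"value" : var.databricks_host
+},
+}
+
+# Workaround for looping over grantees and setting resource count
+inherited_cluster_policy_grantees = toset([for grantee in var.grantees : grantee if var.policy_family_id != null])
+custom_cluster_policy_grantees = toset([for grantee in var.grantees : grantee if var.policy_family_id == null])
+}
+
+## Messy implementation below - cannot set policy_family_id and/or policy_family_definiton_overrides
+## if definition is present, and setting them to null still triggers an error from the provider, so
+## we duplicate the setup and set a count on the var being present
+
+### if inherited cluster policy
+resource "databricks_cluster_policy" "inherited_cluster_policy" {
+count = var.policy_family_id != null ? 1 : 0
+
+name = var.policy_name
+policy_family_definition_overrides = jsonencode(merge(local.default_policy, var.policy_overrides))
+policy_family_id = var.policy_family_id
+}
+
+resource "databricks_permissions" "can_use_inherited_cluster_policy" {
+for_each = local.inherited_cluster_policy_grantees
+
+cluster_policy_id = databricks_cluster_policy.inherited_cluster_policy[0].id
+access_control {
+group_name = each.value
+permission_level = "CAN_USE"
+}
+}
+
+### if custom cluster policy
+resource "databricks_cluster_policy" "custom_cluster_policy" {
+count = var.policy_family_id == null ? 1 : 0
+
+name = var.policy_name
+definition = jsonencode(merge(local.default_policy, var.policy_overrides))
+}
+
+resource "databricks_permissions" "can_use_custom_cluster_policy" {
+for_each = local.custom_cluster_policy_grantees
+
+cluster_policy_id = databricks_cluster_policy.custom_cluster_policy[0].id
+access_control {
+group_name = each.value
+permission_level = "CAN_USE"
+}
+}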
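Review bot: Both `databricks_permissions` resources use `for_each` over the grantee set, so with two or more groups the module creates several `databricks_permissions` resources that all point at the same `cluster_policy_id`; as far as I know the provider treats one `databricks_permissions` resource as the complete ACL for its object, so these would overwrite one another on apply and the next plan would show drift, leaving only the last-applied group with `CAN_USE`. One resource per policy that emits all grantees through a `dynamic "access_control"` block keeps the ACL in a single place and also removes the need for the `inherited_cluster_policy_grantees` / `custom_cluster_policy_grantees` locals. A second point worth stating explicitly: `merge(local.default_policy, var.policy_overrides)` puts the caller's overrides last, so a caller can replace or loosen the three `fixed` custom_tags the module says it enforces — the locals comment calls this intended, but the `policy_overrides` description should say so, e.g. `# overrides win over default_policy, including the fixed Cluster_Policy/Workspace_Id/Host tags`. The same change applies to `can_use_custom_cluster_policy`, which is left out below for brevity.

```hcl
resource "databricks_permissions" "can_use_inherited_cluster_policy" {
  count = var.policy_family_id != null && length(var.grantees) > 0 ? 1 : 0

  cluster_policy_id = databricks_cluster_policy.inherited_cluster_policy[0].id

  # one ACL for the whole policy: every grantee is an entry of this single resource
  dynamic "access_control" {
    for_each = toset(var.grantees)
    content {
      group_name       = access_control.value
      permission_level = "CAN_USE"
    }
  }
}

# … unchanged: custom_cluster_policy resource …
# … can_use_custom_cluster_policy: same shape, gated on var.policy_family_id == null …
```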
Empty file.
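--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,32 @@
+variable "policy_name" {
+description = "Name of cluster policy"
+type = string
+}
+
+variable "databricks_workspace_id" {
+description = "Databricks workspace_id for tagging"
+type = string
+}
+
+variable "databricks_host" {
+description = "Databricks host name for tagging"
+type = string
+}
+
+variable "policy_family_id" {
+description = "ID of policy family to inherit from"
+type = string
+default = null
+}
+
+variable "policy_overrides" {
+description = "Cluster policy overrides"
+type = any
+default = {}
+}
+
+variable "grantees" {
+description = "Names of groups to be granted use access to the policy - must already exist"
+type = list(string)
+default = []
+}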
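Review bot: `policy_overrides` is declared `type = any`, so a caller who passes a list or a string is only rejected later, inside the `merge()` that consumes it in another file, with an error that points at the module internals rather than the input. Because the policy attribute values are heterogeneous objects (`fixed`, allowlist, range, …) a strict `map(...)` type may not unify, so a `validation` block is the lighter check: `validation { condition = can(keys(var.policy_overrides)) ... error_message = "policy_overrides must be a map/object of cluster policy attribute definitions." }` — `keys()` accepts both maps and objects and fails on anything else. The description should also state that these entries take precedence over the module's built-in tag attributes, since that is what the consuming `merge()` order implies. For `grantees`, `type = set(string)` would match how the module uses it (it is only ever wrapped in `toset()`) and rules out duplicate group names at the boundary.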
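--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+required_providers {
+databricks = {
+source = "databricks/databricks"
+}
+}
+required_version = ">= 0.13"
+}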
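Review bot: The `databricks` entry in `required_providers` sets `source` but no `version`, so every fresh `terraform init` resolves to whatever the newest published provider release is (the generated README table shows the provider version as `n/a`), and a future major release can change how `databricks_cluster_policy` or `databricks_permissions` behave underneath an unchanged module. Pin it to the major the module was developed and tested against, e.g. `version = "~> 1.0"` next to `source` (substitute the actual tested major), and let upgrades happen through a deliberate bump plus lockfile update rather than implicitly at init time.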