chanzuckerberg · jayengee · Oct 31, 2023 · Oct 31, 2023 · Oct 31, 2023
@@ -0,0 +1,42 @@
+# README
+<!-- START -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [databricks_cluster_policy.custom_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
+| [databricks_cluster_policy.inherited_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource |
+| [databricks_permissions.can_use_custom_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
+| [databricks_permissions.can_use_inherited_cluster_policy](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_databricks_host"></a> [databricks\_host](#input\_databricks\_host) | Databricks host name for tagging | `string` | n/a | yes |
+| <a name="input_databricks_workspace_id"></a> [databricks\_workspace\_id](#input\_databricks\_workspace\_id) | Databricks workspace\_id for tagging | `string` | n/a | yes |
+| <a name="input_grantees"></a> [grantees](#input\_grantees) | Names of groups to be granted use access to the policy - must already exist | `list(string)` | `[]` | no |
+| <a name="input_policy_family_id"></a> [policy\_family\_id](#input\_policy\_family\_id) | ID of policy family to inherit from | `string` | `null` | no |
+| <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | Name of cluster policy | `string` | n/a | yes |
+| <a name="input_policy_overrides"></a> [policy\_overrides](#input\_policy\_overrides) | Cluster policy overrides | `any` | `{}` | no |
+
+## Outputs
+
+No outputs.
+<!-- END -->
@@ -0,0 +1,63 @@
+locals {
+  # default policy attributes that can be overridden but are otherwise 
+  # included for each policy
+  default_policy = {
+    "custom_tags.Cluster_Policy" : {
+      "type" : "fixed",
+      "value" : var.policy_name
+    },
+    "custom_tags.Databricks_Workspace_Id" : {
+      "type" : "fixed",
+      "value" : var.databricks_workspace_id
+    },
+    "custom_tags.Databricks_Host" : {
+      "type" : "fixed",
+      "value" : var.databricks_host
+    },
+  }
+
+  # Workaround for looping over grantees and setting resource count
+  inherited_cluster_policy_grantees = toset([for grantee in var.grantees : grantee if var.policy_family_id != null])
+  custom_cluster_policy_grantees    = toset([for grantee in var.grantees : grantee if var.policy_family_id == null])
+}
+
+## Messy implementation below - cannot set policy_family_id and/or policy_family_definiton_overrides 
+## if definition is present, and setting them to null still triggers an error from the provider, so 
+## we duplicate the setup and set a count on the var being present
+
+### if inherited cluster policy
+resource "databricks_cluster_policy" "inherited_cluster_policy" {
+  count = var.policy_family_id != null ? 1 : 0
+
+  name                               = var.policy_name
+  policy_family_definition_overrides = jsonencode(merge(local.default_policy, var.policy_overrides))
+  policy_family_id                   = var.policy_family_id
+}
+
+resource "databricks_permissions" "can_use_inherited_cluster_policy" {
+  for_each = local.inherited_cluster_policy_grantees
+
+  cluster_policy_id = databricks_cluster_policy.inherited_cluster_policy[0].id
+  access_control {
+    group_name       = each.value
+    permission_level = "CAN_USE"
+  }
+}
+
+### if custom cluster policy
+resource "databricks_cluster_policy" "custom_cluster_policy" {
+  count = var.policy_family_id == null ? 1 : 0
+
+  name       = var.policy_name
+  definition = jsonencode(merge(local.default_policy, var.policy_overrides))
+}
+
+resource "databricks_permissions" "can_use_custom_cluster_policy" {
+  for_each = local.custom_cluster_policy_grantees
+
+  cluster_policy_id = databricks_cluster_policy.custom_cluster_policy[0].id
+  access_control {
+    group_name       = each.value
+    permission_level = "CAN_USE"
+  }
+}
@@ -0,0 +1,32 @@
+variable "policy_name" {
+  description = "Name of cluster policy"
+  type        = string
+}
+
+variable "databricks_workspace_id" {
+  description = "Databricks workspace_id for tagging"
+  type        = string
+}
+
+variable "databricks_host" {
+  description = "Databricks host name for tagging"
+  type        = string
+}
+
+variable "policy_family_id" {
+  description = "ID of policy family to inherit from"
+  type        = string
+  default     = null
+}
+
+variable "policy_overrides" {
+  description = "Cluster policy overrides"
+  type        = any
+  default     = {}
+}
+
+variable "grantees" {
+  description = "Names of groups to be granted use access to the policy - must already exist"
+  type        = list(string)
+  default     = []
+}
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    databricks = {
+      source = "databricks/databricks"
+    }
+  }
+  required_version = ">= 0.13"
+}
@@ -0,0 +1,48 @@
+<!-- START -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_job_compute_cluster_policy"></a> [job\_compute\_cluster\_policy](#module\_job\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_large_gpu_large_clusters_cluster_policy"></a> [large\_gpu\_large\_clusters\_cluster\_policy](#module\_large\_gpu\_large\_clusters\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_large_gpu_personal_cluster_policy"></a> [large\_gpu\_personal\_cluster\_policy](#module\_large\_gpu\_personal\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_large_gpu_small_clusters_cluster_policy"></a> [large\_gpu\_small\_clusters\_cluster\_policy](#module\_large\_gpu\_small\_clusters\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_large_personal_compute_cluster_policy"></a> [large\_personal\_compute\_cluster\_policy](#module\_large\_personal\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_legacy_shared_compute_cluster_policy"></a> [legacy\_shared\_compute\_cluster\_policy](#module\_legacy\_shared\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_personal_compute_cluster_policy"></a> [personal\_compute\_cluster\_policy](#module\_personal\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_power_user_compute_cluster_policy"></a> [power\_user\_compute\_cluster\_policy](#module\_power\_user\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+| <a name="module_small_clusters"></a> [small\_clusters](#module\_small\_clusters) | ../databricks-cluster-policy | n/a |
+| <a name="module_superset_compute_cluster_policy"></a> [superset\_compute\_cluster\_policy](#module\_superset\_compute\_cluster\_policy) | ../databricks-cluster-policy | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [databricks_group.power_user_group](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_additional_instance_profile_arns"></a> [additional\_instance\_profile\_arns](#input\_additional\_instance\_profile\_arns) | Additional instance profiles to allow clusters to run on | `list(string)` | `[]` | no |
+| <a name="input_databricks_host"></a> [databricks\_host](#input\_databricks\_host) | Databricks host name for tagging | `string` | n/a | yes |
+| <a name="input_databricks_workspace_id"></a> [databricks\_workspace\_id](#input\_databricks\_workspace\_id) | Databricks workspace\_id for tagging | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END -->