[Modules] Updated Databricks module to support more individual properties, PE & CMK #3561

Merged
merged 30 commits into from
Sep 6, 2023
Merged
Changes from 23 commits
Commits
30 commits
e5764a2
First draft & test
AlexanderSehr Aug 7, 2023
b266c9e
Latest draft
AlexanderSehr Aug 8, 2023
64afc9e
Latest working draft
AlexanderSehr Aug 8, 2023
4f5d766
Latest working draft
AlexanderSehr Aug 8, 2023
7567bec
Latest working draft
AlexanderSehr Aug 9, 2023
cfd3db7
Latest working draft
AlexanderSehr Aug 9, 2023
575cc48
Latest working draft
AlexanderSehr Aug 9, 2023
f30c7f2
Updated template & readme
AlexanderSehr Aug 9, 2023
5ba02f0
Updated test
AlexanderSehr Aug 9, 2023
9099f1d
Attempted alternative property usage
AlexanderSehr Aug 9, 2023
30ae393
Addressed static issues
AlexanderSehr Aug 9, 2023
d13197e
Update to latest
AlexanderSehr Aug 9, 2023
abea786
Latest working draft
AlexanderSehr Aug 9, 2023
42d4afb
Merge branch 'main' into users/alsehr/3550_databricksCMK
AlexanderSehr Aug 9, 2023
54ec5a4
Updated preview removal flag
AlexanderSehr Aug 11, 2023
c72e9cf
Updated parameter handling
AlexanderSehr Aug 11, 2023
8e36217
Resolved conflicts
AlexanderSehr Aug 26, 2023
1362c87
Rollback unrelated change
AlexanderSehr Aug 26, 2023
bba0781
Moved dislocated code
AlexanderSehr Aug 26, 2023
e282f10
Update to latest
AlexanderSehr Aug 26, 2023
6a0cdbe
Updated docs
AlexanderSehr Aug 26, 2023
288c463
Updated PE module API version to unblock PR
AlexanderSehr Aug 26, 2023
b17cec8
Resolved conflicts
AlexanderSehr Sep 4, 2023
b8db825
Update modules/databricks/workspace/.test/common/dependencies.bicep
AlexanderSehr Sep 6, 2023
701b23a
Update modules/databricks/workspace/.test/common/dependencies.bicep
AlexanderSehr Sep 6, 2023
30a03ac
Update modules/databricks/workspace/.test/common/dependencies.bicep
AlexanderSehr Sep 6, 2023
bfc7b8c
Merge branch 'main' into users/alsehr/3550_databricksCMK
AlexanderSehr Sep 6, 2023
c4d078e
Added CIDR function
AlexanderSehr Sep 6, 2023
e3b84a9
Update modules/databricks/workspace/main.bicep
AlexanderSehr Sep 6, 2023
4cf8c49
Updated docs
AlexanderSehr Sep 6, 2023
Expand Up @@ -30,6 +30,7 @@ trigger:
- '/.azuredevops/modulePipelines/ms.databricks.workspaces.yml'
- '/.azuredevops/pipelineTemplates/*.yml'
- '/modules/databricks/workspace/*'
- '/modules/network/private-endpoint/*'
- '/utilities/pipelines/*'
exclude:
- '/utilities/pipelines/deploymentRemoval/*'
1 change: 1 addition & 0 deletions .github/workflows/ms.databricks.workspaces.yml
Expand Up @@ -31,6 +31,7 @@ on:
- '.github/workflows/template.module.yml'
- '.github/workflows/ms.databricks.workspaces.yml'
- 'modules/databricks/workspace/**'
- 'modules/network/private-endpoint/**'
- 'utilities/pipelines/**'
- '!utilities/pipelines/deploymentRemoval/**'
- '!*/**/README.md'
323 changes: 323 additions & 0 deletions modules/databricks/workspace/.test/common/dependencies.bicep
Expand Up @@ -4,10 +4,333 @@ param location string = resourceGroup().location
@description('Required. The name of the Managed Identity to create.')
param managedIdentityName string

@description('Required. The name of the Key Vault to create.')
param keyVaultName string

@description('Required. The name of the Azure Machine Learning Workspace to create.')
param amlWorkspaceName string

@description('Required. The name of the Load Balancer to create.')
param loadBalancerName string

@description('Required. The name of the Network Security Group to create.')
param networkSecurityGroupName string

@description('Required. The name of the Storage Account to create.')
param storageAccountName string

@description('Required. The name of the Application Insights Instanec to create.')
param applicationInsightsName string

@description('Required. The name of the Virtual Network to create.')
param virtualNetworkName string

var addressPrefix = '10.0.0.0/16'
var defaultAddressPrefix = '10.0.0.0/20'
var publicAddressPrefix = '10.0.16.0/20'
var privateAddressPrefix = '10.0.32.0/20'

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
name: managedIdentityName
location: location
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
name: keyVaultName
location: location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenant().tenantId
enablePurgeProtection: true // Required by batch account
softDeleteRetentionInDays: 7
enabledForTemplateDeployment: true
enabledForDiskEncryption: true
enabledForDeployment: true
enableRbacAuthorization: true
accessPolicies: []
}

resource key 'keys@2022-07-01' = {
name: 'keyEncryptionKey'
properties: {
kty: 'RSA'
}
}
}

resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment')
scope: keyVault::key
properties: {
principalId: '5167ea7a-355a-466f-ae8b-8ea60f718b35' // AzureDatabricks Enterprise Application Object Id
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
principalType: 'ServicePrincipal'
}
}

resource amlPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-Key-Vault-Contributor')
scope: keyVault
properties: {
principalId: managedIdentity.properties.principalId
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
principalType: 'ServicePrincipal'
}
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: storageAccountName
location: location
sku: {
name: 'Standard_ZRS'
}
kind: 'StorageV2'
properties: {}
}

resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
name: applicationInsightsName
location: location
kind: 'web'
properties: {
Application_Type: 'web'
}
}

resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = {
name: amlWorkspaceName
location: location
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${managedIdentity.id}': {}
}
}
properties: {
storageAccount: storageAccount.id
keyVault: keyVault.id
applicationInsights: applicationInsights.id
primaryUserAssignedIdentity: managedIdentity.id
}
}

resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = {
name: loadBalancerName
location: location
properties: {
backendAddressPools: [
{
name: 'default'
}
]
frontendIPConfigurations: [
{
name: 'privateIPConfig1'
properties: {
subnet: {
id: virtualNetwork.properties.subnets[0].id
}
}
}
]
}
}

resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
name: networkSecurityGroupName
location: location
properties: {
securityRules: [
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound'
properties: {
description: 'Required for worker nodes communication within a cluster.'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'VirtualNetwork'
access: 'Allow'
priority: 100
direction: 'Inbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp'
properties: {
description: 'Required for workers communication with Databricks Webapp.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'AzureDatabricks'
access: 'Allow'
priority: 100
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql'
properties: {
description: 'Required for workers communication with Azure SQL services.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '3306'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'Sql'
access: 'Allow'
priority: 101
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage'
properties: {
description: 'Required for workers communication with Azure Storage services.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'Storage'
access: 'Allow'
priority: 102
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound'
properties: {
description: 'Required for worker nodes communication within a cluster.'
protocol: '*'
sourcePortRange: '*'
destinationPortRange: '*'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'VirtualNetwork'
access: 'Allow'
priority: 103
direction: 'Outbound'
}
}
{
name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub'
properties: {
description: 'Required for worker communication with Azure Eventhub services.'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '9093'
sourceAddressPrefix: 'VirtualNetwork'
destinationAddressPrefix: 'EventHub'
access: 'Allow'
priority: 104
direction: 'Outbound'
}
}
]
}
}

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
name: virtualNetworkName
location: location
properties: {
addressSpace: {
addressPrefixes: [
addressPrefix
]
}
subnets: [
{
name: 'defaultSubnet'
properties: {
addressPrefix: defaultAddressPrefix
}
}
{
name: 'custom-public-subnet'
properties: {
addressPrefix: publicAddressPrefix
networkSecurityGroup: {
id: networkSecurityGroup.id
}
delegations: [
{
name: 'databricksDelegation'
properties: {
serviceName: 'Microsoft.Databricks/workspaces'
}
}
]
}
}
{
name: 'custom-private-subnet'
properties: {
addressPrefix: privateAddressPrefix
networkSecurityGroup: {
id: networkSecurityGroup.id
}
delegations: [
{
name: 'databricksDelegation'
properties: {
serviceName: 'Microsoft.Databricks/workspaces'
}
}
]
}
}
]
}
}

resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
name: 'privatelink.azuredatabricks.net'
location: 'global'

resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
name: '${virtualNetwork.name}-vnetlink'
location: 'global'
properties: {
virtualNetwork: {
id: virtualNetwork.id
}
registrationEnabled: false
}
}
}

@description('The resource ID of the created Virtual Network Default Subnet.')
output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id

@description('The resource ID of the created Virtual Network Public Subnet.')
output customPublicSubnetName string = virtualNetwork.properties.subnets[1].name

@description('The resource ID of the created Virtual Network Private Subnet.')
output customPrivateSubnetName string = virtualNetwork.properties.subnets[2].name

@description('The resource ID of the created Virtual Network.')
output virtualNetworkResourceId string = virtualNetwork.id

@description('The resource ID of the created Private DNS Zone.')
output privateDNSResourceId string = privateDNSZone.id

@description('The resource ID of the created Azure Machine Learning Workspace.')
output machineLearningWorkspaceResourceId string = machineLearningWorkspace.id

@description('The resource ID of the created Key Vault.')
output keyVaultResourceId string = keyVault.id

@description('The resource ID of the created Load Balancer.')
output loadBalancerResourceId string = loadBalancer.id

@description('The name of the created Load Balancer Backend Pool.')
output loadBalancerBackendPoolName string = loadBalancer.properties.backendAddressPools[0].name

@description('The name of the created Key Vault encryption key.')
output keyVaultKeyName string = keyVault::key.name

@description('The principal ID of the created Managed Identity.')
output managedIdentityPrincipalId string = managedIdentity.properties.principalId
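Review bot: The keyPermissions role assignment hardcodes `principalId: '5167ea7a-355a-466f-ae8b-8ea60f718b35'`, but the object ID of the AzureDatabricks enterprise application is specific to the tenant it was resolved in (only the application ID is the same across tenants), so in any other tenant this test dependency will either fail at deployment or create a Key Vault Crypto User assignment bound to a principal that does not exist there. Resolve the value at deployment time instead, e.g. add `@description('Required. The object ID of the AzureDatabricks service principal in the target tenant.')` / `param databricksServicePrincipalObjectId string` and use `principalId: databricksServicePrincipalObjectId`, with the pipeline looking it up; the assignment's guid()-based name also embeds managedIdentity.id although the assignee is the Databricks principal, which misleads anyone auditing the vault's role assignments. The comment `enablePurgeProtection: true // Required by batch account` looks copied from another test and does not describe this module; presumably purge protection is required here for the customer-managed key, in which case `// Required for customer-managed key encryption` would be accurate. The description on `param applicationInsightsName` also has a typo ("Instanec").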