
fix: Data-Analytics-Workspace - Several smaller adjustments to enable testing #3651

merged 13 commits into from
Nov 6, 2024
201 changes: 151 additions & 50 deletions avm/ptn/data/private-analytical-workspace/README.md


142 changes: 76 additions & 66 deletions avm/ptn/data/private-analytical-workspace/main.bicep
Expand Up @@ -8,8 +8,9 @@ param name string
@description('Optional. Location for all Resources in the solution.')
param location string = resourceGroup().location

import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
@description('Optional. The lock settings for all Resources in the solution.')
param lock lockType
param lock lockType?

@description('Optional. Tags for all Resources in the solution.')
param tags object?
Expand All @@ -30,7 +31,7 @@ param logAnalyticsWorkspaceResourceId string?
param keyVaultResourceId string?

@description('Optional. Array of users or groups who are in charge of the solution.')
param solutionAdministrators userGroupRoleAssignmentType?
param solutionAdministrators userGroupRoleAssignmentType[]?

@description('Optional. Additional options that can affect some components of the solution and how they are configured.')
param advancedOptions advancedOptionsType?
Expand Down Expand Up @@ -272,28 +273,14 @@ var subnets = concat(
name: subnetNameDbwFrontend
addressPrefix: subnetDbwFrontendDefaultAddressPrefix
networkSecurityGroupResourceId: nsgDbwFrontend.outputs.resourceId
delegations: [
{
name: 'Microsoft.Databricks/workspaces'
properties: {
serviceName: 'Microsoft.Databricks/workspaces'
}
}
]
delegation: 'Microsoft.Databricks/workspaces'
}
{
// a container subnet (sometimes called the private subnet)
name: subnetNameDbwBackend
addressPrefix: subnetDbwBackendDefaultAddressPrefix
networkSecurityGroupResourceId: nsgDbwBackend.outputs.resourceId
delegations: [
{
name: 'Microsoft.Databricks/workspaces'
properties: {
serviceName: 'Microsoft.Databricks/workspaces'
}
}
]
delegation: 'Microsoft.Databricks/workspaces'
}
]
: []
Expand Down Expand Up @@ -365,8 +352,8 @@ resource kvExisting 'Microsoft.KeyVault/vaults@2023-07-01' existing = if (!creat
)
}

module vnet 'br/public:avm/res/network/virtual-network:0.2.0' = if (createNewVNET) {
name: vnetName
module vnet 'br/public:avm/res/network/virtual-network:0.5.0' = if (createNewVNET) {
name: '${uniqueString(deployment().name, location)}-vnet-${vnetName}'
params: {
// Required parameters
addressPrefixes: [
Expand All @@ -393,15 +380,15 @@ module vnet 'br/public:avm/res/network/virtual-network:0.2.0' = if (createNewVNE
dnsServers: []
enableTelemetry: enableTelemetry
location: location
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
subnets: subnets
tags: tags
}
}

module nsgPrivateLink 'br/public:avm/res/network/network-security-group:0.4.0' = if (createNewVNET) {
name: nsgNamePrivateLink
module nsgPrivateLink 'br/public:avm/res/network/network-security-group:0.5.0' = if (createNewVNET) {
name: '${uniqueString(deployment().name, location)}-nsg-${nsgNamePrivateLink}'
params: {
// Required parameters
name: nsgNamePrivateLink
Expand All @@ -419,15 +406,15 @@ module nsgPrivateLink 'br/public:avm/res/network/network-security-group:0.4.0' =
]
enableTelemetry: enableTelemetry
location: location
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
tags: tags
securityRules: nsgRulesPrivateLink
}
}

module nsgDbwFrontend 'br/public:avm/res/network/network-security-group:0.4.0' = if (createNewVNET && enableDatabricks) {
name: nsgNameDbwFrontend
module nsgDbwFrontend 'br/public:avm/res/network/network-security-group:0.5.0' = if (createNewVNET && enableDatabricks) {
name: '${uniqueString(deployment().name, location)}-nsg-${nsgNameDbwFrontend}'
params: {
// Required parameters
name: nsgNameDbwFrontend
Expand All @@ -445,15 +432,15 @@ module nsgDbwFrontend 'br/public:avm/res/network/network-security-group:0.4.0' =
]
enableTelemetry: enableTelemetry
location: location
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
tags: tags
securityRules: nsgRulesDbw
}
}

module nsgDbwBackend 'br/public:avm/res/network/network-security-group:0.4.0' = if (createNewVNET && enableDatabricks) {
name: nsgNameDbwBackend
module nsgDbwBackend 'br/public:avm/res/network/network-security-group:0.5.0' = if (createNewVNET && enableDatabricks) {
name: '${uniqueString(deployment().name, location)}-nsg-${nsgNameDbwBackend}'
params: {
// Required parameters
name: nsgNameDbwBackend
Expand All @@ -471,22 +458,22 @@ module nsgDbwBackend 'br/public:avm/res/network/network-security-group:0.4.0' =
]
enableTelemetry: enableTelemetry
location: location
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
tags: tags
securityRules: nsgRulesDbw
}
}

module dnsZoneSaBlob 'br/public:avm/res/network/private-dns-zone:0.5.0' = if (createNewVNET && enableDatabricks) {
name: privateDnsZoneNameSaBlob
name: '${uniqueString(deployment().name, location)}-zone-${privateDnsZoneNameSaBlob}'
params: {
// Required parameters
name: privateDnsZoneNameSaBlob
// Non-required parameters
enableTelemetry: enableTelemetry
location: 'global'
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
tags: tags
virtualNetworkLinks: [
Expand All @@ -498,8 +485,8 @@ module dnsZoneSaBlob 'br/public:avm/res/network/private-dns-zone:0.5.0' = if (cr
}
}

module log 'br/public:avm/res/operational-insights/workspace:0.5.0' = if (createNewLog) {
name: logName
module log 'br/public:avm/res/operational-insights/workspace:0.7.1' = if (createNewLog) {
name: '${uniqueString(deployment().name, location)}-law-${logName}'
params: {
// Required parameters
name: logName
Expand All @@ -509,15 +496,15 @@ module log 'br/public:avm/res/operational-insights/workspace:0.5.0' = if (create
diagnosticSettings: []
enableTelemetry: enableTelemetry
location: location
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
skuName: 'PerGB2018'
tags: tags
}
}

module kv 'br/public:avm/res/key-vault/vault:0.7.0' = if (createNewKV) {
name: kvName
module kv 'br/public:avm/res/key-vault/vault:0.9.0' = if (createNewKV) {
name: '${uniqueString(deployment().name, location)}-vault-${kvName}'
params: {
// Required parameters
name: kvName
Expand Down Expand Up @@ -562,7 +549,15 @@ module kv 'br/public:avm/res/key-vault/vault:0.7.0' = if (createNewKV) {
name: '${name}-kv-pep'
location: location
subnetResourceId: vnetCfg.subnetResourceIdPrivateLink
privateDnsZoneResourceIds: createNewVNET ? [dnsZoneKv.outputs.resourceId] : []
privateDnsZoneGroup: createNewVNET
? {
privateDnsZoneGroupConfigs: [
{
privateDnsZoneResourceId: dnsZoneKv.outputs.resourceId
}
]
}
: null
tags: tags
enableTelemetry: enableTelemetry
lock: lock
Expand All @@ -577,15 +572,15 @@ module kv 'br/public:avm/res/key-vault/vault:0.7.0' = if (createNewKV) {
}
}

module dnsZoneKv 'br/public:avm/res/network/private-dns-zone:0.5.0' = if (createNewVNET && createNewKV) {
name: privateDnsZoneNameKv
module dnsZoneKv 'br/public:avm/res/network/private-dns-zone:0.6.0' = if (createNewVNET && createNewKV) {
name: '${uniqueString(deployment().name, location)}-zone-${privateDnsZoneNameKv}'
params: {
// Required parameters
name: privateDnsZoneNameKv
// Non-required parameters
enableTelemetry: enableTelemetry
location: 'global'
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
tags: tags
virtualNetworkLinks: [
Expand All @@ -597,8 +592,8 @@ module dnsZoneKv 'br/public:avm/res/network/private-dns-zone:0.5.0' = if (create
}
}

module accessConnector 'br/public:avm/res/databricks/access-connector:0.2.0' = if (enableDatabricks) {
name: dbwAccessConnectorName
module accessConnector 'br/public:avm/res/databricks/access-connector:0.3.0' = if (enableDatabricks) {
name: '${uniqueString(deployment().name, location)}-connector-${dbwAccessConnectorName}'
params: {
// Required parameters
name: dbwAccessConnectorName
Expand All @@ -609,13 +604,13 @@ module accessConnector 'br/public:avm/res/databricks/access-connector:0.2.0' = i
managedIdentities: {
systemAssigned: true
}
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
tags: tags
}
}

module dbw 'br/public:avm/res/databricks/workspace:0.6.0' = if (enableDatabricks) {
name: dbwName
module dbw 'br/public:avm/res/databricks/workspace:0.8.5' = if (enableDatabricks) {
name: '${uniqueString(deployment().name, location)}-workspace-${dbwName}'
params: {
// Required parameters
name: dbwName
Expand Down Expand Up @@ -649,22 +644,38 @@ module dbw 'br/public:avm/res/databricks/workspace:0.6.0' = if (enableDatabricks
location: location
service: 'databricks_ui_api'
subnetResourceId: vnetCfg.subnetResourceIdPrivateLink
privateDnsZoneResourceIds: createNewVNET ? [dnsZoneDbw.outputs.resourceId] : []
privateDnsZoneGroup: createNewVNET
? {
privateDnsZoneGroupConfigs: [
{
privateDnsZoneResourceId: dnsZoneDbw.outputs.resourceId
}
]
}
: null
tags: tags
enableTelemetry: enableTelemetry
lock: lock
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
}
{
name: '${name}-dbw-auth-pep'
location: location
service: 'browser_authentication'
subnetResourceId: vnetCfg.subnetResourceIdPrivateLink
privateDnsZoneResourceIds: createNewVNET ? [dnsZoneDbw.outputs.resourceId] : []
privateDnsZoneGroup: createNewVNET
? {
privateDnsZoneGroupConfigs: [
{
privateDnsZoneResourceId: dnsZoneDbw.outputs.resourceId
}
]
}
: null
tags: tags
enableTelemetry: enableTelemetry
lock: lock
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
}
]
privateStorageAccount: 'Enabled'
Expand All @@ -675,7 +686,7 @@ module dbw 'br/public:avm/res/databricks/workspace:0.6.0' = if (enableDatabricks
// which means that your workspace data plane does not need network security group rules
// to connect to the Azure Databricks control plane. Otherwise, select All Rules.
requiredNsgRules: empty(dbwIpRules) ? 'NoAzureDatabricksRules' : 'AllRules' // In some environments with 'NoAzureDatabricksRules' cluster cannot be created
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
skuName: 'premium' // We need premium to use VNET injection, Private Connectivity (Requires Premium Plan)
storageAccountName: null // TODO add existing one (maybe with PEP) - https://learn.microsoft.com/en-us/azure/databricks/security/network/storage/firewall-support
storageAccountPrivateEndpoints: [
Expand All @@ -684,26 +695,34 @@ module dbw 'br/public:avm/res/databricks/workspace:0.6.0' = if (enableDatabricks
location: location
service: 'blob'
subnetResourceId: vnetCfg.subnetResourceIdPrivateLink
privateDnsZoneResourceIds: createNewVNET ? [dnsZoneSaBlob.outputs.resourceId] : []
privateDnsZoneGroup: createNewVNET
? {
privateDnsZoneGroupConfigs: [
{
privateDnsZoneResourceId: dnsZoneSaBlob.outputs.resourceId
}
]
}
: null
tags: tags
enableTelemetry: enableTelemetry
lock: lock
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
}
]
tags: tags
}
}

module dnsZoneDbw 'br/public:avm/res/network/private-dns-zone:0.5.0' = if (createNewVNET && enableDatabricks) {
name: privateDnsZoneNameDbw
module dnsZoneDbw 'br/public:avm/res/network/private-dns-zone:0.6.0' = if (createNewVNET && enableDatabricks) {
name: '${uniqueString(deployment().name, location)}-zone-${privateDnsZoneNameDbw}'
params: {
// Required parameters
name: privateDnsZoneNameDbw
// Non-required parameters
enableTelemetry: enableTelemetry
location: 'global'
roleAssignments: empty(ownerRoleAssignments) ? [] : ownerRoleAssignments
roleAssignments: !empty(ownerRoleAssignments) ? ownerRoleAssignments : []
lock: lock
tags: tags
virtualNetworkLinks: [
Expand Down Expand Up @@ -783,23 +802,14 @@ output databricksResourceGroupName string = enableDatabricks ? dbw.outputs.resou
// Definitions //
// ================ //

@export()
type lockType = {
@description('Optional. Specify the name of lock.')
name: string?

@description('Optional. Specify the type of lock.')
kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
}?

@export()
type userGroupRoleAssignmentType = {
@description('Required. The principal ID of the principal (user/group) to assign the role to.')
principalId: string

@description('Required. The principal type of the assigned principal ID.')
principalType: ('Group' | 'User')
}[]
}

@export()
type networkAclsType = {
Expand Down
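Review bot: The new module names built as `name: '${uniqueString(deployment().name, location)}-vnet-${vnetName}'` (and the same pattern on every other module in this section, e.g. `-law-${logName}` and `-workspace-${dbwName}`) are nested deployment names, which Azure caps at 64 characters; `uniqueString()` already contributes 13 characters plus the literal infix, so a resource name near its own Azure maximum (Log Analytics and Databricks workspaces both allow up to 64) would push the deployment name over the limit and fail validation before anything is deployed. How long those names can get depends on how `vnetName`, `logName` and the others are derived, which is outside this hunk, so either bound the result, e.g. `name: take('${uniqueString(deployment().name, location)}-law-${logName}', 64)`, or document the resulting length constraint on the inputs they are derived from. Separately, the Key Vault and Databricks private endpoints now pass `privateDnsZoneGroup: null` whenever `createNewVNET` is false, so in the existing-VNET case no private DNS zone is attached and resolution of the private endpoint FQDNs is left entirely to the caller's DNS; that is worth stating in the `@description` of the parameter that selects the existing VNET, so operators know the endpoints will not resolve to their private addresses unless they link their own zones.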