Merge pull request #95 from databricks/gcp

Gcp
databricks · Sep 11, 2024 · d0ca470 · d0ca470
2 parents 8f5356c + cc49cec
commit d0ca470
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 10 deletions.
diff --git a/gcp/modules/customer_managed_vpc/init.tf b/gcp/modules/customer_managed_vpc/init.tf
@@ -41,7 +41,7 @@ variable "mws_workspace_gke_master_ip_range" {
   default = "10.3.0.0/28"
 }
 
-//Users can connect to workspace only thes list of IP's
+//Users can connect to workspace only from this list of IP's
 variable "ip_addresses" {
   type = list(string)
 }

diff --git a/gcp/modules/make_sa_dbx_admin/init.tf b/gcp/modules/make_sa_dbx_admin/init.tf
@@ -0,0 +1,27 @@
+variable "databricks_account_id" {}
+variable "new_admin_account" {}
+variable "dbx_existing_admin_account" {
+  description = "Existing Databricks SA or user. Allows either user:[email protected], group:[email protected] or serviceAccount:[email protected] to impersonate created service account"
+
+}
+
+terraform {
+  required_providers {
+    databricks = {
+      source = "databricks/databricks"
+      version = ">=1.39.0"
+
+    }
+    google = {
+      source  = "hashicorp/google"
+    }
+
+  }
+}
+provider "databricks" {
+  host       = "https://accounts.gcp.databricks.com"
+  google_service_account = var.dbx_existing_admin_account
+  account_id = var.databricks_account_id
+
+}
+
diff --git a/gcp/modules/make_sa_dbx_admin/main.tf b/gcp/modules/make_sa_dbx_admin/main.tf
@@ -0,0 +1,16 @@
+resource "databricks_user" "sa" {
+  provider = databricks
+  display_name         = "SA for Account Provisionning"
+  user_name = var.new_admin_account
+}
+resource "databricks_user_role" "my_user_account_admin" {
+  provider = databricks
+  user_id = databricks_user.sa.id
+  role    = "account_admin"
+}
+
+output "granted_admin_account" {
+  value       = databricks_user_role.my_user_account_admin.id
+  description = "This email was added to the Databricks account as an admin user."
+
+}
diff --git a/gcp/modules/make_sa_dbx_admin/readme.md b/gcp/modules/make_sa_dbx_admin/readme.md
@@ -0,0 +1,2 @@
+Prerequisite : the current SA (configured via GOOGLE_APPLICATION_CREDENTIALS) needs to have token impersonnation rights over the SA "old_admin_account"
+Do note that this doesn't even check that the google service accounts exist, so it does need to be provisionned somewhere else
diff --git a/gcp/modules/service_account/main.tf b/gcp/modules/service_account/main.tf
@@ -2,13 +2,28 @@ variable "prefix" {}
 
 variable "project" {
   type    = string
-  default = "<my-project-id>"
+}
+
+variable "workspace_creator_creates_cmek"{
+  type = bool
+  default = false
+}
+
+variable "workspace_creator_creates_psc" {
+  type = bool
+  default = false
+}
+
+variable "workspace_create_modifies_compute_SA" {
+  type = bool
+  default = false
 }
 
 provider "google" {
   project = var.project
 }
 
+
 # The user principal can be allowed to impersonate a service account using this parameter.
 #  Set to a user principal who should impersonate a service account for purposes of 
 #  account infrastructure provisioning and workspace setup.
@@ -17,13 +32,13 @@ variable "delegate_from" {
   type        = list(string)
 }
 
-resource "google_service_account" "sa2" {
-  account_id   = "${var.prefix}-sa2"
+resource "google_service_account" "workspace_creator" {
+  account_id   = "${var.prefix}-workspace-creator"
   display_name = "Service Account for Databricks Provisioning"
 }
 
 output "service_account" {
-  value       = google_service_account.sa2.email
+  value       = google_service_account.workspace_creator.email
   description = "Add this email as a user in the Databricks account console"
 }
 
@@ -34,8 +49,8 @@ data "google_iam_policy" "this" {
   }
 }
 
-resource "google_service_account_iam_policy" "impersonatable" {
-  service_account_id = google_service_account.sa2.name
+resource "google_service_account_iam_policy" "impersonate_workspace_creator" {
+  service_account_id = google_service_account.workspace_creator.name
   policy_data        = data.google_iam_policy.this.policy_data
 }
 
@@ -59,6 +74,7 @@ resource "google_project_iam_custom_role" "workspace_creator" {
     "compute.projects.get",
     "compute.subnetworks.get",
     "iam.serviceAccounts.getOpenIdToken",
+
   ]
 }
 
@@ -76,8 +92,49 @@ output "custom_role_url" {
   value = "https://console.cloud.google.com/iam-admin/roles/details/projects%3C${data.google_client_config.current.project}%3Croles%3C${google_project_iam_custom_role.workspace_creator.role_id}"
 }
 
-resource "google_project_iam_member" "sa2_can_create_workspaces" {
+resource "google_project_iam_member" "workspace_creator_can_create_workspaces" {
   project = var.project
   role    = google_project_iam_custom_role.workspace_creator.id
-  member  = "serviceAccount:${google_service_account.sa2.email}"
-}
+  member  = "serviceAccount:${google_service_account.workspace_creator.email}"
+}
+
+
+# GRANTS THE WORKSPACE CREATOR THE CAPACITY TO USE PRE-CREATED PSC ENDPOINTS
+resource "google_project_iam_member" "workspace_creator_can_usePSC" {
+  count = var.workspace_creator_creates_psc ? 0 : 1
+  role    = "roles/compute.networkViewer"
+  member  = "serviceAccount:${google_service_account.workspace_creator.email}"
+  project = var.project
+}
+
+# IF WORKSPACE CREATOR NEEDS TO CREATE THE VPC AND ENDPOINTS, THE FOLLOWING ARE NEEDED 
+resource "google_project_iam_member" "workspace_creator_can_manage_VPC" {
+  count = var.workspace_creator_creates_psc ? 1 : 0
+  role    = "roles/compute.networkAdmin"
+  member  = "serviceAccount:${google_service_account.workspace_creator.email}"
+  project = var.project
+}
+
+# IF WORKSPACE CREATOR NEEDS TO CREATE THE CMEK, THE FOLLOWING ARE NEEDED
+resource "google_project_iam_member" "workspace_creator_is_kms_admin" {
+  count = var.workspace_creator_creates_cmek ? 1 : 0
+  role    = "roles/cloudkms.admin"
+  member  = "serviceAccount:${google_service_account.workspace_creator.email}"
+  project = var.project
+}
+
+resource "google_project_iam_member" "workspace_creator_is_kms_viewer" {
+  count = var.workspace_creator_creates_cmek ? 0 : 1
+  role    = "roles/cloudkms.viewer"
+  member  = "serviceAccount:${google_service_account.workspace_creator.email}"
+  project = var.project
+}
+
+# IF WORKSPACE CREATOR NEEDS TO BRING A DIFFERENT ROLE TO MANAGE THE NODES
+resource "google_project_iam_member" "workspace_creator_is_owner" {
+  count = var.workspace_create_modifies_compute_SA ? 1 : 0
+  role    = "roles/owner"
+  member  = "serviceAccount:${google_service_account.workspace_creator.email}"
+  project = var.project
+
+}