From 7eaaa0670e7c8f271544dcf999ca3d3459120611 Mon Sep 17 00:00:00 2001
From: Leonid_Frolov1
Date: Tue, 17 Sep 2024 13:34:04 +0300
Subject: [PATCH 1/2] feat: cluster policies override

---
 cluster.tf | 11 +++++++++++
 variables.tf | 19 +++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/cluster.tf b/cluster.tf
index e55eba2..eaf4d56 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -115,3 +115,14 @@ resource "databricks_cluster_policy" "this" {
 name = each.key
 definition = jsonencode(each.value)
 }
+
+resource "databricks_cluster_policy" "overrides" {
+ for_each = {
+ for param in var.default_cluster_policies_override : (param.name) => param
+ if param.definition != null
+ }
+
+ policy_family_id = each.value.family_id
+ policy_family_definition_overrides = jsonencode(each.value.definition)
+ name = each.key
+}
diff --git a/variables.tf b/variables.tf
index 96b478e..86ba882 100644
--- a/variables.tf
+++ b/variables.tf
@@ -245,3 +245,22 @@ variable "system_schemas_enabled" {
 description = "System Schemas only works with assigned Unity Catalog Metastore. Boolean flag to enabled this feature"
 default = false
 }
+
+variable "default_cluster_policies_override" {
+ type = list(object({
+ name = string
+ family_id = string
+ definition = any
+ }))
+ description = <<-EOT
+Provides an ability to override default cluster policy
+name - name of cluster policy to override
+family_id - family id of corresponding policy
+definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value;
+EOT
+ default = [{
+ name = null
+ family_id = null
+ definition = null
+ }]
+}

From 707099377e92a43b99fecabe4ef78d063bcd84f9 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 17 Sep 2024 10:36:07 +0000
Subject: [PATCH 2/2] terraform-docs: automated action

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index c39b1fb..47a0db7 100644
--- a/README.md
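Review bot: The `for_each` in `databricks_cluster_policy.overrides` keys on `(param.name)` but only filters on `param.definition != null`, so an entry with a definition but a null `name` (or null `family_id`) reaches the provider as a null map key / null family id and fails at plan or apply time with an unhelpful error; tighten the filter to `if param.name != null && param.family_id != null && param.definition != null`, or equivalently add a `validation` block on the variable. Nothing in this hunk grants permissions on the new policies, so unless a `databricks_permissions` resource elsewhere in the module covers them they are usable only by workspace admins — worth a comment on the resource, e.g. `# No CAN_USE grants are created for override policies; manage them via databricks_permissions if non-admins need them.`. Since the rules in `policy_family_definition_overrides` are merged over the inherited family definition, an override can relax the guardrails the family enforces, so treat this input as a privileged setting that deserves the same review as `custom_cluster_policies`.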
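Review bot: The description of `default_cluster_policies_override` does not say that entries with a null `definition` are silently skipped (which is why the all-null default is a no-op) or that `name` and `family_id` are required once a definition is given; add a line to the heredoc such as `Entries with 'definition = null' are ignored; 'name' and 'family_id' are required for every entry that carries a definition.`. It would also help the caller to state where the family id comes from and what the override does, e.g. `family_id - id of the Databricks policy family being overridden; the rules in 'definition' are merged over that family's definition`. The hunk in cluster.tf in this patch has the matching null-key issue and is covered by the note there.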
+++ b/README.md @@ -183,6 +183,7 @@ No modules. |------|------| | [azurerm_key_vault_access_policy.databricks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [databricks_cluster.cluster](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster) | resource | +| [databricks_cluster_policy.overrides](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource | | [databricks_cluster_policy.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster_policy) | resource | | [databricks_entitlements.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/entitlements) | resource | | [databricks_group.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/group) | resource | @@ -215,6 +216,7 @@ No modules. | [clusters](#input\_clusters) | Set of objects with parameters to configure Databricks clusters and assign permissions to it for certain custom groups |
set(object({
cluster_name = string
spark_version = optional(string, "13.3.x-scala2.12")
spark_conf = optional(map(any), {})
cluster_conf_passthrought = optional(bool, false)
spark_env_vars = optional(map(any), {})
data_security_mode = optional(string, "USER_ISOLATION")
node_type_id = optional(string, "Standard_D3_v2")
autotermination_minutes = optional(number, 30)
min_workers = optional(number, 1)
max_workers = optional(number, 2)
availability = optional(string, "ON_DEMAND_AZURE")
first_on_demand = optional(number, 0)
spot_bid_max_price = optional(number, 1)
cluster_log_conf_destination = optional(string, null)
init_scripts_workspace = optional(set(string), [])
init_scripts_volumes = optional(set(string), [])
init_scripts_dbfs = optional(set(string), [])
init_scripts_abfss = optional(set(string), [])
single_user_name = optional(string, null)
single_node_enable = optional(bool, false)
custom_tags = optional(map(string), {})
permissions = optional(set(object({
group_name = string
permission_level = string
})), [])
pypi_library_repository = optional(set(string), [])
maven_library_repository = optional(set(object({
coordinates = string
exclusions = set(string)
})), [])
}))
| `[]` | no | | [create\_databricks\_access\_policy\_to\_key\_vault](#input\_create\_databricks\_access\_policy\_to\_key\_vault) | Boolean flag to enable creation of Key Vault Access Policy for Databricks Global Service Principal. | `bool` | `true` | no | | [custom\_cluster\_policies](#input\_custom\_cluster\_policies) | Provides an ability to create custom cluster policy, assign it to cluster and grant CAN\_USE permissions on it to certain custom groups
name - name of custom cluster policy to create
can\_use - list of string, where values are custom group names, there groups have to be created with Terraform;
definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; |
list(object({
name = string
can_use = list(string)
definition = any
}))
|
[
{
"can_use": null,
"definition": null,
"name": null
}
]
| no | +| [default\_cluster\_policies\_override](#input\_default\_cluster\_policies\_override) | Provides an ability to override default cluster policy
name - name of cluster policy to override
family\_id - family id of corresponding policy
definition - JSON document expressed in Databricks Policy Definition Language. No need to call 'jsonencode()' function on it when providing a value; |
list(object({
name = string
family_id = string
definition = any
}))
|
[
{
"definition": null,
"family_id": null,
"name": null
}
]
| no | | [global\_databricks\_sp\_object\_id](#input\_global\_databricks\_sp\_object\_id) | Global 'AzureDatabricks' SP object id. Used to create Key Vault Access Policy for Secret Scope | `string` | `"9b38785a-6e08-4087-a0c4-20634343f21f"` | no | | [iam\_account\_groups](#input\_iam\_account\_groups) | List of objects with group name and entitlements for this group |
list(object({
group_name = optional(string)
entitlements = optional(list(string))
}))
| `[]` | no | | [iam\_workspace\_groups](#input\_iam\_workspace\_groups) | Used to create workspace group. Map of group name and its parameters, such as users and service principals added to the group. Also possible to configure group entitlements. |
map(object({
user = optional(list(string))
service_principal = optional(list(string))
entitlements = optional(list(string))
}))
| `{}` | no |