├── aws-terragrunt-simple-mws
    ├── live
    │   ├── environments
    │   │   └── dev
    │   │   │   ├── eu-central-1
    │   │   │       ├── region.hcl
    │   │   │       ├── bu-1
    │   │   │       │   ├── business-unit.hcl
    │   │   │       │   ├── workspace-config
    │   │   │       │   │   └── terragrunt.hcl
    │   │   │       │   └── workspace
    │   │   │       │   │   └── terragrunt.hcl
    │   │   │       └── common
    │   │   │       │   ├── business-unit.hcl
    │   │   │       │   └── account-config
    │   │   │       │       └── terragrunt.hcl
    │   │   │   └── environment.hcl
    │   └── root.hcl
    ├── diagram.png
    ├── modules
    │   ├── account-config
    │   │   ├── main.tf
    │   │   ├── locals.tf
    │   │   ├── outputs.tf
    │   │   ├── metastore.tf
    │   │   ├── data.tf
    │   │   ├── groups.tf
    │   │   ├── variables.tf
    │   │   └── s3.tf
    │   ├── workspace
    │   │   ├── outputs.tf
    │   │   ├── locals.tf
    │   │   ├── main.tf
    │   │   ├── iam.tf
    │   │   ├── s3.tf
    │   │   ├── vpc.tf
    │   │   ├── privatelink.tf
    │   │   ├── workspace.tf
    │   │   ├── variables.tf
    │   │   └── data.tf
    │   └── workspace-config
    │   │   ├── system-schema.tf
    │   │   ├── data.tf
    │   │   ├── main.tf
    │   │   ├── catalog.tf
    │   │   ├── variables.tf
    │   │   └── compute.tf
    └── README.md
├── .gitignore
├── README.md
└── LICENSE


/aws-terragrunt-simple-mws/live/environments/dev/eu-central-1/region.hcl:
--------------------------------------------------------------------------------
1 | locals {
2 |   name = "eu-central-1"
3 | }
4 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/live/environments/dev/eu-central-1/bu-1/business-unit.hcl:
--------------------------------------------------------------------------------
1 | locals {
2 |   name = "bu-1"
3 | }
4 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/live/environments/dev/eu-central-1/common/business-unit.hcl:
--------------------------------------------------------------------------------
1 | locals {
2 |   name = "common"
3 | }
4 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alexott/dnks-terraform-lab/main/aws-terragrunt-simple-mws/diagram.png


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/live/environments/dev/environment.hcl:
--------------------------------------------------------------------------------
1 | locals {
2 |   name            = "dev"
3 |   aws_account_id  = ""  # fill-in!
4 | }
5 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .terraform-version
2 | .terragrunt-version
3 | 
4 | **/.dnks
5 | **/.idea
6 | 
7 | **/.terragrunt-cache
8 | **/.terraform.lock.hcl
9 | **/error-signals.json


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/main.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 |   required_providers {
3 |     databricks = {
4 |       source = "databricks/databricks"
5 |     }
6 |   }
7 | }
8 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/locals.tf:
--------------------------------------------------------------------------------
1 | locals {
2 |   databricks_account_admins = var.databricks_account_admins == [] ? [data.databricks_service_principal.this.id] : var.databricks_account_admins
3 | }
4 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/outputs.tf:
--------------------------------------------------------------------------------
1 | output "workspace_id" {
2 |   value = databricks_mws_workspaces.this.workspace_id
3 | }
4 | 
5 | output "workspace_host" {
6 |   value = databricks_mws_workspaces.this.workspace_url
7 | }
8 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/locals.tf:
--------------------------------------------------------------------------------
1 | locals {
2 |   availability_zones  = [
3 |     data.aws_availability_zones.this.names[0],
4 |     data.aws_availability_zones.this.names[1],
5 |     data.aws_availability_zones.this.names[2]
6 |   ]
7 | }
8 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     aws = {
 4 |       source  = "hashicorp/aws"
 5 |     }
 6 | 
 7 |     databricks = {
 8 |       source = "databricks/databricks"
 9 |     }
10 |   }
11 | }
12 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace-config/system-schema.tf:
--------------------------------------------------------------------------------
 1 | resource "databricks_system_schema" "this" {
 2 |   for_each  = toset(var.system_schemas)
 3 |   provider  = databricks.workspace
 4 |   schema    = each.value
 5 | 
 6 |   lifecycle {
 7 |     prevent_destroy = true
 8 |   }
 9 | 
10 | }
11 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace-config/data.tf:
--------------------------------------------------------------------------------
 1 | data "databricks_node_type" "smallest" {
 2 |   provider  = databricks.workspace
 3 |   local_disk = true
 4 | }
 5 | 
 6 | data "databricks_spark_version" "latest-lts" {
 7 |   provider  = databricks.workspace
 8 |   long_term_support = true
 9 | }
10 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace-config/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     databricks = {
 4 |       source = "databricks/databricks"
 5 |     }
 6 |   }
 7 | }
 8 | 
 9 | provider "databricks" {
10 |   # authentication configured via env!
11 |   alias   = "workspace"
12 |   host    = var.workspace_host
13 | }
14 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "metastore_id" {
 2 |   value = databricks_metastore.this.id
 3 | }
 4 | 
 5 | output "metastore_bucket_arn" {
 6 |   value = aws_s3_bucket.this.arn
 7 | }
 8 | 
 9 | output "account_admin_group_id" {
10 |   value = databricks_group.admin_group.id
11 | }
12 | 
13 | output "account_admin_group_name" {
14 |   value = databricks_group.admin_group.display_name
15 | }
16 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/metastore.tf:
--------------------------------------------------------------------------------
 1 | resource "databricks_metastore" "this" {
 2 |   provider      = databricks.mws
 3 |   name          = "${var.prefix}-metastore"
 4 |   storage_root  = "s3://${aws_s3_bucket.this.id}/metastore"
 5 |   owner         = databricks_group.admin_group.display_name
 6 |   region        = var.region
 7 |   force_destroy = true
 8 | 
 9 |   depends_on = [
10 |     databricks_group.admin_group,
11 |   ]
12 | }
13 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # dnks-terraform-lab
2 | 
3 | Curated collection of reusable Terraform snippets, samples, blueprints, examples, etc. designed
4 | to simplify and accelerate Infrastructure as Code (IaC) development. This repository aims to
5 | showcase best practices and providing modular examples for real-world infrastructure deployments.
6 | 
7 | * [aws-terragrunt-simple-mws](aws-terragrunt-simple-mws) demonstrates a terragrunt setup to enable scalable databricks workspace deployments.


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/iam.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "this" {
 2 |   name               = "${var.prefix}-crossaccount-role"
 3 |   assume_role_policy = data.databricks_aws_assume_role_policy.this.json
 4 |   tags               = var.tags
 5 | }
 6 | 
 7 | 
 8 | resource "aws_iam_role_policy" "this" {
 9 |   name   = "${var.prefix}-crossaccount-policy"
10 |   role   = aws_iam_role.this.id
11 |   policy = data.databricks_aws_crossaccount_policy.this.json
12 | }
13 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/data.tf:
--------------------------------------------------------------------------------
 1 | data "databricks_service_principal" "this" {
 2 |   provider        = databricks.mws
 3 |   application_id  = var.databricks_account_client_id
 4 | }
 5 | 
 6 | data "databricks_user" "account-admins" {
 7 |   provider  = databricks.mws
 8 |   for_each  = toset(concat(local.databricks_account_admins))
 9 |   user_name = each.key
10 | }
11 | 
12 | data "databricks_aws_bucket_policy" "this" {
13 |   bucket = aws_s3_bucket.this.bucket
14 | }
15 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace-config/catalog.tf:
--------------------------------------------------------------------------------
 1 | resource "databricks_catalog" "this" {
 2 |   name      = replace(var.business_unit, "-", "_")
 3 |   provider  = databricks.workspace
 4 | }
 5 | 
 6 | resource "databricks_default_namespace_setting" "this" {
 7 |   provider  = databricks.workspace
 8 |   namespace {
 9 |     value = databricks_catalog.this.name
10 |   }
11 | }
12 | 
13 | resource "databricks_grant" "this" {
14 |   catalog = databricks_catalog.this.name
15 |   provider  = databricks.workspace
16 |   principal  = var.admin_group
17 |   privileges = ["ALL_PRIVILEGES", "MANAGE"]
18 | }
19 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace-config/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "business_unit" {
 2 |   type        = string
 3 |   description = "Name of the BU"
 4 | }
 5 | 
 6 | variable "admin_group" {
 7 |   type        = string
 8 |   description = "Name of the Databricks admin group"
 9 | }
10 | 
11 | variable "workspace_host" {
12 |   type        = string
13 |   description = "Workspace Host URL"
14 | }
15 | 
16 | variable "system_schemas" {
17 |   type        = list(string)
18 |   description = "List of system schemas to enable"
19 |   default  = ["access", "billing", "compute", "lakeflow", "marketplace", "storage", "query", "serving"]
20 | }
21 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/groups.tf:
--------------------------------------------------------------------------------
 1 | resource "databricks_group" "admin_group" {
 2 |   provider      = databricks.mws
 3 |   display_name  = "${var.prefix}-admins"
 4 | }
 5 | 
 6 | resource "databricks_group_member" "service-principal-admin-member" {
 7 |   provider  = databricks.mws
 8 |   group_id  = databricks_group.admin_group.id
 9 |   member_id = data.databricks_service_principal.this.id
10 | }
11 | 
12 | resource "databricks_group_member" "account-admin-members" {
13 |   for_each  = toset(local.databricks_account_admins)
14 |   provider  = databricks.mws
15 |   group_id  = databricks_group.admin_group.id
16 |   member_id = data.databricks_user.account-admins[each.value].id
17 | }
18 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/live/environments/dev/eu-central-1/common/account-config/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | include "root" {
 2 |   path    = find_in_parent_folders("root.hcl")
 3 |   expose  = true
 4 | }
 5 | 
 6 | terraform {
 7 |   source = "${dirname(find_in_parent_folders("root.hcl"))}/../modules/account-config"
 8 |   # Deploy versions via git
 9 |   # source = "git::git@github.com:path/to/repo.git//path/to/module?ref=v0.0.1"
10 | }
11 | 
12 | inputs = {
13 |   prefix                        = "${include.root.locals.prefix}-dbx"
14 |   region                        = include.root.locals.region.name
15 |   tags                          = include.root.locals.default_tags
16 |   databricks_account_id         = include.root.locals.databricks_account_id
17 |   databricks_account_client_id  = include.root.locals.databricks_account_client_id
18 |   databricks_account_admins     = []  # add account-admins if required! default will use the current service-principal used for deployments
19 | }
20 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "prefix" {
 2 |   type        = string
 3 |   description = "Prefix to use for any resources"
 4 | }
 5 | 
 6 | variable "region" {
 7 |   type        = string
 8 |   description = "The AWS region to deploy to"
 9 | }
10 | 
11 | variable "tags" {
12 |   type        = map(string)
13 |   description = "Optional tags to add to created resources"
14 | }
15 | 
16 | variable "databricks_account_id" {
17 |   type        = string
18 |   description = "Databricks Account ID"
19 | }
20 | 
21 | variable "databricks_account_client_id" {
22 |   type        = string
23 |   description = "Service Principal Client-ID"
24 | }
25 | 
26 | variable "databricks_account_admins" {
27 |   type        = list(string)
28 |   description = <<EOT
29 |   List of Admins to be added at account-level for Unity Catalog.
30 |   Enter with square brackets and double quotes
31 |   e.g ["first.admin@domain.com", "second.admin@domain.com"]
32 |   EOT
33 | }
34 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace-config/compute.tf:
--------------------------------------------------------------------------------
 1 | resource "databricks_cluster" "default-classic-single-node" {
 2 |   provider                = databricks.workspace
 3 |   cluster_name            = "${var.business_unit}-sn-lts"
 4 |   spark_version           = data.databricks_spark_version.latest-lts.id
 5 |   node_type_id            = data.databricks_node_type.smallest.id
 6 |   autotermination_minutes = 10
 7 |   spark_conf              = {
 8 |     "spark.databricks.cluster.profile" : "singleNode"
 9 |     "spark.master" : "local[*]"
10 |   }
11 | 
12 |   custom_tags = {
13 |     "ResourceClass" = "SingleNode"
14 |   }
15 | }
16 | 
17 | resource "databricks_sql_endpoint" "default-serverless-warehouse-small" {
18 |   provider                  = databricks.workspace
19 |   name                      = "${var.business_unit}-serverless-warehouse"
20 |   cluster_size              = "Small"
21 |   max_num_clusters          = 1
22 |   auto_stop_mins            = 10
23 |   enable_serverless_compute = true
24 | }
25 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2025 Dominik Schuessele
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/README.md:
--------------------------------------------------------------------------------
 1 | # aws-terragrunt-simple-mws
 2 | 
 3 | Simple terragrunt setup to deploy multiple isolated databricks workspaces with individual configurations for different
 4 | business-units, cloud-regions and environments.
 5 | 
 6 | ![](diagram.png)
 7 | 
 8 | 
 9 | ### How-to
10 | By default, the stack uses `AWS_PROFILE` to authenticate with AWS and environment variables to authenticate with Databricks.
11 | You can change both according to your needs in the respective provider configurations. Follow the steps below to deploy this stack:
12 | 
13 | - Authenticate with your AWS Profile against your environment and make sure to set `AWS_PROFILE`. Alternatively, adjust the authentication method in the AWS provider configuration in `live/root.hcl`
14 | - Set `DATABRICKS_ACCOUNT_ID`, `DATABRICKS_CLIENT_ID`, `DATABRICKS_CLIENT_SECRET` based on your service-principal used for deployments. Alternatively, adjust the authentication method in the Databricks provider configuration in `live/root.hcl`
15 | - (Optional) Fill the `aws_account_id` in all `environment.hcl` configuration files to match your environments.
16 | - Run the stack with
17 | ```shell
18 | cd live
19 | terragrunt run-all plan
20 | terragrunt run-all apply
21 | ```
22 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/live/environments/dev/eu-central-1/bu-1/workspace-config/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | include "root" {
 2 |   path    = find_in_parent_folders("root.hcl")
 3 |   expose  = true
 4 | }
 5 | 
 6 | terraform {
 7 |   source = "${dirname(find_in_parent_folders("root.hcl"))}/../modules/workspace-config"
 8 |   # Deploy versions via git
 9 |   # source = "git::git@github.com:path/to/repo.git//path/to/module?ref=v0.0.1"
10 | }
11 | 
12 | dependency "account-config" {
13 |   config_path = "../../common/account-config"
14 | 
15 |    mock_outputs = {
16 |      metastore_id             = "mock-metastore-id"
17 |      metastore_bucket_arn     = "mock-bucket-arn"
18 |      account_admin_group_id   = 00000
19 |      account_admin_group_name = "mock-group-name"
20 |    }
21 | }
22 | 
23 | dependency "workspace" {
24 |   config_path = "../workspace"
25 | 
26 |    mock_outputs = {
27 |      workspace_id  = "mock-workspace-id"
28 |      workspace_host = "https://mock.workspace.host"
29 |    }
30 | }
31 | 
32 | inputs = {
33 |   business_unit   = include.root.locals.business_unit.name
34 |   admin_group     = dependency.account-config.outputs.account_admin_group_name
35 |   workspace_host  = dependency.workspace.outputs.workspace_host
36 |   system_schemas  = ["access", "billing", "compute", "lakeflow", "marketplace", "storage", "query", "serving"]
37 | }
38 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/account-config/s3.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_s3_bucket" "this" {
 2 |   bucket        = "${var.prefix}-metastore-bucket"
 3 |   force_destroy = true
 4 | }
 5 | 
 6 | resource "aws_s3_bucket_ownership_controls" "this" {
 7 |   bucket = aws_s3_bucket.this.bucket
 8 |   rule {
 9 |     object_ownership = "BucketOwnerEnforced"
10 |   }
11 | }
12 | 
13 | resource "aws_s3_bucket_public_access_block" "this" {
14 |   bucket             = aws_s3_bucket.this.id
15 |   block_public_acls       = true
16 |   block_public_policy     = true
17 |   ignore_public_acls      = true
18 |   restrict_public_buckets = true
19 |   depends_on         = [aws_s3_bucket.this]
20 | }
21 | 
22 | resource "aws_s3_bucket_versioning" "this" {
23 |   bucket = aws_s3_bucket.this.id
24 |   versioning_configuration {
25 |     status = "Enabled"
26 |   }
27 |   depends_on = [aws_s3_bucket.this]
28 | }
29 | 
30 | resource "aws_s3_bucket_policy" "this" {
31 |   bucket      = aws_s3_bucket.this.id
32 |   policy      = data.databricks_aws_bucket_policy.this.json
33 |   depends_on  = [aws_s3_bucket.this]
34 | }
35 | 
36 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
37 |   bucket = aws_s3_bucket.this.bucket
38 | 
39 |   rule {
40 |     apply_server_side_encryption_by_default {
41 |       sse_algorithm = "AES256"
42 |     }
43 |   }
44 | }
45 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/s3.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_s3_bucket" "this" {
 2 |   bucket        = "${var.prefix}-workspace-root-bucket"
 3 |   force_destroy = true
 4 | }
 5 | 
 6 | resource "aws_s3_bucket_ownership_controls" "root" {
 7 |   bucket = aws_s3_bucket.this.bucket
 8 |   rule {
 9 |     object_ownership = "BucketOwnerEnforced"
10 |   }
11 | }
12 | 
13 | resource "aws_s3_bucket_public_access_block" "this" {
14 |   bucket             = aws_s3_bucket.this.id
15 |   block_public_acls       = true
16 |   block_public_policy     = true
17 |   ignore_public_acls      = true
18 |   restrict_public_buckets = true
19 |   depends_on         = [aws_s3_bucket.this]
20 | }
21 | 
22 | resource "aws_s3_bucket_versioning" "this" {
23 |   bucket = aws_s3_bucket.this.id
24 |   versioning_configuration {
25 |     status = "Enabled"
26 |   }
27 |   depends_on = [aws_s3_bucket.this]
28 | }
29 | 
30 | resource "aws_s3_bucket_policy" "this" {
31 |   bucket      = aws_s3_bucket.this.id
32 |   policy      = data.databricks_aws_bucket_policy.this.json
33 |   depends_on  = [aws_s3_bucket.this]
34 | }
35 | 
36 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
37 |   bucket = aws_s3_bucket.this.bucket
38 | 
39 |   rule {
40 |     apply_server_side_encryption_by_default {
41 |       sse_algorithm = "AES256"
42 |     }
43 |   }
44 | }
45 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/live/environments/dev/eu-central-1/bu-1/workspace/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | include "root" {
 2 |   path    = find_in_parent_folders("root.hcl")
 3 |   expose  = true
 4 | }
 5 | 
 6 | terraform {
 7 |   source = "${dirname(find_in_parent_folders("root.hcl"))}/../modules/workspace"
 8 |   # Deploy versions via git
 9 |   # source = "git::git@github.com:path/to/repo.git//path/to/module?ref=v0.0.1"
10 | }
11 | 
12 | dependency "account-config" {
13 |   config_path = "../../common/account-config"
14 | 
15 |    mock_outputs = {
16 |      metastore_id             = "mock-metastore-id"
17 |      metastore_bucket_arn     = "mock-bucket-arn"
18 |      account_admin_group_id   = 00000
19 |      account_admin_group_name = "mock-group-name"
20 |    }
21 | }
22 | 
23 | inputs = {
24 |   prefix                            = "${include.root.locals.prefix}-${include.root.locals.environment.name}-${include.root.locals.business_unit.name}-dbx"
25 |   region                            = include.root.locals.region.name
26 |   tags                              = include.root.locals.default_tags
27 |   databricks_account_id             = include.root.locals.databricks_account_id
28 |   databricks_metastore_ids          = [dependency.account-config.outputs.metastore_id]
29 |   databricks_metastore_bucket_arn   = dependency.account-config.outputs.metastore_bucket_arn
30 |   databricks_account_admin_group_id = dependency.account-config.outputs.account_admin_group_id
31 |   vpc_cidr                          = "10.0.0.0/18"
32 |   private_subnets_cidr              = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
33 |   public_subnets_cidr               = ["10.0.29.0/26", "10.0.29.64/26", "10.0.29.128/26"]
34 |   privatelink_subnets_cidr          = ["10.0.28.0/26", "10.0.28.64/26", "10.0.28.128/26"]
35 |   sg_egress_ports                   = [443, 3306, 6666, 8443, 8444, 8445, 8446, 8447, 8448, 8449, 8450, 8451]
36 | }
37 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/vpc.tf:
--------------------------------------------------------------------------------
 1 | module "vpc" {
 2 |   source  = "terraform-aws-modules/vpc/aws"
 3 |   version = "5.17.0"
 4 | 
 5 |   count = 1
 6 | 
 7 |   name = "${var.prefix}-vpc"
 8 |   cidr = var.vpc_cidr
 9 |   azs  = local.availability_zones
10 | 
11 |   enable_dns_hostnames   = true
12 |   enable_nat_gateway     = true
13 |   single_nat_gateway     = false
14 |   one_nat_gateway_per_az = true
15 |   create_igw             = true
16 | 
17 |   private_subnet_names = [for az in local.availability_zones : format("%s-private-snt-%s", var.prefix, az)]
18 |   private_subnets      = var.private_subnets_cidr
19 | 
20 |   public_subnet_names =[for az in local.availability_zones : format("%s-public-snt-%s", var.prefix, az)]
21 |   public_subnets      = var.public_subnets_cidr
22 | 
23 |   intra_subnet_names = [for az in local.availability_zones : format("%s-privatelink-%s", var.prefix, az)]
24 |   intra_subnets      = var.privatelink_subnets_cidr
25 | 
26 | }
27 | 
28 | resource "aws_security_group" "this" {
29 |   count = 1
30 | 
31 |   vpc_id     = module.vpc[0].vpc_id
32 |   depends_on = [module.vpc]
33 | 
34 |   dynamic "ingress" {
35 |     for_each = ["tcp", "udp"]
36 |     content {
37 |       description = "Databricks - Workspace SG - Internode Communication"
38 |       from_port   = 0
39 |       to_port     = 65535
40 |       protocol    = ingress.value
41 |       self        = true
42 |     }
43 |   }
44 | 
45 |   dynamic "egress" {
46 |     for_each = ["tcp", "udp"]
47 |     content {
48 |       description = "Databricks - Workspace SG - Internode Communication"
49 |       from_port   = 0
50 |       to_port     = 65535
51 |       protocol    = egress.value
52 |       self        = true
53 |     }
54 |   }
55 | 
56 |   dynamic "egress" {
57 |     for_each = var.sg_egress_ports
58 |     content {
59 |       description = "Databricks - Workspace SG - REST (443), Secure Cluster Connectivity (6666), Future Extendability (8443-8451)"
60 |       from_port   = egress.value
61 |       to_port     = egress.value
62 |       protocol    = "tcp"
63 |       cidr_blocks = ["0.0.0.0/0"]
64 |     }
65 |   }
66 | 
67 |   tags = merge(
68 |     var.tags,
69 |     {
70 |       Name = "${var.prefix}-sg"
71 |     }
72 |   )
73 | }
74 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/live/root.hcl:
--------------------------------------------------------------------------------
 1 | locals {
 2 |   prefix                            = "dnks-tg-simple-mws"
 3 |   environment                       = read_terragrunt_config(find_in_parent_folders("environment.hcl")).locals
 4 |   region                            = read_terragrunt_config(find_in_parent_folders("region.hcl")).locals
 5 |   business_unit                     = read_terragrunt_config(find_in_parent_folders("business-unit.hcl")).locals
 6 | 
 7 |   owner                             = ""  # fill-in if required!
 8 | 
 9 |   databricks_account_id             = get_env("DATABRICKS_ACCOUNT_ID")
10 |   databricks_account_client_id      = get_env("DATABRICKS_CLIENT_ID")
11 |   databricks_account_client_secret  = get_env("DATABRICKS_CLIENT_SECRET")
12 | 
13 |   default_tags                      = merge(
14 |     local.owner == "" ? {} : {Owner = local.owner},  # fill-in if required!
15 |     {
16 |       Business-Unit = local.business_unit.name
17 |       Environment   = local.environment.name
18 |     }
19 |   )
20 | }
21 | 
22 | generate "aws-provider" {
23 |   path      = "aws-provider.tf"
24 |   if_exists = "overwrite_terragrunt"
25 | 
26 |   contents = <<EOF
27 | provider "aws" {
28 |   # authentication configured via env!
29 |   region  = "${local.region.name}"
30 | 
31 |   default_tags {
32 |     tags = ${jsonencode(local.default_tags)}
33 |   }
34 | 
35 |   # only these AWS account IDs may be operated on by this template
36 |   allowed_account_ids = ["${local.environment.aws_account_id}"]
37 | }
38 | EOF
39 | }
40 | 
41 | generate "dbx-mws-provider" {
42 |   path      = "dbx-mws-provider.tf"
43 |   if_exists = "overwrite_terragrunt"
44 | 
45 |   contents = <<EOF
46 | provider "databricks" {
47 |   # authentication configured via env!
48 |   alias         = "mws"
49 |   host          = "https://accounts.cloud.databricks.com"
50 | }
51 | EOF
52 | }
53 | 
54 | remote_state {
55 |   backend = "s3"
56 |   generate = {
57 |       path    = "backend.tf"
58 |       if_exists = "overwrite_terragrunt"
59 |   }
60 | 
61 |   config = {
62 |       encrypt = true
63 |       bucket  = "${local.prefix}-dbx-shared-tf-states"
64 |       key     = "${path_relative_to_include()}/terraform.tfstate"
65 |       region  = local.region.name
66 |       #dynamodb_table  = "shared-terraform-locks"
67 |   }
68 | }
69 | 
70 | errors {
71 |   # ignore block for known safe-to-ignore errors
72 |   ignore "known-safe-errors" {
73 |     ignorable_errors = [".*Error:.*mock.*"]
74 |     message = "Ignoring safe warning errors related to mock output."
75 |     signals = {
76 |       alert_team = false
77 |       send_notification = true
78 |     }
79 |   }
80 | }
81 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/privatelink.tf:
--------------------------------------------------------------------------------
  1 | // Security group for privatelink
  2 | resource "aws_security_group" "privatelink" {
  3 |   count   = 1
  4 |   vpc_id  = module.vpc[0].vpc_id
  5 | 
  6 |   ingress {
  7 |     description     = "Databricks - PrivateLink Endpoint SG - REST API"
  8 |     from_port       = 443
  9 |     to_port         = 443
 10 |     protocol        = "tcp"
 11 |     security_groups = [aws_security_group.this[0].id]
 12 |   }
 13 | 
 14 |   ingress {
 15 |     description     = "Databricks - PrivateLink Endpoint SG - Secure Cluster Connectivity"
 16 |     from_port       = 6666
 17 |     to_port         = 6666
 18 |     protocol        = "tcp"
 19 |     security_groups = [aws_security_group.this[0].id]
 20 |   }
 21 | 
 22 |   ingress {
 23 |     description     = "Databricks - PrivateLink Endpoint SG - Future Extendability"
 24 |     from_port       = 8443
 25 |     to_port         = 8451
 26 |     protocol        = "tcp"
 27 |     security_groups = [aws_security_group.this[0].id]
 28 |   }
 29 | 
 30 |   tags = merge(
 31 |     var.tags,
 32 |     {
 33 |       Name = "${var.prefix}-pl-sg"
 34 |     }
 35 |   )
 36 | }
 37 | 
 38 | module "vpc_endpoints" {
 39 |   count   = 1
 40 |   source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
 41 |   version = "3.11.0"
 42 | 
 43 |   vpc_id             = module.vpc[0].vpc_id
 44 |   security_group_ids = [aws_security_group.privatelink[0].id]
 45 | 
 46 |   endpoints = {
 47 |     s3 = {
 48 |       service         = "s3"
 49 |       service_type    = "Gateway"
 50 |       route_table_ids = module.vpc[0].private_route_table_ids
 51 |       policy          = data.aws_iam_policy_document.s3-vpc-endpoint-policy[0].json
 52 |       tags = merge(
 53 |         var.tags,
 54 |         {
 55 |           Name        = "${var.prefix}-s3"
 56 |         }
 57 |       )
 58 |     },
 59 |     sts = {
 60 |       service             = "sts"
 61 |       private_dns_enabled = true
 62 |       subnet_ids          = module.vpc[0].intra_subnets
 63 |       policy              = data.aws_iam_policy_document.sts-vpc-endpoint-policy[0].json
 64 |       tags = merge(
 65 |         var.tags,
 66 |         {
 67 |           Name            = "${var.prefix}-sts"
 68 |         }
 69 |       )
 70 |     },
 71 |     kinesis-streams = {
 72 |       service             = "kinesis-streams"
 73 |       private_dns_enabled = true
 74 |       subnet_ids          = module.vpc[0].intra_subnets
 75 |       policy              = data.aws_iam_policy_document.kinesis-vpc-endpoint-policy[0].json
 76 |       tags = merge(
 77 |         var.tags,
 78 |         {
 79 |           Name            = "${var.prefix}-kinesis"
 80 |         }
 81 |       )
 82 |     }
 83 |   }
 84 | }
 85 | 
 86 | resource "aws_vpc_endpoint" "backend_rest" {
 87 |   vpc_id              = module.vpc[0].vpc_id
 88 |   service_name        = var.backend_rest_vpc_endpoint_service_names[var.region]
 89 |   vpc_endpoint_type   = "Interface"
 90 |   security_group_ids  = [aws_security_group.privatelink[0].id]
 91 |   subnet_ids          = module.vpc[0].intra_subnets
 92 |   private_dns_enabled = true
 93 |   depends_on          = [module.vpc.vpc_id]
 94 |   tags = merge(
 95 |     var.tags,
 96 |     {
 97 |       Name    = "${var.prefix}-backend-rest"
 98 |     }
 99 |   )
100 | }
101 | 
102 | // Databricks SCC endpoint - skipped in custom operation mode
103 | resource "aws_vpc_endpoint" "backend_relay" {
104 |   vpc_id              = module.vpc[0].vpc_id
105 |   service_name        = var.backend_relay_vpc_endpoint_service_names[var.region]
106 |   vpc_endpoint_type   = "Interface"
107 |   security_group_ids  = [aws_security_group.privatelink[0].id]
108 |   subnet_ids          = module.vpc[0].intra_subnets
109 |   private_dns_enabled = true
110 |   depends_on          = [module.vpc.vpc_id]
111 |   tags = merge(
112 |     var.tags,
113 |     {
114 |       Name    = "${var.prefix}-backend-relay"
115 |     }
116 |   )
117 | }
118 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/workspace.tf:
--------------------------------------------------------------------------------
  1 | # Wait on Credential Due to Race Condition
  2 | # https://kb.databricks.com/en_US/terraform/failed-credential-validation-checks-error-with-terraform
  3 | resource "null_resource" "previous" {}
  4 | 
  5 | resource "time_sleep" "wait_30_seconds" {
  6 |   depends_on = [null_resource.previous]
  7 |   create_duration = "30s"
  8 | }
  9 | 
 10 | # Credential Configuration
 11 | resource "databricks_mws_credentials" "this" {
 12 |   provider          = databricks.mws
 13 |   role_arn          = aws_iam_role.this.arn
 14 |   credentials_name  = "${var.prefix}-credentials"
 15 |   depends_on        = [time_sleep.wait_30_seconds]
 16 | }
 17 | 
 18 | # Storage Configuration
 19 | resource "databricks_mws_storage_configurations" "this" {
 20 |   provider                    = databricks.mws
 21 |   account_id                  = var.databricks_account_id
 22 |   bucket_name                 = aws_s3_bucket.this.id
 23 |   storage_configuration_name  = "${var.prefix}-storage"
 24 | }
 25 | 
 26 | # Backend REST VPC Endpoint Configuration
 27 | resource "databricks_mws_vpc_endpoint" "backend_rest" {
 28 |   provider            = databricks.mws
 29 |   account_id          = var.databricks_account_id
 30 |   aws_vpc_endpoint_id = aws_vpc_endpoint.backend_rest.id
 31 |   vpc_endpoint_name   = "${var.prefix}-vpce-backend"
 32 |   region              = var.region
 33 | }
 34 | 
 35 | # Backend Rest VPC Endpoint Configuration
 36 | resource "databricks_mws_vpc_endpoint" "backend_relay" {
 37 |   provider            = databricks.mws
 38 |   account_id          = var.databricks_account_id
 39 |   aws_vpc_endpoint_id = aws_vpc_endpoint.backend_relay.id
 40 |   vpc_endpoint_name   = "${var.prefix}-vpce-relay"
 41 |   region              = var.region
 42 | }
 43 | 
 44 | # Network Configuration
 45 | resource "databricks_mws_networks" "this" {
 46 |   provider            = databricks.mws
 47 |   account_id          = var.databricks_account_id
 48 |   network_name        = "${var.prefix}-network"
 49 |   security_group_ids  = [for sg in aws_security_group.this : sg.id]
 50 |   subnet_ids          = module.vpc[0].private_subnets
 51 |   vpc_id              = module.vpc[0].vpc_id
 52 |   vpc_endpoints {
 53 |     dataplane_relay  = [databricks_mws_vpc_endpoint.backend_relay.vpc_endpoint_id]
 54 |     rest_api         = [databricks_mws_vpc_endpoint.backend_rest.vpc_endpoint_id]
 55 |   }
 56 | }
 57 | 
 58 | // Private Access Setting Configuration
 59 | resource "databricks_mws_private_access_settings" "this" {
 60 |   provider                      = databricks.mws
 61 |   private_access_settings_name  = "${var.prefix}-pas"
 62 |   region                        = var.region
 63 |   public_access_enabled         = true
 64 |   private_access_level          = "ACCOUNT"
 65 | }
 66 | 
 67 | resource "databricks_mws_workspaces" "this" {
 68 |   provider                    = databricks.mws
 69 |   account_id                  = var.databricks_account_id
 70 |   aws_region                  = var.region
 71 |   workspace_name              = "${var.prefix}-workspace"
 72 |   pricing_tier                = "ENTERPRISE"
 73 | 
 74 |   credentials_id              = databricks_mws_credentials.this.credentials_id
 75 |   storage_configuration_id    = databricks_mws_storage_configurations.this.storage_configuration_id
 76 |   network_id                  = databricks_mws_networks.this.network_id
 77 |   private_access_settings_id  = databricks_mws_private_access_settings.this.private_access_settings_id
 78 | 
 79 |   depends_on = [
 80 |     databricks_mws_networks.this,
 81 |     databricks_mws_credentials.this,
 82 |     databricks_mws_storage_configurations.this,
 83 |     databricks_mws_private_access_settings.this
 84 |   ]
 85 | }
 86 | 
 87 | resource "databricks_metastore_assignment" "this" {
 88 |   provider              = databricks.mws
 89 |   for_each              = toset(var.databricks_metastore_ids)
 90 |   workspace_id          = databricks_mws_workspaces.this.workspace_id
 91 |   metastore_id          = each.value
 92 | }
 93 | 
 94 | # sleeping for 20s to wait for the workspace to enable identity federation
 95 | resource "time_sleep" "wait_for_permission_apis" {
 96 |   depends_on = [
 97 |     databricks_metastore_assignment.this
 98 |   ]
 99 |   create_duration = "20s"
100 | }
101 | 
102 | resource "databricks_mws_permission_assignment" "account-admins" {
103 |   provider      = databricks.mws
104 |   workspace_id  = databricks_mws_workspaces.this.workspace_id
105 |   principal_id  = var.databricks_account_admin_group_id
106 |   permissions  = ["ADMIN"]
107 |   depends_on = [
108 |     time_sleep.wait_for_permission_apis,
109 |   ]
110 | }
111 | 


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "prefix" {
  2 |   type        = string
  3 |   description = "Prefix to use for any resources"
  4 | }
  5 | 
  6 | variable "region" {
  7 |   type        = string
  8 |   description = "The AWS region to deploy to"
  9 | }
 10 | 
 11 | variable "tags" {
 12 |   type        = map(string)
 13 |   description = "Optional tags to add to created resources"
 14 | }
 15 | 
 16 | variable "databricks_account_id" {
 17 |   type        = string
 18 |   description = "Databricks Account ID"
 19 | }
 20 | 
 21 | variable "databricks_metastore_ids" {
 22 |   type        = list(string)
 23 |   description = "Databricks Metastore IDs"
 24 | }
 25 | 
 26 | variable "databricks_metastore_bucket_arn" {
 27 |   type        = string
 28 |   description = "Databricks Metastore Bucket ARN"
 29 | }
 30 | 
 31 | variable "databricks_account_admin_group_id" {
 32 |   type        = string
 33 |   description = "Databricks Account Admin group ID"
 34 | }
 35 | 
 36 | variable "vpc_cidr" {
 37 |   type        = string
 38 |   description = "(Required) The CIDR block for the Virtual Network"
 39 | 
 40 |   # Add validation for the CIDR block
 41 |   validation {
 42 |     condition     = tonumber(split("/", var.vpc_cidr)[1]) < 24
 43 |     error_message = "CIDR block must be at least as large as /23"
 44 |   }
 45 | }
 46 | 
 47 | variable "private_subnets_cidr" {
 48 |   type        = list(string)
 49 |   description = "(Required) The CIDR block for private subnet"
 50 | }
 51 | 
 52 | variable "public_subnets_cidr" {
 53 |   type        = list(string)
 54 |   description = "(Required) The CIDR block for public subnets"
 55 | }
 56 | 
 57 | variable "privatelink_subnets_cidr" {
 58 |   type        = list(string)
 59 |   description = "(Required) The CIDR block for privatelink subnets"
 60 | }
 61 | 
 62 | variable "sg_egress_ports" {
 63 |   type        = list(string)
 64 |   description = "List of egress ports for security groups"
 65 | }
 66 | 
 67 | variable "backend_rest_vpc_endpoint_service_names" {
 68 |   type = map(string)
 69 |   description = "Map of all relevant VPC endpoint service names"
 70 |   default = {
 71 |     "ap-northeast-1" = "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02691fd610d24fd64"
 72 |     "ap-northeast-2" = "com.amazonaws.vpce.ap-northeast-2.vpce-svc-0babb9bde64f34d7e"
 73 |     "ap-south-1"     = "com.amazonaws.vpce.ap-south-1.vpce-svc-0dbfe5d9ee18d6411"
 74 |     "ap-southeast-1" = "com.amazonaws.vpce.ap-southeast-1.vpce-svc-02535b257fc253ff4"
 75 |     "ap-southeast-2" = "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b87155ddd6954974"
 76 |     "ca-central-1"   = "com.amazonaws.vpce.ca-central-1.vpce-svc-0205f197ec0e28d65"
 77 |     "eu-central-1"   = "com.amazonaws.vpce.eu-central-1.vpce-svc-081f78503812597f7"
 78 |     "eu-west-1"      = "com.amazonaws.vpce.eu-west-1.vpce-svc-0da6ebf1461278016"
 79 |     "eu-west-2"      = "com.amazonaws.vpce.eu-west-2.vpce-svc-01148c7cdc1d1326c"
 80 |     "eu-west-3"      = "com.amazonaws.vpce.eu-west-3.vpce-svc-008b9368d1d011f37"
 81 |     "sa-east-1"      = "com.amazonaws.vpce.sa-east-1.vpce-svc-0bafcea8cdfe11b66"
 82 |     "us-east-1"      = "com.amazonaws.vpce.us-east-1.vpce-svc-09143d1e626de2f04"
 83 |     "us-east-2"      = "com.amazonaws.vpce.us-east-2.vpce-svc-041dc2b4d7796b8d3"
 84 |     "us-west-2"      = "com.amazonaws.vpce.us-west-2.vpce-svc-0129f463fcfbc46c5"
 85 |     #"us-west-1" = ""
 86 |   }
 87 | }
 88 | 
 89 | variable "backend_relay_vpc_endpoint_service_names" {
 90 |   type = map(string)
 91 |   default = {
 92 |     "ap-northeast-1" = "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02aa633bda3edbec0"
 93 |     "ap-northeast-2" = "com.amazonaws.vpce.ap-northeast-2.vpce-svc-0dc0e98a5800db5c4"
 94 |     "ap-south-1"     = "com.amazonaws.vpce.ap-south-1.vpce-svc-03fd4d9b61414f3de"
 95 |     "ap-southeast-1" = "com.amazonaws.vpce.ap-southeast-1.vpce-svc-0557367c6fc1a0c5c"
 96 |     "ap-southeast-2" = "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b4a72e8f825495f6"
 97 |     "ca-central-1"   = "com.amazonaws.vpce.ca-central-1.vpce-svc-0c4e25bdbcbfbb684"
 98 |     "eu-central-1"   = "com.amazonaws.vpce.eu-central-1.vpce-svc-08e5dfca9572c85c4"
 99 |     "eu-west-1"      = "com.amazonaws.vpce.eu-west-1.vpce-svc-09b4eb2bc775f4e8c"
100 |     "eu-west-2"      = "com.amazonaws.vpce.eu-west-2.vpce-svc-05279412bf5353a45"
101 |     "eu-west-3"      = "com.amazonaws.vpce.eu-west-3.vpce-svc-005b039dd0b5f857d"
102 |     "sa-east-1"      = "com.amazonaws.vpce.sa-east-1.vpce-svc-0e61564963be1b43f"
103 |     "us-east-1"      = "com.amazonaws.vpce.us-east-1.vpce-svc-00018a8c3ff62ffdf"
104 |     "us-east-2"      = "com.amazonaws.vpce.us-east-2.vpce-svc-090a8fab0d73e39a6"
105 |     "us-west-2"      = "com.amazonaws.vpce.us-west-2.vpce-svc-0158114c0c730c3bb"
106 |   }
107 | }
108 | 
109 | variable "region_bucket_name" {
110 |   description = "Name of the AWS region. (e.g. virginia)"
111 |   type        = map(string)
112 |   default = {
113 |     "ap-northeast-1" = "tokyo"
114 |     "ap-northeast-2" = "seoul"
115 |     "ap-south-1"     = "mumbai"
116 |     "ap-southeast-1" = "singapore"
117 |     "ap-southeast-2" = "sydney"
118 |     "ca-central-1"   = "montreal"
119 |     "eu-central-1"   = "frankfurt"
120 |     "eu-west-1"      = "ireland"
121 |     "eu-west-2"      = "london"
122 |     "eu-west-3"      = "paris"
123 |     "sa-east-1"      = "saopaulo"
124 |     "us-east-1"      = "virginia"
125 |     "us-east-2"      = "ohio"
126 |     "us-west-2"      = "oregon"
127 |     # "us-west-1"      = "oregon"
128 |   }
129 | }


--------------------------------------------------------------------------------
/aws-terragrunt-simple-mws/modules/workspace/data.tf:
--------------------------------------------------------------------------------
  1 | data "aws_availability_zones" "this" {
  2 |   state = "available"
  3 | }
  4 | 
  5 | data "aws_caller_identity" "current" {}
  6 | 
  7 | data "databricks_aws_assume_role_policy" "this" {
  8 |   external_id = var.databricks_account_id
  9 | }
 10 | 
 11 | data "databricks_aws_crossaccount_policy" "this" {}
 12 | 
 13 | data "databricks_aws_bucket_policy" "this" {
 14 |   bucket = aws_s3_bucket.this.bucket
 15 | }
 16 | 
 17 | // Restrictive S3 endpoint policy:
 18 | data "aws_iam_policy_document" "s3-vpc-endpoint-policy" {
 19 |   count = 1
 20 | 
 21 |   statement {
 22 |     sid    = "Grant access to Databricks Root Bucket"
 23 |     effect = "Allow"
 24 |     actions = [
 25 |       "s3:GetObject",
 26 |       "s3:GetObjectVersion",
 27 |       "s3:PutObject",
 28 |       "s3:DeleteObject",
 29 |       "s3:ListBucket",
 30 |       "s3:GetBucketLocation"
 31 |     ]
 32 | 
 33 |     principals {
 34 |       type        = "AWS"
 35 |       identifiers = ["*"]
 36 |     }
 37 | 
 38 |     resources = [
 39 |       "${aws_s3_bucket.this.arn}/*",
 40 |       aws_s3_bucket.this.arn
 41 |     ]
 42 | 
 43 |     condition {
 44 |       test     = "StringEquals"
 45 |       variable = "aws:PrincipalAccount"
 46 |       values   = ["414351767826"]
 47 |     }
 48 |   }
 49 | 
 50 |   statement {
 51 |     sid    = "Grant access to Databricks Unity Catalog Metastore Bucket"
 52 |     effect = "Allow"
 53 |     actions = [
 54 |       "s3:GetObject",
 55 |       "s3:GetObjectVersion",
 56 |       "s3:PutObject",
 57 |       "s3:DeleteObject",
 58 |       "s3:ListBucket",
 59 |       "s3:GetBucketLocation"
 60 |     ]
 61 | 
 62 |     principals {
 63 |       type        = "AWS"
 64 |       identifiers = ["*"]
 65 |     }
 66 | 
 67 |     resources = [
 68 |       "${var.databricks_metastore_bucket_arn}/*",
 69 |       var.databricks_metastore_bucket_arn,
 70 |     ]
 71 | 
 72 |     condition {
 73 |       test     = "StringEquals"
 74 |       variable = "aws:PrincipalAccount"
 75 |       values   = [data.aws_caller_identity.current.account_id]
 76 |     }
 77 |     condition {
 78 |       test     = "StringEquals"
 79 |       variable = "s3:ResourceAccount"
 80 |       values   = [data.aws_caller_identity.current.account_id]
 81 |     }
 82 |   }
 83 | 
 84 |   statement {
 85 |     sid    = "Grant access to Artifact Buckets"
 86 |     effect = "Allow"
 87 |     actions = [
 88 |       "s3:ListBucket",
 89 |       "s3:GetObjectVersion",
 90 |       "s3:GetObject",
 91 |       "s3:GetBucketLocation"
 92 |     ]
 93 | 
 94 |     principals {
 95 |       type        = "AWS"
 96 |       identifiers = ["*"]
 97 |     }
 98 | 
 99 |     resources = [
100 |       "arn:aws:s3:::databricks-prod-artifacts-${var.region}/*",
101 |       "arn:aws:s3:::databricks-prod-artifacts-${var.region}",
102 |     ]
103 | 
104 |     condition {
105 |       test     = "StringEquals"
106 |       variable = "aws:ResourceAccount"
107 |       values   = ["414351767826"]
108 |     }
109 |   }
110 | 
111 |   statement {
112 |     sid    = "Grant access to Databricks System Tables Bucket"
113 |     effect = "Allow"
114 |     actions = [
115 |       "s3:ListBucket",
116 |       "s3:GetObjectVersion",
117 |       "s3:GetObject",
118 |       "s3:GetBucketLocation"
119 |     ]
120 | 
121 |     principals {
122 |       type        = "AWS"
123 |       identifiers = ["*"]
124 |     }
125 | 
126 |     resources = [
127 |       "arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket/*",
128 |       "arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket"
129 |     ]
130 | 
131 |     condition {
132 |       test     = "StringEquals"
133 |       variable = "aws:PrincipalAccount"
134 |       values   = ["414351767826"]
135 |     }
136 |   }
137 | 
138 |   statement {
139 |     sid    = "Grant access to Databricks Sample Data Bucket"
140 |     effect = "Allow"
141 |     actions = [
142 |       "s3:ListBucket",
143 |       "s3:GetObjectVersion",
144 |       "s3:GetObject",
145 |       "s3:GetBucketLocation"
146 |     ]
147 | 
148 |     principals {
149 |       type        = "AWS"
150 |       identifiers = ["*"]
151 |     }
152 | 
153 |     resources = [
154 |       "arn:aws:s3:::databricks-datasets-${var.region_bucket_name[var.region]}/*",
155 |       "arn:aws:s3:::databricks-datasets-${var.region_bucket_name[var.region]}"
156 |     ]
157 | 
158 |     condition {
159 |       test     = "StringEquals"
160 |       variable = "aws:PrincipalAccount"
161 |       values   = ["414351767826"]
162 |     }
163 |   }
164 | 
165 |   statement {
166 |     sid    = "Grant access to Databricks Log Bucket"
167 |     effect = "Allow"
168 |     actions = [
169 |       "s3:PutObject",
170 |       "s3:ListBucket",
171 |       "s3:GetBucketLocation"
172 |     ]
173 | 
174 |     principals {
175 |       type        = "AWS"
176 |       identifiers = ["*"]
177 |     }
178 | 
179 |     resources = [
180 |       "arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name[var.region]}/*",
181 |       "arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name[var.region]}"
182 |     ]
183 | 
184 |     condition {
185 |       test     = "StringEquals"
186 |       variable = "aws:PrincipalAccount"
187 |       values   = ["414351767826"]
188 |     }
189 |   }
190 | }
191 | 
192 | // Restrictive STS endpoint policy:
193 | data "aws_iam_policy_document" "sts-vpc-endpoint-policy" {
194 |   count = 1
195 |   statement {
196 |     actions = [
197 |       "sts:AssumeRole",
198 |       "sts:GetAccessKeyInfo",
199 |       "sts:GetSessionToken",
200 |       "sts:DecodeAuthorizationMessage",
201 |       "sts:TagSession"
202 |     ]
203 |     effect    = "Allow"
204 |     resources = ["*"]
205 | 
206 |     principals {
207 |       type        = "AWS"
208 |       identifiers   = [data.aws_caller_identity.current.account_id]
209 |     }
210 |   }
211 | 
212 |   statement {
213 |     actions = [
214 |       "sts:AssumeRole",
215 |       "sts:GetSessionToken",
216 |       "sts:TagSession"
217 |     ]
218 |     effect    = "Allow"
219 |     resources = ["*"]
220 | 
221 |     principals {
222 |       type = "AWS"
223 |       identifiers = [
224 |         "arn:aws:iam::414351767826:user/databricks-datasets-readonly-user-prod",
225 |         "414351767826"
226 |       ]
227 |     }
228 |   }
229 | }
230 | 
231 | // Restrictive Kinesis endpoint policy:
232 | data "aws_iam_policy_document" "kinesis-vpc-endpoint-policy" {
233 |   count = 1
234 |   statement {
235 |     actions = [
236 |       "kinesis:PutRecord",
237 |       "kinesis:PutRecords",
238 |       "kinesis:DescribeStream"
239 |     ]
240 |     effect    = "Allow"
241 |     resources = ["arn:aws:kinesis:${var.region}:414351767826:stream/*"]
242 | 
243 |     principals {
244 |       type        = "AWS"
245 |       identifiers = ["414351767826"]
246 |     }
247 |   }
248 | }
249 | 


--------------------------------------------------------------------------------