CMK Support for Databricks (#9869)

Azure · Jun 24, 2020 · 37a9ad8 · 37a9ad8
1 parent 92ee01a
commit 37a9ad8
Show file tree

Hide file tree

Showing 4 changed files with 459 additions and 1 deletion.
diff --git a/...cation/databricks/resource-manager/Microsoft.Databricks/stable/2018-04-01/databricks.json b/...cation/databricks/resource-manager/Microsoft.Databricks/stable/2018-04-01/databricks.json
@@ -134,6 +134,15 @@
           },
           "Create or update workspace with custom parameters": {
             "$ref": "./examples/WorkspaceCreateWithParameters.json"
+          },
+          "Create a workspace which is ready for Customer-Managed Key (CMK) encryption": {
+            "$ref": "./examples/PrepareEncryption.json"
+          },
+          "Enable Customer-Managed Key (CMK) encryption on a workspace which is prepared for encryption": {
+            "$ref": "./examples/EnableEncryption.json"
+          },
+          "Revert Customer-Managed Key (CMK) encryption to Microsoft Managed Keys encryption on a workspace": {
+            "$ref": "./examples/DisableEncryption.json"
           }
         },
         "parameters": [
@@ -466,7 +475,8 @@
               "$ref": "#/definitions/ErrorResponse"
             }
           }
-        }
+        },
+        "x-ms-long-running-operation": true
       }
     },
     "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Databricks/workspaces/{workspaceName}/virtualNetworkPeerings": {
@@ -621,6 +631,10 @@
           "readOnly": true,
           "description": "The workspace URL which is of the format 'adb-{workspaceId}.{random}.azuredatabricks.net'",
           "type": "string"
+        },
+        "storageAccountIdentity": {
+          "description": "The details of Managed Identity of Storage Account",
+          "$ref": "#/definitions/ManagedIdentityConfiguration"
         }
       },
       "required": [
@@ -735,6 +749,28 @@
         "modelAsString": true
       }
     },
+    "ManagedIdentityConfiguration": {
+      "description": "The Managed Identity details for storage account.",
+      "properties": {
+        "principalId": {
+          "type": "string",
+          "format": "uuid",
+          "description": "The objectId of the Managed Identity that is linked to the Managed Storage account.",
+          "readOnly": true
+        },
+        "tenantId": {
+          "type": "string",
+          "format": "uuid",
+          "description": "The tenant Id where the Managed Identity is created.",
+          "readOnly": true
+        },
+        "type": {
+          "type": "string",
+          "description": "The type of Identity created. It can be either SystemAssigned or UserAssigned.",
+          "readOnly": true
+        }
+      }
+    },
     "WorkspaceCustomParameterType": {
       "description": "Provisioning status of the workspace.",
       "readOnly": true,
@@ -814,6 +850,14 @@
         "enableNoPublicIp": {
           "$ref": "#/definitions/WorkspaceCustomBooleanParameter",
           "description": "Should the Public IP be Disabled?"
+        },
+        "prepareEncryption": {
+          "$ref": "#/definitions/WorkspaceCustomBooleanParameter",
+          "description": "Prepare the workspace for encryption. Enables the Managed Identity for managed storage account."
+        },
+        "encryption": {
+          "$ref": "#/definitions/WorkspaceEncryptionParameter",
+          "description": "Contains the encryption details for Customer-Managed Key (CMK) enabled workspace."
         }
       },
       "description": "Custom Parameters used for Cluster Creation."
@@ -846,6 +890,51 @@
       },
       "description": "Provides details of the entity that created/updated the workspace."
     },
+    "WorkspaceEncryptionParameter": {
+      "properties": {
+        "type": {
+          "$ref": "#/definitions/WorkspaceCustomParameterType",
+          "description": "The type of variable that this is"
+        },
+        "value": {
+          "$ref": "#/definitions/Encryption",
+          "description": "The value which should be used for this field."
+        }
+      },
+      "description": "The object that contains details of encryption used on the workspace."
+    },
+    "Encryption": {
+      "properties": {
+        "keySource": {
+          "type": "string",
+          "description": "The encryption keySource (provider). Possible values (case-insensitive):  Default, Microsoft.Keyvault",
+          "enum": [
+            "Default",
+            "Microsoft.Keyvault"
+          ],
+          "x-ms-enum": {
+            "name": "KeySource",
+            "modelAsString": true
+          },
+          "default": "Default"
+        },
+        "KeyName": {
+          "type": "string",
+          "description": "The name of KeyVault key."
+        },
+        "keyversion": {
+          "type": "string",
+          "description": "The version of KeyVault key.",
+          "x-ms-client-name": "KeyVersion"
+        },
+        "keyvaulturi": {
+          "type": "string",
+          "description": "The Uri of KeyVault.",
+          "x-ms-client-name": "KeyVaultUri"
+        }
+      },
+      "description": "The object that contains details of encryption used on the workspace."
+    },
     "WorkspaceProviderAuthorization": {
       "properties": {
         "principalId": {

diff --git a/...s/resource-manager/Microsoft.Databricks/stable/2018-04-01/examples/DisableEncryption.json b/...s/resource-manager/Microsoft.Databricks/stable/2018-04-01/examples/DisableEncryption.json
@@ -0,0 +1,130 @@
+{
+  "parameters": {
+    "subscriptionId": "subid",
+    "resourceGroupName": "rg",
+    "workspaceName": "myWorkspace",
+    "api-version": "2018-04-01",
+    "parameters": {
+      "properties": {
+        "managedResourceGroupId": "/subscriptions/subid/resourceGroups/myManagedRG",
+        "parameters": {
+          "encryption": {
+            "value": {
+              "keySource": "Default"
+            }
+          }
+        }
+      },
+      "location": "westus"
+    }
+  },
+  "responses": {
+    "200": {
+      "headers": {},
+      "body": {
+        "name": "myWorkspace",
+        "id": "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Databricks/workspaces/myWorkspace",
+        "type": "Microsoft.Databricks/workspaces",
+        "sku": {
+          "name": "premium"
+        },
+        "location": "East US 2",
+        "properties": {
+          "managedResourceGroupId": "/subscriptions/subid/resourceGroups/myManagedRG",
+          "parameters": {
+            "customPrivateSubnetName": {
+              "type": "String",
+              "value": "PrivateBob"
+            },
+            "customPublicSubnetName": {
+              "type": "String",
+              "value": "PublicSarah"
+            },
+            "customVirtualNetworkId": {
+              "type": "String",
+              "value": "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/myNetwork"
+            },
+            "prepareEncryption": {
+              "type": "Bool",
+              "value": true
+            },
+            "encryption": {
+              "type": "Object",
+              "value": {
+                "keySource": "Default"
+              }
+            }
+          },
+          "provisioningState": "Succeeded",
+          "uiDefinitionUri": "https://path/to/workspaceCreateUiDefinition.json",
+          "authorizations": [
+            {
+              "principalId": "00000000-0000-0000-0000-000000000000",
+              "roleDefinitionId": "11111111-1111-1111-1111-111111111111"
+            }
+          ],
+          "createdBy": {
+            "oid": "22222222-2222-2222-2222-222222222222",
+            "puid": "33333333",
+            "applicationId": "44444444-4444-4444-4444-444444444444"
+          },
+          "storageAccountIdentity": {
+            "principalId": "55555555-5555-5555-5555-555555555555",
+            "tenantId": "66666666-6666-6666-6666-666666666666",
+            "type": "SystemAssigned"
+          },
+          "updatedBy": {
+            "oid": "22222222-2222-2222-2222-222222222222",
+            "puid": "33333333",
+            "applicationId": "44444444-4444-4444-4444-444444444444"
+          },
+          "createdDateTime": "2020-02-20T00:10:29.2858439Z",
+          "workspaceId": "5555555555555555",
+          "workspaceUrl": "adb-5555555555555555.19.azuredatabricks.net"
+        }
+      }
+    },
+    "201": {
+      "headers": {},
+      "body": {
+        "name": "myWorkspace",
+        "id": "/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Databricks/workspaces/myWorkspace",
+        "type": "Microsoft.Databricks/workspaces",
+        "location": "East US 2",
+        "tags": {
+          "environment": "dev"
+        },
+        "sku": {
+          "name": "premium"
+        },
+        "properties": {
+          "managedResourceGroupId": "/subscriptions/subid/resourceGroups/myManagedRG",
+          "provisioningState": "Accepted",
+          "uiDefinitionUri": "https://path/to/workspaceCreateUiDefinition.json",
+          "authorizations": [
+            {
+              "principalId": "00000000-0000-0000-0000-000000000000",
+              "roleDefinitionId": "11111111-1111-1111-1111-111111111111"
+            }
+          ],
+          "createdBy": {
+            "oid": "22222222-2222-2222-2222-222222222222",
+            "puid": "33333333",
+            "applicationId": "44444444-4444-4444-4444-444444444444"
+          },
+          "updatedBy": {
+            "oid": "22222222-2222-2222-2222-222222222222",
+            "puid": "33333333",
+            "applicationId": "44444444-4444-4444-4444-444444444444"
+          },
+          "createdDateTime": "2020-02-20T00:10:29.2858439Z",
+          "storageAccountIdentity": {
+            "principalId": "55555555-5555-5555-5555-555555555555",
+            "tenantId": "66666666-6666-6666-6666-666666666666",
+            "type": "SystemAssigned"
+          }
+        }
+      }
+    }
+  }
+}