[PLAT-76309]Add doc guide to create a gcp private service connect workspace. #2091
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #2091 +/- ##
==========================================
- Coverage 89.78% 89.60% -0.19%
==========================================
Files 136 136
Lines 11077 11055 -22
==========================================
- Hits 9946 9906 -40
- Misses 732 743 +11
- Partials 399 406 +7
|
grayluck
suggested changes
Mar 9, 2023
Comment on lines
9
to
147
| service_account_id = google_service_account.sa2.name | ||
| policy_data = data.google_iam_policy.this.policy_data | ||
| } | ||
|
|
||
| resource "google_project_iam_custom_role" "workspace_creator" { | ||
| role_id = "${var.prefix}_workspace_creator" | ||
| title = "Databricks Workspace Creator" | ||
| permissions = [ | ||
| "iam.serviceAccounts.getIamPolicy", | ||
| "iam.serviceAccounts.setIamPolicy", | ||
| "iam.roles.create", | ||
| "iam.roles.delete", | ||
| "iam.roles.get", | ||
| "iam.roles.update", | ||
| "resourcemanager.projects.get", | ||
| "resourcemanager.projects.getIamPolicy", | ||
| "resourcemanager.projects.setIamPolicy", | ||
| "serviceusage.services.get", | ||
| "serviceusage.services.list", | ||
| "serviceusage.services.enable", | ||
| "compute.networks.get", | ||
| "compute.projects.get", | ||
| "compute.subnetworks.get", | ||
| ] | ||
| } | ||
|
|
||
| data "google_client_config" "current" {} | ||
|
|
||
| output "custom_role_url" { | ||
| value = "https://console.cloud.google.com/iam-admin/roles/details/projects%3C${data.google_client_config.current.project}%3Croles%3C${google_project_iam_custom_role.workspace_creator.role_id}" | ||
| } | ||
|
|
||
| resource "google_project_iam_member" "sa2_can_create_workspaces" { | ||
| project = var.project | ||
| role = google_project_iam_custom_role.workspace_creator.id | ||
| member = "serviceAccount:${google_service_account.sa2.email}" | ||
| } | ||
| ``` | ||
|
|
||
| After you’ve added Service Account to Databricks Accounts Console, please copy its name into `databricks_google_service_account` variable. If you prefer environment variables - `DATABRICKS_GOOGLE_SERVICE_ACCOUNT` is the one you’ll use instead. Please also copy Account ID into `databricks_account_id` variable. | ||
|
|
||
| ## Authenticate with Databricks account API | ||
|
|
||
| Databricks account-level APIs can only be called by account owners and account admins, and can only be authenticated using Google-issued OIDC tokens. The simplest way to do this would be via [Google Cloud CLI](https://cloud.google.com/sdk/gcloud). The `gcloud` command is available after installing the SDK. Then run the following commands | ||
|
|
||
| * `gcloud auth application-default login` to authorise your user with Google Cloud Platform. (If you want to use your [service account's credentials instead](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key), set the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to the path of the JSON file that contains your service account key) | ||
| * `terraform init` to load Google and Databricks Terraform providers. | ||
| * `terraform apply` to apply the configuration changes. Terraform will use your credential to impersonate the service account specified in `databricks_google_service_account` to call the Databricks account-level API. | ||
|
|
||
| Alternatively, if you cannot use impersonation and [Application Default Credentials](https://cloud.google.com/docs/authentication/production) as configured by `gcloud`, consider using the service account key directly by passing it to `google_credentials` parameter (or `GOOGLE_CREDENTIALS` environment variable) to avoid using `gcloud`, impersonation, and ADC altogether. The content of this parameter must be either the path to `.json` file or the full JSON content of the Google service account key. | ||
|
|
||
| ## Provider initialization | ||
|
|
||
| ```hcl | ||
| variable "databricks_account_id" {} | ||
| variable "databricks_google_service_account" {} | ||
| variable "google_project" {} | ||
| variable "google_region" {} | ||
| variable "google_zone" {} | ||
|
|
||
|
|
||
| terraform { | ||
| required_providers { | ||
| databricks = { | ||
| source = "databricks/databricks" | ||
| } | ||
| google = { | ||
| source = "hashicorp/google" | ||
| version = "4.47.0" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "google" { | ||
| project = var.google_project | ||
| region = var.google_region | ||
| zone = var.google_zone | ||
| } | ||
|
|
||
| // initialize provider in "accounts" mode to provision new workspace | ||
|
|
||
| provider "databricks" { | ||
| alias = "accounts" | ||
| host = "https://accounts.gcp.databricks.com" | ||
| google_service_account = var.databricks_google_service_account | ||
| account_id = var.databricks_account_id | ||
| } | ||
|
|
||
| data "google_client_openid_userinfo" "me" { | ||
| } | ||
|
|
||
| data "google_client_config" "current" { | ||
| } | ||
|
|
||
| resource "random_string" "suffix" { | ||
| special = false | ||
| upper = false | ||
| length = 6 | ||
| } | ||
| ``` |
There was a problem hiding this comment.
This block seems to be irrelevant to GCP PSC. Can we refer the https://src.dev.databricks.com/databricks/terraform-provider-databricks/-/blob/docs/guides/gcp-workspace.md#creating-a-gcp-service-account-for-databricks-provisioning pages instead of copy/paste?
| The very first step is VPC creation with necessary resources. Please consult [main documentation page](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/customer-managed-vpc.html) for **the most complete and up-to-date details on networking**. A GCP VPC is registered as [databricks_mws_networks](../resources/mws_networks.md) resource. | ||
|
|
||
| To enable [back-end Private Service Connect (data plane to control plane)](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/private-service-connect.html#two-private-service-connect-options), configure network with the two back-end VPC endpoints: | ||
| - Back-end VPC endpoint for SSC relay |
There was a problem hiding this comment.
SCC is not mentioned on the doc. Can we add a link for details?
Comment on lines
290
to
311
| ### Data resources and Authentication is not configured errors | ||
|
|
||
| *In Terraform 0.13 and later*, data resources have the same dependency resolution behavior [as defined for managed resources](https://www.terraform.io/docs/language/resources/behavior.html#resource-dependencies). Most data resources make an API call to a workspace. If a workspace doesn't exist yet, `default auth: cannot configure default credentials` error is raised. To work around this issue and guarantee a proper lazy authentication with data resources, you should add `depends_on = [databricks_mws_workspaces.this]` to the body. This issue doesn't occur if workspace is created *in one module* and resources [within the workspace](workspace-management.md) are created *in another*. We do not recommend using Terraform 0.12 and earlier, if your usage involves data resources. | ||
|
|
||
| ```hcl | ||
| data "databricks_current_user" "me" { | ||
| depends_on = [databricks_mws_workspaces.this] | ||
| } | ||
| ``` | ||
|
|
||
| ## Provider configuration | ||
|
|
||
| In [the next step](workspace-management.md), please use the following configuration for the provider: | ||
|
|
||
| ```hcl | ||
| provider "databricks" { | ||
| host = module.dbx_gcp.workspace_url | ||
| token = module.dbx_gcp.token_value | ||
| } | ||
| ``` | ||
|
|
||
| We assume that you have a terraform module in your project that creats a workspace (using [Databricks Workspace](#creating-a-databricks-workspace) section) and you named it as `dbx_gcp` while calling it in the **main.tf** file of your terraform project. And `workspace_url` and `token_value` are the output attributes of that module. This provider configuration will allow you to use the generated token during workspace creation to authenticate to the created workspace. |
There was a problem hiding this comment.
Unrelated to PSC. Do we need them?
There was a problem hiding this comment.
I copied it from gcp_workspace.md. I don't know what they are. Removed.
nfx
approved these changes
Mar 13, 2023
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PLAT-76309Add doc guide to create a gcp private service connect workspace.