From 510e41ee2f8bff78351357d0526bf8891b51b534 Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Mon, 15 Apr 2024 08:14:53 +0000 Subject: [PATCH 01/13] update cron --- .github/workflows/deploy_tre.yml | 2 +- setup_tre.sh | 45 ++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 setup_tre.sh diff --git a/.github/workflows/deploy_tre.yml b/.github/workflows/deploy_tre.yml index aa90181..e6a0143 100644 --- a/.github/workflows/deploy_tre.yml +++ b/.github/workflows/deploy_tre.yml @@ -6,7 +6,7 @@ name: Deploy Azure TRE on: # yamllint disable-line rule:truthy schedule: # midnight every day https://crontab.guru/#0_0_*_*_* - - cron: "0 0 * * *" + # - cron: "0 0 * * *" push: branches: [main] workflow_dispatch: diff --git a/setup_tre.sh b/setup_tre.sh new file mode 100644 index 0000000..13bc01b --- /dev/null +++ b/setup_tre.sh 
@@ -0,0 +1,45 @@
+# gh auth login -w
+
+REPO="CloudKubed/AzureTRE-Deployment"
+GH_ENV="Demo001"
+AAD_TENANT_ID="5b705f2e-fa01-4f0d-b5ef-54e9251b4b2f"
+TRE_ID="treckd001"
+ACR_NAME="acrtreckd001"
+LOCATION="eastus"
+TERRAFORM_STATE_CONTAINER_NAME="tfstate"
+
+# Configure Core Secrets
+gh secret set TRE_ID --env $GH_ENV --body $TRE_ID -R $REPO
+gh secret set MGMT_RESOURCE_GROUP_NAME --env $GH_ENV --body "rg-${TRE_ID}mgmt" -R $REPO
+gh secret set MGMT_STORAGE_ACCOUNT_NAME --env $GH_ENV --body "sta${TRE_ID}mgmt" -R $REPO
+gh secret set ACR_NAME --env $GH_ENV --body $ACR_NAME -R $REPO
+gh secret set AZURE_CREDENTIALS --env $GH_ENV --body "dummy" -R $REPO
+
+#Configure Core Variables
+gh variable set LOCATION --env $GH_ENV --body $LOCATION -R $REPO
+gh variable set TERRAFORM_STATE_CONTAINER_NAME --env $GH_ENV --body $TERRAFORM_STATE_CONTAINER_NAME -R $REPO
+gh variable set CORE_ADDRESS_SPACE --env $GH_ENV --body "10.0.0.0/22" -R $REPO
+gh variable set TRE_ADDRESS_SPACE --env $GH_ENV --body "10.0.0.0/16" -R $REPO
+gh variable set AZURE_ENVIRONMENT --env $GH_ENV --body "AzureCloud" -R $REPO
+gh variable set CORE_APP_SERVICE_PLAN_SKU --env $GH_ENV --body "P1v2" -R $REPO
+gh variable set RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE --env $GH_ENV --body "5" -R $REPO
+gh variable set ENABLE_SWAGGER --env $GH_ENV --body "true" -R $REPO
+gh variable set STATEFUL_RESOURCES_LOCKED --env $GH_ENV --body "true" -R $REPO
+gh variable set KV_PURGE_PROTECTION_ENABLED --env $GH_ENV --body "true" -R $REPO
+
+#Configure Authentication Secrets
+gh secret set AAD_TENANT_ID --env $GH_ENV --body $AAD_TENANT_ID -R $REPO
+
+gh secret set APPLICATION_ADMIN_CLIENT_ID --env $GH_ENV --body "dummy" -R $REPO
+gh secret set APPLICATION_ADMIN_CLIENT_SECRET --env $GH_ENV --body "dummy" -R $REPO
+gh secret set TEST_ACCOUNT_CLIENT_ID --env $GH_ENV --body "dummy" -R $REPO
+gh secret set TEST_ACCOUNT_CLIENT_SECRET --env $GH_ENV --body "dummy" -R $REPO
+gh secret set API_CLIENT_ID --env $GH_ENV --body 
"dummy" -R $REPO +gh secret set API_CLIENT_SECRET --env $GH_ENV --body "dummy" -R $REPO +gh secret set SWAGGER_UI_CLIENT_ID --env $GH_ENV --body "dummy" -R $REPO +gh secret set TEST_WORKSPACE_APP_ID --env $GH_ENV --body "dummy" -R $REPO +gh secret set TEST_APP_ID --env $GH_ENV --body "dummy" -R $REPO +gh secret set TEST_WORKSPACE_APP_SECRET --env $GH_ENV --body "dummy" -R $REPO + +#Create a Teams Webhook for deployment notifications +gh secret set MS_TEAMS_WEBHOOK_URI --env $GH_ENV --body "dummy" -R $REPO From 7415f2b42b61c0927f1fd7e089a8e16411145346 Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Mon, 15 Apr 2024 09:17:22 +0100 Subject: [PATCH 02/13] update --- .github/workflows/deploy_tre.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy_tre.yml b/.github/workflows/deploy_tre.yml index e6a0143..0de5420 100644 --- a/.github/workflows/deploy_tre.yml +++ b/.github/workflows/deploy_tre.yml @@ -4,11 +4,11 @@ name: Deploy Azure TRE # It also runs on a schedule, serving as the nightly build on: # yamllint disable-line rule:truthy - schedule: + # schedule: # midnight every day https://crontab.guru/#0_0_*_*_* # - cron: "0 0 * * *" - push: - branches: [main] + # push: + # branches: [main] workflow_dispatch: inputs: environment: From 7d8b19765daf0a271af542a7200180a7f308b4a4 Mon Sep 17 00:00:00 2001 
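Review bot: Every authentication secret (`AZURE_CREDENTIALS`, the `*_CLIENT_SECRET`s, `MS_TEAMS_WEBHOOK_URI`) is written as the literal `"dummy"`, so running this script a second time after real values have been loaded into the `Demo001` environment silently overwrites them, and nothing catches that because the file has no shebang or `set -euo pipefail` and every `gh` exit status is ignored. Take the values from the caller's environment and refuse to run when they are missing, e.g. `gh secret set AZURE_CREDENTIALS --env "$GH_ENV" -R "$REPO" --body "${AZURE_CREDENTIALS:?AZURE_CREDENTIALS is not set}"`, and quote `$GH_ENV`, `$REPO` and `$TRE_ID` throughout. Passing a real secret via `--body` also puts it on the command line where it shows up in process listings and shell history; for the genuine credentials prefer feeding them on stdin (`gh secret set NAME --env "$GH_ENV" -R "$REPO" < file`). The hard-coded `AAD_TENANT_ID` is not secret on its own, but committing it to the repo while storing it as a GitHub secret is contradictory — either make it a variable or source it from the environment like the others.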
From: tim-allen-ck Date: Tue, 16 Apr 2024 11:12:04 +0100 Subject: [PATCH 03/13] add in databricks template --- .github/workflows/deploy_tre_reusable.yml | 8 +- .../databricks/.dockerignore | 8 + .../workspace_services/databricks/.env.sample | 5 + .../databricks/Dockerfile.tmpl | 15 + .../workspace_services/databricks/README.md | 47 + .../databricks/parameters.json | 62 + .../workspace_services/databricks/porter.yaml | 176 +++ .../databricks/template_schema.json | 365 ++++++ .../databricks/terraform/.terraform.lock.hcl | 80 ++ .../databricks/terraform/data.tf | 30 + .../databricks/terraform/databricks-udr.json | 1136 +++++++++++++++++ .../databricks/terraform/deploy.sh | 22 + .../databricks/terraform/locals.tf | 28 + .../databricks/terraform/main.tf | 28 + .../databricks/terraform/network.tf | 214 ++++ .../databricks/terraform/outputs.tf | 51 + .../databricks/terraform/providers.tf | 64 + .../databricks/terraform/variables.tf | 28 + 18 files changed, 2365 insertions(+), 2 deletions(-) create mode 100644 templates/workspace_services/databricks/.dockerignore create mode 100644 templates/workspace_services/databricks/.env.sample create mode 100644 templates/workspace_services/databricks/Dockerfile.tmpl create mode 100644 templates/workspace_services/databricks/README.md create mode 100644 templates/workspace_services/databricks/parameters.json create mode 100644 templates/workspace_services/databricks/porter.yaml create mode 100644 templates/workspace_services/databricks/template_schema.json create mode 100644 templates/workspace_services/databricks/terraform/.terraform.lock.hcl create mode 100644 templates/workspace_services/databricks/terraform/data.tf create mode 100644 templates/workspace_services/databricks/terraform/databricks-udr.json create mode 100755 templates/workspace_services/databricks/terraform/deploy.sh create mode 100644 templates/workspace_services/databricks/terraform/locals.tf create mode 100644 
templates/workspace_services/databricks/terraform/main.tf create mode 100644 templates/workspace_services/databricks/terraform/network.tf create mode 100644 templates/workspace_services/databricks/terraform/outputs.tf create mode 100644 templates/workspace_services/databricks/terraform/providers.tf create mode 100644 templates/workspace_services/databricks/terraform/variables.tf diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml index c874b92..a6abca3 100644 --- a/.github/workflows/deploy_tre_reusable.yml +++ b/.github/workflows/deploy_tre_reusable.yml @@ -395,7 +395,9 @@ jobs: BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm"} - {BUNDLE_TYPE: "user_resource", BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm"} - # Add your custom Bundles below this + - {BUNDLE_TYPE: "workspace_service", + BUNDLE_DIR: "./templates/workspace_services/databricks"} + # Add your custom Bundles below this environment: ${{ inputs.environmentName }} steps: - name: Checkout @@ -547,7 +549,9 @@ jobs: BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/databricks"} - {BUNDLE_TYPE: "workspace_service", BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/ohdsi"} - # Add your bundles here + - {BUNDLE_TYPE: "workspace_service", + BUNDLE_DIR: "./templates/workspace_services/databricks"} + # Add your bundles here environment: ${{ inputs.environmentName }} steps: - name: Checkout diff --git a/templates/workspace_services/databricks/.dockerignore b/templates/workspace_services/databricks/.dockerignore new file mode 100644 index 0000000..c1234b6 --- /dev/null +++ b/templates/workspace_services/databricks/.dockerignore @@ -0,0 +1,8 @@ +# Local .terraform directories +**/.terraform/* + +# TF backend files +**/*_backend.tf +Dockerfile.tmpl +terraform/deploy.sh +terraform/destroy.sh 
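Review bot: The two new matrix entries use `BUNDLE_DIR: "./templates/workspace_services/databricks"` while every neighbouring entry in both hunks is anchored on `\\${AZURETRE_HOME}/...`, and the second hunk's context line shows the upstream `\\${AZURETRE_HOME}/templates/workspace_services/databricks` entry is still present, so the workflow will now build and publish two Databricks workspace-service bundles from two different roots. A relative path presumably resolves against the job's working directory rather than the TRE checkout — worth confirming it lands on this repo's copy and not on a directory that does not exist at publish time. If the fork's template is meant to replace the upstream one, drop the upstream line in the second hunk; otherwise add a comment above the new entry explaining why both are published. The enclosing `matrix` stanza and job continue outside the hunk.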
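Review bot: `.env` is not excluded here, yet the same commit adds `.env.sample` (implying a local `.env` with real values) and a `Dockerfile.tmpl` that does `COPY --link . ${BUNDLE_DIR}/`, so a developer building the bundle locally could bake their `.env` — and any locally generated Terraform state or tfvars — into the invocation image that is then pushed to the registry. Add `.env`, `**/*.tfstate`, `**/*.tfstate.backup` and `**/*.tfvars` with a comment such as `# Local secrets and state - never ship in the invocation image`.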
diff --git a/templates/workspace_services/databricks/.env.sample b/templates/workspace_services/databricks/.env.sample new file mode 100644 index 0000000..15056a9 --- /dev/null +++ b/templates/workspace_services/databricks/.env.sample @@ -0,0 +1,5 @@ +ID=__CHANGE_ME__ +WORKSPACE_ID=__CHANGE_ME__ +AZURE_LOCATION=__CHANGE_ME__ +HOST_SUBNET_ADDRESS_PREFIX=__CHANGE_ME__ +CONTAINER_SUBNET_ADDRESS_PREFIX=__CHANGE_ME__ diff --git a/templates/workspace_services/databricks/Dockerfile.tmpl b/templates/workspace_services/databricks/Dockerfile.tmpl new file mode 100644 index 0000000..076d4cb --- /dev/null +++ b/templates/workspace_services/databricks/Dockerfile.tmpl @@ -0,0 +1,15 @@ +# syntax=docker/dockerfile-upstream:1.4.0 +FROM --platform=linux/amd64 debian:bullseye-slim + +# PORTER_INIT + +RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache + +# Install git - required for https://registry.terraform.io/modules/claranet/regions/azurerm +RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \ + apt-get update && apt-get install --no-install-recommends -y git + +# PORTER_MIXINS + +# Use the BUNDLE_DIR build argument to copy files into the bundle +COPY --link . ${BUNDLE_DIR}/ diff --git a/templates/workspace_services/databricks/README.md b/templates/workspace_services/databricks/README.md new file mode 100644 index 0000000..767bb82 --- /dev/null +++ b/templates/workspace_services/databricks/README.md 
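Review bot: The variables in this sample do not match what `parameters.json` in the same commit reads from the environment: `HOST_SUBNET_ADDRESS_PREFIX`, `CONTAINER_SUBNET_ADDRESS_PREFIX` and `AZURE_LOCATION` are referenced by no parameter, while `TRE_ID`, `ADDRESS_SPACE`, `IS_EXPOSED_EXTERNALLY`, `TERRAFORM_STATE_CONTAINER_NAME`, `MGMT_RESOURCE_GROUP_NAME`, `MGMT_STORAGE_ACCOUNT_NAME` and `ARM_ENVIRONMENT` are required and absent. A developer who copies this file to `.env` gets an install that fails on unset parameters rather than a working local run. Replace the two subnet lines and `AZURE_LOCATION` with `TRE_ID=__CHANGE_ME__`, `ADDRESS_SPACE=__CHANGE_ME__` and `IS_EXPOSED_EXTERNALLY=false`, and add the remaining names the parameter set expects.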
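Review bot: The base image is pinned only by tag (`FROM --platform=linux/amd64 debian:bullseye-slim`), so the invocation image published for this bundle is not reproducible and will silently pick up whatever `bullseye-slim` resolves to on the day it is built. Pin by digest, `FROM --platform=linux/amd64 debian:bullseye-slim@sha256:<digest>`, with a comment recording the tag and the date the digest was taken, and bump it deliberately when the `git` dependency or base needs updating.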
@@ -0,0 +1,47 @@ +# Contents + +## porter.yaml + +This is the porter manifest. See for +details on every field and how to configure your bundle. This is a required +file. + +## helpers.sh + +This is a bash script where you can place helper functions that you can call +from your porter.yaml file. + +## README.md + +This explains the files created by `porter create`. It is not used by porter and +can be deleted. + +## Dockerfile.tmpl + +This is a template Dockerfile for the bundle's invocation image. You can +customize it to use different base images, install tools and copy configuration +files. Porter will use it as a template and append lines to it for the mixin and to set +the CMD appropriately for the CNAB specification. You can delete this file if you don't +need it. + +Add the following line to **porter.yaml** to enable the Dockerfile template: + +```yaml +dockerfile: Dockerfile.tmpl +``` + +By default, the Dockerfile template is disabled and Porter automatically copies +all of the files in the current directory into the bundle's invocation image. When +you use a custom Dockerfile template, you must manually copy files into the bundle +using COPY statements in the Dockerfile template. + +## .gitignore + +This is a default file that we provide to help remind you which files are +generated by Porter, and shouldn't be committed to source control. You can +delete it if you don't need it. + +## .dockerignore + +This is a default file that controls which files are copied into the bundle's +invocation image by default. You can delete it if you don't need it. diff --git a/templates/workspace_services/databricks/parameters.json b/templates/workspace_services/databricks/parameters.json new file mode 100644 index 0000000..6b25c34 --- /dev/null +++ b/templates/workspace_services/databricks/parameters.json 
@@ -0,0 +1,62 @@ +{ + "schemaType": "ParameterSet", + "schemaVersion": "1.0.1", + "namespace": "", + "name": "tre-service-databricks", + "parameters": [ + { + "name": "id", + "source": { + "env": "ID" + } + }, + { + "name": "tre_id", + "source": { + "env": "TRE_ID" + } + }, + { + "name": "workspace_id", + "source": { + "env": "WORKSPACE_ID" + } + }, + { + "name": "address_space", + "source": { + "env": "ADDRESS_SPACE" + } + }, + { + "name": "is_exposed_externally", + "source": { + "env": "IS_EXPOSED_EXTERNALLY" + } + }, + { + "name": "tfstate_container_name", + "source": { + "env": "TERRAFORM_STATE_CONTAINER_NAME" + } + }, + { + "name": "tfstate_resource_group_name", + "source": { + "env": "MGMT_RESOURCE_GROUP_NAME" + } + }, + { + "name": "tfstate_storage_account_name", + "source": { + "env": "MGMT_STORAGE_ACCOUNT_NAME" + } + }, + { + "name": "arm_environment", + "source": { + "env": "ARM_ENVIRONMENT" + } + } + ] +} diff --git a/templates/workspace_services/databricks/porter.yaml b/templates/workspace_services/databricks/porter.yaml new file mode 100644 index 0000000..51cce2f --- /dev/null +++ b/templates/workspace_services/databricks/porter.yaml 
@@ -0,0 +1,176 @@ +--- +schemaVersion: 1.0.0 +name: tre-service-databricks2 +version: 1.0.3 +description: "An Azure TRE service for Azure Databricks." +registry: azuretre +dockerfile: Dockerfile.tmpl + +credentials: + + - name: azure_tenant_id + env: ARM_TENANT_ID + - name: azure_subscription_id + env: ARM_SUBSCRIPTION_ID + - name: azure_client_id + env: ARM_CLIENT_ID + - name: azure_client_secret + env: ARM_CLIENT_SECRET + +parameters: + - name: workspace_id + type: string + - name: tre_id + type: string + - name: id + type: string + description: "Resource ID" + - name: address_space + type: string + - name: is_exposed_externally + type: boolean + - name: tfstate_resource_group_name + type: string + description: "Resource group containing the Terraform state storage account" + - name: tfstate_storage_account_name + type: string + description: "The name of the Terraform state storage account" + - name: tfstate_container_name + env: tfstate_container_name + type: string + default: "tfstate" + description: "The name of the Terraform state storage container" + - name: arm_use_msi + env: ARM_USE_MSI + type: boolean + default: false + - name: arm_environment + env: ARM_ENVIRONMENT + type: string + default: "public" + +outputs: + - name: databricks_workspace_name + type: string + applyTo: + - install + - upgrade + - name: connection_uri + type: string + applyTo: + - install + - upgrade + - name: databricks_storage_account_name + type: string + applyTo: + - install + - upgrade + - name: dbfs_blob_storage_domain + type: string + applyTo: + - install + - upgrade + - name: metastore_addresses + type: string + applyTo: + - install + - upgrade + - name: event_hub_endpoint_addresses + type: string + applyTo: + - install + - upgrade + - name: log_blob_storage_domains + type: string + applyTo: + - install + - upgrade + - name: artifact_blob_storage_domains + type: string + applyTo: + - install + - upgrade + - name: workspace_address_spaces + type: string + applyTo: + - install + 
- upgrade + - name: databricks_address_prefixes + type: string + applyTo: + - install + - upgrade + +mixins: + - terraform: + clientVersion: 1.3.6 + +install: + - terraform: + description: "Deploy Databricks Service" + vars: + tre_resource_id: ${ bundle.parameters.id } + tre_id: ${ bundle.parameters.tre_id } + workspace_id: ${ bundle.parameters.workspace_id } + address_space: ${ bundle.parameters.address_space } + is_exposed_externally: ${ bundle.parameters.is_exposed_externally } + arm_environment: ${ bundle.parameters.arm_environment } + backendConfig: + resource_group_name: ${ bundle.parameters.tfstate_resource_group_name } + storage_account_name: ${ bundle.parameters.tfstate_storage_account_name } + container_name: ${ bundle.parameters.tfstate_container_name } + key: ${ bundle.name }-${ bundle.parameters.id } + outputs: + - name: databricks_workspace_name + - name: connection_uri + - name: databricks_storage_account_name + - name: dbfs_blob_storage_domain + - name: metastore_addresses + - name: event_hub_endpoint_addresses + - name: log_blob_storage_domains + - name: artifact_blob_storage_domains + - name: workspace_address_spaces + - name: databricks_address_prefixes + +upgrade: + - terraform: + description: "Upgrade Databricks Service" + vars: + tre_resource_id: ${ bundle.parameters.id } + tre_id: ${ bundle.parameters.tre_id } + workspace_id: ${ bundle.parameters.workspace_id } + address_space: ${ bundle.parameters.address_space } + is_exposed_externally: ${ bundle.parameters.is_exposed_externally } + arm_environment: ${ bundle.parameters.arm_environment } + backendConfig: + resource_group_name: ${ bundle.parameters.tfstate_resource_group_name } + storage_account_name: ${ bundle.parameters.tfstate_storage_account_name } + container_name: ${ bundle.parameters.tfstate_container_name } + key: ${ bundle.name }-${ bundle.parameters.id } + outputs: + - name: databricks_workspace_name + - name: connection_uri + - name: databricks_storage_account_name + - name: 
dbfs_blob_storage_domain + - name: metastore_addresses + - name: event_hub_endpoint_addresses + - name: log_blob_storage_domains + - name: artifact_blob_storage_domains + - name: workspace_address_spaces + - name: databricks_address_prefixes + +uninstall: + - terraform: + description: "Uninstall Azure Databricks Service" + vars: + tre_resource_id: ${ bundle.parameters.id } + tre_id: ${ bundle.parameters.tre_id } + workspace_id: ${ bundle.parameters.workspace_id } + address_space: ${ bundle.parameters.address_space } + is_exposed_externally: ${ bundle.parameters.is_exposed_externally } + arm_environment: ${ bundle.parameters.arm_environment } + backendConfig: + resource_group_name: ${ bundle.parameters.tfstate_resource_group_name } + storage_account_name: ${ bundle.parameters.tfstate_storage_account_name } + container_name: ${ bundle.parameters.tfstate_container_name } + key: ${ bundle.name }-${ bundle.parameters.id } diff --git a/templates/workspace_services/databricks/template_schema.json b/templates/workspace_services/databricks/template_schema.json new file mode 100644 index 0000000..edaf02c --- /dev/null +++ b/templates/workspace_services/databricks/template_schema.json 
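Review bot: The bundle is named `tre-service-databricks2` (and the schema title in this commit is "Azure Databricks 2") while `parameters.json` in the same commit names its parameter set `tre-service-databricks`, so the `2` reads like a workaround for a clash with the upstream Databricks bundle that `deploy_tre_reusable.yml` still registers. If a second template is intended, state it in `description`, e.g. `description: "CloudKubed variant of the Azure TRE Databricks service; coexists with upstream tre-service-databricks"`, and align the parameter-set name. Separately, `install`, `upgrade` and `uninstall` carry three verbatim copies of the same `vars` and `backendConfig`; that is conventional for Porter, but any future change to one (for instance the state `key:`) must be mirrored in the other two, which a comment above `install:` should warn about.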
@@ -0,0 +1,365 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/databricks/template_schema.json", + "type": "object", + "title": "Azure Databricks 2", + "description": "Azure Databricks", + "required": [], + "properties": { + "display_name": { + "type": "string", + "title": "Name for the workspace service", + "description": "The name of the workspace service to be displayed to users", + "default": "Azure Databricks", + "updateable": true + }, + "description": { + "type": "string", + "title": "Description of the workspace service", + "description": "Description of the workspace service", + "default": "Azure Databricks is a fast, easy, and collaborative Apache Spark-based big data analytics service designed for data science and data engineering.", + "updateable": true + }, + "overview": { + "type": "string", + "title": "Workspace Service Overview", + "description": "Long form description of the workspace service, in markdown syntax", + "default": "The Azure Databricks Lakehouse Platform provides a unified set of tools for building, deploying, sharing, and maintaining enterprise-grade data solutions at scale.\nAzure Databricks integrates with cloud storage and security in your cloud account, and manages and deploys cloud infrastructure on your behalf.\n[Azure Databricks documentation](https://learn.microsoft.com/en-us/azure/databricks/introduction/)", + "updateable": true + }, + "is_exposed_externally": { + "$id": "#/properties/is_exposed_externally", + "type": "boolean", + "title": "Expose externally", + "description": "Is the Databricks workspace accessible from outside of the workspace network", + "default": false + }, + "address_space": { + "$id": "#/properties/address_space", + "type": "string", + "title": "Address space", + "description": "The address space of the databricks subnets" + } + }, + "uiSchema": { + "address_space": { + "classNames": "tre-hidden" + } + }, + 
"pipeline": { + "install": [ + { + "stepId": "12ba0dad-ea6c-4d0d-9255-daa6212f5ffa", + "stepTitle": "Upgrade to ensure aware of address space", + "resourceType": "workspace", + "resourceAction": "upgrade", + "properties": [] + }, + { + "stepId": "main" + }, + { + "stepId": "7ec5fa90-23bd-4809-b0d7-2d32c94016b1", + "stepTitle": "Add firewall rules for databricks", + "resourceTemplateName": "tre-shared-service-firewall", + "resourceType": "shared-service", + "resourceAction": "upgrade", + "properties": [ + { + "name": "network_rule_collections", + "type": "array", + "arraySubstitutionAction": "replace", + "arrayMatchField": "name", + "value": { + "name": "nrc_svc_{{ resource.id }}_databricks", + "action": "Allow", + "rules": [ + { + "name": "databricks", + "description": "Communication with Azure Databricks dependancies.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "destination_addresses": [ "AzureDatabricks"], + "destination_ports": [ + "443" + ], + "protocols": [ + "TCP" + ] + }, + { + "name": "databricks-sql-metastore", + "description": "Stores metadata for databases and child objects in a Azure Databricks workspace.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "destination_addresses": "{{ resource.properties.metastore_addresses }}", + "destination_ports": [ + "3306" + ], + "protocols": [ + "TCP" + ] + }, + { + "name": "databricks-observability-eventhub", + "description": "Transit for Azure Databricks on-cluster service specific telemetry.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "destination_addresses": "{{ resource.properties.event_hub_endpoint_addresses }}", + "destination_ports": [ + "9093" + ], + "protocols": [ + "TCP" + ] + }, + { + "name": "AzureAD", + "description": "AAD access", + "source_addresses": "{{ resource.properties.workspace_address_spaces }}", + "destination_addresses": ["AzureActiveDirectory"], + "destination_ports": ["*"], + 
"protocols": ["TCP"] + } + ] + } + }, + { + "name": "rule_collections", + "type": "array", + "arraySubstitutionAction": "replace", + "arrayMatchField": "name", + "value": { + "name": "arc_svc_{{ resource.id }}_databricks", + "action": "Allow", + "rules": [ + { + "name": "databricks-spark-log-blob-storage", + "description": "To store Azure Databricks audit and cluster logs (anonymized / masked) for support and troubleshooting.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "target_fqdns": "{{ resource.properties.log_blob_storage_domains }}", + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + }, + { + "name": "databricks-artifact-blob-storage", + "description": "Stores Databricks Runtime images to be deployed on cluster nodes.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "target_fqdns": "{{ resource.properties.artifact_blob_storage_domains }}", + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + }, + { + "name": "databricks-dbfs", + "description": "Azure Databricks workspace root storage.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "target_fqdns": [ + "{{ resource.properties.dbfs_blob_storage_domain }}" + ], + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + }, + { + "name": "AAD CDN", + "description": "AAD CDN", + "source_addresses": "{{ resource.properties.workspace_address_spaces }}", + "target_fqdns": [ + "aadcdn.msftauth.net" + ], + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + } + ] + } + } + ] + } + ], + "upgrade": [ + { + "stepId": "12baaaad-ea6c-4d0d-9255-d316212f5ffa", + "stepTitle": "Upgrade to ensure aware of address space", + "resourceType": "workspace", + "resourceAction": "upgrade", + "properties": [] + }, + { + "stepId": "main" + }, + { + "stepId": "260421b3-7308-491f-b531-e007cdc0aa46", + "stepTitle": "Add firewall rules for databricks", + "resourceTemplateName": 
"tre-shared-service-firewall", + "resourceType": "shared-service", + "resourceAction": "upgrade", + "properties": [ + { + "name": "network_rule_collections", + "type": "array", + "arraySubstitutionAction": "replace", + "arrayMatchField": "name", + "value": { + "name": "nrc_svc_{{ resource.id }}_databricks", + "action": "Allow", + "rules": [ + { + "name": "databricks", + "description": "Communication with Azure Databricks dependancies.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "destination_addresses": [ "AzureDatabricks"], + "destination_ports": [ + "443" + ], + "protocols": [ + "TCP" + ] + }, + { + "name": "databricks-sql-metastore", + "description": "Stores metadata for databases and child objects in a Azure Databricks workspace.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "destination_addresses": "{{ resource.properties.metastore_addresses }}", + "destination_ports": [ + "3306" + ], + "protocols": [ + "TCP" + ] + }, + { + "name": "databricks-observability-eventhub", + "description": "Transit for Azure Databricks on-cluster service specific telemetry.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "destination_addresses": "{{ resource.properties.event_hub_endpoint_addresses }}", + "destination_ports": [ + "9093" + ], + "protocols": [ + "TCP" + ] + }, + { + "name": "AzureAD", + "description": "AAD access", + "source_addresses": "{{ resource.properties.workspace_address_spaces }}", + "destination_addresses": ["AzureActiveDirectory"], + "destination_ports": ["*"], + "protocols": ["TCP"] + } + ] + } + }, + { + "name": "rule_collections", + "type": "array", + "arraySubstitutionAction": "replace", + "arrayMatchField": "name", + "value": { + "name": "arc_svc_{{ resource.id }}_databricks", + "action": "Allow", + "rules": [ + { + "name": "databricks-spark-log-blob-storage", + "description": "To store Azure Databricks audit and cluster logs (anonymized / 
masked) for support and troubleshooting.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "target_fqdns": "{{ resource.properties.log_blob_storage_domains }}", + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + }, + { + "name": "databricks-artifact-blob-storage", + "description": "Stores Databricks Runtime images to be deployed on cluster nodes.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "target_fqdns": "{{ resource.properties.artifact_blob_storage_domains }}", + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + }, + { + "name": "databricks-dbfs", + "description": "Azure Databricks workspace root storage.", + "source_addresses": "{{ resource.properties.databricks_address_prefixes }}", + "target_fqdns": [ + "{{ resource.properties.dbfs_blob_storage_domain }}" + ], + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + }, + { + "name": "AAD CDN", + "description": "AAD CDN", + "source_addresses": "{{ resource.properties.workspace_address_spaces }}", + "target_fqdns": [ + "aadcdn.msftauth.net" + ], + "protocols": [ + { + "port": "443", + "type": "Https" + } + ] + } + ] + } + } + ] + } + ], + "uninstall": [ + { + "stepId": "da2d99a3-3940-4dcc-a934-53535f2e2451", + "stepTitle": "Remove network firewall rules for databricks", + "resourceTemplateName": "tre-shared-service-firewall", + "resourceType": "shared-service", + "resourceAction": "upgrade", + "properties": [ + { + "name": "network_rule_collections", + "type": "array", + "arraySubstitutionAction": "remove", + "arrayMatchField": "name", + "value": { + "name": "nrc_svc_{{ resource.id }}_databricks" + } + }, + { + "name": "rule_collections", + "type": "array", + "arraySubstitutionAction": "remove", + "arrayMatchField": "name", + "value": { + "name": "arc_svc_{{ resource.id }}_databricks" + } + } + ] + }, + { + "stepId": "main" + } + ] + } +} 
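Review bot: The `AzureAD` network rule in both the `install` and `upgrade` pipelines allows TCP to `"destination_ports": ["*"]` from the whole `workspace_address_spaces` to the `AzureActiveDirectory` service tag; Entra ID sign-in and token endpoints are served over HTTPS, so this should be `"destination_ports": ["443"]` like the neighbouring `databricks` rule, otherwise every TCP service behind that tag becomes reachable from every workspace VM. The `upgrade` block must stay byte-identical to `install`, so a `"description"` on that rule noting that the two blocks are mirrored would help the next editor. Note also that `source_addresses` for this rule and for `AAD CDN` is the full workspace range rather than `databricks_address_prefixes`; if that is deliberate (browser sign-in from workspace VMs) the description should say so.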
diff --git a/templates/workspace_services/databricks/terraform/.terraform.lock.hcl b/templates/workspace_services/databricks/terraform/.terraform.lock.hcl new file mode 100644 index 0000000..a5d8741 --- /dev/null +++ b/templates/workspace_services/databricks/terraform/.terraform.lock.hcl 
@@ -0,0 +1,80 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/azure/azapi" { + version = "1.1.0" + constraints = "1.1.0" + hashes = [ + "h1:IR+AHCwfjl1c0baWwfOwZ6QZtHj41H2syTgHkJtAr/M=", + "zh:2a25df6325a49f9e821f0b02c7da86167fc19a3bac647cd1edf231300f29d077", + "zh:2b443a836a39724663fe455d4deee408ff3a2d9a8b86f8408aa7db2e8aa743f8", + "zh:364ed09ddfc50d9bed8d930f7de489cb654a9908feb139413a097823a50075fd", + "zh:523bc005f56ae785867d230d55c29f59db4b599dbc6c38b4d03ea55a79458916", + "zh:60ded375fdb305b60bcb4d9e596dbb222cab166bad1b4958199b05a72aaeacfd", + "zh:61e69c58642fead6814e511c872b7c0a6478ec6af4ab758b4512607d910ac078", + "zh:823b2154ae2262dabcbd11aac992e3cc29eae0f7baa96bee1e3e2fe1ece8730b", + "zh:870ea9cc24807ef5142e4cad0281dac7173f7b6bf818a79762b6c690d12d4c4b", + "zh:9094ae76ed66cb328a4f35bd18b9140fb6fc6859c2e46431ec73c018bcb58d96", + "zh:d89149cfd01cb70012459536b4d36490b58e43312440562e5910bd5160537858", + "zh:dba7ec06171ca062fc423ba5b4776a5600444e45e57f4d1cb043bdc3eee538b7", + "zh:ff5bd6883d9ac8334e043434246357a55107411e9a962856c1d17e47ee15ac37", + ] +} + +provider "registry.terraform.io/databricks/databricks" { + version = "1.5.0" + constraints = "1.5.0" + hashes = [ + "h1:UJe5L/BteOU7M5ewRLzuUjiewYFLF695eLp3hMKVR6M=", + "zh:0fa9ca13d977a8dcb46254f07c9be731891468f5b423f09cb51da97eaace8e2b", + "zh:3a648e4f8ece8aab05acfc7759b4e4cd153ecd29b3ed0e00d7f1a3a19911f7d8", + "zh:3b052b98b5e22ae4e81e4b667ae5cee9a68bb1750d22546ae9eff16c8d6a294a", + "zh:4320b165218cb39f0ad313d483bba20d0de9e48db0c1467fd0e3a0afb2c02012", + "zh:588c9fdbf35ca9c430cafb5dbd90f34a165744e3514212d0f2c07a3387d8b339", + "zh:b50f8eb38b556ddfa24a76b4113e8a84b778a9a0bb4b4ba5fdc3edca59198d2a", + "zh:ca5186443ac672f5566d9c9b5727f55124a8642dd3949e973790b9195e6b306a", + "zh:db817409b94c34c9b9b5e109751eff7fbca90d08b407a099630c8ec79b6c6d4b", + "zh:edf04424c68db603bf2473e2f14f3e3ad217feb84fc2c7debb6641d15886f8e3", + 
"zh:ef374f84c41fe529bff1ec3274eb7fe5dd8184c5e71f3e6d99a6adaff6eab82e", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.40.0" + constraints = "3.40.0" + hashes = [ + "h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=", + "zh:00fa6dc05bf2643c6a3c741edb7d88263698086835a8a613f1d7bd76d1b918fd", + "zh:0da9b788e773272a7aa9d59bd9e3d5842edd4acc8c3895bea469e66dc14205a0", + "zh:25a8c39d1f042fc7c83ba9dd745c3569ea9e577fadb57563a575fb115ac2b9f1", + "zh:4423666dbeae8bc22c6e8898ffbb88745681dc27668ca9104b665dd7f3d7292c", + "zh:78c07308e7407b558d15737a98fb5eaf15529d297fc3798de6a7d61e0466e2e3", + "zh:894aca7e6f4f331ee8eb51957a180dc03d399d2b1727e0d7842e9b3f022a8c6a", + "zh:bb0e620c2161b4c4892a6f50b1c4c69ed70f66bb5e92543a03d79d0e4b1d9441", + "zh:c7d8e6a791159ca63b30908c9efe72ab65f60d64b30f0c1eb5a64972f4994844", + "zh:d04c11bfd346c1ac34d16bbdca70b23b006e822f6beb236b85375e8343888eb4", + "zh:f4edea9660327c7c70a823d786fd1b1c1b186c8759770447f63da72f23e1a73c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f986e268949cf445ff53a66af48a87c6f6dba5964e8a5b1dc0ea02afabdd71f7", + ] +} + +provider "registry.terraform.io/hashicorp/dns" { + version = "3.2.3" + constraints = "3.2.3" + hashes = [ + "h1:ODcR+vWOhCAJ2iCChZMVdRglNCx07VNr67OPLRPZyDY=", + "zh:03a304f4b76ac6c8bebffddcdf555bf77578a7f638948a681589def32e140cb8", + "zh:08c7d2498b747054e9c9df7838bfa4e4a6b5d63e2d29f0457247e384f792d56c", + "zh:20adf489819ba51ba9d9d15da2dbe1fecb92491b3d0dd80096873e5e84d8b4bd", + "zh:2959ff209d2578456ca490672b82864d483b9e9db9efc8e4ffada06e23017609", + "zh:3ecd0b22db79550fb1108ff7bd00c4066825e8c23bb64e3cc8d9b8102e8caa45", + "zh:6e53a9232245b4be52b56b078f15f270b89afe6abb9c9b8baab4a282fe0cf9f8", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:80437bdfa08eb90f70105b52cb06799a8f7967313654b43d28d7f654fcd4edc1", + "zh:816ddaca0ecc29e287376e5b0b8b0729ee13f23a9d74bfad5b14b7983e1a1775", + 
"zh:82d8ac7ad00c1a71d0a7c1aca03bb59a6b51128f895242df80b1f3d016c3c51a", + "zh:ec9243b8bd80693a6eeeea5d4f7f4e6f57bd44ae796d6d5b1a91790e359f8a61", + "zh:fd821adbfb03a2c9eac111ff27a32b3a5523b18f80333008de85482d3bbea645", + ] +} diff --git a/templates/workspace_services/databricks/terraform/data.tf b/templates/workspace_services/databricks/terraform/data.tf new file mode 100644 index 0000000..7d1342b --- /dev/null +++ b/templates/workspace_services/databricks/terraform/data.tf @@ -0,0 +1,30 @@ +data "azurerm_resource_group" "ws" { + name = local.resource_group_name +} + +data "azurerm_virtual_network" "ws" { + name = local.virtual_network_name + resource_group_name = data.azurerm_resource_group.ws.name +} + +data "azurerm_firewall" "firewall" { + name = local.firewall_name + resource_group_name = local.core_resource_group_name +} +data "azurerm_subnet" "services" { + name = "ServicesSubnet" + virtual_network_name = data.azurerm_virtual_network.ws.name + resource_group_name = data.azurerm_virtual_network.ws.resource_group_name +} + +data "azurerm_private_dns_zone" "databricks" { + name = module.terraform_azurerm_environment_configuration.private_links["privatelink.azuredatabricks.net"] + resource_group_name = local.core_resource_group_name +} + +data "azurerm_subscription" "current" {} + +data "azurerm_private_dns_zone" "dfscore" { + name = module.terraform_azurerm_environment_configuration.private_links["privatelink.dfs.core.windows.net"] + resource_group_name = local.core_resource_group_name +} diff --git a/templates/workspace_services/databricks/terraform/databricks-udr.json b/templates/workspace_services/databricks/terraform/databricks-udr.json new file mode 100644 index 0000000..36a9204 --- /dev/null +++ b/templates/workspace_services/databricks/terraform/databricks-udr.json 
@@ -0,0 +1,1136 @@ +{ + "australiacentral": { + "webappDestinationAddresses": ["13.75.218.172/32"], + "sccRelayDestinationAddresses": ["13.75.164.249/32"], + "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], + " ": ["dblogprodausteast.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodaustc.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodaustc2.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-australiaeast-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-australiacentral-prod-metastore.mysql.database.azure.com" + ] + }, + "australiacentral2": { + "webappDestinationAddresses": ["13.75.218.172/32"], + "sccRelayDestinationAddresses": ["13.75.164.249/32"], + "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], + "logBlobStorageDomains": ["dblogprodausteast.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodaustc2.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodaustc.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-australiaeast-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-australiacentral2-prod-metastore.mysql.database.azure.com" + ] + }, + "australiaeast": { + "webappDestinationAddresses": ["13.75.218.172/32"], + "sccRelayDestinationAddresses": ["13.75.164.249/32"], + "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], + "logBlobStorageDomains": 
["dblogprodausteast.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodauste.blob.core.windows.net", + "arprodaustea1.blob.core.windows.net", + "arprodaustea2.blob.core.windows.net", + "arprodaustea3.blob.core.windows.net", + "arprodaustea4.blob.core.windows.net", + "arprodaustea5.blob.core.windows.net", + "arprodaustea6.blob.core.windows.net", + "arprodaustea7.blob.core.windows.net", + "arprodaustea8.blob.core.windows.net", + "arprodaustea9.blob.core.windows.net", + "arprodaustea10.blob.core.windows.net", + "arprodaustea11.blob.core.windows.net", + "arprodaustea12.blob.core.windows.net", + "arprodaustea13.blob.core.windows.net", + "arprodaustea14.blob.core.windows.net", + "arprodaustea15.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodaustse.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-australiaeast-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-australiaeast-prod-metastore.mysql.database.azure.com", + "consolidated-australiaeast-prod-metastore-addl-1.mysql.database.azure.com" + ] + }, + "australiasoutheast": { + "webappDestinationAddresses": ["13.75.218.172/32"], + "sccRelayDestinationAddresses": ["13.75.164.249/32"], + "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], + "logBlobStorageDomains": ["dblogprodausteast.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodaustse.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodauste.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-australiaeast-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-australiasoutheast-prod-metastore.mysql.database.azure.com" + ] + }, + "brazilsouth": { + 
"webappDestinationAddresses": ["104.41.54.118/32"], + "sccRelayDestinationAddresses": ["23.97.106.142/32"], + "sccRelayDomains": ["tunnel.brazilsouth.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["191.232.53.223/32"], + "extendedInfrastructureDestinationAddresses": ["20.197.222.144/28"], + "logBlobStorageDomains": ["dblogprodbrazilsou.blob.core.windows.net."], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodbrazilsou.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodsafrican.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-brazilsouth-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-brazilsouth-prod-metastore.mysql.database.azure.com" + ] + }, + "canadacentral": { + "webappDestinationAddresses": ["13.71.184.74/32"], + "sccRelayDestinationAddresses": ["13.88.249.244/32"], + "sccRelayDomains": ["tunnel.canadacentral.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["40.85.223.25/32"], + "extendedInfrastructureDestinationAddresses": ["52.139.4.160/28"], + "logBlobStorageDomains": ["dblogprodcacentral.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcacentral.blob.core.windows.net", + "arprodcacentrala1.blob.core.windows.net", + "arprodcacentrala2.blob.core.windows.net", + "arprodcacentrala3.blob.core.windows.net", + "arprodcacentrala4.blob.core.windows.net", + "arprodcacentrala5.blob.core.windows.net", + "arprodcacentrala6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcaeast.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-canadacentral-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-canadacentral-prod-metastore.mysql.database.azure.com" + ] + }, + "canadaeast": { + "webappDestinationAddresses": ["13.71.184.74/32"], + "sccRelayDestinationAddresses": ["13.88.249.244/32"], + 
"sccRelayDomains": ["tunnel.canadacentral.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["40.85.223.25/32"], + "extendedInfrastructureDestinationAddresses": ["52.139.4.160/28"], + "logBlobStorageDomains": ["dblogprodcacentral.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcaeast.blob.core.windows.net", + "arprodcaeasta1.blob.core.windows.net", + "arprodcaeasta2.blob.core.windows.net", + "arprodcaeasta3.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcacentral.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-canadacentral-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-canadaeast-prod-metastore.mysql.database.azure.com" + ] + }, + "centralindia": { + "webappDestinationAddresses": ["104.211.89.81/32"], + "sccRelayDestinationAddresses": ["52.172.133.58/32"], + "sccRelayDomains": ["tunnel.centralindia.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["104.211.101.14/32"], + "extendedInfrastructureDestinationAddresses": ["20.193.246.208/28"], + "logBlobStorageDomains": ["dblogprodcindia.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcindia.blob.core.windows.net", + "arprodcindiaa1.blob.core.windows.net", + "arprodcindiaa2.blob.core.windows.net", + "arprodcindiaa3.blob.core.windows.net", + "arprodcindiaa4.blob.core.windows.net", + "arprodcindiaa5.blob.core.windows.net", + "arprodcindiaa6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwindia.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-centralindia-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-centralindia-prod-metastore.mysql.database.azure.com" + ] + }, + "centralus": { + "webappDestinationAddresses": ["40.70.58.221/32", "20.37.156.209/32"], + "sccRelayDestinationAddresses": ["13.86.58.215/32", 
"52.247.0.200/32"], + "sccRelayDomains": [ + "tunnel.eastus2.azuredatabricks.net", + "tunnel.centralusc2.azuredatabricks.net" + ], + "controlPlaneNatDestinationAddresses": [ + "23.101.152.95/32", + "20.37.156.208/32" + ], + "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], + "logBlobStorageDomains": [ + "dblogprodwestus.blob.core.windows.net", + "dblogprodcentralus.blob.core.windows.net" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcus.blob.core.windows.net", + "arprodcusa1.blob.core.windows.net", + "arprodcusa2.blob.core.windows.net", + "arprodcusa3.blob.core.windows.net", + "arprodcusa4.blob.core.windows.net", + "arprodcusa5.blob.core.windows.net", + "arprodcusa6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodscus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus-observabilityEventHubs.servicebus.windows.net", + "prod-centralusc2-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-centralus-prod-metastore.mysql.database.azure.com", + "consolidated-centralus-prod-metastore-addl-1.mysql.database.azure.com", + "consolidated-centralus-prod-metastore-addl-2.mysql.database.azure.com", + "consolidated-centralus-prod-metastore-addl-3.mysql.database.azure.com", + "consolidated-centralusc2-prod-metastore-0.mysql.database.azure.com", + "consolidated-centralusc2-prod-metastore-1.mysql.database.azure.com", + "consolidated-centralusc2-prod-metastore-2.mysql.database.azure.com", + "consolidated-centralusc2-prod-metastore-3.mysql.database.azure.com" + ] + }, + "chinaeast2": { + "webappDestinationAddresses": ["52.130.1.64/32"], + "sccRelayDestinationAddresses": ["52.130.1.65/32"], + "sccRelayDomains": ["tunnel.chinaeast2.databricks.azure.cn"], + "controlPlaneNatDestinationAddresses": ["52.130.1.65/32"], + "extendedInfrastructureDestinationAddresses": [], + "logBlobStorageDomains": ["dblogprodchinaeast2.blob.core.chinacloudapi.cn"], + 
"artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcne2.blob.core.chinacloudapi.cn" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcnn2.blob.core.chinacloudapi.cn" + ], + "eventHubEndpointDomains": [ + "prod-chinaeast2-observabilityeventhubs.servicebus.chinacloudapi.cn" + ], + "metastoreDomains": [ + "consolidated-chinaeast2-prod-metastore-0.mysql.database.chinacloudapi.cn" + ] + }, + + "chinaeast3": { + "webappDestinationAddresses": ["52.130.1.64/32"], + "sccRelayDestinationAddresses": ["52.130.1.65/32"], + "sccRelayDomains": ["tunnel.chinaeast2.databricks.azure.cn"], + "controlPlaneNatDestinationAddresses": ["52.130.1.65/32"], + "extendedInfrastructureDestinationAddresses": [], + "logBlobStorageDomains": ["dblogprodchinaeast3.blob.core.chinacloudapi.cn"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcne3.blob.core.chinacloudapi.cn" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcne3.blob.core.chinacloudapi.cn" + ], + "eventHubEndpointDomains": [ + "prod-chinaeast2-observabilityeventhubs.servicebus.chinacloudapi.cn" + ], + "metastoreDomains": [ + "consolidated-chinaeast3-prod-metastore-0.mysql.database.chinacloudapi.cn" + ] + }, + + "chinanorth2": { + "webappDestinationAddresses": ["52.130.16.113/32"], + "sccRelayDestinationAddresses": ["52.130.16.112/32"], + "sccRelayDomains": ["tunnel.chinanorth2.databricks.azure.cn"], + "controlPlaneNatDestinationAddresses": ["52.130.16.112/32"], + "extendedInfrastructureDestinationAddresses": [], + "logBlobStorageDomains": [ + "dblogprodchinanorth2.blob.core.chinacloudapi.cn" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcnn2.blob.core.chinacloudapi.cn" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcnn2.blob.core.chinacloudapi.cn " + ], + "eventHubEndpointDomains": [ + "prod-chinanorth2-observabilityeventhubs.servicebus.chinacloudapi.cn" + ], + "metastoreDomains": [ + 
"consolidated-chinanorth2-prod-metastore-0.mysql.database.chinacloudapi.cn" + ] + }, + + "chinanorth3": { + "webappDestinationAddresses": ["52.130.16.113/32"], + "sccRelayDestinationAddresses": ["52.130.16.112/32"], + "sccRelayDomains": ["tunnel.chinanorth2.databricks.azure.cn"], + "controlPlaneNatDestinationAddresses": ["52.130.16.112/32"], + "extendedInfrastructureDestinationAddresses": [], + "logBlobStorageDomains": [ + "dblogprodchinanorth3.blob.core.chinacloudapi.cn" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodcnn3.blob.core.chinacloudapi.cn" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcnn3.blob.core.chinacloudapi.cn" + ], + "eventHubEndpointDomains": [ + "prod-chinanorth2-observabilityeventhubs.servicebus.chinacloudapi.cn" + ], + "metastoreDomains": [ + "consolidated-chinanorth3-prod-metastore-0.mysql.database.chinacloudapi.cn" + ] + }, + + "eastasia": { + "webappDestinationAddresses": ["52.187.145.107/32"], + "sccRelayDestinationAddresses": ["102.37.41.3/32"], + "sccRelayDomains": ["tunnel.southeastasia.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["52.187.0.85/32"], + "extendedInfrastructureDestinationAddresses": ["20.195.104.64/28"], + "logBlobStorageDomains": [ + "dblogprodseasia.blob.core.windows.net", + "dblogprodeastasia.blob.core.windows.net" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodeap.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodseap.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-eastasiac2-observabilityeventhubs.servicebus.windows.net", + "prod-southeastasia-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-eastasia-prod-metastore.mysql.database.azure.com", + "consolidated-eastasiac2-prod-metastore-0.mysql.database.azure.com" + ] + }, + "eastus": { + "webappDestinationAddresses": [ + "40.70.58.221/32", + "20.42.4.209/32", + "20.42.4.211/32" + ], + 
"sccRelayDestinationAddresses": ["52.247.0.200/32", "52.146.50.16/32"], + "sccRelayDomains": [ + "tunnel.eastus2.azuredatabricks.net", + "tunnel.eastusc3.azuredatabricks.net" + ], + "controlPlaneNatDestinationAddresses": [ + "23.101.152.95/32", + "20.42.4.208/32", + "20.42.4.210/32" + ], + "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], + "logBlobStorageDomains": [ + "dblogprodwestus.blob.core.windows.net", + "dblogprodeastus.blob.core.windows.net" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodeastus.blob.core.windows.net", + "arprodeastusa1.blob.core.windows.net", + "arprodeastusa2.blob.core.windows.net", + "arprodeastusa3.blob.core.windows.net", + "arprodeastusa4.blob.core.windows.net", + "arprodeastusa5.blob.core.windows.net", + "arprodeastusa6.blob.core.windows.net", + "arprodeastusa7.blob.core.windows.net", + "arprodeastusa8.blob.core.windows.net", + "arprodeastusa9.blob.core.windows.net", + "arprodeastusa10.blob.core.windows.net", + "arprodeastusa11.blob.core.windows.net", + "arprodeastusa12.blob.core.windows.net", + "arprodeastusa13.blob.core.windows.net", + "arprodeastusa14.blob.core.windows.net", + "arprodeastusa15.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodeastus2.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus-observabilityEventHubs.servicebus.windows.net", + "prod-eastusc2-observabilityeventhubs.servicebus.windows.net", + "prod-eastusc3-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-eastus-prod-metastore.mysql.database.azure.com", + "consolidated-eastus-prod-metastore-addl-1.mysql.database.azure.com", + "consolidated-eastus-prod-metastore-addl-2.mysql.database.azure.com", + "consolidated-eastus-prod-metastore-addl-3.mysql.database.azure.com", + "consolidated-eastus-prod-metastore-addl-4.mysql.database.azure.com", + "consolidated-eastusc3-prod-metastore-0.mysql.database.azure.com", + 
"consolidated-eastusc3-prod-metastore-1.mysql.database.azure.com", + "consolidated-eastusc3-prod-metastore-2.mysql.database.azure.com", + "consolidated-eastusc3-prod-metastore-3.mysql.database.azure.com" + ] + }, + "eastus2": { + "webappDestinationAddresses": ["40.70.58.221/32", "20.41.4.113/32"], + "sccRelayDestinationAddresses": ["52.247.0.200/32", "20.186.83.56/32"], + "sccRelayDomains": [ + "tunnel.eastus2.azuredatabricks.net", + "tunnel.eastus2c2.azuredatabricks.net" + ], + "controlPlaneNatDestinationAddresses": [ + "23.101.152.95/32", + "20.41.4.112/32" + ], + "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], + "logBlobStorageDomains": [ + "dblogprodwestus.blob.core.windows.net", + "dblogprodeastus2.blob.core.windows.net" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodeastus2.blob.core.windows.net", + "arprodeastus2a1.blob.core.windows.net", + "arprodeastus2a2.blob.core.windows.net", + "arprodeastus2a3.blob.core.windows.net", + "arprodeastus2a4.blob.core.windows.net", + "arprodeastus2a5.blob.core.windows.net", + "arprodeastus2a6.blob.core.windows.net", + "arprodeastus2a7.blob.core.windows.net", + "arprodeastus2a8.blob.core.windows.net", + "arprodeastus2a9.blob.core.windows.net", + "arprodeastus2a10.blob.core.windows.net", + "arprodeastus2a11.blob.core.windows.net", + "arprodeastus2a12.blob.core.windows.net", + "arprodeastus2a13.blob.core.windows.net", + "arprodeastus2a14.blob.core.windows.net", + "arprodeastus2a15.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodeastus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus-observabilityEventHubs.servicebus.windows.net", + "prod-eastus2c2-observabilityeventhubs.servicebus.windows.net", + "prod-eastus2c3-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-eastus2-prod-metastore.mysql.database.azure.com", + "consolidated-eastus2-prod-metastore-addl-1.mysql.database.azure.com", + 
"consolidated-eastus2-prod-metastore-addl-2.mysql.database.azure.com", + "consolidated-eastus2-prod-metastore-addl-3.mysql.database.azure.com", + "consolidated-eastus2c2-prod-metastore-0.mysql.database.azure.com", + "consolidated-eastus2c2-prod-metastore-1.mysql.database.azure.com", + "consolidated-eastus2c2-prod-metastore-2.mysql.database.azure.com", + "consolidated-eastus2c2-prod-metastore-3.mysql.database.azure.com", + "consolidated-eastus2c3-prod-metastore-0.mysql.database.azure.com" + ] + }, + + "eastus2euap": { + "webappDestinationAddresses": [""], + "sccRelayDestinationAddresses": [""], + "sccRelayDomains": [""], + "controlPlaneNatDestinationAddresses": [""], + "extendedInfrastructureDestinationAddresses": [], + "logBlobStorageDomains": [""], + "artifactBlobStoragePrimaryDomains": [""], + "artifactBlobStorageSecondaryDomains": [""], + "eventHubEndpointDomains": [""], + "metastoreDomains": [""] + }, + + "francecentral": { + "webappDestinationAddresses": ["40.89.168.225/32"], + "sccRelayDestinationAddresses": ["51.103.18.111/32"], + "sccRelayDomains": ["tunnel.francecentral.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["40.89.171.101/32"], + "extendedInfrastructureDestinationAddresses": ["20.74.69.128/28"], + "logBlobStorageDomains": ["dblogprodfrcentral.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodfrcentral.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodukwest.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-francecentral-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-francecentral-prod-metastore.mysql.database.azure.com" + ] + }, + "germanywestcentral": { + "webappDestinationAddresses": ["20.52.93.41/32"], + "sccRelayDestinationAddresses": ["20.52.93.40/32"], + "sccRelayDomains": ["tunnel.germanywestcentral.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["20.52.93.42/32"], + 
"extendedInfrastructureDestinationAddresses": ["20.52.93.40/29"], + "logBlobStorageDomains": ["dblogprodgerwescen.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodgerwescen.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodswissnor.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-germanywestcentral-observabilityEventHubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-germanywestcentral-prod-metastore-0.mysql.database.azure.com" + ] + }, + "japaneast": { + "webappDestinationAddresses": ["52.246.160.72/32"], + "sccRelayDestinationAddresses": ["20.46.121.76/32"], + "sccRelayDomains": ["tunnel.japaneast.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["13.78.19.235/32"], + "extendedInfrastructureDestinationAddresses": ["20.78.226.176/28"], + "logBlobStorageDomains": ["dblogprodjapaneast.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodjapaneast.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodjapanwest.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-japaneast-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-japaneast-prod-metastore.mysql.database.azure.com" + ] + }, + "japanwest": { + "webappDestinationAddresses": ["52.246.160.72/32"], + "sccRelayDestinationAddresses": ["20.46.121.76/32"], + "sccRelayDomains": ["tunnel.japaneast.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["13.78.19.235/32"], + "extendedInfrastructureDestinationAddresses": ["20.78.226.176/28"], + "logBlobStorageDomains": ["dblogprodjapaneast.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodjapanwest.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodjapaneast.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + 
"prod-japaneast-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-japanwest-prod-metastore.mysql.database.azure.com" + ] + }, + "koreacentral": { + "webappDestinationAddresses": ["52.141.22.164/32"], + "sccRelayDestinationAddresses": ["20.194.4.102/32"], + "sccRelayDomains": ["tunnel.koreacentral.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["52.141.6.181/32"], + "extendedInfrastructureDestinationAddresses": ["20.194.107.48/28"], + "logBlobStorageDomains": ["dblogprodkoreacentral.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodkoreacen.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-koreacentral-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-koreacentral-prod-metastore.mysql.database.azure.com" + ] + }, + "northcentralus": { + "webappDestinationAddresses": ["40.70.58.221/32", "40.80.188.0/32"], + "sccRelayDestinationAddresses": ["52.247.0.200/32", "23.100.226.13/32"], + "sccRelayDomains": [ + "tunnel.eastus2.azuredatabricks.net", + "tunnel.northcentralusc2.azuredatabricks.net" + ], + "controlPlaneNatDestinationAddresses": [ + "23.101.152.95/32", + "40.80.188.1/32" + ], + "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], + "logBlobStorageDomains": [ + "dblogprodwestus.blob.core.windows.net", + "dblogprodncentralus.blob.core.windows.net" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodncus.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus-observabilityEventHubs.servicebus.windows.net", + "prod-northcentralusc2-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-northcentralus-prod-metastore.mysql.database.azure.com", + 
"consolidated-northcentralusc2-prod-metastore-0.mysql.database.azure.com" + ] + }, + "northeurope": { + "webappDestinationAddresses": ["52.232.19.246/32", "20.38.84.81/32"], + "sccRelayDestinationAddresses": ["23.97.201.41/32", "40.127.147.196/32"], + "sccRelayDomains": [ + "tunnel.westeurope.azuredatabricks.net", + "tunnel.northeuropec2.azuredatabricks.net" + ], + "controlPlaneNatDestinationAddresses": [ + "23.100.0.135/32", + "20.38.84.80/32" + ], + "extendedInfrastructureDestinationAddresses": ["20.73.215.48/28"], + "logBlobStorageDomains": ["dblogprodwesteurope.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodnortheu.blob.core.windows.net", + "arprodnortheua1.blob.core.windows.net", + "arprodnortheua2.blob.core.windows.net", + "arprodnortheua3.blob.core.windows.net", + "arprodnortheua4.blob.core.windows.net", + "arprodnortheua5.blob.core.windows.net", + "arprodnortheua6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwesteu.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westeurope-observabilityeventhubs.servicebus.windows.net", + "prod-northeuropec2-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-northeurope-prod-metastore.mysql.database.azure.com", + "consolidated-northeurope-prod-metastore-addl-1.mysql.database.azure.com", + "consolidated-northeurope-prod-metastore-addl-2.mysql.database.azure.com", + "consolidated-northeurope-prod-metastore-addl-3.mysql.database.azure.com", + "consolidated-northeuropec2-prod-metastore-0.mysql.database.azure.com", + "consolidated-northeuropec2-prod-metastore-1.mysql.database.azure.com", + "consolidated-northeuropec2-prod-metastore-2.mysql.database.azure.com", + "consolidated-northeuropec2-prod-metastore-3.mysql.database.azure.com" + ] + }, + "norwayeast": { + "webappDestinationAddresses": ["51.120.40.120/32"], + "sccRelayDestinationAddresses": ["51.120.40.122/32"], + "sccRelayDomains": 
["tunnel.norwayeast.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["51.120.40.121/32"], + "extendedInfrastructureDestinationAddresses": ["51.13.86.224/28"], + "logBlobStorageDomains": ["dblogprodnweast.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodnweast.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-norwayeast-observabilityEventHubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-norwayeast-prod-metastore-0.mysql.database.azure.com" + ] + }, + "southafricanorth": { + "webappDestinationAddresses": ["102.133.224.24/32"], + "sccRelayDestinationAddresses": ["102.37.41.3/32"], + "sccRelayDomains": ["tunnel.southafricanorth.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["40.127.5.82/32"], + "extendedInfrastructureDestinationAddresses": ["102.133.192.48/28"], + "logBlobStorageDomains": ["dblogprodsafrican.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodsafrican.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-southafricanorth-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-southafricanorth-prod-metastore.mysql.database.azure.com" + ] + }, + "southcentralus": { + "webappDestinationAddresses": ["40.118.174.12/32", "40.119.9.208/32"], + "sccRelayDestinationAddresses": ["40.86.167.110/32"], + "sccRelayDomains": ["tunnel.westus.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": [ + "40.83.178.242/32", + "40.119.9.209/32" + ], + "extendedInfrastructureDestinationAddresses": ["13.91.84.96/28"], + "logBlobStorageDomains": [ + "dblogprodwestus.blob.core.windows.net", + "dblogprodscentralus.blob.core.windows.net" + ], + "artifactBlobStoragePrimaryDomains": [ + 
"dbartifactsprodscus.blob.core.windows.net", + "arprodscusa1.blob.core.windows.net", + "arprodscusa2.blob.core.windows.net", + "arprodscusa3.blob.core.windows.net", + "arprodscusa4.blob.core.windows.net", + "arprodscusa5.blob.core.windows.net", + "arprodscusa6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodncus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus-observabilityEventHubs.servicebus.windows.net", + "prod-southcentralusc2-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-southcentralus-prod-metastore.mysql.database.azure.com", + "consolidated-southcentralus-prod-metastore-addl-1.mysql.database.azure.com", + "consolidated-southcentralusc2-prod-metastore-addl-1.mysql.database.azure.com" + ] + }, + "southindia": { + "webappDestinationAddresses": ["104.211.89.81/32"], + "sccRelayDestinationAddresses": ["52.172.133.58/32"], + "sccRelayDomains": ["tunnel.centralindia.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["104.211.101.14/32"], + "extendedInfrastructureDestinationAddresses": ["20.193.246.208/28"], + "logBlobStorageDomains": ["dblogprodcindia.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodsindia.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodcindia.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-centralindia-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-southindia-prod-metastore.mysql.database.azure.com" + ] + }, + "southeastasia": { + "webappDestinationAddresses": ["52.187.145.107/32"], + "sccRelayDestinationAddresses": ["52.230.27.216/32"], + "sccRelayDomains": ["tunnel.southeastasia.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["52.187.0.85/32"], + "extendedInfrastructureDestinationAddresses": ["20.195.104.64/28"], + "logBlobStorageDomains": 
["dblogprodseasia.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodseap.blob.core.windows.net", + "arprodseapa1.blob.core.windows.net", + "arprodseapa2.blob.core.windows.net", + "arprodseapa3.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodeap.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-southeastasia-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-southeastasia-prod-metastore.mysql.database.azure.com", + "consolidated-southeastasia-prod-metastore-addl-1.mysql.database.azure.com" + ] + }, + "swedencentral": { + "webappDestinationAddresses": ["51.12.41.16/32"], + "sccRelayDestinationAddresses": ["51.12.41.18/32"], + "sccRelayDomains": ["tunnel.swedencentral.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["51.12.41.17/32"], + "extendedInfrastructureDestinationAddresses": ["20.91.164.16/28"], + "logBlobStorageDomains": ["dblogprodswissnor.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodswissnor.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwesteu.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-switzerlandnorth-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-switzerlandnorth-prod-metastore-0.mysql.database.azure.com" + ] + }, + "switzerlandnorth": { + "webappDestinationAddresses": ["51.107.48.120/32"], + "sccRelayDestinationAddresses": ["51.107.203.195/32"], + "sccRelayDomains": ["tunnel.switzerlandnorth.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["51.107.48.121/32"], + "extendedInfrastructureDestinationAddresses": ["51.103.172.176/28"], + "logBlobStorageDomains": [""], + "artifactBlobStoragePrimaryDomains": [""], + "artifactBlobStorageSecondaryDomains": [""], + "eventHubEndpointDomains": [""], + "metastoreDomains": [""] + }, + "switzerlandwest": { + 
"webappDestinationAddresses": ["51.107.144.68/32"], + "sccRelayDestinationAddresses": ["51.107.144.70/32"], + "sccRelayDomains": ["tunnel.switzerlandwest.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["51.107.144.69/32"], + "extendedInfrastructureDestinationAddresses": ["51.107.233.80/28"], + "logBlobStorageDomains": ["dblogprodswisswest.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodswisswest.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodswissnor.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-switzerlandwest-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-switzerlandwest-prod-metastore-0.mysql.database.azure.com", + "consolidated-switzerlandwest-prod-metastore-0.mysql.database.azure.com" + ] + }, + "uaenorth": { + "webappDestinationAddresses": ["40.123.212.253/32"], + "sccRelayDestinationAddresses": ["40.123.225.135/32"], + "sccRelayDomains": ["tunnel.uaenorth.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["40.123.218.63/32"], + "extendedInfrastructureDestinationAddresses": ["40.120.89.0/28"], + "logBlobStorageDomains": ["dblogproduaenorth.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsproduaenorth.blob.core.windows.net", + "arproduaenortha1.blob.core.windows.net", + "arproduaenortha2.blob.core.windows.net", + "arproduaenortha3.blob.core.windows.net", + "arproduaenortha4.blob.core.windows.net", + "arproduaenortha5.blob.core.windows.net", + "arproduaenortha6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodsafrican.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-uaenorth-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-uaenorth-prod-metastore.mysql.database.azure.com" + ] + }, + "uksouth": { + "webappDestinationAddresses": ["51.140.204.4/32"], + 
"sccRelayDestinationAddresses": ["51.141.103.193/32"], + "sccRelayDomains": ["tunnel.ukwest.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["51.140.203.27/32"], + "extendedInfrastructureDestinationAddresses": ["51.141.64.128/28"], + "logBlobStorageDomains": ["dblogprodukwest.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsproduksouth.blob.core.windows.net", + "arproduksoutha1.blob.core.windows.net", + "arproduksoutha2.blob.core.windows.net", + "arproduksoutha3.blob.core.windows.net", + "arproduksoutha4.blob.core.windows.net", + "arproduksoutha5.blob.core.windows.net", + "arproduksoutha6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodukwest.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-ukwest-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-uksouth-prod-metastore.mysql.database.azure.com", + "consolidated-uksouth-prod-metastore-addl-1.mysql.database.azure.com" + ] + }, + "ukwest": { + "webappDestinationAddresses": ["51.140.204.4/32"], + "sccRelayDestinationAddresses": ["51.141.103.193/32"], + "sccRelayDomains": ["tunnel.ukwest.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["51.140.203.27/32"], + "extendedInfrastructureDestinationAddresses": ["51.141.64.128/28"], + "logBlobStorageDomains": ["dblogprodukwest.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodukwest.blob.core.windows.net", + "arprodukwesta1.blob.core.windows.net", + "arprodukwesta2.blob.core.windows.net", + "arprodukwesta3.blob.core.windows.net", + "arprodukwesta4.blob.core.windows.net", + "arprodukwesta5.blob.core.windows.net", + "arprodukwesta6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsproduksouth.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-ukwest-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + 
"consolidated-ukwest-prod-metastore.mysql.database.azure.com" + ] + }, + "usgovarizona": { + "webappDestinationAddresses": ["52.244.37.5/32"], + "sccRelayDestinationAddresses": ["52.244.38.231/32"], + "sccRelayDomains": ["tunnel.usgovarizona.databricks.azure.us"], + "controlPlaneNatDestinationAddresses": ["20.140.48.120/32"], + "extendedInfrastructureDestinationAddresses": [], + "logBlobStorageDomains": ["dblogprodusgovvirg.blob.core.usgovcloudapi.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodusgariz.blob.core.usgovcloudapi.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodusgvirg.blob.core.usgovcloudapi.net" + ], + "eventHubEndpointDomains": [ + "prod-usgovarizona-observabilityeventhubs.servicebus.usgovcloudapi.net" + ], + "metastoreDomains": [ + "consolidated-usgovarizona-prod-metastore-0.mysql.database.usgovcloudapi.net" + ] + }, + "usgovvirginia": { + "webappDestinationAddresses": ["52.227.227.164/32"], + "sccRelayDestinationAddresses": ["52.227.226.255/32"], + "sccRelayDomains": ["tunnel.usgovvirginia.databricks.azure.us"], + "controlPlaneNatDestinationAddresses": ["52.127.49.73/32"], + "extendedInfrastructureDestinationAddresses": [], + "logBlobStorageDomains": ["dblogprodusgovvirg.blob.core.usgovcloudapi.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodusgvirg.blob.core.usgovcloudapi.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodusgariz.blob.core.usgovcloudapi.net" + ], + "eventHubEndpointDomains": [ + "prod-usgovvirginia-observabilityeventhubs.servicebus.usgovcloudapi.net" + ], + "metastoreDomains": [ + "consolidated-usgovvirginia-prod-metastore.mysql.database.usgovcloudapi.net" + ] + }, + "westcentralus": { + "webappDestinationAddresses": ["52.150.136.68/32"], + "sccRelayDestinationAddresses": ["52.150.136.70/32"], + "sccRelayDomains": ["tunnel.westcentralus.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["52.150.136.69/32"], + 
"extendedInfrastructureDestinationAddresses": ["52.161.34.0/28"], + "logBlobStorageDomains": ["dblogprodwcentus.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodwcentus.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westcentralus-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-westcentralus-prod-metastore-0.mysql.database.azure.com" + ] + }, + "westeurope": { + "webappDestinationAddresses": ["52.232.19.246/32", "40.74.30.80/32"], + "sccRelayDestinationAddresses": ["23.97.201.41/32", "51.138.96.158/32"], + "sccRelayDomains": [ + "tunnel.westeurope.azuredatabricks.net", + "tunnel.westeuropec2.azuredatabricks.net" + ], + "controlPlaneNatDestinationAddresses": [ + "23.100.0.135/32", + "40.74.30.81/32" + ], + "extendedInfrastructureDestinationAddresses": ["20.73.215.48/28"], + "logBlobStorageDomains": ["dblogprodwesteurope.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodwesteu.blob.core.windows.net", + "arprodwesteua1.blob.core.windows.net", + "arprodwesteua2.blob.core.windows.net", + "arprodwesteua3.blob.core.windows.net", + "arprodwesteua4.blob.core.windows.net", + "arprodwesteua5.blob.core.windows.net", + "arprodwesteua6.blob.core.windows.net", + "arprodwesteua7.blob.core.windows.net", + "arprodwesteua8.blob.core.windows.net", + "arprodwesteua9.blob.core.windows.net", + "arprodwesteua10.blob.core.windows.net", + "arprodwesteua11.blob.core.windows.net", + "arprodwesteua12.blob.core.windows.net", + "arprodwesteua13.blob.core.windows.net", + "arprodwesteua14.blob.core.windows.net", + "arprodwesteua15.blob.core.windows.net", + "arprodwesteua16.blob.core.windows.net", + "arprodwesteua17.blob.core.windows.net", + "arprodwesteua18.blob.core.windows.net", + "arprodwesteua19.blob.core.windows.net", + "arprodwesteua20.blob.core.windows.net", + 
"arprodwesteua21.blob.core.windows.net", + "arprodwesteua22.blob.core.windows.net", + "arprodwesteua23.blob.core.windows.net", + "arprodwesteua24.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodnortheu.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westeurope-observabilityeventhubs.servicebus.windows.net", + "prod-westeuc2-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-westeurope-prod-metastore.mysql.database.azure.com", + "consolidated-westeurope-prod-metastore-addl-1.mysql.database.azure.com", + "consolidated-westeurope-prod-metastore-addl-2.mysql.database.azure.com", + "consolidated-westeurope-prod-metastore-addl-3.mysql.database.azure.com", + "consolidated-westeuropec2-prod-metastore-0.mysql.database.azure.com", + "consolidated-westeuropec2-prod-metastore-1.mysql.database.azure.com", + "consolidated-westeuropec2-prod-metastore-2.mysql.database.azure.com", + "consolidated-westeuropec2-prod-metastore-3.mysql.database.azure.com" + ] + }, + "westindia": { + "webappDestinationAddresses": ["104.211.89.81/32"], + "sccRelayDestinationAddresses": ["52.172.133.58/32"], + "sccRelayDomains": ["tunnel.centralindia.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["104.211.101.14/32"], + "extendedInfrastructureDestinationAddresses": ["20.193.246.208/28"], + "logBlobStorageDomains": ["dblogprodcindia.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodwindia.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodsindia.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-centralindia-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-westindia-prod-metastore.mysql.database.azure.com" + ] + }, + "westus": { + "webappDestinationAddresses": ["40.118.174.12/32", "20.42.129.160/32"], + "sccRelayDestinationAddresses": ["40.86.167.110/32"], + 
"sccRelayDomains": ["tunnel.westus.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": [ + "40.83.178.242/32", + "20.42.129.161/32" + ], + "extendedInfrastructureDestinationAddresses": ["13.91.84.96/28"], + "logBlobStorageDomains": ["dblogprodwestus.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodwestus.blob.core.windows.net", + "arprodwestusa1.blob.core.windows.net", + "arprodwestusa2.blob.core.windows.net", + "arprodwestusa3.blob.core.windows.net", + "arprodwestusa4.blob.core.windows.net", + "arprodwestusa5.blob.core.windows.net", + "arprodwestusa6.blob.core.windows.net", + "arprodwestusa7.blob.core.windows.net", + "arprodwestusa8.blob.core.windows.net", + "arprodwestusa9.blob.core.windows.net", + "arprodwestusa10.blob.core.windows.net", + "arprodwestusa11.blob.core.windows.net", + "arprodwestusa12.blob.core.windows.net", + "arprodwestusa13.blob.core.windows.net", + "arprodwestusa14.blob.core.windows.net", + "arprodwestusa15.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus2.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus-observabilityEventHubs.servicebus.windows.net", + "prod-westus2c2-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-westus-prod-metastore.mysql.database.azure.com", + "consolidated-westus-prod-metastore-addl-1.mysql.database.azure.com", + "consolidated-westus-prod-metastore-addl-2.mysql.database.azure.com", + "consolidated-westus-prod-metastore-addl-3.mysql.database.azure.com", + "consolidated-westus2c2-prod-metastore-addl-1.mysql.database.azure.com" + ] + }, + "westus2": { + "webappDestinationAddresses": ["40.118.174.12/32"], + "sccRelayDestinationAddresses": ["40.86.167.110/32"], + "sccRelayDomains": ["tunnel.westus.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["40.83.178.242/32"], + "extendedInfrastructureDestinationAddresses": ["13.91.84.96/28"], + 
"logBlobStorageDomains": [ + "dblogprodwestus.blob.core.windows.net", + "dblogprodwestus2.blob.core.windows.net" + ], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodwestus2.blob.core.windows.net", + "arprodwestus2a1.blob.core.windows.net", + "arprodwestus2a2.blob.core.windows.net", + "arprodwestus2a3.blob.core.windows.net", + "arprodwestus2a4.blob.core.windows.net", + "arprodwestus2a5.blob.core.windows.net", + "arprodwestus2a6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus-observabilityEventHubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-westus2-prod-metastore.mysql.database.azure.com", + "consolidated-westus2-prod-metastore-addl-1.mysql.database.azure.com", + "consolidated-westus2-prod-metastore-addl-2.mysql.database.azure.com" + ] + }, + "westus3": { + "webappDestinationAddresses": ["20.150.160.106"], + "sccRelayDestinationAddresses": ["40.86.167.110/32"], + "sccRelayDomains": ["tunnel.westus3.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": ["20.150.160.104"], + "extendedInfrastructureDestinationAddresses": ["20.125.82.0/28"], + "logBlobStorageDomains": ["dblogprodwestus3.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodwestus3.blob.core.windows.net", + "arprodwestus3a1.blob.core.windows.net", + "arprodwestus3a2.blob.core.windows.net", + "arprodwestus3a3.blob.core.windows.net", + "arprodwestus3a4.blob.core.windows.net", + "arprodwestus3a5.blob.core.windows.net", + "arprodwestus3a6.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus3.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-westus3-observabilityEventHubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-westus3-prod-metastore-0.mysql.database.azure.com" + ] + } +} 
diff --git a/templates/workspace_services/databricks/terraform/deploy.sh b/templates/workspace_services/databricks/terraform/deploy.sh
new file mode 100755
index 0000000..c188837
--- /dev/null
+++ b/templates/workspace_services/databricks/terraform/deploy.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+# Uncomment this line to see each command for debugging (careful: this will show secrets!)
+#set -o xtrace
+
+export TF_LOG="TRACE"
+export TF_LOG_PATH="/home/adminuser/tf.log"
+
+# shellcheck disable=SC2154
+terraform init -input=false -backend=true -reconfigure \
+ -backend-config="resource_group_name=$TF_VAR_mgmt_resource_group_name" \
+ -backend-config="storage_account_name=$TF_VAR_mgmt_storage_account_name" \
+ -backend-config="container_name=$TF_VAR_terraform_state_container_name" \
+ -backend-config="key=tre-workspace-service-gitea-${TF_VAR_id}"
+
+terraform plan
+
+terraform apply -auto-approve
diff --git a/templates/workspace_services/databricks/terraform/locals.tf b/templates/workspace_services/databricks/terraform/locals.tf
new file mode 100644
index 0000000..c78b989
--- /dev/null
+++ b/templates/workspace_services/databricks/terraform/locals.tf
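Review bot: The backend state key on the last `-backend-config` line is `tre-workspace-service-gitea-${TF_VAR_id}`, carried over from the Gitea service; for this Databricks template it should read `-backend-config="key=tre-workspace-service-databricks-${TF_VAR_id}"` so the state blob is identifiable as belonging to this service and cannot be confused with (or, should an id ever be reused, overwrite) a Gitea service's state. Separately, `export TF_LOG="TRACE"` writes provider-level traces, which include full HTTP request and response bodies, to `/home/adminuser/tf.log` on every run; that carries the same secret-exposure risk the script already warns about for `set -o xtrace`, so either drop it, gate it behind an opt-in environment variable, or at least mirror that warning in a comment. Finally, `terraform plan` runs without `-out` and the following `terraform apply -auto-approve` re-plans independently, so the plan that is printed is not the one applied; `terraform plan -out=tfplan` followed by `terraform apply tfplan` closes that gap.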
@@ -0,0 +1,28 @@
+locals {
+ databricks_subnets = cidrsubnets(var.address_space, 1, 1)
+ container_subnet_address_space = local.databricks_subnets[0] # .0 - .127
+ host_subnet_address_space = local.databricks_subnets[1] # .128 - .254
+ short_service_id = substr(var.tre_resource_id, -4, -1)
+ short_workspace_id = substr(var.workspace_id, -4, -1)
+ workspace_resource_name_suffix = "${var.tre_id}-ws-${local.short_workspace_id}"
+ service_resource_name_suffix = "${var.tre_id}-ws-${local.short_workspace_id}-svc-${local.short_service_id}"
+ resource_group_name = "rg-${var.tre_id}-ws-${local.short_workspace_id}"
+ virtual_network_name = "vnet-${local.workspace_resource_name_suffix}"
+ core_resource_group_name = "rg-${var.tre_id}"
+ firewall_name = "fw-${var.tre_id}"
+ databricks_workspace_name = "adb-${local.service_resource_name_suffix}"
+ managed_resource_group_name = "rg-${local.service_resource_name_suffix}"
+ host_subnet_name = "adb-host-subnet-${local.service_resource_name_suffix}"
+ container_subnet_name = "adb-container-subnet-${local.service_resource_name_suffix}"
+ network_security_group_name = "nsg-${local.service_resource_name_suffix}"
+ route_table_name = "rt-${local.service_resource_name_suffix}"
+ # databricks-udr.json was build according to this page https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/udr
+ map_location_url_config = jsondecode(file("${path.module}/databricks-udr.json"))
+ storage_name = lower(replace("stgdbfs${substr(local.service_resource_name_suffix, -8, -1)}", "-", ""))
+
+ tre_workspace_service_tags = {
+ tre_id = var.tre_id
+ tre_workspace_id = var.workspace_id
+ tre_workspace_service_id = var.tre_resource_id
+ }
+}
diff --git a/templates/workspace_services/databricks/terraform/main.tf b/templates/workspace_services/databricks/terraform/main.tf
new file mode 100644
index 0000000..01bc718
--- /dev/null
+++ b/templates/workspace_services/databricks/terraform/main.tf
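Review bot: The comments `# .0 - .127` and `# .128 - .254` on the two `cidrsubnets` results describe a /24 `address_space` only; `cidrsubnets(var.address_space, 1, 1)` halves whatever prefix is passed in, so for any other size the ranges are wrong, and the second half of a /24 ends at .255 in any case. Suggest `# first half of var.address_space (e.g. x.x.x.0/25 for a /24)` and `# second half of var.address_space (e.g. x.x.x.128/25 for a /24)`. Also, `short_service_id` and `short_workspace_id` keep only the last four characters of the ids, so every derived name (`service_resource_name_suffix`, `storage_name`, the subnet, NSG and route table names) is unique only to the extent those suffixes are; a comment stating that assumption is worth adding, since `storage_name` is also the globally unique name the Databricks managed storage account is created with.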
@@ -0,0 +1,28 @@
+resource "azurerm_databricks_workspace" "databricks" {
+ name = local.databricks_workspace_name
+ resource_group_name = data.azurerm_resource_group.ws.name
+ location = data.azurerm_resource_group.ws.location
+ sku = "premium"
+ managed_resource_group_name = local.managed_resource_group_name
+ infrastructure_encryption_enabled = true
+ public_network_access_enabled = var.is_exposed_externally
+ network_security_group_rules_required = "NoAzureDatabricksRules"
+ tags = local.tre_workspace_service_tags
+
+ lifecycle { ignore_changes = [tags] }
+
+ custom_parameters {
+ no_public_ip = true
+ public_subnet_name = azurerm_subnet.host.name
+ private_subnet_name = azurerm_subnet.container.name
+ virtual_network_id = data.azurerm_virtual_network.ws.id
+ public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.host.id
+ private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.container.id
+ storage_account_name = local.storage_name
+ }
+
+ depends_on = [
+ azurerm_subnet_network_security_group_association.host,
+ azurerm_subnet_network_security_group_association.container
+ ]
+}
diff --git a/templates/workspace_services/databricks/terraform/network.tf b/templates/workspace_services/databricks/terraform/network.tf
new file mode 100644
index 0000000..c9d9dad
--- /dev/null
+++ b/templates/workspace_services/databricks/terraform/network.tf
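Review bot: `public_network_access_enabled = var.is_exposed_externally` is the single line that decides whether the workspace front end is reachable from the public internet, while `network_security_group_rules_required = "NoAzureDatabricksRules"` is fixed; a comment at that line would help the next reviewer, e.g. `# true exposes the workspace UI/API publicly; back-end traffic is expected to use the private endpoints in network.tf`. Confirm that the provider accepts `NoAzureDatabricksRules` together with public access enabled, since that combination presumably relies on the control-plane private endpoint existing. The trailing `depends_on` list is redundant: `custom_parameters` already references `azurerm_subnet_network_security_group_association.host.id` and `.container.id`, so Terraform derives the same ordering from those expressions and the explicit block can be dropped.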
@@ -0,0 +1,214 @@ +resource "azurerm_network_security_group" "nsg" { + name = local.network_security_group_name + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + + tags = local.tre_workspace_service_tags + + lifecycle { ignore_changes = [tags] } + + security_rule { + name = "AllowInboundDatabricksWorkerNodesToCluster" + description = "Required for worker nodes communication within a cluster." + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "VirtualNetwork" + } + + security_rule { + name = "AllowOutboundDatabricksWorkerNodesToControlPlain" + description = "Required for workers communication with Databricks Webapp." + priority = 100 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "AzureDatabricks" + } + + security_rule { + name = "AllowOutboundDatabricksWorkerNodesToAzureSQLServices" + description = "Required for workers communication with Azure SQL services." + priority = 101 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "3306" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Sql" + } + + security_rule { + name = "AllowOutboundDatabricksWorkerNodesToAzureStorage" + description = "Required for workers communication with Azure Storage services." 
+ priority = 102 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "Storage" + } + + security_rule { + name = "AllowOutboundDatabricksWorkerNodesWithinACluster" + description = "Required for worker nodes communication within a cluster." + priority = 103 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "VirtualNetwork" + } + + security_rule { + name = "AllowOutboundWorkerNodesToAzureEventhub" + description = "Required for worker communication with Azure Eventhub services." + priority = 104 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9093" + source_address_prefix = "VirtualNetwork" + destination_address_prefix = "EventHub" + } + +} + +resource "azurerm_subnet" "host" { + name = local.host_subnet_name + resource_group_name = data.azurerm_resource_group.ws.name + virtual_network_name = data.azurerm_virtual_network.ws.name + address_prefixes = [local.host_subnet_address_space] + + delegation { + name = "db-host-vnet-integration" + + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", + "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action", + ] + name = "Microsoft.Databricks/workspaces" + } + } +} + +resource "azurerm_subnet" "container" { + name = local.container_subnet_name + resource_group_name = data.azurerm_resource_group.ws.name + virtual_network_name = data.azurerm_virtual_network.ws.name + address_prefixes = [local.container_subnet_address_space] + + delegation { + name = "db-container-vnet-integration" + + service_delegation { + actions = [ + 
"Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", + "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action", + ] + name = "Microsoft.Databricks/workspaces" + } + } +} + +resource "azurerm_route_table" "rt" { + name = local.route_table_name + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + disable_bgp_route_propagation = false + + tags = local.tre_workspace_service_tags + lifecycle { ignore_changes = [tags] } + + route { + name = "to-firewall" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_in_ip_address = data.azurerm_firewall.firewall.ip_configuration[0].private_ip_address + } +} + +resource "azurerm_subnet_network_security_group_association" "container" { + subnet_id = azurerm_subnet.container.id + network_security_group_id = azurerm_network_security_group.nsg.id +} + +resource "azurerm_subnet_network_security_group_association" "host" { + subnet_id = azurerm_subnet.host.id + network_security_group_id = azurerm_network_security_group.nsg.id +} + +resource "azurerm_subnet_route_table_association" "rt_container" { + subnet_id = azurerm_subnet.container.id + route_table_id = azurerm_route_table.rt.id +} + +resource "azurerm_subnet_route_table_association" "rt_host" { + subnet_id = azurerm_subnet.host.id + route_table_id = azurerm_route_table.rt.id +} + + +resource "azurerm_private_endpoint" "databricks_control_plane_private_endpoint" { + name = "pe-adb-cp-${local.service_resource_name_suffix}" + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + subnet_id = data.azurerm_subnet.services.id + tags = local.tre_workspace_service_tags + + lifecycle { ignore_changes = [tags] } + + private_service_connection { + name = "private-service-connection-databricks-control-plane-${local.service_resource_name_suffix}" + 
private_connection_resource_id = azurerm_databricks_workspace.databricks.id + is_manual_connection = false + subresource_names = ["databricks_ui_api"] + } + + private_dns_zone_group { + name = "private-dns-zone-group-databricks-control-plane-${local.service_resource_name_suffix}" + private_dns_zone_ids = [data.azurerm_private_dns_zone.databricks.id] + } +} + +resource "azurerm_private_endpoint" "databricks_filesystem_private_endpoint" { + name = "pe-adb-fs-${local.service_resource_name_suffix}" + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + subnet_id = data.azurerm_subnet.services.id + tags = local.tre_workspace_service_tags + + lifecycle { ignore_changes = [tags] } + + private_service_connection { + name = "private-service-connection-databricks-filesystem-${local.service_resource_name_suffix}" + private_connection_resource_id = join("", [azurerm_databricks_workspace.databricks.managed_resource_group_id, "/providers/Microsoft.Storage/storageAccounts/${local.storage_name}"]) + is_manual_connection = false + subresource_names = ["dfs"] + } + + private_dns_zone_group { + name = "private-dns-zone-group-databricks-filesystem-${local.service_resource_name_suffix}" + private_dns_zone_ids = [data.azurerm_private_dns_zone.dfscore.id] + } + + depends_on = [ + azurerm_private_endpoint.databricks_control_plane_private_endpoint + ] +} diff --git a/templates/workspace_services/databricks/terraform/outputs.tf b/templates/workspace_services/databricks/terraform/outputs.tf new file mode 100644 index 0000000..800dd1f --- /dev/null +++ b/templates/workspace_services/databricks/terraform/outputs.tf 
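Review bot: The inbound rule `AllowInboundDatabricksWorkerNodesToCluster` (priority 100) permits every protocol and port from the `VirtualNetwork` service tag, which spans the whole workspace VNet and any peered networks, not just the two Databricks subnets; if the intent is intra-cluster traffic only, `source_address_prefixes = [local.host_subnet_address_space, local.container_subnet_address_space]` (in place of `source_address_prefix`) narrows it, and the same applies to the destination of the outbound `AllowOutboundDatabricksWorkerNodesWithinACluster` rule. Check this against the Databricks VNet-injection requirements before tightening, since the platform expects specific rules to be present when `NoAzureDatabricksRules` is used. The rule name `AllowOutboundDatabricksWorkerNodesToControlPlain` has a typo and should be `...ToControlPlane`. The route table forces `0.0.0.0/0` to the firewall's private IP but leaves `disable_bgp_route_propagation = false`, so gateway-learned routes would still apply next to the default route; a comment saying that is intended, or setting it to `true`, would make the egress posture explicit.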
@@ -0,0 +1,51 @@ +output "databricks_workspace_name" { + value = azurerm_databricks_workspace.databricks.name +} + +output "connection_uri" { + value = "https://${azurerm_databricks_workspace.databricks.workspace_url}/aad/auth?has=&Workspace=${data.azurerm_subscription.current.id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Databricks/workspaces/${local.databricks_workspace_name}&WorkspaceResourceGroupUri=${data.azurerm_subscription.current.id}/resourceGroups/${local.managed_resource_group_name}&l=en-us" +} + +output "databricks_storage_account_name" { + value = azurerm_databricks_workspace.databricks.custom_parameters[0].storage_account_name +} + +output "dbfs_blob_storage_domain" { + value = replace(".blob.core.windows.net", "", azurerm_databricks_workspace.databricks.custom_parameters[0].storage_account_name) +} + +output "log_blob_storage_domains" { + value = local.map_location_url_config[module.azure_region.location_cli].logBlobStorageDomains +} + +output "artifact_blob_storage_domains" { + value = setunion(local.map_location_url_config[module.azure_region.location_cli].artifactBlobStoragePrimaryDomains, local.map_location_url_config[module.azure_region.location_cli].artifactBlobStorageSecondaryDomains) +} + +output "workspace_address_spaces" { + value = data.azurerm_virtual_network.ws.address_space +} + +output "databricks_address_prefixes" { + value = setunion(azurerm_subnet.container.address_prefixes, azurerm_subnet.host.address_prefixes) +} + +# convert list of metastore domains to ip addresses +data "dns_a_record_set" "metastore_addresses" { + for_each = toset(local.map_location_url_config[module.azure_region.location_cli].metastoreDomains) + host = each.key +} + +output "metastore_addresses" { + value = setunion(flatten([for addr in data.dns_a_record_set.metastore_addresses : addr.addrs])) +} + +# convert list of event hub endpoint domains to ip addresses +data "dns_a_record_set" "event_hub_endpoint_addresses" { + for_each = 
toset(local.map_location_url_config[module.azure_region.location_cli].eventHubEndpointDomains) + host = each.key +} + +output "event_hub_endpoint_addresses" { + value = setunion(flatten([for addr in data.dns_a_record_set.event_hub_endpoint_addresses : addr.addrs])) +} diff --git a/templates/workspace_services/databricks/terraform/providers.tf b/templates/workspace_services/databricks/terraform/providers.tf new file mode 100644 index 0000000..b3699a7 --- /dev/null +++ b/templates/workspace_services/databricks/terraform/providers.tf 
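Review bot: The `dbfs_blob_storage_domain` output has the `replace()` arguments in the wrong order: Terraform's signature is `replace(string, substring, replacement)`, so `replace(".blob.core.windows.net", "", storage_account_name)` searches the literal suffix for an empty string and does not produce a hostname. The intended value is simply `value = "${azurerm_databricks_workspace.databricks.custom_parameters[0].storage_account_name}.blob.core.windows.net"`. The `dns_a_record_set` data sources iterate every entry of the region's `metastoreDomains` and `eventHubEndpointDomains` lists, and the `switzerlandnorth` entry of databricks-udr.json visible earlier in this patch holds `[""]` for both keys, so a deployment there would try to resolve an empty hostname; either fix the data or filter with `toset([for d in local.map_location_url_config[module.azure_region.location_cli].metastoreDomains : d if d != ""])`. These resolved addresses are also a point-in-time snapshot taken at apply, so whatever consumes them (presumably firewall rules) drifts silently if Databricks changes the IPs behind those names; a comment stating that limitation would set expectations.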
@@ -0,0 +1,64 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "=3.40.0"
+ }
+ azapi = {
+ source = "Azure/azapi"
+ version = "=1.1.0"
+ }
+ databricks = {
+ source = "databricks/databricks"
+ version = "=1.5.0"
+ }
+ dns = {
+ source = "hashicorp/dns"
+ version = "=3.2.3"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ # Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
+ purge_soft_delete_on_destroy = false
+ purge_soft_deleted_secrets_on_destroy = false
+ purge_soft_deleted_certificates_on_destroy = false
+ purge_soft_deleted_keys_on_destroy = false
+ # When recreating an environment, recover any previously soft deleted secrets - set to true by default
+ recover_soft_deleted_key_vaults = true
+ recover_soft_deleted_secrets = true
+ recover_soft_deleted_certificates = true
+ recover_soft_deleted_keys = true
+ }
+ }
+}
+
+provider "azapi" {
+}
+
+provider "databricks" {
+ host = azurerm_databricks_workspace.databricks.workspace_url
+ azure_workspace_resource_id = azurerm_databricks_workspace.databricks.id
+
+ azure_use_msi = true
+}
+
+module "azure_region" {
+ source = "claranet/regions/azurerm"
+ version = "=6.1.0"
+
+ azure_region = data.azurerm_resource_group.ws.location
+}
+
+provider "dns" {
+}
+
+module "terraform_azurerm_environment_configuration" {
+ source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
+ arm_environment = var.arm_environment
+}
diff --git a/templates/workspace_services/databricks/terraform/variables.tf b/templates/workspace_services/databricks/terraform/variables.tf
new file mode 100644
index 0000000..e6851c3
--- /dev/null
+++ b/templates/workspace_services/databricks/terraform/variables.tf
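Review bot: The `terraform_azurerm_environment_configuration` module is fetched from GitHub with `?ref=0.2.0`, a tag that whoever controls that repository can move or delete, so the deployment is not reproducible and an upstream compromise would flow straight into this template; pin to the commit hash instead, e.g. `source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=<40-char commit sha>"`, and record the tag in a comment. The `databricks` provider takes `host` and `azure_workspace_resource_id` from `azurerm_databricks_workspace.databricks`, so its configuration is unknown until that resource exists; this is a known limitation of configuring a provider from resource attributes and deserves a comment, because a fresh plan or a destroy can fail on it. None of the files in this patch declares a `databricks_*` resource or data source, so if the provider is in fact unused it could be removed together with its `required_providers` entry.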
@@ -0,0 +1,28 @@ +variable "tre_id" { + type = string + description = "Unique TRE ID" +} + +variable "tre_resource_id" { + type = string + description = "Unique TRE Resource ID" +} + +variable "workspace_id" { + type = string + description = "Unique TRE WORKSPACE ID" +} + +variable "address_space" { + type = string + description = "The address space that is used by the databricks subnets." +} + +variable "is_exposed_externally" { + type = bool + description = "If the databricks workspace is exposed externally or not." +} + +variable "arm_environment" { + type = string +} From 61ca96be84726161d8fddd71e1cf38d985a4a985 Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Mon, 24 Jun 2024 12:40:16 +0100 Subject: [PATCH 04/13] update gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index fa8c139..e37b17f 100644 --- a/.gitignore +++ b/.gitignore @@ -419,3 +419,5 @@ FodyWeavers.xsd # Local .terraform directories **/.terraform/* + +/letsencrypt/ From b875bd73ecdc5c0f3abc7371140a9424ba4d6629 Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Mon, 24 Jun 2024 17:54:05 +0000 Subject: [PATCH 05/13] add in post deploy script --- post_deploy_script.sh | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 post_deploy_script.sh diff --git a/post_deploy_script.sh b/post_deploy_script.sh new file mode 100644 index 0000000..1db6f00 --- /dev/null +++ b/post_deploy_script.sh 
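Review bot: `arm_environment` is the only variable without a `description`, and `address_space` does not say how it is consumed; locals.tf splits it with `cidrsubnets(var.address_space, 1, 1)`, so callers need to know it must be a prefix large enough to hold two Databricks subnets. Suggest `description = "Azure environment name passed to the terraform-azurerm-environment-configuration module."` on `arm_environment`, and `description = "Address space for the Databricks host and container subnets; it is split into two equal halves."` on `address_space`. A `validation` block with `condition = can(cidrhost(var.address_space, 0))` would also reject malformed input before `cidrsubnets` fails with a less obvious message.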
@@ -0,0 +1,22 @@ +#!/bin/bash + + +tre_id=$(grep tre_id config.yaml|awk '{print $2}') + +sa_id=$(az storage account show -g rg-${tre_id} -n stweb${tre_id} --query "id"|awk -F\" '{print $2}') +user_id=$(az account show --query "id"|awk -F\" '{print $2}') +user_email=$(az account show --query "user.name"|awk -F\" '{print $2}') + +az role assignment create --role "Storage Blob Data Contributor" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Blob Data Reader" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Table Data Contributor" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Table Data Reader" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Queue Data Contributor" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Queue Data Reader" --assignee ${user_email} --scope ${sa_id} +az keyvault set-policy --name kv-${tre_id} --upn ${user_email} --certificate-permissions all +az keyvault set-policy --name kv-${tre_id} --upn ${user_email} --secret-permissions all +az keyvault set-policy --name kv-${tre_id} --upn ${user_email} --key-permissions all + +sleep 60s + +make letsencrypt From 49dfedb5edf6daeb257389d41c63b4c6e6eb461b Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Tue, 25 Jun 2024 14:48:56 +0000 Subject: [PATCH 06/13] update datebricks version --- .../workspace_services/databricks/porter.yaml | 6 +- .../databricks/template_schema.json | 2 +- .../databricks/terraform/.terraform.lock.hcl | 108 ++-- .../databricks/terraform/databricks-udr.json | 469 +++++++++++++++--- .../databricks/terraform/deploy.sh | 0 .../databricks/terraform/providers.tf | 8 +- 6 files changed, 449 insertions(+), 144 deletions(-) mode change 100755 => 100644 templates/workspace_services/databricks/terraform/deploy.sh 
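Review bot: The three `az keyvault set-policy` lines grant the signed-in identity `all` certificate, secret and key permissions on `kv-${tre_id}`, and the role assignments add both the Contributor and Reader data roles for blob, table and queue on the web storage account; that is far more than a one-off `make letsencrypt` run needs, the Reader roles are subsumed by the Contributor ones, and nothing is revoked afterwards, so a human account keeps standing write access to the TRE's core Key Vault. Scope the Key Vault permissions to what the letsencrypt target actually uses (confirm against the Makefile), drop the redundant Reader assignments, and either remove the grants at the end of the script or document that they are meant to be permanent. The script also lacks `set -o errexit -o nounset -o pipefail`, leaves every expansion unquoted, computes `user_id` without using it, and `--assignee ${user_email}` / `--upn ${user_email}` assume the caller is a user with a UPN, which is wrong when run under a service principal (`az account show --query user.name` then returns an app id). The `sleep 60s` is presumably waiting for RBAC propagation, which is not guaranteed to finish in that window; a comment stating the purpose, or a retry around `make letsencrypt`, would be clearer than the bare sleep.
```shell
#!/bin/bash
set -o errexit -o nounset -o pipefail

tre_id=$(grep tre_id config.yaml | awk '{print $2}')

# -o tsv avoids the awk quote-splitting and the unused user_id lookup is dropped.
sa_id=$(az storage account show -g "rg-${tre_id}" -n "stweb${tre_id}" --query id -o tsv)
user_email=$(az account show --query user.name -o tsv)

# Contributor data roles already include read; grant only what `make letsencrypt` needs.
az role assignment create --role "Storage Blob Data Contributor" --assignee "${user_email}" --scope "${sa_id}"
# … unchanged: remaining role assignments, key vault policies, sleep and make target …
```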
diff --git a/templates/workspace_services/databricks/porter.yaml b/templates/workspace_services/databricks/porter.yaml index 51cce2f..a547e1d 100644 --- a/templates/workspace_services/databricks/porter.yaml +++ b/templates/workspace_services/databricks/porter.yaml @@ -1,8 +1,8 @@ --- schemaVersion: 1.0.0 -name: tre-service-databricks2 -version: 1.0.3 -description: "An Azure TRE service for Azure Databricks." +name: tre-service-databricks3 +version: 1.1.0 +description: "An Azure TRE service for Azure Databricks. 3" registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/workspace_services/databricks/template_schema.json b/templates/workspace_services/databricks/template_schema.json index edaf02c..44260c2 100644 --- a/templates/workspace_services/databricks/template_schema.json +++ b/templates/workspace_services/databricks/template_schema.json @@ -2,7 +2,7 @@ "$schema": "http://json-schema.org/draft-07/schema", "$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/databricks/template_schema.json", "type": "object", - "title": "Azure Databricks 2", + "title": "Azure Databricks 3", "description": "Azure Databricks", "required": [], "properties": { diff --git a/templates/workspace_services/databricks/terraform/.terraform.lock.hcl b/templates/workspace_services/databricks/terraform/.terraform.lock.hcl index a5d8741..450f230 100644 --- a/templates/workspace_services/databricks/terraform/.terraform.lock.hcl +++ b/templates/workspace_services/databricks/terraform/.terraform.lock.hcl 
@@ -2,79 +2,75 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/azure/azapi" { - version = "1.1.0" - constraints = "1.1.0" + version = "1.13.1" + constraints = "1.13.1" hashes = [ - "h1:IR+AHCwfjl1c0baWwfOwZ6QZtHj41H2syTgHkJtAr/M=", - "zh:2a25df6325a49f9e821f0b02c7da86167fc19a3bac647cd1edf231300f29d077", - "zh:2b443a836a39724663fe455d4deee408ff3a2d9a8b86f8408aa7db2e8aa743f8", - "zh:364ed09ddfc50d9bed8d930f7de489cb654a9908feb139413a097823a50075fd", - "zh:523bc005f56ae785867d230d55c29f59db4b599dbc6c38b4d03ea55a79458916", - "zh:60ded375fdb305b60bcb4d9e596dbb222cab166bad1b4958199b05a72aaeacfd", - "zh:61e69c58642fead6814e511c872b7c0a6478ec6af4ab758b4512607d910ac078", - "zh:823b2154ae2262dabcbd11aac992e3cc29eae0f7baa96bee1e3e2fe1ece8730b", - "zh:870ea9cc24807ef5142e4cad0281dac7173f7b6bf818a79762b6c690d12d4c4b", - "zh:9094ae76ed66cb328a4f35bd18b9140fb6fc6859c2e46431ec73c018bcb58d96", - "zh:d89149cfd01cb70012459536b4d36490b58e43312440562e5910bd5160537858", - "zh:dba7ec06171ca062fc423ba5b4776a5600444e45e57f4d1cb043bdc3eee538b7", - "zh:ff5bd6883d9ac8334e043434246357a55107411e9a962856c1d17e47ee15ac37", + "h1:xDZG4lbtQJeyJa3Gzo8qecYxyw+AIXYcdDRlkaSLNz8=", + "zh:1f2aceddd67ceeb82a75c2f15dc01e54781e9aed5968507dbc29590c165b2e2b", + "zh:397f0bfbac899d48e23cecf38d362c27562150aa20b19157b5bd370b8e6801ee", + "zh:652263b7d00623684e29ef7b8ff285a17c5bd7cc8ba7d22967c66d0b3a3c568a", + "zh:652c53320a41434942877515780296a1509be03f32d54e60178f39200f960a67", + "zh:666426faf686401e54ec09fe06e9d7c06a6455ec398764f70558440c73aeb7f9", + "zh:6aa91ae8ba78f2494f99b4c99e66d15ed0b14d735cd1f77adc12ff9dfa075807", + "zh:a529e5a13c37d1805c469227f08cdbe7527d04dd64d18709d26627c6a0b588b1", + "zh:a589c049205e8e5bf94a13d56b28f400d908ad27e13e16df64408ee82eb8a0ff", + "zh:a9a50defdee230f315f74be6c77ff104fe2610a1b3ad6b87326f555e80d13b18", + "zh:ba49ef70d96e13795e2dbffd6cb2ff976dfe84e0373a5971ebe3b4c9c9b7af60", + "zh:d3ed50efe5f8c80d3d7d464ab9a13ccf82440d871c9ce3032ce476845364c6b9", + 
"zh:e3eb48ee8c36ee4f81850d8a21fc59b81886c729d7c3b7adece4a25f355bed2f", ] } provider "registry.terraform.io/databricks/databricks" { - version = "1.5.0" - constraints = "1.5.0" + version = "1.48.0" + constraints = "1.48.0" hashes = [ - "h1:UJe5L/BteOU7M5ewRLzuUjiewYFLF695eLp3hMKVR6M=", - "zh:0fa9ca13d977a8dcb46254f07c9be731891468f5b423f09cb51da97eaace8e2b", - "zh:3a648e4f8ece8aab05acfc7759b4e4cd153ecd29b3ed0e00d7f1a3a19911f7d8", - "zh:3b052b98b5e22ae4e81e4b667ae5cee9a68bb1750d22546ae9eff16c8d6a294a", - "zh:4320b165218cb39f0ad313d483bba20d0de9e48db0c1467fd0e3a0afb2c02012", - "zh:588c9fdbf35ca9c430cafb5dbd90f34a165744e3514212d0f2c07a3387d8b339", - "zh:b50f8eb38b556ddfa24a76b4113e8a84b778a9a0bb4b4ba5fdc3edca59198d2a", - "zh:ca5186443ac672f5566d9c9b5727f55124a8642dd3949e973790b9195e6b306a", - "zh:db817409b94c34c9b9b5e109751eff7fbca90d08b407a099630c8ec79b6c6d4b", - "zh:edf04424c68db603bf2473e2f14f3e3ad217feb84fc2c7debb6641d15886f8e3", - "zh:ef374f84c41fe529bff1ec3274eb7fe5dd8184c5e71f3e6d99a6adaff6eab82e", + "h1:o1tNRClUSRi0luylRIJEZWkXTcAWj3okW4UzZxyLj+c=", + "zh:2f754ee98cc6779cc989363156fee3a094c3e3b42f5fc7725058b76a2dcc8672", + "zh:8e328c079117a274815f4e4c7c456e4dd4c3bcf72547bf96e7ccd873e6dde73a", + "zh:9d5ae7428e2a12c13138a360b51195a7d76cffd86c2b3587a6a8a931b26cb560", + "zh:c4067270ae9639261493b36200bce767c3546351e3ad1198bc4b909efef98400", + "zh:d93a9ff998e27f6db70a0ffb37cd31c3e6c9c42291ef69030581c8ed7a133ee5", + "zh:f154f5c0331f23fc3a2f2afb9ad6ebc3f32546a9370171259e344a11aeada7f6", ] } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.40.0" - constraints = "3.40.0" + version = "3.108.0" + constraints = "3.108.0" hashes = [ - "h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=", - "zh:00fa6dc05bf2643c6a3c741edb7d88263698086835a8a613f1d7bd76d1b918fd", - "zh:0da9b788e773272a7aa9d59bd9e3d5842edd4acc8c3895bea469e66dc14205a0", - "zh:25a8c39d1f042fc7c83ba9dd745c3569ea9e577fadb57563a575fb115ac2b9f1", - 
"zh:4423666dbeae8bc22c6e8898ffbb88745681dc27668ca9104b665dd7f3d7292c", - "zh:78c07308e7407b558d15737a98fb5eaf15529d297fc3798de6a7d61e0466e2e3", - "zh:894aca7e6f4f331ee8eb51957a180dc03d399d2b1727e0d7842e9b3f022a8c6a", - "zh:bb0e620c2161b4c4892a6f50b1c4c69ed70f66bb5e92543a03d79d0e4b1d9441", - "zh:c7d8e6a791159ca63b30908c9efe72ab65f60d64b30f0c1eb5a64972f4994844", - "zh:d04c11bfd346c1ac34d16bbdca70b23b006e822f6beb236b85375e8343888eb4", - "zh:f4edea9660327c7c70a823d786fd1b1c1b186c8759770447f63da72f23e1a73c", + "h1:RIFBFTXz4X48JDHjbQHX4y400ax1/uEzMVFZgX3/z3w=", + "zh:2afecf948fd702bc08c87d9114595809d011f99a70a12dbf6bc67a12d0bee5fc", + "zh:395b6d1384a579867064e62d49b0b91e15919c33b03ea8b5031c2779bfa16b3d", + "zh:3e5594c59b6b02bc6e0f4c3de71aa2ab992494c53725fb3c64d36745f3814ef3", + "zh:4613e190609377309f6a4ac44f631c9469efab3ae148dbb09e73718201dc4f42", + "zh:624f01cb7604d58100068401bd07ab09a141e7bd318f8214127838cf202e4868", + "zh:65709950c9933e38704e2075a2339951e1259a6e882f35d390be36e1844ebc72", + "zh:af82657fad4e3a177f2ebb8035b45bda40f8856eb999288533321028794d03e5", + "zh:c40b331eba08830d16c0e6795fa7cbf08231073df2cfdb0f34e9d908a915981a", + "zh:d6ccd533a0bd984ca7ed1ae860e057e9e2f88468745be9712236d2d240353de4", + "zh:f361fd398e8772f8554a010331d161d6f7284a43238fd28bfa7b41795a5538b8", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f986e268949cf445ff53a66af48a87c6f6dba5964e8a5b1dc0ea02afabdd71f7", + "zh:f8c2132c77d35930203ec66f1bf9bbf633a2406e9f7b572ff425d65b8aa8c492", ] } provider "registry.terraform.io/hashicorp/dns" { - version = "3.2.3" - constraints = "3.2.3" + version = "3.4.1" + constraints = "3.4.1" hashes = [ - "h1:ODcR+vWOhCAJ2iCChZMVdRglNCx07VNr67OPLRPZyDY=", - "zh:03a304f4b76ac6c8bebffddcdf555bf77578a7f638948a681589def32e140cb8", - "zh:08c7d2498b747054e9c9df7838bfa4e4a6b5d63e2d29f0457247e384f792d56c", - "zh:20adf489819ba51ba9d9d15da2dbe1fecb92491b3d0dd80096873e5e84d8b4bd", - 
"zh:2959ff209d2578456ca490672b82864d483b9e9db9efc8e4ffada06e23017609", - "zh:3ecd0b22db79550fb1108ff7bd00c4066825e8c23bb64e3cc8d9b8102e8caa45", - "zh:6e53a9232245b4be52b56b078f15f270b89afe6abb9c9b8baab4a282fe0cf9f8", + "h1:6VWKyyb75bXOvm+jFNyOfu/cj0SdcDru7seMblWRBfc=", + "zh:00fc9ba46d66a35c0f4cb66d19b402280f5d074a5652b6a378aac9b11b93d069", + "zh:0d612631e82f246d1e7ee20d3dff29ad1c328d1cec0a3b030719e6246676737b", + "zh:29b847c53ea307acf7ed923c751f3051aae3308a23ba376ad86b120c0f6b978b", + "zh:4b5612e01d369ba56abe87daaea12e65114da9befdd080bf26269dfcbd1c07fa", + "zh:5a2e3af49eabe6592bc24ff6c718872cc8a3fbc3b7be152b00d124ef1dd5d0bd", + "zh:6570128aa7cb71390f78b9aa918c937f1ab0d695e8d7a0b38b84713d2cc92893", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:80437bdfa08eb90f70105b52cb06799a8f7967313654b43d28d7f654fcd4edc1", - "zh:816ddaca0ecc29e287376e5b0b8b0729ee13f23a9d74bfad5b14b7983e1a1775", - "zh:82d8ac7ad00c1a71d0a7c1aca03bb59a6b51128f895242df80b1f3d016c3c51a", - "zh:ec9243b8bd80693a6eeeea5d4f7f4e6f57bd44ae796d6d5b1a91790e359f8a61", - "zh:fd821adbfb03a2c9eac111ff27a32b3a5523b18f80333008de85482d3bbea645", + "zh:874cbc34ef9973e4b1f894d910e7f853cc317ee6b5208179d41c1bfa51831425", + "zh:946d5fbe75d4fc0fdc1d2deea85a5e02ec46f6830731f9414884276b7c3ec4bc", + "zh:b1cde393e83634c733649caea76ef6f4f14f01f2b04e8c90926ccbb49ac6c53d", + "zh:b803d82cf6fc8ae6660f896144e065d6ed032273a3eb418e62b39a7dec73f734", + "zh:e8d8b93b1c13b199c929819b2b049627a6d3874fd3f16e05b3f594d526233dd6", ] } diff --git a/templates/workspace_services/databricks/terraform/databricks-udr.json b/templates/workspace_services/databricks/terraform/databricks-udr.json index 36a9204..4cabb84 100644 --- a/templates/workspace_services/databricks/terraform/databricks-udr.json +++ b/templates/workspace_services/databricks/terraform/databricks-udr.json 
@@ -1,9 +1,21 @@ { "australiacentral": { - "webappDestinationAddresses": ["13.75.218.172/32"], + "webappDestinationAddresses": [ + "13.75.218.172/32", + "20.70.34.64/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["13.75.164.249/32"], "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "controlPlaneNatDestinationAddresses": [ + "13.70.105.50/32", + "20.211.147.64/29", + "20.28.138.72/29", + "20.11.26.96/29", + "20.40.72.88/29", + "20.5.1.136/29", + "20.5.170.240/29" + ], "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], " ": ["dblogprodausteast.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -20,10 +32,22 @@ ] }, "australiacentral2": { - "webappDestinationAddresses": ["13.75.218.172/32"], + "webappDestinationAddresses": [ + "13.75.218.172/32", + "20.193.110.128/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["13.75.164.249/32"], "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "controlPlaneNatDestinationAddresses": [ + "13.70.105.50/32", + "20.211.147.64/29", + "20.28.138.72/29", + "20.11.26.96/29", + "20.40.72.88/29", + "20.5.1.136/29", + "20.5.170.240/29" + ], "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], "logBlobStorageDomains": ["dblogprodausteast.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
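Review bot: the australiacentral entry carries the key `" "` on the context line `" ": ["dblogprodausteast.blob.core.windows.net"]` where every other region uses `"logBlobStorageDomains"`; unless that is an artifact of how the diff was rendered, the log-storage domain for this region sits under a blank key and is never read by whatever consumes this file, and it should be `"logBlobStorageDomains": ["dblogprodausteast.blob.core.windows.net"],`. This file is an egress allow-list for the Databricks workspace and the patch changes hundreds of prefixes with no indication of where they came from; strict JSON cannot carry a comment, so record the source document and its revision date in the commit message or a README beside the file so the next reviewer can verify the addresses instead of trusting them. Some regions (eastasia in a later hunk, westus near the end) replace the original first prefix instead of appending to it as the other regions do; if deployed workspaces still reach those older addresses, dropping them from the route table sends that traffic down the default route instead, so confirm each removal against the upstream list.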
@@ -40,10 +64,22 @@ ] }, "australiaeast": { - "webappDestinationAddresses": ["13.75.218.172/32"], + "webappDestinationAddresses": [ + "13.75.218.172/32", + "4.147.241.0/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["13.75.164.249/32"], "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "controlPlaneNatDestinationAddresses": [ + "13.70.105.50/32", + "20.211.147.64/29", + "20.28.138.72/29", + "20.11.26.96/29", + "20.40.72.88/29", + "20.5.1.136/29", + "20.5.170.240/29" + ], "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], "logBlobStorageDomains": ["dblogprodausteast.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -76,10 +112,22 @@ ] }, "australiasoutheast": { - "webappDestinationAddresses": ["13.75.218.172/32"], + "webappDestinationAddresses": [ + "13.75.218.172/32", + "4.198.113.16/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["13.75.164.249/32"], "sccRelayDomains": ["tunnel.australiaeast.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["13.70.105.50/32"], + "controlPlaneNatDestinationAddresses": [ + "13.70.105.50/32", + "20.211.147.64/29", + "20.28.138.72/29", + "20.11.26.96/29", + "20.40.72.88/29", + "20.5.1.136/29", + "20.5.170.240/29" + ], "extendedInfrastructureDestinationAddresses": ["20.53.145.128/28"], "logBlobStorageDomains": ["dblogprodausteast.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -96,10 +144,22 @@ ] }, "brazilsouth": { - "webappDestinationAddresses": ["104.41.54.118/32"], + "webappDestinationAddresses": [ + "104.41.54.118/32", + "20.201.68.160/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["23.97.106.142/32"], "sccRelayDomains": ["tunnel.brazilsouth.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["191.232.53.223/32"], + "controlPlaneNatDestinationAddresses": [ + "191.232.53.223/32", + "20.206.205.232/29", + "20.201.127.40/29", + "191.233.243.72/29", + "20.206.144.56/29", + "191.233.243.64/29", + "20.206.205.224/29" + ], "extendedInfrastructureDestinationAddresses": ["20.197.222.144/28"], "logBlobStorageDomains": ["dblogprodbrazilsou.blob.core.windows.net."], "artifactBlobStoragePrimaryDomains": [ @@ -116,10 +176,22 @@ ] }, "canadacentral": { - "webappDestinationAddresses": ["13.71.184.74/32"], + "webappDestinationAddresses": [ + "13.71.184.74/32", + "20.220.50.240/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["13.88.249.244/32"], "sccRelayDomains": ["tunnel.canadacentral.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["40.85.223.25/32"], + "controlPlaneNatDestinationAddresses": [ + "40.85.223.25/32", + "4.229.241.184/29", + "20.151.153.184/29", + "4.239.251.152/29", + "20.151.145.208/29", + "4.239.251.160/29", + "4.229.241.192/29" + ], "extendedInfrastructureDestinationAddresses": ["52.139.4.160/28"], "logBlobStorageDomains": ["dblogprodcacentral.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -142,10 +214,22 @@ ] }, "canadaeast": { - "webappDestinationAddresses": ["13.71.184.74/32"], + "webappDestinationAddresses": [ + "13.71.184.74/32", + "20.220.99.176/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["13.88.249.244/32"], "sccRelayDomains": ["tunnel.canadacentral.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["40.85.223.25/32"], + "controlPlaneNatDestinationAddresses": [ + "40.85.223.25/32", + "4.229.241.184/29", + "20.151.153.184/29", + "4.239.251.152/29", + "20.151.145.208/29", + "4.239.251.160/29", + "4.229.241.192/29" + ], "extendedInfrastructureDestinationAddresses": ["52.139.4.160/28"], "logBlobStorageDomains": ["dblogprodcacentral.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -165,10 +249,22 @@ ] }, "centralindia": { - "webappDestinationAddresses": ["104.211.89.81/32"], + "webappDestinationAddresses": [ + "104.211.89.81/32", + "20.235.199.64/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["52.172.133.58/32"], "sccRelayDomains": ["tunnel.centralindia.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["104.211.101.14/32"], + "controlPlaneNatDestinationAddresses": [ + "104.211.101.14/32", + "20.244.88.56/29", + "98.70.76.16/29", + "20.198.25.0/29", + "98.70.75.40/29", + "20.198.9.224/29", + "98.70.91.64/29" + ], "extendedInfrastructureDestinationAddresses": ["20.193.246.208/28"], "logBlobStorageDomains": ["dblogprodcindia.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -191,7 +287,12 @@ ] }, "centralus": { - "webappDestinationAddresses": ["40.70.58.221/32", "20.37.156.209/32"], + "webappDestinationAddresses": [ + "40.70.58.221/32", + "20.37.156.209/32", + "4.249.192.240/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["13.86.58.215/32", "52.247.0.200/32"], "sccRelayDomains": [ "tunnel.eastus2.azuredatabricks.net", 
@@ -199,7 +300,19 @@ ], "controlPlaneNatDestinationAddresses": [ "23.101.152.95/32", - "20.37.156.208/32" + "20.37.156.208/32", + "52.180.139.48/29", + "172.202.121.240/29", + "20.186.233.208/29", + "74.249.107.232/29", + "20.161.82.48/29", + "20.161.68.208/29", + "4.150.177.120/29", + "52.165.98.248/29", + "20.15.235.192/29", + "20.161.81.88/29", + "20.161.68.200/29", + "68.154.4.136/29" ], "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], "logBlobStorageDomains": [ @@ -322,10 +435,22 @@ }, "eastasia": { - "webappDestinationAddresses": ["52.187.145.107/32"], + "webappDestinationAddresses": [ + "20.189.106.192/32", + "20.239.211.144/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["102.37.41.3/32"], "sccRelayDomains": ["tunnel.southeastasia.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["52.187.0.85/32"], + "controlPlaneNatDestinationAddresses": [ + "20.189.106.194/32", + "20.2.226.184/29", + "20.2.234.144/29", + "52.184.83.208/29", + "20.205.24.128/29", + "20.189.126.232/29", + "20.6.233.184/29" + ], "extendedInfrastructureDestinationAddresses": ["20.195.104.64/28"], "logBlobStorageDomains": [ "dblogprodseasia.blob.core.windows.net", @@ -350,7 +475,9 @@ "webappDestinationAddresses": [ "40.70.58.221/32", "20.42.4.209/32", - "20.42.4.211/32" + "20.42.4.211/32", + "52.234.168.240/28", + "4.150.168.160/28" ], "sccRelayDestinationAddresses": ["52.247.0.200/32", "52.146.50.16/32"], "sccRelayDomains": [ @@ -360,7 +487,19 @@ "controlPlaneNatDestinationAddresses": [ "23.101.152.95/32", "20.42.4.208/32", - "20.42.4.210/32" + "20.42.4.210/32", + "57.151.106.192/29", + "57.151.124.96/29", + "57.151.82.88/29", + "74.249.107.232/29", + "20.161.82.48/29", + "20.161.68.208/29", + "57.151.124.56/29", + "57.151.84.240/29", + "172.203.186.112/29", + "20.161.81.88/29", + "20.161.68.200/29", + "68.154.4.136/29" ], "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], "logBlobStorageDomains": [ 
@@ -406,15 +545,35 @@ ] }, "eastus2": { - "webappDestinationAddresses": ["40.70.58.221/32", "20.41.4.113/32"], + "webappDestinationAddresses": [ + "40.70.58.221/32", + "20.41.4.113/32", + "20.41.4.116/32", + "52.254.24.96/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["52.247.0.200/32", "20.186.83.56/32"], "sccRelayDomains": [ "tunnel.eastus2.azuredatabricks.net", - "tunnel.eastus2c2.azuredatabricks.net" + "tunnel.eastus2c2.azuredatabricks.net", + "tunnel.eastus2c3.azuredatabricks.net" ], "controlPlaneNatDestinationAddresses": [ "23.101.152.95/32", - "20.41.4.112/32" + "20.41.4.112/32", + "20.41.4.114/32", + "74.249.107.232/29", + "20.161.82.48/29", + "20.161.68.208/29", + "74.249.108.56/29", + "20.161.82.56/29", + "20.161.68.216/29", + "74.249.108.120/29", + "20.161.82.64/29", + "20.161.68.224/29", + "20.161.81.88/29", + "20.161.68.200/29", + "68.154.4.136/29" ], "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], "logBlobStorageDomains": [ @@ -459,7 +618,6 @@ "consolidated-eastus2c3-prod-metastore-0.mysql.database.azure.com" ] }, - "eastus2euap": { "webappDestinationAddresses": [""], "sccRelayDestinationAddresses": [""], @@ -472,12 +630,15 @@ "eventHubEndpointDomains": [""], "metastoreDomains": [""] }, - "francecentral": { - "webappDestinationAddresses": ["40.89.168.225/32"], + "webappDestinationAddresses": [ + "40.89.168.225/32", + "20.19.113.192/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["51.103.18.111/32"], "sccRelayDomains": ["tunnel.francecentral.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["40.89.171.101/32"], + "controlPlaneNatDestinationAddresses": ["40.89.171.101/32", "98.66.170.152/29", "4.233.185.56/29", "20.19.35.8/29", "4.233.193.64/29", "20.19.34.168/29", "4.178.122.232/29"], "extendedInfrastructureDestinationAddresses": ["20.74.69.128/28"], "logBlobStorageDomains": ["dblogprodfrcentral.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
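Review bot: from francecentral onward the new `controlPlaneNatDestinationAddresses` values are written as one flow array on a single line (`"controlPlaneNatDestinationAddresses": ["40.89.171.101/32", "98.66.170.152/29", ...]`) while the regions above list one prefix per line; the same mix recurs in the germanywestcentral, japaneast, japanwest, koreacentral, northcentralus, northeurope, southafricanorth, southcentralus, southeastasia, swedencentral, switzerlandnorth, switzerlandwest, uaenorth, uksouth, ukwest, westcentralus, westeurope, westus, westus2 and westus3 hunks, and northcentralus, northeurope, southcentralus and westeurope even put a one-line list inside an otherwise multi-line array. One prefix per line is what keeps future diffs of an allow-list reviewable, because a changed address then shows up as one changed line; run the file through a JSON formatter before merging.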
@@ -494,10 +655,14 @@ ] }, "germanywestcentral": { - "webappDestinationAddresses": ["20.52.93.41/32"], + "webappDestinationAddresses": [ + "20.52.93.41/32", + "98.67.225.0/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["20.52.93.40/32"], "sccRelayDomains": ["tunnel.germanywestcentral.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["20.52.93.42/32"], + "controlPlaneNatDestinationAddresses": ["20.52.93.42/32", "20.218.169.48/29", "98.67.186.40/29", "51.116.120.104/29", "98.67.186.32/29", "51.116.120.96/29", "20.218.169.40/29"], "extendedInfrastructureDestinationAddresses": ["20.52.93.40/29"], "logBlobStorageDomains": ["dblogprodgerwescen.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -514,10 +679,14 @@ ] }, "japaneast": { - "webappDestinationAddresses": ["52.246.160.72/32"], + "webappDestinationAddresses": [ + "52.246.160.72/32", + "4.189.194.16/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["20.46.121.76/32"], "sccRelayDomains": ["tunnel.japaneast.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["13.78.19.235/32"], + "controlPlaneNatDestinationAddresses": ["13.78.19.235/32", "20.210.195.88/29", "20.40.91.88/29", "4.216.211.0/29", "20.222.179.176/29", "20.243.34.72/29", "20.210.194.80/29"], "extendedInfrastructureDestinationAddresses": ["20.78.226.176/28"], "logBlobStorageDomains": ["dblogprodjapaneast.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -534,10 +703,14 @@ ] }, "japanwest": { - "webappDestinationAddresses": ["52.246.160.72/32"], + "webappDestinationAddresses": [ + "52.246.160.72/32", + "138.91.16.64/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["20.46.121.76/32"], "sccRelayDomains": ["tunnel.japaneast.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["13.78.19.235/32"], + "controlPlaneNatDestinationAddresses": ["13.78.19.235/32", "20.210.195.88/29", "20.40.91.88/29", "4.216.211.0/29", "20.222.179.176/29", "20.243.34.72/29", "20.210.194.80/29"], "extendedInfrastructureDestinationAddresses": ["20.78.226.176/28"], "logBlobStorageDomains": ["dblogprodjapaneast.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -554,10 +727,14 @@ ] }, "koreacentral": { - "webappDestinationAddresses": ["52.141.22.164/32"], + "webappDestinationAddresses": [ + "52.141.22.164/32", + "20.214.117.160/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["20.194.4.102/32"], "sccRelayDomains": ["tunnel.koreacentral.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["52.141.6.181/32"], + "controlPlaneNatDestinationAddresses": ["52.141.6.181/32", "20.39.199.24/29", "20.41.120.112/29", "52.141.26.136/29", "20.41.105.232/29", "52.141.26.120/29", "20.39.198.216/29"], "extendedInfrastructureDestinationAddresses": ["20.194.107.48/28"], "logBlobStorageDomains": ["dblogprodkoreacentral.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -574,15 +751,19 @@ ] }, "northcentralus": { - "webappDestinationAddresses": ["40.70.58.221/32", "40.80.188.0/32"], + "webappDestinationAddresses": [ + "40.70.58.221/32", + "40.80.188.0/32", + "172.214.168.112/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["52.247.0.200/32", "23.100.226.13/32"], "sccRelayDomains": [ "tunnel.eastus2.azuredatabricks.net", "tunnel.northcentralusc2.azuredatabricks.net" ], "controlPlaneNatDestinationAddresses": [ - "23.101.152.95/32", - "40.80.188.1/32" + "23.101.152.95/32", "40.80.188.1/32", "74.249.107.232/29", "20.161.82.48/29", "20.161.68.208/29", "52.240.210.16/28", "20.161.81.88/29", "20.161.68.200/29", "68.154.4.136/29" ], "extendedInfrastructureDestinationAddresses": ["20.57.106.0/28"], "logBlobStorageDomains": [ @@ -605,15 +786,19 @@ ] }, "northeurope": { - "webappDestinationAddresses": ["52.232.19.246/32", "20.38.84.81/32"], + "webappDestinationAddresses": [ + "52.232.19.246/32", + "20.38.84.81/32", + "4.209.165.0/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["23.97.201.41/32", "40.127.147.196/32"], "sccRelayDomains": [ "tunnel.westeurope.azuredatabricks.net", "tunnel.northeuropec2.azuredatabricks.net" ], "controlPlaneNatDestinationAddresses": [ - "23.100.0.135/32", - "20.38.84.80/32" + "23.100.0.135/32", "20.38.84.80/32", "98.71.25.152/29", "4.245.219.224/29", "20.123.51.88/29", "172.201.83.192/29", "172.211.2.248/29", "172.205.204.120/29", "4.245.227.208/29", "68.219.252.224/29", "74.234.43.80/29", "172.211.67.168/29", "172.201.244.200/29", "172.211.58.192/29" ], "extendedInfrastructureDestinationAddresses": ["20.73.215.48/28"], "logBlobStorageDomains": ["dblogprodwesteurope.blob.core.windows.net"], 
@@ -645,10 +830,22 @@ ] }, "norwayeast": { - "webappDestinationAddresses": ["51.120.40.120/32"], + "webappDestinationAddresses": [ + "51.120.40.120/32", + "20.100.214.208/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["51.120.40.122/32"], "sccRelayDomains": ["tunnel.norwayeast.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["51.120.40.121/32"], + "controlPlaneNatDestinationAddresses": [ + "51.120.40.121/32", + "51.120.246.120/29", + "4.235.113.232/29", + "51.120.8.208/29", + "20.251.169.232/29", + "51.120.8.32/29", + "51.120.246.96/29" + ], "extendedInfrastructureDestinationAddresses": ["51.13.86.224/28"], "logBlobStorageDomains": ["dblogprodnweast.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -664,11 +861,47 @@ "consolidated-norwayeast-prod-metastore-0.mysql.database.azure.com" ] }, + "qatarcentral": { + "webappDestinationAddresses": [ + "20.21.32.32/32", + "20.173.17.128/28", + "4.150.168.160/28" + ], + "sccRelayDestinationAddresses": [""], + "sccRelayDomains": ["tunnel.qatarcentral.azuredatabricks.net"], + "controlPlaneNatDestinationAddresses": [ + "20.21.32.34/32", + "20.173.105.240/29", + "20.173.97.224/29", + "20.173.50.48/29", + "20.21.129.232/29", + "20.173.50.40/29", + "20.173.105.232/29" + ], + "extendedInfrastructureDestinationAddresses": [""], + "logBlobStorageDomains": ["dblogprodqcentral.blob.core.windows.net"], + "artifactBlobStoragePrimaryDomains": [ + "dbartifactsprodqcentral.blob.core.windows.net" + ], + "artifactBlobStorageSecondaryDomains": [ + "dbartifactsprodwestus.blob.core.windows.net" + ], + "eventHubEndpointDomains": [ + "prod-qatarcentral-observabilityeventhubs.servicebus.windows.net" + ], + "metastoreDomains": [ + "consolidated-qatarcentral-prod-metastore-0.mysql.database.azure.com" + ] + }, "southafricanorth": { - "webappDestinationAddresses": ["102.133.224.24/32"], + "webappDestinationAddresses": [ + "102.133.224.24/32", + "20.87.238.224/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["102.37.41.3/32"], "sccRelayDomains": ["tunnel.southafricanorth.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["40.127.5.82/32"], + "controlPlaneNatDestinationAddresses": ["40.127.5.82/32", "40.127.8.136/29", "102.37.214.112/29", "20.164.16.120/29", "102.37.214.88/29", "20.164.16.48/29", "40.127.8.48/29"], "extendedInfrastructureDestinationAddresses": ["102.133.192.48/28"], "logBlobStorageDomains": ["dblogprodsafrican.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
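Review bot: the new `qatarcentral` entry sets `"sccRelayDestinationAddresses": [""]` and `"extendedInfrastructureDestinationAddresses": [""]`; an empty string is not a CIDR prefix, so a consumer that builds one route per entry will either fail on it or skip it silently, and in the second case the SCC relay traffic for this region is not routed at all. Use `[]` for a list that is genuinely unpublished, or fill in the published prefixes, rather than `[""]`. The existing `eastus2euap` entry has the same `[""]` placeholders on context lines, so the consumer presumably tolerates them today, but a new production region should not rely on that.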
@@ -685,12 +918,16 @@ ] }, "southcentralus": { - "webappDestinationAddresses": ["40.118.174.12/32", "40.119.9.208/32"], + "webappDestinationAddresses": [ + "40.118.174.12/32", + "40.119.9.208/32", + "52.185.215.96/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["40.86.167.110/32"], "sccRelayDomains": ["tunnel.westus.azuredatabricks.net"], "controlPlaneNatDestinationAddresses": [ - "40.83.178.242/32", - "40.119.9.209/32" + "40.83.178.242/32", "40.119.9.209/32", "20.65.137.224/29", "40.124.140.48/29", "4.151.11.48/29", "52.157.9.208/28" ], "extendedInfrastructureDestinationAddresses": ["13.91.84.96/28"], "logBlobStorageDomains": [ @@ -720,10 +957,22 @@ ] }, "southindia": { - "webappDestinationAddresses": ["104.211.89.81/32"], + "webappDestinationAddresses": [ + "104.211.89.81/32", + "52.140.35.224/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["52.172.133.58/32"], "sccRelayDomains": ["tunnel.centralindia.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["104.211.101.14/32"], + "controlPlaneNatDestinationAddresses": [ + "104.211.101.14/32", + "20.244.88.56/29", + "98.70.76.16/29", + "20.198.25.0/29", + "98.70.75.40/29", + "20.198.9.224/29", + "98.70.91.64/29" + ], "extendedInfrastructureDestinationAddresses": ["20.193.246.208/28"], "logBlobStorageDomains": ["dblogprodcindia.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -740,10 +989,14 @@ ] }, "southeastasia": { - "webappDestinationAddresses": ["52.187.145.107/32"], + "webappDestinationAddresses": [ + "52.187.145.107/32", + "20.247.134.0/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["52.230.27.216/32"], "sccRelayDomains": ["tunnel.southeastasia.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["52.187.0.85/32"], + "controlPlaneNatDestinationAddresses": ["52.187.0.85/32", "52.237.98.24/29", "20.6.34.248/29", "20.6.83.136/29", "172.188.66.64/29", "20.6.82.208/29", "172.188.123.176/29"], "extendedInfrastructureDestinationAddresses": ["20.195.104.64/28"], "logBlobStorageDomains": ["dblogprodseasia.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -764,10 +1017,14 @@ ] }, "swedencentral": { - "webappDestinationAddresses": ["51.12.41.16/32"], + "webappDestinationAddresses": [ + "51.12.41.16/32", + "4.225.21.224/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["51.12.41.18/32"], "sccRelayDomains": ["tunnel.swedencentral.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["51.12.41.17/32"], + "controlPlaneNatDestinationAddresses": ["51.12.41.17/32", "51.12.251.232/29", "20.240.203.248/29", "20.240.218.136/29", "172.160.244.40/29", "51.12.59.200/29", "51.12.250.248/29"], "extendedInfrastructureDestinationAddresses": ["20.91.164.16/28"], "logBlobStorageDomains": ["dblogprodswissnor.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -784,10 +1041,14 @@ ] }, "switzerlandnorth": { - "webappDestinationAddresses": ["51.107.48.120/32"], + "webappDestinationAddresses": [ + "51.107.48.120/32", + "20.208.63.112/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["51.107.203.195/32"], "sccRelayDomains": ["tunnel.switzerlandnorth.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["51.107.48.121/32"], + "controlPlaneNatDestinationAddresses": ["51.107.48.121/32", "20.250.160.184/29", "51.103.214.248/29", "51.107.12.216/29", "20.250.144.32/29", "51.107.12.208/29", "74.242.170.224/29"], "extendedInfrastructureDestinationAddresses": ["51.103.172.176/28"], "logBlobStorageDomains": [""], "artifactBlobStoragePrimaryDomains": [""], @@ -796,10 +1057,14 @@ "metastoreDomains": [""] }, "switzerlandwest": { - "webappDestinationAddresses": ["51.107.144.68/32"], + "webappDestinationAddresses": [ + "51.107.144.68/32", + "20.199.198.240/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["51.107.144.70/32"], "sccRelayDomains": ["tunnel.switzerlandwest.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["51.107.144.69/32"], + "controlPlaneNatDestinationAddresses": ["51.107.144.69/32", "20.199.199.32/28"], "extendedInfrastructureDestinationAddresses": ["51.107.233.80/28"], "logBlobStorageDomains": ["dblogprodswisswest.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -817,10 +1082,14 @@ ] }, "uaenorth": { - "webappDestinationAddresses": ["40.123.212.253/32"], + "webappDestinationAddresses": [ + "40.123.212.253/32", + "20.233.156.224/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["40.123.225.135/32"], "sccRelayDomains": ["tunnel.uaenorth.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["40.123.218.63/32"], + "controlPlaneNatDestinationAddresses": ["40.123.218.63/32", "20.174.35.40/29", "20.174.162.32/29", "20.46.193.88/29", "20.174.162.24/29", "20.46.193.40/29", "20.174.35.32/29"], "extendedInfrastructureDestinationAddresses": ["40.120.89.0/28"], "logBlobStorageDomains": ["dblogproduaenorth.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -843,10 +1112,14 @@ ] }, "uksouth": { - "webappDestinationAddresses": ["51.140.204.4/32"], + "webappDestinationAddresses": [ + "51.140.204.4/32", + "4.158.9.160/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["51.141.103.193/32"], "sccRelayDomains": ["tunnel.ukwest.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["51.140.203.27/32"], + "controlPlaneNatDestinationAddresses": ["51.140.203.27/32", "51.141.67.0/28"], "extendedInfrastructureDestinationAddresses": ["51.141.64.128/28"], "logBlobStorageDomains": ["dblogprodukwest.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -870,10 +1143,14 @@ ] }, "ukwest": { - "webappDestinationAddresses": ["51.140.204.4/32"], + "webappDestinationAddresses": [ + "51.140.204.4/32", + "20.254.183.0/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["51.141.103.193/32"], "sccRelayDomains": ["tunnel.ukwest.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["51.140.203.27/32"], + "controlPlaneNatDestinationAddresses": ["51.140.203.27/32", "51.141.67.0/28"], "extendedInfrastructureDestinationAddresses": ["51.141.64.128/28"], "logBlobStorageDomains": ["dblogprodukwest.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ 
@@ -936,10 +1213,14 @@ ] }, "westcentralus": { - "webappDestinationAddresses": ["52.150.136.68/32"], + "webappDestinationAddresses": [ + "52.150.136.68/32", + "13.78.197.48/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["52.150.136.70/32"], "sccRelayDomains": ["tunnel.westcentralus.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["52.150.136.69/32"], + "controlPlaneNatDestinationAddresses": ["52.150.136.69/32", "13.78.197.240/28"], "extendedInfrastructureDestinationAddresses": ["52.161.34.0/28"], "logBlobStorageDomains": ["dblogprodwcentus.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -956,15 +1237,19 @@ ] }, "westeurope": { - "webappDestinationAddresses": ["52.232.19.246/32", "40.74.30.80/32"], + "webappDestinationAddresses": [ + "52.232.19.246/32", + "40.74.30.80/32", + "20.103.219.240/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["23.97.201.41/32", "51.138.96.158/32"], "sccRelayDomains": [ "tunnel.westeurope.azuredatabricks.net", "tunnel.westeuropec2.azuredatabricks.net" ], "controlPlaneNatDestinationAddresses": [ - "23.100.0.135/32", - "40.74.30.81/32" + "23.100.0.135/32", "40.74.30.81/32", "172.201.83.192/29", "172.211.2.248/29", "172.205.204.120/29", "172.201.84.24/29", "172.211.3.72/29", "172.205.204.128/29", "172.211.67.168/29", "172.201.244.200/29", "172.211.58.192/29" ], "extendedInfrastructureDestinationAddresses": ["20.73.215.48/28"], "logBlobStorageDomains": ["dblogprodwesteurope.blob.core.windows.net"], 
@@ -1014,10 +1299,22 @@ ] }, "westindia": { - "webappDestinationAddresses": ["104.211.89.81/32"], + "webappDestinationAddresses": [ + "104.211.89.81/32", + "104.211.190.96/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["52.172.133.58/32"], "sccRelayDomains": ["tunnel.centralindia.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["104.211.101.14/32"], + "controlPlaneNatDestinationAddresses": [ + "104.211.101.14/32", + "20.244.88.56/29", + "98.70.76.16/29", + "20.198.25.0/29", + "98.70.75.40/29", + "20.198.9.224/29", + "98.70.91.64/29" + ], "extendedInfrastructureDestinationAddresses": ["20.193.246.208/28"], "logBlobStorageDomains": ["dblogprodcindia.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ @@ -1034,12 +1331,15 @@ ] }, "westus": { - "webappDestinationAddresses": ["40.118.174.12/32", "20.42.129.160/32"], + "webappDestinationAddresses": [ + "40.118.174.12/32", + "13.91.180.32/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["40.86.167.110/32"], "sccRelayDomains": ["tunnel.westus.azuredatabricks.net"], "controlPlaneNatDestinationAddresses": [ - "40.83.178.242/32", - "20.42.129.161/32" + "40.83.178.242/32", "52.157.9.208/28", "52.157.9.208/28" ], "extendedInfrastructureDestinationAddresses": ["13.91.84.96/28"], "logBlobStorageDomains": ["dblogprodwestus.blob.core.windows.net"], 
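Review bot: The new `westus` `controlPlaneNatDestinationAddresses` lists `"52.157.9.208/28"` twice, which looks like a copy-paste slip; if a second, distinct prefix was intended, one egress route is silently missing, and if not, the duplicate entry should go. The same hunk drops `"20.42.129.161/32"` from that array and `"20.42.129.160/32"` from `webappDestinationAddresses`; the following `westus2` hunk adds both, which suggests a deliberate move between regions, but a removal from an allowlist deserves a line in the commit message confirming it. `westindia` above uses one prefix per line for the same key while `westus` is collapsed onto a single line; pick one layout.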
@@ -1077,10 +1377,15 @@ ] }, "westus2": { - "webappDestinationAddresses": ["40.118.174.12/32"], + "webappDestinationAddresses": [ + "40.118.174.12/32", + "20.42.129.160/32", + "20.59.51.96/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["40.86.167.110/32"], "sccRelayDomains": ["tunnel.westus.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["40.83.178.242/32"], + "controlPlaneNatDestinationAddresses": ["40.83.178.242/32", "4.149.240.248/29", "20.42.129.161/32", "4.242.19.240/29", "20.115.219.72/29"], "extendedInfrastructureDestinationAddresses": ["13.91.84.96/28"], "logBlobStorageDomains": [ "dblogprodwestus.blob.core.windows.net", @@ -1108,10 +1413,14 @@ ] }, "westus3": { - "webappDestinationAddresses": ["20.150.160.106"], + "webappDestinationAddresses": [ + "20.150.160.106", + "4.227.68.192/28", + "4.150.168.160/28" + ], "sccRelayDestinationAddresses": ["40.86.167.110/32"], "sccRelayDomains": ["tunnel.westus3.azuredatabricks.net"], - "controlPlaneNatDestinationAddresses": ["20.150.160.104"], + "controlPlaneNatDestinationAddresses": ["20.150.160.104", "20.163.31.104/29", "20.168.96.112/29", "20.163.3.56/29", "20.168.96.96/29", "20.163.2.88/29", "20.169.49.96/29"], "extendedInfrastructureDestinationAddresses": ["20.125.82.0/28"], "logBlobStorageDomains": ["dblogprodwestus3.blob.core.windows.net"], "artifactBlobStoragePrimaryDomains": [ diff --git a/templates/workspace_services/databricks/terraform/deploy.sh b/templates/workspace_services/databricks/terraform/deploy.sh old mode 100755 new mode 100644 diff --git a/templates/workspace_services/databricks/terraform/providers.tf b/templates/workspace_services/databricks/terraform/providers.tf index b3699a7..e0fd9fc 100644 --- a/templates/workspace_services/databricks/terraform/providers.tf +++ b/templates/workspace_services/databricks/terraform/providers.tf 
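Review bot: The rewritten `westus3` arrays keep `"20.150.160.106"` and `"20.150.160.104"` without a prefix length while every other entry in these hunks is CIDR (`/32`, `/28`, `/29`); since both arrays are being replaced anyway, this is the moment to normalise them to `"20.150.160.106/32"` and `"20.150.160.104/32"` rather than relying on the consumer treating a bare address as a host route, which is worth confirming. The `westus2` additions `"20.42.129.160/32"` and `"20.42.129.161/32"` are the prefixes removed from `westus` in the previous hunk; if that corrects an earlier copy-paste between the two regions, say so in the commit message.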
@@ -2,19 +2,19 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=3.40.0" + version = "=3.108.0" } azapi = { source = "Azure/azapi" - version = "=1.1.0" + version = "=1.13.1" } databricks = { source = "databricks/databricks" - version = "=1.5.0" + version = "=1.48.0" } dns = { source = "hashicorp/dns" - version = "=3.2.3" + version = "=3.4.1" } } From 0f539938645871dc177aa5f877d8d3590c3dda86 Mon Sep 17 00:00:00 2001 From: Danny Cooke <136708214+Danny-Cooke-CK@users.noreply.github.com> Date: Fri, 7 Jun 2024 14:00:22 +0100 Subject: [PATCH 07/13] Update devcontainer.json --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index e5a133e..04fe9d9 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -12,7 +12,7 @@ "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}", "INTERACTIVE": "true", "OSS_REPO": "microsoft/AzureTRE", - "OSS_VERSION": "v0.17.0" + "OSS_VERSION": "v0.16.0" } }, "runArgs": [ From de9f7914a5fbf6de1d7d5aeccc5e7da2e36b1b5d Mon Sep 17 00:00:00 2001 From: Danny Cooke <136708214+Danny-Cooke-CK@users.noreply.github.com> Date: Sat, 8 Jun 2024 09:44:14 +0100 Subject: [PATCH 08/13] Update devcontainer.json --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 04fe9d9..f91505d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -12,7 +12,7 @@ "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}", "INTERACTIVE": "true", "OSS_REPO": "microsoft/AzureTRE", - "OSS_VERSION": "v0.16.0" + "OSS_VERSION": "v0.15.2" } }, "runArgs": [ From a2f9584a4ff6d6e481cefd54c63de56cb5035bb1 Mon Sep 17 00:00:00 2001 
From: tim-allen-ck Date: Wed, 12 Jun 2024 14:13:17 +0100 Subject: [PATCH 09/13] update --- .gitignore | 2 +- post_deploy.sh | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 post_deploy.sh diff --git a/.gitignore b/.gitignore index e37b17f..63f3ae4 100644 --- a/.gitignore +++ b/.gitignore @@ -420,4 +420,4 @@ FodyWeavers.xsd # Local .terraform directories **/.terraform/* -/letsencrypt/ +letsencrypt/ \ No newline at end of file diff --git a/post_deploy.sh b/post_deploy.sh new file mode 100644 index 0000000..6912666 --- /dev/null +++ b/post_deploy.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +tre_id=$(grep tre_id config.yaml|awk '{print $2}') + +sa_id=$(az storage account show -g rg-${tre_id} -n stweb${tre_id} --query "id"|awk -F\" '{print $2}') +user_id=$(az account show --query "id"|awk -F\" '{print $2}') +user_email=$(az account show --query "user.name"|awk -F\" '{print $2}') + +az role assignment create --role "Storage Blob Data Contributor" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Blob Data Reader" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Table Data Contributor" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Table Data Reader" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Queue Data Contributor" --assignee ${user_email} --scope ${sa_id} +az role assignment create --role "Storage Queue Data Reader" --assignee ${user_email} --scope ${sa_id} +az keyvault set-policy --name kv-${tre_id} --upn ${user_email} --certificate-permissions all +az keyvault set-policy --name kv-${tre_id} --upn ${user_email} --secret-permissions all +az keyvault set-policy --name kv-${tre_id} --upn ${user_email} --key-permissions all + +sleep 60s + +make letsencrypt \ No newline at end of file From 5075ee326bff610d3cfd82d2cab4ad30a9090be5 Mon Sep 17 00:00:00 2001 
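Review bot: The six `az role assignment create` calls and the three `az keyvault set-policy ... all` grants in `post_deploy.sh` give the signed-in user standing data-plane access to `stweb${tre_id}` and `kv-${tre_id}` that the script never removes after `make letsencrypt`, so a one-off certificate step leaves a permanent elevation; narrow the Key Vault grants to what `make letsencrypt` actually needs and add matching cleanup, or a comment explaining why they are meant to persist (the `Reader` roles are also redundant next to the corresponding `Contributor` roles). The script has no `set -euo pipefail`, so a failed `az storage account show` leaves `sa_id` empty and the role assignments run with an empty `--scope` instead of aborting. `user_id` is assigned but never used, and the `awk -F\"` parsing can be replaced by the CLI's own output mode, e.g. `sa_id=$(az storage account show -g "rg-${tre_id}" -n "stweb${tre_id}" --query id --output tsv)`. `grep tre_id config.yaml` matches any key containing that substring; anchor it with `grep '^tre_id:'`.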
From: tim-allen-ck Date: Thu, 13 Jun 2024 10:32:51 +0100 Subject: [PATCH 10/13] add in pipelines --- .github/workflows/deploy_tre_bundle.yml | 86 +++++ .../workflows/deploy_tre_reusable_bundle.yml | 345 ++++++++++++++++++ 2 files changed, 431 insertions(+) create mode 100644 .github/workflows/deploy_tre_bundle.yml create mode 100644 .github/workflows/deploy_tre_reusable_bundle.yml diff --git a/.github/workflows/deploy_tre_bundle.yml b/.github/workflows/deploy_tre_bundle.yml new file mode 100644 index 0000000..9c1e5a0 --- /dev/null +++ b/.github/workflows/deploy_tre_bundle.yml 
@@ -0,0 +1,86 @@ +--- +name: Deploy Azure TRE (Bundle) +# This workflow is the integration build run for pushes to the main branch +# It also runs on a schedule, serving as the nightly build + +on: # yamllint disable-line rule:truthy + workflow_dispatch: + inputs: + environment: + description: The environment to run this workflow in + type: environment + default: Dev + required: true + templateVersion: + type: choice + description: Template Version + options: + - stable + - beta + bundleType: + type: choice + description: Bundle Type + options: + - workspace + - workspace_service + - user_resource + - shared_service + bundleDir: + type: choice + description: Bundle Dir + options: + - workspaces + - workspace_services + - user_resources + - shared_services + bundleName: + type: string + description: Bundle Name + + # bundleDir: + # type: string + # description: Bundle Directory e.g. ./templates/workspaces/base + # default: ./templates/stable/workspaces/airlock-import-review + workspaceName: + type: string + description: Workspace Name (Required if type is user_resource) tre-service-... + +# This will prevent multiple runs of this entire workflow. +# We should NOT cancel in progress runs as that can destabilize the environment. 
+concurrency: "${{ github.workflow }}-${{ github.ref }}" + +jobs: + run-deploy-tre-bundle: + name: "Deploy Bundle" + # if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development' + uses: ./.github/workflows/deploy_tre_reusable_bundle.yml + with: + ciGitRef: ${{ github.ref }} + e2eTestsCustomSelector: >- + ${{ (github.event_name == 'push' && 'extended or extended_aad') + || 'extended or extended_aad or shared_services or airlock' }} + environmentName: ${{ github.event.inputs.environment || 'CICD' }} + E2E_TESTS_NUMBER_PROCESSES: 1 + DEVCONTAINER_TAG: "latest" + bundleType: ${{ inputs.bundleType }} + bundleDir: "./templates/${{ inputs.templateVersion }}/${{ inputs.bundleDir }}/${{ inputs.bundleName }}" + workspaceName: ${{ inputs.workspaceName }} + secrets: + AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }} + ACR_NAME: ${{ secrets.ACR_NAME }} + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }} + API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }} + APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }} + APPLICATION_ADMIN_CLIENT_SECRET: ${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }} + MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }} + MS_TEAMS_WEBHOOK_URI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }} + MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }} + SWAGGER_UI_CLIENT_ID: ${{ secrets.SWAGGER_UI_CLIENT_ID }} + TEST_APP_ID: ${{ secrets.TEST_APP_ID }} + TEST_WORKSPACE_APP_ID: ${{ secrets.TEST_WORKSPACE_APP_ID }} + TEST_WORKSPACE_APP_SECRET: "${{ secrets.TEST_WORKSPACE_APP_SECRET }}" + TEST_ACCOUNT_CLIENT_ID: "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}" + TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}" + TRE_ID: ${{ secrets.TRE_ID }} + CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }} diff --git a/.github/workflows/deploy_tre_reusable_bundle.yml b/.github/workflows/deploy_tre_reusable_bundle.yml new file mode 100644 index 0000000..65d61d9 --- /dev/null 
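Review bot: `bundleName` is a free-text `type: string` input that is concatenated straight into `bundleDir` (`"./templates/${{ inputs.templateVersion }}/${{ inputs.bundleDir }}/${{ inputs.bundleName }}"`) and forwarded to the reusable workflow, where it reaches shell commands, with nothing constraining it to a directory name; a `type: choice` list, or an early step that rejects anything outside `[A-Za-z0-9_-]`, would keep the path inside `./templates`. The `e2eTestsCustomSelector` branch on `github.event_name == 'push'` is unreachable because the only trigger is `workflow_dispatch`, and the `|| 'CICD'` fallback on `environmentName` is likewise dead since the `environment` input is `required: true` with a default of `Dev`; drop the dead branches or add the `push:`/`schedule:` triggers the header comment ("integration build run for pushes to the main branch", "runs on a schedule") still describes. The commented-out `bundleDir` block under `inputs` duplicates the live `bundleDir` choice input and should be removed.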
+++ b/.github/workflows/deploy_tre_reusable_bundle.yml 
@@ -0,0 +1,345 @@ +--- +name: Reusable - Deploy Azure TRE (Bundle) + +on: # yamllint disable-line rule:truthy + workflow_call: + inputs: + bundleDir: + description: e.g. ./templates/stable/workspaces/base + type: string + bundleType: + type: string + description: workspace, workspace_service, user_resource, shared_service + workspaceName: + type: string + description: Required if Bundle Type is user_resource + default: "tre-service-guacamole" + prRef: + description: The git ref to checkout + type: string + required: false + prHeadSha: + description: >- + For PR builds where GITHUB_REF isn't set to the PR (e.g. comment trigger), + pass the PR's head SHA commit here + type: string + required: false + ciGitRef: + description: The git ref to use in annotations to associate a deployment with the code that triggered it + type: string + required: true + e2eTestsCustomSelector: + description: The pytest marker selector for the e2e tests to be run + type: string + default: "" + required: false + environmentName: + description: The name of the Github Action's environment this will deploy into + type: string + required: true + E2E_TESTS_NUMBER_PROCESSES: + description: "" + type: number + required: false + DEVCONTAINER_TAG: + description: "" + type: string + required: true + secrets: + AAD_TENANT_ID: + description: "" + required: true + ACR_NAME: + description: "" + required: true + API_CLIENT_ID: + description: "" + required: true + API_CLIENT_SECRET: + description: "" + required: true + APPLICATION_ADMIN_CLIENT_ID: + description: "" + required: true + APPLICATION_ADMIN_CLIENT_SECRET: + description: "" + required: true + MGMT_RESOURCE_GROUP_NAME: + description: "" + required: true + MS_TEAMS_WEBHOOK_URI: + description: "" + required: true + MGMT_STORAGE_ACCOUNT_NAME: + description: "" + required: true + SWAGGER_UI_CLIENT_ID: + description: "" + required: true + TEST_APP_ID: + description: "" + required: true + TEST_WORKSPACE_APP_ID: + description: "" + required: true + 
TEST_WORKSPACE_APP_SECRET: + description: "" + required: true + TEST_ACCOUNT_CLIENT_ID: + description: "" + required: true + TEST_ACCOUNT_CLIENT_SECRET: + description: "" + required: true + TRE_ID: + description: "" + required: true + CI_CACHE_ACR_NAME: + description: "" + required: false + AZURE_CREDENTIALS: + description: "" + required: true + +# This will prevent multiple runs of this entire workflow. +# We should NOT cancel in progress runs as that can destabilize the environment. +concurrency: "deploy-bundle-${{ inputs.ciGitRef }}" + +jobs: + deploy_management: + name: Deploy Management + runs-on: ubuntu-latest + environment: ${{ inputs.environmentName }} + steps: + - name: Show inputs + run: | + echo "Inputs" + echo "======" + echo "prRef : ${{ inputs.prRef }}" + echo "prRHeadSha : ${{ inputs.prHeadSha }}" + echo "ciGitRef : ${{ inputs.ciGitRef }}" + echo "environment : ${{ inputs.environmentName }}" + echo "bundleType : ${{ inputs.bundleType }}" + echo "bundleDir : ${{ inputs.bundleDir }}" + echo "workspaceName : ${{ inputs.workspaceName }}" + + - name: Check required values + id: check_required_values + # since this is a resuable workflow, required=true secrets will always have a value but it can be empty. 
+ run: | + if [ "${{ secrets.AAD_TENANT_ID }}" == '' ]; then + echo "Missing secret: AAD_TENANT_ID" && exit 1 + fi + if [ "${{ secrets.ACR_NAME }}" == '' ]; then + echo "Missing secret: ACR_NAME" && exit 1 + fi + if [ "${{ secrets.API_CLIENT_ID }}" == '' ]; then + echo "Missing secret: API_CLIENT_ID" && exit 1 + fi + if [ "${{ secrets.API_CLIENT_SECRET }}" == '' ]; then + echo "Missing secret: API_CLIENT_SECRET" && exit 1 + fi + if [ "${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}" == '' ]; then + echo "Missing secret: APPLICATION_ADMIN_CLIENT_ID" && exit 1 + fi + if [ "${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}" == '' ]; then + echo "Missing secret: APPLICATION_ADMIN_CLIENT_SECRET" && exit 1 + fi + if [ "${{ secrets.MGMT_RESOURCE_GROUP_NAME }}" == '' ]; then + echo "Missing secret: MGMT_RESOURCE_GROUP_NAME" && exit 1 + fi + if [ "${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}" == '' ]; then + echo "Missing secret: MGMT_STORAGE_ACCOUNT_NAME" && exit 1 + fi + if [ "${{ secrets.SWAGGER_UI_CLIENT_ID }}" == '' ]; then + echo "Missing secret: SWAGGER_UI_CLIENT_ID" && exit 1 + fi + if [ "${{ secrets.TEST_APP_ID }}" == '' ]; then + echo "Missing secret: TEST_APP_ID" && exit 1 + fi + if [ "${{ secrets.TEST_WORKSPACE_APP_ID }}" == '' ]; then + echo "Missing secret: TEST_WORKSPACE_APP_ID" && exit 1 + fi + if [ "${{ secrets.TEST_WORKSPACE_APP_SECRET }}" == '' ]; then + echo "Missing secret: TEST_WORKSPACE_APP_SECRET" && exit 1 + fi + if [ "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}" == '' ]; then + echo "Missing secret: TEST_ACCOUNT_CLIENT_ID" && exit 1 + fi + if [ "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}" == '' ]; then + echo "Missing secret: TEST_ACCOUNT_CLIENT_SECRET" && exit 1 + fi + if [ "${{ secrets.TRE_ID }}" == '' ]; then + echo "Missing secret: TRE_ID" && exit 1 + fi + if [ "${{ secrets.AZURE_CREDENTIALS }}" == '' ]; then + echo "Missing secret: AZURE_CREDENTIALS" && exit 1 + fi + if [ "${{ inputs.DEVCONTAINER_TAG }}" == '' ]; then + echo "Missing input: DEVCONTAINER_TAG" && 
exit 1 + fi + if [ "${{ vars.LOCATION }}" == '' ]; then + echo "Missing variable: LOCATION" && exit 1 + fi + + - name: Checkout + uses: actions/checkout@v3 + with: + persist-credentials: false + # if the following values are missing (i.e. not triggered via comment workflow) + # then the default checkout will apply + ref: ${{ inputs.prRef }} + + - name: Set up Docker BuildKit + uses: docker/setup-buildx-action@v2 + + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} + + - name: ACR Login + id: ci_cache_cr_login + # will fail if this is a new env which is expected + continue-on-error: true + run: az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" + + - name: Build new devcontainer + env: + DOCKER_BUILDKIT: 1 + run: | + set -e + + USER_UID=$(id -u) + USER_GID=$(id -g) + acr_domain_suffix=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv) + CI_CACHE_ACR_URI=${{ secrets.CI_CACHE_ACR_NAME }}${acr_domain_suffix} + echo "CI_CACHE_ACR_URI=$CI_CACHE_ACR_URI" >> "$GITHUB_ENV" + + docker_cache=() + if [ "${{ steps.ci_cache_cr_login.outcome }}" = "success" ]; then + docker_cache+=(--cache-from "$CI_CACHE_ACR_URI/tredev:${{ inputs.DEVCONTAINER_TAG }}") + docker_cache+=(--cache-from "$CI_CACHE_ACR_URI/tredev:latest") + fi + + docker build . 
"${docker_cache[@]}" \ + -t "tredev:${{ inputs.DEVCONTAINER_TAG }}" -f ".devcontainer/Dockerfile" \ + --build-arg BUILDKIT_INLINE_CACHE=1 --build-arg USER_UID="${USER_UID}" --build-arg USER_GID="${USER_GID}" + + docker image tag tredev:"${{ inputs.DEVCONTAINER_TAG }}" \ + "$CI_CACHE_ACR_URI/tredev:${{ inputs.DEVCONTAINER_TAG }}" + + - name: Deploy management + uses: ./.github/actions/devcontainer_run_command + with: + COMMAND: "make bootstrap mgmt-deploy" + DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} + CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} + TRE_ID: ${{ secrets.TRE_ID }} + LOCATION: ${{ vars.LOCATION }} + ACR_NAME: ${{ secrets.ACR_NAME }} + TERRAFORM_STATE_CONTAINER_NAME: ${{ vars.TERRAFORM_STATE_CONTAINER_NAME }} + MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }} + MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }} + + - name: ACR Login + # failure in the first attempt indicates a new ACR, so we need to try again after it's been created + if: steps.ci_cache_cr_login.outcome != 'success' + run: | + # shellcheck disable=SC2034,SC2015,SC2125 + for i in {1..3}; do + az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" && ec=0 && break || ec=\$? && sleep 10 + done + # shellcheck disable=SC2242 + (exit \$ec) + + - name: Push cached devcontainer + run: docker image push ${{ env.CI_CACHE_ACR_URI }}/tredev:${{ inputs.DEVCONTAINER_TAG }} + + publish_bundles: + name: Publish Bundle + runs-on: ubuntu-latest + needs: [deploy_management] + strategy: + matrix: + include: + - { BUNDLE_TYPE: "${{ inputs.bundleType }}", BUNDLE_DIR: "${{ inputs.bundleDir }}" } + environment: ${{ inputs.environmentName }} + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + persist-credentials: false + # if the following values are missing (i.e. 
not triggered via comment workflow) + # then the default checkout will apply + ref: ${{ inputs.prRef }} + - name: Replace Tags + shell: bash + run: bash ./.github/scripts/replace_tags.sh ${{ matrix.BUNDLE_DIR }} ${{ vars.CUSTOM_TAG_KEY_1 }} ${{ vars.CUSTOM_TAG_KEY_2 }} ${{ vars.CUSTOM_TAG_KEY_3 }} ${{ vars.CUSTOM_TAG_KEY_4 }} ${{ vars.CUSTOM_TAG_KEY_5 }} ${{ vars.CUSTOM_TAG_KEY_6 }} + - name: Replace Tag Enums + shell: bash + run: bash ./.github/scripts/replace_tag_enums.sh ${{ matrix.BUNDLE_DIR }} '${{ vars.CUSTOM_TAG_ENUM_1 }}' '${{ vars.CUSTOM_TAG_ENUM_2 }}' '${{ vars.CUSTOM_TAG_ENUM_3 }}' + - name: Publish ${{ matrix.BUNDLE_TYPE }} bundle + uses: ./.github/actions/devcontainer_run_command + with: + # Although porter publish will build automatically, our makefile build target includes logic that should run + COMMAND: >- + for i in {1..3}; do make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }} + && ec=0 && break || ec=\$? && sleep 30; done; (exit \$ec) + DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} + CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} + ACR_NAME: ${{ secrets.ACR_NAME }} + + register_bundles: + name: Register Bundle + runs-on: ubuntu-latest + # user resource bundles need to wait for their parent resource to be registered. + needs: [publish_bundles] + strategy: + matrix: + include: + - { + BUNDLE_TYPE: "${{ inputs.bundleType }}", + BUNDLE_DIR: "${{ inputs.bundleDir }}", + WORKSPACE_SERVICE_NAME: "${{ inputs.workspaceName }}", + } + environment: ${{ inputs.environmentName }} + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + persist-credentials: false + # if the following values are missing (i.e. 
not triggered via comment workflow) + # then the default checkout will apply + ref: ${{ inputs.prRef }} + - name: Replace Tags + shell: bash + run: bash ./.github/scripts/replace_tags.sh ${{ matrix.BUNDLE_DIR }} ${{ vars.CUSTOM_TAG_KEY_1 }} ${{ vars.CUSTOM_TAG_KEY_2 }} ${{ vars.CUSTOM_TAG_KEY_3 }} ${{ vars.CUSTOM_TAG_KEY_4 }} ${{ vars.CUSTOM_TAG_KEY_5 }} ${{ vars.CUSTOM_TAG_KEY_6 }} + - name: Replace Tag Enums + shell: bash + run: bash ./.github/scripts/replace_tag_enums.sh ${{ matrix.BUNDLE_DIR }} '${{ vars.CUSTOM_TAG_ENUM_1 }}' '${{ vars.CUSTOM_TAG_ENUM_2 }}' '${{ vars.CUSTOM_TAG_ENUM_3 }}' + - name: Register ${{ matrix.BUNDLE_TYPE }} bundle + uses: ./.github/actions/devcontainer_run_command + with: + COMMAND: >- + for i in {1..3}; do make bundle-register DIR=${{ matrix.BUNDLE_DIR }} + && ec=0 && break || ec=\$? && sleep 10; done; (exit \$ec) + DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} + CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} + ACR_NAME: ${{ secrets.ACR_NAME }} + API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" + AAD_TENANT_ID: "${{ secrets.AAD_TENANT_ID }}" + TEST_APP_ID: "${{ secrets.TEST_APP_ID }}" + TEST_ACCOUNT_CLIENT_ID: "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}" + TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}" + TRE_ID: ${{ secrets.TRE_ID }} + LOCATION: ${{ vars.LOCATION }} + BUNDLE_TYPE: ${{ matrix.BUNDLE_TYPE }} + WORKSPACE_SERVICE_NAME: ${{ matrix.WORKSPACE_SERVICE_NAME }} From 33165719f99dba79b6d7c5a076fbc8654556dd6c Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Thu, 13 Jun 2024 10:50:05 +0100 Subject: [PATCH 11/13] update --- .github/workflows/deploy_tre_bundle.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/deploy_tre_bundle.yml b/.github/workflows/deploy_tre_bundle.yml index 9c1e5a0..42c3066 100644 --- a/.github/workflows/deploy_tre_bundle.yml 
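Review bot: `CI_CACHE_ACR_NAME` is declared `required: false` in the `workflow_call` secrets, but `Build new devcontainer`, the retrying `ACR Login` and `Push cached devcontainer` all use it unconditionally, so an empty value yields a registry URI consisting of just the cloud suffix and a confusing failed push rather than a clear error; add it to the `Check required values` step: `if [ "${{ secrets.CI_CACHE_ACR_NAME }}" == '' ]; then echo "Missing secret: CI_CACHE_ACR_NAME" && exit 1; fi`. Separately, `${{ matrix.BUNDLE_DIR }}` and the `vars.CUSTOM_TAG_*` values are expanded directly inside `run:` lines and the `COMMAND:` strings of the Replace Tags, Publish and Register steps; since these reach a shell, the safer pattern is to pass them through `env:` and reference them as quoted shell variables. The third-party actions (`actions/checkout@v3`, `docker/setup-buildx-action@v2`, `azure/login@v1`) are pinned to mutable tags; pinning to a commit SHA is the usual hardening for a workflow that holds deployment credentials.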
+++ b/.github/workflows/deploy_tre_bundle.yml @@ -11,12 +11,6 @@ on: # yamllint disable-line rule:truthy type: environment default: Dev required: true - templateVersion: - type: choice - description: Template Version - options: - - stable - - beta bundleType: type: choice description: Bundle Type @@ -63,7 +57,7 @@ jobs: E2E_TESTS_NUMBER_PROCESSES: 1 DEVCONTAINER_TAG: "latest" bundleType: ${{ inputs.bundleType }} - bundleDir: "./templates/${{ inputs.templateVersion }}/${{ inputs.bundleDir }}/${{ inputs.bundleName }}" + bundleDir: "./templates/${{ inputs.bundleDir }}/${{ inputs.bundleName }}" workspaceName: ${{ inputs.workspaceName }} secrets: AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }} From 030f3ff62732c309485117c9c8d58a1314f054df Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Mon, 24 Jun 2024 12:40:16 +0100 Subject: [PATCH 12/13] update gitignore --- index.html | 2 ++ validation.txt | 1 + 2 files changed, 3 insertions(+) create mode 100644 index.html create mode 100644 validation.txt diff --git a/index.html b/index.html new file mode 100644 index 0000000..e9ed973 --- /dev/null +++ b/index.html @@ -0,0 +1,2 @@ + + diff --git a/validation.txt b/validation.txt new file mode 100644 index 0000000..dac2969 --- /dev/null +++ b/validation.txt @@ -0,0 +1 @@ +7JYHTwibFK2cfPJXIQyspqGLc3hiTouktKkgxk3w3Fw.o_FytN0vSItYWJukImEyyGII5zbY8DXjvH6-ZDsTv6o From f02505816cc0cf5bc9edd0636a0b3f09e21bc906 Mon Sep 17 00:00:00 2001 From: tim-allen-ck Date: Tue, 25 Jun 2024 15:56:34 +0100 Subject: [PATCH 13/13] update --- .github/workflows/deploy_tre_reusable_bundle.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/deploy_tre_reusable_bundle.yml b/.github/workflows/deploy_tre_reusable_bundle.yml index 65d61d9..ce6e806 100644 --- a/.github/workflows/deploy_tre_reusable_bundle.yml +++ b/.github/workflows/deploy_tre_reusable_bundle.yml 
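Review bot: After dropping `templateVersion`, `bundleDir` becomes `"./templates/${{ inputs.bundleDir }}/${{ inputs.bundleName }}"`, but the reusable workflow's `bundleDir` input is still documented as `e.g. ./templates/stable/workspaces/base` and the commented-out block in this file still shows `./templates/stable/workspaces/airlock-import-review`; update both to the new layout, e.g. `description: e.g. ./templates/workspaces/base`. `bundleName` remains an unconstrained string feeding this path, so the validation concern from the file's introduction still stands.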
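Review bot: `validation.txt` holds what looks like an ACME HTTP-01 key authorization (`<token>.<account-key-thumbprint>` form) and `index.html` is empty; both read as artifacts of the `make letsencrypt` step rather than source, and the subject line "update gitignore" describes neither. If they were generated by the certificate flow they belong under the `letsencrypt/` path the previous commit ignored, or in `.gitignore` themselves, not tracked at the repository root; the token is single-use so the exposure is low, but committing generated challenge files means the next run rewrites tracked files.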
@@ -276,12 +276,6 @@ jobs: # if the following values are missing (i.e. not triggered via comment workflow) # then the default checkout will apply ref: ${{ inputs.prRef }} - - name: Replace Tags - shell: bash - run: bash ./.github/scripts/replace_tags.sh ${{ matrix.BUNDLE_DIR }} ${{ vars.CUSTOM_TAG_KEY_1 }} ${{ vars.CUSTOM_TAG_KEY_2 }} ${{ vars.CUSTOM_TAG_KEY_3 }} ${{ vars.CUSTOM_TAG_KEY_4 }} ${{ vars.CUSTOM_TAG_KEY_5 }} ${{ vars.CUSTOM_TAG_KEY_6 }} - - name: Replace Tag Enums - shell: bash - run: bash ./.github/scripts/replace_tag_enums.sh ${{ matrix.BUNDLE_DIR }} '${{ vars.CUSTOM_TAG_ENUM_1 }}' '${{ vars.CUSTOM_TAG_ENUM_2 }}' '${{ vars.CUSTOM_TAG_ENUM_3 }}' - name: Publish ${{ matrix.BUNDLE_TYPE }} bundle uses: ./.github/actions/devcontainer_run_command with: @@ -317,12 +311,6 @@ jobs: # if the following values are missing (i.e. not triggered via comment workflow) # then the default checkout will apply ref: ${{ inputs.prRef }} - - name: Replace Tags - shell: bash - run: bash ./.github/scripts/replace_tags.sh ${{ matrix.BUNDLE_DIR }} ${{ vars.CUSTOM_TAG_KEY_1 }} ${{ vars.CUSTOM_TAG_KEY_2 }} ${{ vars.CUSTOM_TAG_KEY_3 }} ${{ vars.CUSTOM_TAG_KEY_4 }} ${{ vars.CUSTOM_TAG_KEY_5 }} ${{ vars.CUSTOM_TAG_KEY_6 }} - - name: Replace Tag Enums - shell: bash - run: bash ./.github/scripts/replace_tag_enums.sh ${{ matrix.BUNDLE_DIR }} '${{ vars.CUSTOM_TAG_ENUM_1 }}' '${{ vars.CUSTOM_TAG_ENUM_2 }}' '${{ vars.CUSTOM_TAG_ENUM_3 }}' - name: Register ${{ matrix.BUNDLE_TYPE }} bundle uses: ./.github/actions/devcontainer_run_command with: