Finish AWS PrivateLink guide (#1131)

nfx · web-flow · commit 124519f81021 · 2022-02-21T15:26:50.000+01:00
Follow-up to #1084
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Version changelog
 
+## 0.5.1
+
+* Added an extended documentation from provisioning AWS PrivateLink workspace ([#1084](https://github.com/databrickslabs/terraform-provider-databricks/pull/1084)).
+
 ## 0.5.0
 
 * Added `workspace_url` attribute to the `databricks_current_user` data source ([#1107](https://github.com/databrickslabs/terraform-provider-databricks/pull/1107)).
diff --git a/common/version.go b/common/version.go
@@ -3,7 +3,7 @@ package common
 import "context"
 
 var (
-	version = "0.5.0"
+	version = "0.5.1"
 	// ResourceName is resource name without databricks_ prefix
 	ResourceName contextKey = 1
 	// Provider is the current instance of provider
diff --git a/docs/guides/aws-private-link-workspace.md b/docs/guides/aws-private-link-workspace.md
@@ -1,5 +1,5 @@
 ---
-page_title: "Enable Backend AWS PrivateLink for Databricks Workspace"
+page_title: "Provisioning Databricks on AWS with PrivateLink"
 ---
 
 # Deploying pre-requisite resources and enabling PrivateLink connections (AWS Preview)
@@ -15,16 +15,16 @@ This guide uses the following variables in configurations:
 - `databricks_account_username`: The username an account-level admin uses to log in to  [https://accounts.cloud.databricks.com](https://accounts.cloud.databricks.com).
 - `databricks_account_password`: The password for `databricks_account_username`.
 - `databricks_account_id`: The numeric ID for your Databricks account. When you are logged in, it appears in the bottom left corner of the page.
-- `vpc_id` - The ID for the AWS VPC 
-- `region` - AWS region
-- `security_group_id` - Security groups set up for the existing VPC
-- `subnet_ids` - Existing subnets being used for the customer managed VPC
+- `vpc_id` - The ID for the AWS VPC.
+- `region` - AWS region.
+- `security_group_id` - Security groups set up for the existing VPC.
+- `subnet_ids` - Existing subnets being used for the customer managed VPC.
 - `workspace_vpce_service` - Choose the region-specific service endpoint from this table.
 - `relay_vpce_service` - Choose the region-specific service from this table.
-- `vpce_subnet_cidr` - CIDR range for the subnet chosen for the VPC endpoint
-- `tags` - tags for the Private Link backend setup
-- `root_bucket_name` - AWS bucket name required for [storage mws resource](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_storage_configurations) reference
-- `cross_account_arn` - AWS EC2 role ARN required for [credentials mws resource](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_credentials)
+- `vpce_subnet_cidr` - CIDR range for the subnet chosen for the VPC endpoint.
+- `tags` - tags for the Private Link backend setup.
+- `root_bucket_name` - AWS bucket name required for [databricks_mws_storage_configurations](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_storage_configurations).
+- `cross_account_arn` - AWS EC2 role ARN required for [databricks_mws_credentials](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_credentials).
 
 This guide is provided as-is and you can use this guide as the basis for your custom Terraform module.
 
@@ -44,11 +44,10 @@ Initialize [provider with `mws` alias](https://www.terraform.io/language/provide
 terraform {
   required_providers {
     databricks = {
-      source  = "databrickslabs/databricks"
-      version = "0.5.0"
+      source = "databrickslabs/databricks"
     }
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
       version = "3.49.0"
     }
   }
@@ -58,15 +57,12 @@ provider "aws" {
   region = var.region
 }
 
-// initialize provider in "MWS" mode for provisioning workspace with AWS PrivateLink
 provider "databricks" {
   alias    = "mws"
   host     = "https://accounts.cloud.databricks.com"
   username = var.databricks_account_username
   password = var.databricks_account_password
 }
-
-
 ```
 
 Define the required variables
@@ -75,33 +71,25 @@ Define the required variables
 variable "databricks_account_id" {}
 variable "databricks_account_username" {}
 variable "databricks_account_password" {}
+variable "root_bucket_name" {}
+variable "cross_account_arn" {}
 variable "vpc_id" {}
 variable "region" {}
 variable "security_group_id" {}
-
-// this input variable is of array type
-variable "subnet_ids" {
-  type = list(string)
-}
-
+variable "subnet_ids" { type = list(string) }
 variable "workspace_vpce_service" {}
 variable "relay_vpce_service" {}
 variable "vpce_subnet_cidr" {}
-
-variable "private_dns_enabled" { default = false}
-variable "tags" { default = {}}
-
-// these resources (bucket and IAM role) are assumed created using your AWS provider and the examples here https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_storage_configurations and https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_credentials, respectively.
-variable "root_bucket_name" {}
-variable "cross_account_arn" {}
+variable "private_dns_enabled" { default = false }
+variable "tags" { default = {} }
 
 locals {
   prefix = "private-link-ws"
 }
 ```
 
-## Existing Storage Objects 
-The following object is used in order to reference the storage configuration ID. 
+## Root bucket 
+Create new storage configuration with [databricks_mws_storage_configurations](../resources/mws_storage_configurations.md):
 ```hcl
 resource "databricks_mws_storage_configurations" "this" {
   provider                   = databricks.mws
@@ -111,56 +99,53 @@ resource "databricks_mws_storage_configurations" "this" {
 }
 ```
 
-## Existing IAM Role 
-The following object is used in order to reference the credential configuration ID. 
+## Cross-account IAM role
+Create new cross-account credentials with [databricks_mws_credentials](../resources/mws_credentials.md):
 ```hcl
 resource "databricks_mws_credentials" "this" {
   provider         = databricks.mws
   account_id       = var.databricks_account_id
   role_arn         = var.cross_account_arn
   credentials_name = "${local.prefix}-credentials"
 }
-
 ```
 
-
-## Configure AWS objects
+## Configure networking
 The first step is to create the required AWS objects:
-- A subnet dedicated to your VPC endpoints
+- A subnet dedicated to your VPC endpoints.
 - A security group dedicated to your VPC endpoints and satisfying required inbound/outbound TCP/HTTPS traffic rules on ports 443 and 6666, respectively.
-- Lastly, creation of the private access settings and workspace.
 
 ```hcl
+data "aws_vpc" "prod" {
+  id = var.vpc_id
+}
+
 // this subnet houses the data plane VPC endpoints
 resource "aws_subnet" "dataplane_vpce" {
   vpc_id     = var.vpc_id
   cidr_block = var.vpce_subnet_cidr
 
-  tags = merge(
-    data.aws_vpc.prod.tags,
-    {
-      Name = "${local.prefix}-${data.aws_vpc.prod.id}-pl-vpce"
-    },
-  )
+  tags = merge(data.aws_vpc.prod.tags, {
+    Name = "${local.prefix}-${data.aws_vpc.prod.id}-pl-vpce"
+  })
 }
 
 resource "aws_route_table" "this" {
-    vpc_id = var.vpc_id
-
-    tags = merge(
-    data.aws_vpc.prod.tags,
-    {
-      Name = "${local.prefix}-${data.aws_vpc.prod.id}-pl-local-route-tbl"
-    },
-  )
+  vpc_id = var.vpc_id
+
+  tags = merge(data.aws_vpc.prod.tags, {
+    Name = "${local.prefix}-${data.aws_vpc.prod.id}-pl-local-route-tbl"
+  })
 }
 
 resource "aws_route_table_association" "dataplane_vpce_rtb" {
-    subnet_id = aws_subnet.dataplane_vpce.id
-    route_table_id = aws_route_table.this.id
+  subnet_id      = aws_subnet.dataplane_vpce.id
+  route_table_id = aws_route_table.this.id
 }
 ```
 
+Define security group for data plane VPC endpoint backend/relay connections:
+
 ```hcl
 data "aws_subnet" "ws_vpc_subnets" {
   for_each = toset(var.subnet_ids)
@@ -170,73 +155,66 @@ data "aws_subnet" "ws_vpc_subnets" {
 locals {
   vpc_cidr_blocks = [
     for subnet in data.aws_subnet.ws_vpc_subnets :
-      subnet.cidr_block
-    ]
+    subnet.cidr_block
+  ]
 }
 
-// security group for data plane VPC endpoints for backend/relay connections
 resource "aws_security_group" "dataplane_vpce" {
   name        = "Data Plane VPC endpoint security group"
   description = "Security group shared with relay and workspace endpoints"
   vpc_id      = var.vpc_id
 
   ingress {
-    description      = "Inbound rules"
-    from_port        = 443
-    to_port          = 443
-    protocol         = "tcp"
-    cidr_blocks      = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
+    description = "Inbound rules"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
   }
 
   ingress {
-    description      = "Inbound rules"
-    from_port        = 6666
-    to_port          = 6666
-    protocol         = "tcp"
-    cidr_blocks      = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
+    description = "Inbound rules"
+    from_port   = 6666
+    to_port     = 6666
+    protocol    = "tcp"
+    cidr_blocks = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
   }
 
   egress {
-    description      = "Outbound rules"
-    from_port        = 443
-    to_port          = 443
-    protocol         = "tcp"
-    cidr_blocks      = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
+    description = "Outbound rules"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
   }
 
   egress {
-    description      = "Outbound rules"
-    from_port        = 6666
-    to_port          = 6666
-    protocol         = "tcp"
-    cidr_blocks      = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
+    description = "Outbound rules"
+    from_port   = 6666
+    to_port     = 6666
+    protocol    = "tcp"
+    cidr_blocks = concat([var.vpce_subnet_cidr], local.vpc_cidr_blocks)
   }
 
-  tags = merge(
-    data.aws_vpc.prod.tags,
-    {
-      Name = "${local.prefix}-${data.aws_vpc.prod.id}-pl-vpce-sg-rules"
-    },
-  )
+  tags = merge(data.aws_vpc.prod.tags, {
+    Name = "${local.prefix}-${data.aws_vpc.prod.id}-pl-vpce-sg-rules"
+  })
 }
 ```
 
-```hcl
-data "aws_vpc" "prod" {
-  id    = var.vpc_id
-}
+Run terraform apply twice when configuring PrivateLink: see an [outstanding issue](https://github.com/hashicorp/terraform-provider-aws/issues/7148) for more information.
+* Run 1 - comment the `private_dns_enabled` lines.
+* Run 2 - uncomment the `private_dns_enabled` lines.
 
+```hcl
 resource "aws_vpc_endpoint" "backend_rest" {
   vpc_id             = var.vpc_id
   service_name       = var.workspace_vpce_service
   vpc_endpoint_type  = "Interface"
   security_group_ids = [aws_security_group.dataplane_vpce.id]
   subnet_ids         = [aws_subnet.dataplane_vpce.id]
-  // run terraform apply twice when configuring PrivateLink - see this outstanding issue for understanding why this is required - https://github.com/hashicorp/terraform-provider-aws/issues/7148
-  // Run 1 - comment the `private_dns_enabled` line
-  // Run 2 - uncomment the `private_dns_enabled` line
   // private_dns_enabled = var.private_dns_enabled
-  depends_on         = [aws_subnet.dataplane_vpce]
+  depends_on = [aws_subnet.dataplane_vpce]
 }
 
 resource "aws_vpc_endpoint" "relay" {
@@ -245,14 +223,10 @@ resource "aws_vpc_endpoint" "relay" {
   vpc_endpoint_type  = "Interface"
   security_group_ids = [aws_security_group.dataplane_vpce.id]
   subnet_ids         = [aws_subnet.dataplane_vpce.id]
-  // run terraform apply twice when configuring PrivateLink - see this outstanding issue for understanding why this is required - https://github.com/hashicorp/terraform-provider-aws/issues/7148
-  // Run 1 - comment the `private_dns_enabled` line
-  // Run 2 - uncomment the `private_dns_enabled` line
   // private_dns_enabled = var.private_dns_enabled
-  depends_on         = [aws_subnet.dataplane_vpce]
+  depends_on = [aws_subnet.dataplane_vpce]
 }
 
-
 resource "databricks_mws_vpc_endpoint" "backend_rest_vpce" {
   provider            = databricks.mws
   account_id          = var.databricks_account_id
@@ -270,17 +244,11 @@ resource "databricks_mws_vpc_endpoint" "relay" {
   region              = var.region
   depends_on          = [aws_vpc_endpoint.relay]
 }
-
 ```
 
-## Workspace creation
-
-Once the VPC endpoints are created, they can be supplied in the `databricks_mws_networks` resource for workspace creation with AWS PrivateLink. After the terraform apply is run once (see the comment in the aws_vpc_endpoint resource above), run the terraform apply a second time with the line for private_dns_enabled set to true uncommented to set the proper DNS settings for PrivateLink. For understanding the reason that this needs to be applied twice, see this existing [issue](hashicorp/terraform-provider-aws#7148) in the underlying AWS provider.
-
-The credentials ID which is referenced below is one of the attributes which is created as a result of configuring the cross-account IAM role, which Databricks uses to orchestrate EC2 resources. The credentials are created via [databricks_mws_credentials](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_credentials). Similarly, the storage configuration ID is obtained from the [databricks_mws_storage_configurations](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_storage_configurations) resource.
+Once the VPC endpoints are created, they can be supplied in the [databricks_mws_networks](../resources/mws_networks.md) resource for workspace creation with AWS PrivateLink. After the `terraform apply` is run once (see the comment in the `aws_vpc_endpoint` resource above), run the terraform apply a second time with the line for `private_dns_enabled` set to true uncommented to set the proper DNS settings for PrivateLink. For understanding the reason that this needs to be applied twice, see this existing [issue](https://github.com/hashicorp/terraform-provider-aws/issues/7148) in the underlying AWS provider.
 
 ```hcl
-// Inputs are 2 subnets and one security group from existing VPC that will be used for your Databricks workspace
 resource "databricks_mws_networks" "this" {
   provider           = databricks.mws
   account_id         = var.databricks_account_id
@@ -293,7 +261,13 @@ resource "databricks_mws_networks" "this" {
     rest_api        = [databricks_mws_vpc_endpoint.backend_rest_vpce.vpc_endpoint_id]
   }
 }
+```
+
+## Configure workspace
 
+The credentials ID which is referenced below is one of the attributes which is created as a result of configuring the cross-account IAM role, which Databricks uses to orchestrate EC2 resources. The credentials are created via [databricks_mws_credentials](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_credentials). Similarly, the storage configuration ID is obtained from the [databricks_mws_storage_configurations](https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_storage_configurations) resource.
+
+```hcl
 resource "databricks_mws_private_access_settings" "pas" {
   provider                     = databricks.mws
   account_id                   = var.databricks_account_id
@@ -316,4 +290,3 @@ resource "databricks_mws_workspaces" "this" {
   depends_on                 = [databricks_mws_networks.this]
 }
 ```
-
diff --git a/docs/resources/mws_networks.md b/docs/resources/mws_networks.md
@@ -113,6 +113,7 @@ In addition to all arguments above, the following attributes are exported:
 The following resources are used in the same context:
 
 * [Provisioning Databricks on AWS](../guides/aws-workspace.md) guide.
+* [Provisioning Databricks on AWS with PrivateLink](../guides/aws-private-link-workspace.md) guide.
 * [Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection](../guides/aws-e2-firewall-hub-and-spoke.md) guide.
 * [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) to register [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) resources with Databricks such that they can be used as part of a [databricks_mws_networks](mws_networks.md) configuration.
 * [databricks_mws_private_access_settings](mws_private_access_settings.md) to create a [Private Access Setting](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html#step-5-create-a-private-access-settings-configuration-using-the-databricks-account-api) that can be used as part of a [databricks_mws_workspaces](mws_workspaces.md) resource to create a [Databricks Workspace that leverages AWS PrivateLink](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html).
diff --git a/docs/resources/mws_private_access_settings.md b/docs/resources/mws_private_access_settings.md
@@ -65,6 +65,7 @@ In addition to all arguments above, the following attributes are exported:
 The following resources are used in the same context:
 
 * [Provisioning Databricks on AWS](../guides/aws-workspace.md) guide.
+* [Provisioning Databricks on AWS with PrivateLink](../guides/aws-private-link-workspace.md) guide.
 * [Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection](../guides/aws-e2-firewall-hub-and-spoke.md) guide.
 * [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) to register [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) resources with Databricks such that they can be used as part of a [databricks_mws_networks](mws_networks.md) configuration.
 * [databricks_mws_networks](mws_networks.md) to [configure VPC](https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html) & subnets for new workspaces within AWS.
diff --git a/docs/resources/mws_storage_configurations.md b/docs/resources/mws_storage_configurations.md
@@ -54,6 +54,7 @@ In addition to all arguments above, the following attributes are exported:
 The following resources are used in the same context:
 
 * [Provisioning Databricks on AWS](../guides/aws-workspace.md) guide.
+* [Provisioning Databricks on AWS with PrivateLink](../guides/aws-private-link-workspace.md) guide.
 * [databricks_mws_credentials](mws_credentials.md) to configure the cross-account role for creation of new workspaces within AWS.
 * [databricks_mws_customer_managed_keys](mws_customer_managed_keys.md) to configure KMS keys for new workspaces within AWS.
 * [databricks_mws_log_delivery](mws_log_delivery.md) to configure delivery of [billable usage logs](https://docs.databricks.com/administration-guide/account-settings/billable-usage-delivery.html) and [audit logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html).
diff --git a/docs/resources/mws_vpc_endpoint.md b/docs/resources/mws_vpc_endpoint.md
@@ -152,6 +152,7 @@ In addition to all arguments above, the following attributes are exported:
 The following resources are used in the same context:
 
 * [Provisioning Databricks on AWS](../guides/aws-workspace.md) guide.
+* [Provisioning Databricks on AWS with PrivateLink](../guides/aws-private-link-workspace.md) guide.
 * [Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection](../guides/aws-e2-firewall-hub-and-spoke.md) guide.
 * [databricks_mws_networks](mws_networks.md) to [configure VPC](https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html) & subnets for new workspaces within AWS.
 * [databricks_mws_private_access_settings](mws_private_access_settings.md) to create a [Private Access Setting](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html#step-5-create-a-private-access-settings-configuration-using-the-databricks-account-api) that can be used as part of a [databricks_mws_workspaces](mws_workspaces.md) resource to create a [Databricks Workspace that leverages AWS PrivateLink](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html).
diff --git a/docs/resources/mws_workspaces.md b/docs/resources/mws_workspaces.md
@@ -249,6 +249,7 @@ You can reset local DNS caches before provisioning new workspaces with one of th
 The following resources are used in the same context:
 
 * [Provisioning Databricks on AWS](../guides/aws-workspace.md) guide.
+* [Provisioning Databricks on AWS with PrivateLink](../guides/aws-private-link-workspace.md) guide.
 * [Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection](../guides/aws-e2-firewall-hub-and-spoke.md) guide.
 * [databricks_mws_credentials](mws_credentials.md) to configure the cross-account role for creation of new workspaces within AWS.
 * [databricks_mws_customer_managed_keys](mws_customer_managed_keys.md) to configure KMS keys for new workspaces within AWS.
