Updated databricks_mws_private_access_settings (#883)

nfx · web-flow · commit 58d257bb1632 · 2021-10-29T19:44:24.000+02:00
* Added `private_access_level` and `allowed_vpc_endpoint_ids`
* Made it possible to edit existing `databricks_mws_private_access_settings`
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Version changelog
 
+## 0.3.10
+
+* Added `private_access_level` and `allowed_vpc_endpoint_ids` to `databricks_mws_private_access_settings` resource, which is also now updatable ([#867](https://github.com/databrickslabs/terraform-provider-databricks/issues/867)).
+
 ## 0.3.9
 
 * Added initial support for multiple task orchestration in `databricks_job` [#853](https://github.com/databrickslabs/terraform-provider-databricks/pull/853)
diff --git a/docs/resources/mws_private_access_settings.md b/docs/resources/mws_private_access_settings.md
@@ -50,6 +50,8 @@ The following arguments are available:
 * `private_access_settings_name` - Name of Private Access Settings in Databricks Account
 * `public_access_enabled` (Boolean, Optional, `false` by default) - If `true`, the [databricks_mws_workspaces](mws_workspaces.md) can be accessed over the [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) as well as over the public network. In such a case, you could also configure an [databricks_ip_access_list](ip_access_list.md) for the workspace, to restrict the source networks that could be used to access it over the public network. If `false` (default), the workspace can be accessed only over VPC endpoints, and not over the public network.
 * `region` - Region of AWS VPC
+* `private_access_level` - (Optional) The private access level controls which VPC endpoints can connect to the UI or API of any workspace that attaches this private access settings object. `ANY` level access _(default)_ lets any [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) connect to your [databricks_mws_workspaces](mws_workspaces.md). `ACCOUNT` level access lets only [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) that are registered in your Databricks account connect to your [databricks_mws_workspaces](mws_workspaces.md). `ENDPOINT` level access lets only specified [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) connect to your workspace. Please see the `allowed_vpc_endpoint_ids` documentation for more details.
+* `allowed_vpc_endpoint_ids` - (Optional) An array of [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md#vpc_endpoint_id) `vpc_endpoint_id` (not `id`). Only used when `private_access_level` is set to `ENDPOINT`. This is an allow list of [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) that in your account that can connect to your [databricks_mws_workspaces](mws_workspaces.md) over AWS PrivateLink. If hybrid access to your workspace is enabled by setting `public_access_enabled` to true, then this control only works for PrivateLink connections. To control how your workspace is accessed via public internet, see the article for [databricks_ip_access_list](ip_access_list.md).
 
 ## Attribute Reference
 
diff --git a/mws/mws.go b/mws/mws.go
@@ -166,12 +166,14 @@ type VPCEndpoint struct {
 
 // PrivateAccessSettings (PAS) is the object that contains all the information for creating an PrivateAccessSettings (PAS)
 type PrivateAccessSettings struct {
-	AccountID           string `json:"account_id,omitempty"`
-	PasID               string `json:"private_access_settings_id,omitempty" tf:"computed"`
-	PasName             string `json:"private_access_settings_name"`
-	Region              string `json:"region"`
-	Status              string `json:"status,omitempty" tf:"computed"`
-	PublicAccessEnabled bool   `json:"public_access_enabled,omitempty"`
+	AccountID             string   `json:"account_id,omitempty"`
+	PasID                 string   `json:"private_access_settings_id,omitempty" tf:"computed"`
+	PasName               string   `json:"private_access_settings_name"`
+	Region                string   `json:"region"`
+	Status                string   `json:"status,omitempty" tf:"computed"`
+	PublicAccessEnabled   bool     `json:"public_access_enabled,omitempty"`
+	PrivateAccessLevel    string   `json:"private_access_level,omitempty" tf:"default:ANY"`
+	AllowedVpcEndpointIDS []string `json:"allowed_vpc_endpoint_ids,omitempty"`
 }
 
 type externalCustomerInfo struct {
diff --git a/mws/resource_mws_pas.go b/mws/resource_mws_pas.go
@@ -35,6 +35,11 @@ func (a PrivateAccessSettingsAPI) Read(mwsAcctID, pasID string) (PrivateAccessSe
 	return pas, err
 }
 
+func (a PrivateAccessSettingsAPI) Update(pas *PrivateAccessSettings) error {
+	pasAPIPath := fmt.Sprintf("/accounts/%s/private-access-settings/%s", pas.AccountID, pas.PasID)
+	return a.client.Put(a.context, pasAPIPath, pas)
+}
+
 // Delete deletes the PAS object given a pas id
 func (a PrivateAccessSettingsAPI) Delete(mwsAcctID, pasID string) error {
 	pasAPIPath := fmt.Sprintf("/accounts/%s/private-access-settings/%s", mwsAcctID, pasID)
@@ -85,6 +90,18 @@ func ResourcePrivateAccessSettings() *schema.Resource {
 			}
 			return common.StructToData(pas, s, d)
 		},
+		Update: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			_, pasID, err := p.Unpack(d)
+			if err != nil {
+				return err
+			}
+			var pas PrivateAccessSettings
+			if err := common.DataToStructPointer(d, s, &pas); err != nil {
+				return err
+			}
+			pas.PasID = pasID
+			return NewPrivateAccessSettingsAPI(ctx, c).Update(&pas)
+		},
 		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
 			accountID, pasID, err := p.Unpack(d)
 			if err != nil {
diff --git a/mws/resource_mws_pas_test.go b/mws/resource_mws_pas_test.go
@@ -49,9 +49,10 @@ func TestResourcePASCreate(t *testing.T) {
 				Method:   "POST",
 				Resource: "/api/2.0/accounts/abc/private-access-settings",
 				ExpectedRequest: PrivateAccessSettings{
-					AccountID: "abc",
-					Region:    "ar",
-					PasName:   "pas_name",
+					AccountID:          "abc",
+					Region:             "ar",
+					PasName:            "pas_name",
+					PrivateAccessLevel: "ANY",
 				},
 				Response: PrivateAccessSettings{
 					PasID: "pas_id",
@@ -173,6 +174,48 @@ func TestResourcePAS_Error(t *testing.T) {
 	assert.Equal(t, "abc/pas_id", d.Id(), "Id should not be empty for error reads")
 }
 
+func TestResourcePAS_Update(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "PUT",
+				Resource: "/api/2.0/accounts/abc/private-access-settings/pas_id",
+				ExpectedRequest: PrivateAccessSettings{
+					Region:                "eu-west-1",
+					PublicAccessEnabled:   true,
+					PrivateAccessLevel:    "ENDPOINT",
+					AccountID:             "abc",
+					PasID:                 "pas_id",
+					PasName:               "pas_name",
+					AllowedVpcEndpointIDS: []string{"a", "b"},
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/accounts/abc/private-access-settings/pas_id",
+				Response: PrivateAccessSettings{
+					Region:              "eu-west-1",
+					PublicAccessEnabled: true,
+					AccountID:           "abc",
+					PasID:               "pas_id",
+					PasName:             "pas_name",
+				},
+			},
+		},
+		Resource: ResourcePrivateAccessSettings(),
+		Update:   true,
+		ID:       "abc/pas_id",
+		HCL: `
+		account_id = "abc"
+		private_access_settings_name = "pas_name"
+		public_access_enabled = true
+		region = "eu-west-1"
+		private_access_level = "ENDPOINT"
+		allowed_vpc_endpoint_ids = ["a", "b"]
+		`,
+	}.ApplyNoError(t)
+}
+
 func TestResourcePASDelete(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
