Added preview for networks for GCP PSC (#2089)

jessiedu-db · web-flow · commit 82954cc434eb · 2023-03-13T22:35:29.000+01:00
diff --git a/docs/resources/mws_networks.md b/docs/resources/mws_networks.md
@@ -153,14 +153,35 @@ resource "databricks_mws_networks" "this" {
   gcp_network_info {
     network_project_id    = var.google_project
     vpc_id                = google_compute_network.dbx_private_vpc.name
-    subnet_id             = google_compute_subnetwork.network-with-private-secondary-ip-ranges.name
-    subnet_region         = google_compute_subnetwork.network-with-private-secondary-ip-ranges.region
+    subnet_id             = google_compute_subnetwork.network_with_private_secondary_ip_ranges.name
+    subnet_region         = google_compute_subnetwork.network_with_private_secondary_ip_ranges.region
     pod_ip_range_name     = "pods"
     service_ip_range_name = "svc"
   }
 }
 ```
 
+In order to create a VPC [that leverages GCP Private Service Connect](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/private-service-connect.html) you would need to add the `vpc_endpoint_id` Attributes from [mws_vpc_endpoint](mws_vpc_endpoint.md) resources into the [databricks_mws_networks](databricks_mws_networks.md) resource. For example:
+
+```hcl
+resource "databricks_mws_networks" "this" {
+  account_id   = var.databricks_account_id
+  network_name = "test-demo-${random_string.suffix.result}"
+  gcp_network_info {
+    network_project_id    = var.google_project
+    vpc_id                = google_compute_network.dbx_private_vpc.name
+    subnet_id             = google_compute_subnetwork.network_with_private_secondary_ip_ranges.name
+    subnet_region         = google_compute_subnetwork.network_with_private_secondary_ip_ranges.region
+    pod_ip_range_name     = "pods"
+    service_ip_range_name = "svc"
+  }
+  vpc_endpoints {
+    dataplane_relay = [databricks_mws_vpc_endpoint.relay.vpc_endpoint_id]
+    rest_api        = [databricks_mws_vpc_endpoint.workspace.vpc_endpoint_id]
+  }
+}
+```
+
 ## Modifying networks on running workspaces (AWS only)
 
 Due to specifics of platform APIs, changing any attribute of network configuration would cause `databricks_mws_networks` to be re-created - deleted & added again with special case for running workspaces. Once network configuration is attached to a running [databricks_mws_workspaces](mws_workspaces.md), you cannot delete it and `terraform apply` would result in `INVALID_STATE: Unable to delete, Network is being used by active workspace X` error. In order to modify any attributes of a network, you have to perform three different `terraform apply` steps:
@@ -178,7 +199,7 @@ The following arguments are available:
 * `vpc_id` - (AWS only) [aws_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) id
 * `subnet_ids` - (AWS only) ids of [aws_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet)
 * `security_group_ids` - (AWS only) ids of [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group)
-* `vpc_endpoints` - (Optional, AWS only) mapping of [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) for PrivateLink connections
+* `vpc_endpoints` - (Optional) mapping of [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) for PrivateLink or Private Service Connect connections
 * `gcp_network_info` - (GCP only) a block consists of Google Cloud specific information for this network, for example the VPC ID, subnet ID, and secondary IP ranges. It has the following fields:
   * `network_project_id` - The Google Cloud project ID of the VPC network.
   * `vpc_id` - The ID of the VPC associated with this network. VPC IDs can be used in multiple network configurations.
@@ -209,5 +230,5 @@ The following resources are used in the same context:
 * [Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection](../guides/aws-e2-firewall-hub-and-spoke.md) guide.
 * [Provisioning Databricks on GCP](../guides/gcp-workspace.md) guide.
 * [databricks_mws_vpc_endpoint](mws_vpc_endpoint.md) to register [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) resources with Databricks such that they can be used as part of a [databricks_mws_networks](mws_networks.md) configuration.
-* [databricks_mws_private_access_settings](mws_private_access_settings.md) to create a [Private Access Setting](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html#step-5-create-a-private-access-settings-configuration-using-the-databricks-account-api) that can be used as part of a [databricks_mws_workspaces](mws_workspaces.md) resource to create a [Databricks Workspace that leverages AWS PrivateLink](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html).
+* [databricks_mws_private_access_settings](mws_private_access_settings.md) to create a Private Access Setting that can be used as part of a [databricks_mws_workspaces](mws_workspaces.md) resource to create a [Databricks Workspace that leverages AWS PrivateLink](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html) or [GCP Private Service Connect] (https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/private-service-connect.html).
 * [databricks_mws_workspaces](mws_workspaces.md) to set up [workspaces in E2 architecture on AWS](https://docs.databricks.com/getting-started/overview.html#e2-architecture-1).
diff --git a/internal/acceptance/mws_networks_test.go b/internal/acceptance/mws_networks_test.go
@@ -22,3 +22,25 @@ func TestMwsAccNetworks(t *testing.T) {
 		}`,
 	})
 }
+
+func TestMwsAccGcpPscNetworks(t *testing.T) {
+	accountLevel(t, step{
+		Template: `
+		resource "databricks_mws_networks" "my_network" {
+			account_id   = "{env.DATABRICKS_ACCOUNT_ID}"
+			network_name = "network-test-{var.RANDOM}"
+			gcp_network_info {
+			  network_project_id = "{env.GOOGLE_PROJECT}"
+			  vpc_id = "{env.VPC_NETWORK_ID}"
+			  subnet_id = "{env.SUBNET_ID}"
+			  subnet_region = "{env.GOOGLE_REGION}"
+			  pod_ip_range_name = "{env.POD_IP_RANGE_NAME}"
+			  service_ip_range_name = "{env.SVC_IP_RANGE_NAME}"
+            }
+            vpc_endpoints {
+        	  rest_api = ["{env.REST_API_VPCE_ID}"]
+        	  dataplane_relay = ["{env.RELAY_VPCE_ID}"]
+            }
+		}`,
+	})
+}
diff --git a/mws/resource_mws_networks.go b/mws/resource_mws_networks.go
@@ -80,8 +80,7 @@ func ResourceMwsNetworks() *schema.Resource {
 		s["vpc_id"].ExactlyOneOf = []string{"vpc_id", "gcp_network_info"}
 		s["subnet_ids"].ExactlyOneOf = []string{"subnet_ids", "gcp_network_info"}
 		s["security_group_ids"].ExactlyOneOf = []string{"security_group_ids", "gcp_network_info"}
-		s["vpc_endpoints"].ConflictsWith = []string{"gcp_network_info"}
-		s["gcp_network_info"].ConflictsWith = []string{"vpc_id", "subnet_ids", "security_group_ids", "vpc_endpoints"}
+		s["gcp_network_info"].ConflictsWith = []string{"vpc_id", "subnet_ids", "security_group_ids"}
 
 		return s
 	})
diff --git a/mws/resource_mws_networks_test.go b/mws/resource_mws_networks_test.go
@@ -54,7 +54,7 @@ func TestResourceNetworkCreate(t *testing.T) {
 }
 
 func TestResourceNetworkCreate_GCP(t *testing.T) {
-	d, err := qa.ResourceFixture{
+	qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "POST",
@@ -102,9 +102,67 @@ func TestResourceNetworkCreate_GCP(t *testing.T) {
         }
 		`,
 		Create: true,
-	}.Apply(t)
-	assert.NoError(t, err)
-	assert.Equal(t, "abc/nid", d.Id())
+	}.ApplyNoError(t)
+}
+
+func TestResourceNetworkCreate_GCPPsc(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/accounts/abc/networks",
+				ExpectedRequest: Network{
+					AccountID:   "abc",
+					NetworkName: "Open Workers",
+					GcpNetworkInfo: &GcpNetworkInfo{
+						NetworkProjectId:   "project_a",
+						VpcId:              "vpc_a",
+						SubnetId:           "subnet_a",
+						SubnetRegion:       "region_a",
+						PodIpRangeName:     "pods",
+						ServiceIpRangeName: "svc",
+					},
+					VPCEndpoints: &NetworkVPCEndpoints{
+						RestAPI:           []string{"rest_api_endpoint"},
+						DataplaneRelayAPI: []string{"dataplane_relay_endpoint"},
+					},
+				},
+				Response: Network{
+					AccountID: "abc",
+					NetworkID: "nid",
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/accounts/abc/networks/nid",
+				Response: Network{
+					NetworkID:        "nid",
+					SecurityGroupIds: []string{"one", "two"},
+					NetworkName:      "Open Workers",
+					VPCID:            "five",
+					SubnetIds:        []string{"four", "three"},
+				},
+			},
+		},
+		Resource: ResourceMwsNetworks(),
+		HCL: `
+		account_id = "abc"
+		network_name = "Open Workers"
+		gcp_network_info {
+			network_project_id = "project_a"
+			vpc_id = "vpc_a"
+			subnet_id = "subnet_a"
+			subnet_region = "region_a"
+			pod_ip_range_name = "pods"
+			service_ip_range_name = "svc"
+		}
+        vpc_endpoints {
+        	rest_api = ["rest_api_endpoint"]
+        	dataplane_relay = ["dataplane_relay_endpoint"]
+        }
+		`,
+		Create: true,
+	}.ApplyNoError(t)
 }
 
 func TestResourceNetworkCreate_ConflictErrors(t *testing.T) {
@@ -135,7 +193,6 @@ func TestResourceNetworkCreate_ConflictErrors(t *testing.T) {
 	assert.ErrorContains(t, err, "[gcp_network_info] Conflicting configuration arguments")
 	assert.ErrorContains(t, err, "[security_group_ids] Invalid combination of arguments")
 	assert.ErrorContains(t, err, "[subnet_ids] Invalid combination of arguments")
-	assert.ErrorContains(t, err, "[vpc_endpoints] Conflicting configuration arguments")
 	assert.ErrorContains(t, err, "[vpc_id] Invalid combination of arguments")
 }
 
