Add nightly integration testing on AWS (#949)

Author: nfx

docs/guides/aws-workspace.md

@@ -130,7 +130,6 @@ module "vpc" {
   single_nat_gateway   = true
   create_igw           = true
 
-  public_subnets  = [cidrsubnet(var.cidr_block, 3, 0)]
   private_subnets = [cidrsubnet(var.cidr_block, 3, 1),
                      cidrsubnet(var.cidr_block, 3, 2)]
 

scripts/nightly/awsit.tf

@@ -0,0 +1,258 @@
+terraform {
+  required_providers {
+    databricks = {
+      source = "databrickslabs/databricks"
+    }
+  }
+}
+
+provider "aws" {
+  region = local.region
+}
+
+// initialize provider in "MWS" mode to provision new workspace
+provider "databricks" {
+  alias = "mws"
+  host  = "https://accounts.cloud.databricks.com"
+}
+
+data "databricks_aws_assume_role_policy" "this" {
+  provider    = databricks.mws
+  external_id = local.account_id
+}
+
+resource "aws_iam_role" "cross_account_role" {
+  name               = "${local.prefix}-cx-terraform-it"
+  assume_role_policy = data.databricks_aws_assume_role_policy.this.json
+  tags               = local.tags
+}
+
+data "databricks_aws_crossaccount_policy" "this" {
+  provider   = databricks.mws
+  pass_roles = [aws_iam_role.data_role.arn]
+}
+
+resource "aws_iam_role_policy" "this" {
+  name   = "${local.prefix}-cx-terraform-it"
+  role   = aws_iam_role.cross_account_role.id
+  policy = data.databricks_aws_crossaccount_policy.this.json
+}
+
+// register cross-account ARN
+resource "databricks_mws_credentials" "this" {
+  provider         = databricks.mws
+  account_id       = local.account_id
+  role_arn         = aws_iam_role.cross_account_role.arn
+  credentials_name = "${local.prefix}-creds"
+
+  // not explicitly needed by this, but to make sure a smooth deployment
+  depends_on = [aws_iam_role_policy.this]
+}
+
+resource "aws_s3_bucket" "root_storage_bucket" {
+  bucket = "${local.prefix}-cx-terraform-it"
+  acl    = "private"
+  versioning {
+    enabled = false
+  }
+  force_destroy = true
+  tags = merge(local.tags, {
+    Name = "${local.prefix}-cx-terraform-it"
+  })
+}
+
+resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
+  bucket             = aws_s3_bucket.root_storage_bucket.id
+  ignore_public_acls = true
+  depends_on         = [aws_s3_bucket.root_storage_bucket]
+}
+
+data "databricks_aws_bucket_policy" "this" {
+  bucket = aws_s3_bucket.root_storage_bucket.bucket
+}
+
+resource "aws_s3_bucket_policy" "root_bucket_policy" {
+  bucket = aws_s3_bucket.root_storage_bucket.id
+  policy = data.databricks_aws_bucket_policy.this.json
+}
+
+// register root bucket
+resource "databricks_mws_storage_configurations" "this" {
+  provider                   = databricks.mws
+  account_id                 = local.account_id
+  bucket_name                = aws_s3_bucket.root_storage_bucket.bucket
+  storage_configuration_name = "${local.prefix}-cx-terraform-it"
+}
+
+// register VPC
+data "aws_availability_zones" "available" {}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.2.0"
+
+  name = local.prefix
+  cidr = local.cidr_block
+  azs  = data.aws_availability_zones.available.names
+  tags = local.tags
+
+  enable_dns_hostnames = true
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  create_igw           = true
+
+  public_subnets = [cidrsubnet(local.cidr_block, 3, 0)]
+  private_subnets = [cidrsubnet(local.cidr_block, 3, 1),
+  cidrsubnet(local.cidr_block, 3, 2)]
+
+  manage_default_security_group = true
+  default_security_group_name   = "${local.prefix}-sg"
+
+  default_security_group_egress = [{
+    cidr_blocks = "0.0.0.0/0"
+  }]
+
+  default_security_group_ingress = [{
+    description = "Allow all internal TCP and UDP"
+    self        = true
+  }]
+}
+
+resource "databricks_mws_networks" "this" {
+  provider           = databricks.mws
+  account_id         = local.account_id
+  network_name       = "${local.prefix}-network"
+  security_group_ids = [module.vpc.default_security_group_id]
+  subnet_ids         = module.vpc.private_subnets
+  vpc_id             = module.vpc.vpc_id
+}
+
+// create workspace in given VPC with DBFS on root bucket
+resource "databricks_mws_workspaces" "this" {
+  provider        = databricks.mws
+  account_id      = local.account_id
+  aws_region      = local.region
+  workspace_name  = local.prefix
+  deployment_name = local.prefix
+
+  credentials_id           = databricks_mws_credentials.this.credentials_id
+  storage_configuration_id = databricks_mws_storage_configurations.this.storage_configuration_id
+  network_id               = databricks_mws_networks.this.network_id
+}
+
+// initialize provider in normal mode
+provider "databricks" {
+  // in normal scenario you won't have to give providers aliases
+  alias = "created_workspace"
+
+  host = databricks_mws_workspaces.this.workspace_url
+}
+
+// create PAT token to provision entities within workspace
+resource "databricks_token" "pat" {
+  provider = databricks.created_workspace
+  comment  = "Terraform Provisioning"
+  // 1 day token
+  lifetime_seconds = 60 * 60 * 24 * 7
+}
+
+// create bucket for mounting
+resource "aws_s3_bucket" "ds" {
+  bucket = "${local.prefix}-ds"
+  acl    = "private"
+  versioning {
+    enabled = false
+  }
+  force_destroy = true
+  tags = merge(local.tags, {
+    Name = "${local.prefix}-ds"
+  })
+}
+
+data "aws_iam_policy_document" "assume_role_for_ec2" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = ["ec2.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+resource "aws_iam_role" "data_role" {
+  name               = "${local.prefix}-first-ec2s3"
+  description        = "(${local.prefix}) EC2 Assume Role role for S3 access"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_for_ec2.json
+  tags               = local.tags
+}
+
+resource "aws_iam_instance_profile" "this" {
+  name = "${local.prefix}-first-profile"
+  role = aws_iam_role.data_role.name
+}
+
+data "databricks_aws_bucket_policy" "ds" {
+  provider         = databricks.mws
+  full_access_role = aws_iam_role.data_role.arn
+  bucket           = aws_s3_bucket.ds.bucket
+}
+
+// allow databricks to access this bucket
+resource "aws_s3_bucket_policy" "ds" {
+  bucket = aws_s3_bucket.ds.id
+  policy = data.databricks_aws_bucket_policy.ds.json
+}
+
+// block all public access to created bucket
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket             = aws_s3_bucket.ds.id
+  ignore_public_acls = true
+}
+
+resource "aws_s3_bucket_object" "this" {
+  key    = "/dummy-${aws_s3_bucket_public_access_block.this.bucket}/main.tf"
+  bucket = aws_s3_bucket.ds.id
+  source = "${path.module}/main.tf"
+  tags   = local.tags
+}
+
+resource "azurerm_container_group" "aws" {
+  name                = "${local.prefix}-aws-run"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+  tags                = azurerm_resource_group.this.tags
+
+  os_type            = "Linux"
+  restart_policy     = "Never"
+  ip_address_type    = "Private"
+  network_profile_id = azurerm_network_profile.this.id
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.this.id]
+  }
+
+  container {
+    name   = "acceptance"
+    image  = "ghcr.io/databrickslabs/terraform-provider-it:master"
+    cpu    = "2"
+    memory = "2"
+    environment_variables = {
+      CLOUD_ENV                 = "AWS"
+      TEST_FILTER               = "TestAcc"
+      DATABRICKS_HOST           = databricks_mws_workspaces.this.workspace_url
+      TEST_S3_BUCKET            = aws_s3_bucket.ds.bucket
+      TEST_EC2_INSTANCE_PROFILE = aws_iam_instance_profile.this.arn
+    }
+
+    secure_environment_variables = {
+      DATABRICKS_TOKEN = databricks_token.pat.token_value
+    }
+
+    ports {
+      port     = 443
+      protocol = "TCP"
+    }
+  }
+}

scripts/nightly/azureit.tf

@@ -108,7 +108,7 @@ resource "local_file" "function" {
         "name" : "nightly",
         "type" : "timerTrigger",
         "direction" : "in",
-        "schedule" : "0 15 11-17 * * 1-5"
+        "schedule" : "35 11-17 * * 1-5"
       }
     ]
   })
@@ -224,7 +224,7 @@ resource "azurerm_function_app" "azureit" {
     use_32_bit_worker_process   = false
     scm_use_main_ip_restriction = true
     ip_restriction {
-      action = "Allow"
+      action                    = "Allow"
       virtual_network_subnet_id = azurerm_subnet.this.id
     }
   }
@@ -252,7 +252,7 @@ resource "azurerm_container_group" "this" {
     cpu    = "2"
     memory = "2"
     environment_variables = {
-      TEST_FILTER                  = "'^(TestAcc|TestAzureAcc)'"
+      TEST_FILTER                  = "TestAcc"
       CLOUD_ENV                    = "azure"
       ARM_USE_MSI                  = "true"
       DATABRICKS_AZURE_RESOURCE_ID = azurerm_databricks_workspace.this.id

scripts/nightly/main.tf

@@ -1,5 +1,9 @@
 locals {
-  prefix = "dltp${random_string.naming.result}"
+  prefix     = "dltp${random_string.naming.result}"
+  cidr_block = data.external.env.result.TEST_CIDR
+  region     = data.external.env.result.TEST_REGION
+  account_id = data.external.env.result.DATABRICKS_ACCOUNT_ID
+  tags       = azurerm_resource_group.this.tags
 }
 
 data "external" "env" {