Added support for vpc endpoint on GCP preview (#2080)

Author: jessiedu-db

docs/resources/mws_vpc_endpoint.md

@@ -7,12 +7,14 @@ subcategory: "Deployment"
 
 -> **Note** This resource has an evolving API, which will change in the upcoming versions of the provider in order to simplify user experience.
 
-Enables you to register [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) resources with Databricks such that they can be used as part of a [databricks_mws_networks](mws_networks.md) configuration.
+Enables you to register [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) resources or gcp vpc_endpoint resources with Databricks such that they can be used as part of a [databricks_mws_networks](mws_networks.md) configuration.
 
-It is strongly recommended that customers read the [Enable Private Link](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html) documentation before trying to leverage this resource.
+It is strongly recommended that customers read the [Enable AWS Private Link](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html) or the [Enable GCP Private Service Connect](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/private-service-connect.html) documentation before trying to leverage this resource.
 
 ## Example Usage
 
+### Databricks on AWS usage
+
 Before using this resource, you will need to create the necessary VPC Endpoints as per your [VPC endpoint requirements](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html#vpc-endpoint-requirements). You can use the [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) resource for this, for example:
 
 ```hcl
@@ -107,23 +109,96 @@ resource "databricks_mws_workspaces" "this" {
 }
 ```
 
+### Databricks on GCP usage
+
+Before using this resource, you will need to create the necessary Private Service Connect (PSC) connections on your Google Cloud VPC networks. You can see [Enable Private Service Connect for your workspace](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/private-service-connect.html) for more details. 
+
+Once you have created the necessary PSC connections, you need to register each of them via *this* Terraform resource, which calls out to the Databricks Account API.
+
+```hcl
+variable "databricks_account_id" {
+  description = "Account Id that could be found in https://accounts.gcp.databricks.com/"
+}
+variable "databricks_google_service_account" {}
+variable "google_project" {}
+variable "subnet_region" {}
+
+provider "databricks" {
+  alias = "mws"
+  host  = "https://accounts.gcp.databricks.com"
+}
+
+resource "databricks_mws_vpc_endpoint" "workspace" {
+  provider            = databricks.mws
+  account_id          = var.databricks_account_id
+  vpc_endpoint_name   = "PSC Rest API endpoint"
+  gcp_vpc_endpoint_info {
+    project_id        = var.google_project
+    psc_endpoint_name = "PSC Rest API endpoint"
+    endpoint_region   = var.subnet_region
+  }
+}
+
+resource "databricks_mws_vpc_endpoint" "relay" {
+  provider            = databricks.mws
+  account_id          = var.databricks_account_id
+  vpc_endpoint_name   = "PSC Relay endpoint"
+  gcp_vpc_endpoint_info {
+    project_id        = var.google_project
+    psc_endpoint_name = "PSC Relay endpoint"
+    endpoint_region   = var.subnet_region
+  }
+}
+```
+
+Typically the next steps after this would be to create a [databricks_mws_private_access_settings](mws_private_access_settings.md) and [databricks_mws_networks](mws_networks.md) configuration, before passing the `databricks_mws_private_access_settings.pas.private_access_settings_id` and `databricks_mws_networks.this.network_id` into a [databricks_mws_workspaces](mws_workspaces.md) resource:
+
+```hcl
+resource "databricks_mws_workspaces" "this" {
+  provider                   = databricks.mws
+  account_id                 = var.databricks_account_id
+  workspace_name             = "gcp workspace"
+  location                   = var.subnet_region
+  cloud_resource_container {
+    gcp {
+      project_id = var.google_project
+    }
+  }
+  gke_config {
+    connectivity_type = "PRIVATE_NODE_PUBLIC_MASTER"
+    master_ip_range   = "10.3.0.0/28"
+  }
+  network_id                 = databricks_mws_networks.this.network_id
+  private_access_settings_id = databricks_mws_private_access_settings.pas.private_access_settings_id
+  pricing_tier               = "PREMIUM"
+  depends_on                 = [databricks_mws_networks.this]
+}
+```
+
 ## Argument Reference
 
 The following arguments are required:
 
-* `account_id` - Account Id that could be found in the bottom left corner of [Accounts Console](https://accounts.cloud.databricks.com/)
-* `aws_vpc_endpoint_id` - ID of configured [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint)
+* `account_id` - Account Id that could be found in the Accounts Console for [AWS](https://accounts.cloud.databricks.com/) or [GCP](https://accounts.gcp.databricks.com/)
+* `aws_vpc_endpoint_id` - (AWS only) ID of configured [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint)
 * `vpc_endpoint_name` - Name of VPC Endpoint in Databricks Account
-* `region` - Region of AWS VPC
+* `region` - (AWS only) Region of AWS VPC
+* `gcp_vpc_endpoint_info` - (GCP only) a block consists of Google Cloud specific information for this PSC endpoint. It has the following fields:
+  * `project_id` - The Google Cloud project ID of the VPC network where the PSC connection resides.
+  * `psc_endpoint_name` - The name of the PSC endpoint in the Google Cloud project.
+  * `endpoint_region` - Region of the PSC endpoint.
 
 ## Attribute Reference
 
 In addition to all arguments above, the following attributes are exported:
 
 * `vpc_endpoint_id` - Canonical unique identifier of VPC Endpoint in Databricks Account
-* `aws_endpoint_service_id` - The ID of the Databricks endpoint service that this VPC endpoint is connected to. Please find the list of endpoint service IDs for each supported region in the [Databricks PrivateLink documentation](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html)
-* `state` - State of VPC Endpoint
-
+* `aws_endpoint_service_id` - (AWS Only) The ID of the Databricks endpoint service that this VPC endpoint is connected to. Please find the list of endpoint service IDs for each supported region in the [Databricks PrivateLink documentation](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html)
+* `state` - (AWS Only) State of VPC Endpoint
+* `gcp_vpc_endpoint_info`- (GCP only) a block consists of Google Cloud specific information for this PSC endpoint. It has the following fields exported:
+  * `psc_connection_id` - The unique ID of this PSC connection.
+  * `service_attachment_id` - The service attachment this PSC connection connects to.
+ 
 ## Import
 
 -> **Note** Importing this resource is not currently supported.

internal/acceptance/mws_vpc_endpoint_test.go

@@ -17,3 +17,20 @@ func TestMwsAccVpcEndpoint(t *testing.T) {
 		}`,
 	})
 }
+
+func TestMwsAccVpcEndpoint_GCP(t *testing.T) {
+	accountLevel(t, step{
+		Template: `
+		resource "databricks_mws_vpc_endpoint" "this" {
+			account_id = "{env.DATABRICKS_ACCOUNT_ID}"
+			vpc_endpoint_name = "vpce-{var.RANDOM}"
+            
+            gcp_vpc_endpoint_info {
+			  project_id = "{env.GOOGLE_PROJECT}"
+			  psc_endpoint_name = "{env.TEST_RELAY_PSC_ENDPOINT}"
+			  endpoint_region = "{env.GOOGLE_REGION}"
+        }
+
+		}`,
+	})
+}

mws/mws.go

@@ -72,17 +72,27 @@ type Network struct {
 	GcpNetworkInfo   *GcpNetworkInfo      `json:"gcp_network_info,omitempty"`
 }
 
+// GcpVpcEndpointInfo is the objecy that configures GCP Private Service Connect endpoints.
+type GcpVpcEndpointInfo struct {
+	PscConnectionId     string `json:"psc_connection_id,omitempty" tf:"computed"`
+	ProjectId           string `json:"project_id"`
+	PscEndpointName     string `json:"psc_endpoint_name"`
+	EndpointRegion      string `json:"endpoint_region"`
+	ServiceAttachmentId string `json:"service_attachment_id,omitempty" tf:"computed"`
+}
+
 // VPCEndpoint is the object that contains all the information for registering an VPC endpoint
 type VPCEndpoint struct {
-	VPCEndpointID           string `json:"vpc_endpoint_id,omitempty" tf:"computed"`
-	AwsVPCEndpointID        string `json:"aws_vpc_endpoint_id"`
-	AccountID               string `json:"account_id,omitempty"`
-	VPCEndpointName         string `json:"vpc_endpoint_name"`
-	AwsVPCEndpointServiceID string `json:"aws_endpoint_service_id,omitempty" tf:"computed"`
-	AWSAccountID            string `json:"aws_account_id,omitempty" tf:"computed"`
-	UseCase                 string `json:"use_case,omitempty" tf:"computed"`
-	Region                  string `json:"region"`
-	State                   string `json:"state,omitempty" tf:"computed"`
+	VPCEndpointID           string              `json:"vpc_endpoint_id,omitempty" tf:"computed"`
+	AwsVPCEndpointID        string              `json:"aws_vpc_endpoint_id,omitempty"`
+	AccountID               string              `json:"account_id,omitempty"`
+	VPCEndpointName         string              `json:"vpc_endpoint_name"`
+	AwsVPCEndpointServiceID string              `json:"aws_endpoint_service_id,omitempty" tf:"computed"`
+	AWSAccountID            string              `json:"aws_account_id,omitempty" tf:"computed"`
+	UseCase                 string              `json:"use_case,omitempty" tf:"computed"`
+	Region                  string              `json:"region,omitempty"`
+	State                   string              `json:"state,omitempty" tf:"computed"`
+	GcpVpcEndpointInfo      *GcpVpcEndpointInfo `json:"gcp_vpc_endpoint_info,omitempty"`
 }
 
 // PrivateAccessSettings (PAS) is the object that contains all the information for creating an PrivateAccessSettings (PAS)

mws/resource_mws_vpc_endpoint.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
 // NewVPCEndpointAPI creates VPCEndpointAPI instance from provider meta
@@ -36,6 +35,9 @@ func (a VPCEndpointAPI) Create(vpcEndpoint *VPCEndpoint) error {
 		if err != nil {
 			return resource.NonRetryableError(err)
 		}
+		if ve.GcpVpcEndpointInfo != nil {
+			return nil
+		}
 		switch state := strings.ToLower(ve.State); state {
 		case "available":
 			return nil
@@ -75,7 +77,11 @@ func (a VPCEndpointAPI) List(mwsAcctID string) ([]VPCEndpoint, error) {
 func ResourceMwsVpcEndpoint() *schema.Resource {
 	s := common.StructToSchema(VPCEndpoint{}, func(s map[string]*schema.Schema) map[string]*schema.Schema {
 		// nolint
-		s["vpc_endpoint_name"].ValidateFunc = validation.StringLenBetween(4, 256)
+		s["aws_vpc_endpoint_id"].ExactlyOneOf = []string{"aws_vpc_endpoint_id", "gcp_vpc_endpoint_info"}
+		s["region"].ExactlyOneOf = []string{"region", "gcp_vpc_endpoint_info"}
+		s["aws_endpoint_service_id"].ConflictsWith = []string{"gcp_vpc_endpoint_info"}
+		s["aws_account_id"].ConflictsWith = []string{"gcp_vpc_endpoint_info"}
+		s["gcp_vpc_endpoint_info"].ConflictsWith = []string{"aws_vpc_endpoint_id", "region", "aws_endpoint_service_id", "aws_account_id"}
 		return s
 	})
 	p := common.NewPairSeparatedID("account_id", "vpc_endpoint_id", "/")

mws/resource_mws_vpc_endpoint_test.go

@@ -54,6 +54,78 @@ func TestResourceVPCEndpointCreate(t *testing.T) {
 	assert.Equal(t, "abc/ve_id", d.Id())
 }
 
+func TestResourceVPCEndpointCreate_GCP(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/accounts/abc/vpc-endpoints",
+				ExpectedRequest: VPCEndpoint{
+					AccountID:       "abc",
+					VPCEndpointName: "ve_name",
+					GcpVpcEndpointInfo: &GcpVpcEndpointInfo{
+						ProjectId:       "project_a",
+						PscEndpointName: "psc_endpoint_a",
+						EndpointRegion:  "region_a",
+					},
+				},
+				Response: VPCEndpoint{
+					VPCEndpointID: "ve_id",
+				},
+			},
+			{
+				Method:       "GET",
+				Resource:     "/api/2.0/accounts/abc/vpc-endpoints/ve_id",
+				ReuseRequest: true,
+				Response: VPCEndpoint{
+					AccountID:       "abc",
+					VPCEndpointName: "ve_name",
+					GcpVpcEndpointInfo: &GcpVpcEndpointInfo{
+						ProjectId:           "project_a",
+						PscEndpointName:     "psc_endpoint_a",
+						EndpointRegion:      "region_a",
+						PscConnectionId:     "120938102938209",
+						ServiceAttachmentId: "service_attachment_a",
+					},
+				},
+			},
+		},
+		Resource: ResourceMwsVpcEndpoint(),
+		HCL: `
+		account_id = "abc"
+		vpc_endpoint_name = "ve_name"
+		gcp_vpc_endpoint_info {
+			project_id = "project_a"
+			psc_endpoint_name = "psc_endpoint_a"
+			endpoint_region = "region_a"
+        }
+		`,
+		Create: true,
+	}.ApplyNoError(t)
+}
+
+func TestResourceVPCEndpointCreate_ConflictErrors(t *testing.T) {
+	_, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{},
+		Resource: ResourceMwsVpcEndpoint(),
+		HCL: `
+		account_id = "abc"
+		vpc_endpoint_name = "ve_name"
+		region = "ar"
+		aws_vpc_endpoint_id = "ave_id"
+		gcp_vpc_endpoint_info {
+			project_id = "project_a"
+			psc_endpoint_name = "psc_endpoint_a"
+			endpoint_region = "region_a"
+        }
+		`,
+		Create: true,
+	}.Apply(t)
+	assert.ErrorContains(t, err, "[gcp_vpc_endpoint_info] Conflicting configuration arguments")
+	assert.ErrorContains(t, err, "[region] Invalid combination of arguments")
+	assert.ErrorContains(t, err, "[aws_vpc_endpoint_id] Invalid combination of arguments")
+}
+
 func TestResourceVPCEndpointCreate_Error(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{