Rework adb-exfiltration-protection module based on the practical usage (#93)

Changes include:

- Added `dns` provider to resolve FQDNs into IP Addresses to simplify configuration
- SCC Relay & Metastore are now lists of FQDNs instead of IP addresses - that's required
  for bigger regions like, West Europe
- Added variable for extended infrastructure IP range
- Moved ADB EventHubs into a separate variable and made it a list of FQDNs (also required
  for bigger regions. Moved handling of EventHubs traffic to the network rules because we
  need to handle port 9093
- Added a variable to control if we should skip routing of SCC traffic via firewall or not
- Added a possibility to add/override tags
- Bumped Databricks provider version

`adb-with-private-links-exfiltration-protection` will be changed as well after this PR is merged.

Author: alexott

examples/adb-exfiltration-protection/main.tf

@@ -1,23 +1,27 @@
 /**
- * Azure Databricks workspace in custom VNet
+ * Azure Databricks workspace in custom VNet with traffic routed via firewall in the Hub VNet
  *
  * Module creates:
  * * Resource group with random prefix
  * * Tags, including `Owner`, which is taken from `az account show --query user`
- * * VNet with public and private subnet
+ * * VNet with public and private subnet for Databricks
+ * * VNet with subnet for deployment of Azure Firewall
+ * * Azure Firewall with access enabled to Databricks-related resources
  * * Databricks workspace
  */
 
 module "adb-exfiltration-protection" {
-  source       = "github.com/databricks/terraform-databricks-examples/modules/adb-exfiltration-protection"
-  hubcidr          = var.hubcidr
-  spokecidr        = var.spokecidr
-  no_public_ip     = var.no_public_ip
-  rglocation       = var.rglocation
-  metastoreip      = var.metastoreip
-  sccip            = var.sccip
-  webappip         = var.webappip
-  dbfs_prefix      = var.dbfs_prefix
-  workspace_prefix = var.workspace_prefix
-  firewallfqdn     = var.firewallfqdn
-}
+  source            = "../../modules/adb-exfiltration-protection"
+  hubcidr           = var.hubcidr
+  spokecidr         = var.spokecidr
+  no_public_ip      = var.no_public_ip
+  rglocation        = var.rglocation
+  metastore         = var.metastore
+  scc_relay         = var.scc_relay
+  webapp_ips        = var.webapp_ips
+  extended_infra_ip = var.extended_infra_ip
+  dbfs_prefix       = var.dbfs_prefix
+  workspace_prefix  = var.workspace_prefix
+  firewallfqdn      = var.firewallfqdn
+  eventhubs         = var.eventhubs
+}

examples/adb-exfiltration-protection/terraform.tfvars

@@ -1,16 +1,57 @@
-hubcidr          = "10.178.0.0/20"
-spokecidr        = "10.179.0.0/20"
-no_public_ip     = true
-rglocation       = "southeastasia"
-metastoreip      = "40.78.233.2"
-sccip            = "52.230.27.216/32" // get scc ip from nslookup 
-webappip         = "52.187.145.107/32"
-dbfs_prefix      = "dbfs"
-workspace_prefix = "adb"
-firewallfqdn = [                                                      // dbfs rule will be added - depends on dbfs storage name
-  "dbartifactsprodseap.blob.core.windows.net",                        //databricks artifacts
-  "dbartifactsprodeap.blob.core.windows.net",                         //databricks artifacts secondary
-  "dblogprodseasia.blob.core.windows.net",                            //log blob
-  "prod-southeastasia-observabilityeventhubs.servicebus.windows.net", //eventhub
-  "cdnjs.com",                                                        //ganglia
+hubcidr      = "10.178.0.0/20"
+spokecidr    = "10.179.0.0/20"
+no_public_ip = true
+rglocation   = "westeurope"
+metastore = ["consolidated-westeurope-prod-metastore.mysql.database.azure.com",
+  "consolidated-westeurope-prod-metastore-addl-1.mysql.database.azure.com",
+  "consolidated-westeurope-prod-metastore-addl-2.mysql.database.azure.com",
+  "consolidated-westeurope-prod-metastore-addl-3.mysql.database.azure.com",
+  "consolidated-westeuropec2-prod-metastore-0.mysql.database.azure.com",
+  "consolidated-westeuropec2-prod-metastore-1.mysql.database.azure.com",
+  "consolidated-westeuropec2-prod-metastore-2.mysql.database.azure.com",
+  "consolidated-westeuropec2-prod-metastore-3.mysql.database.azure.com",
 ]
+// get from https://learn.microsoft.com/en-us/azure/databricks/resources/supported-regions#--metastore-artifact-blob-storage-system-tables-blob-storage-log-blob-storage-and-event-hub-endpoint-ip-addresses
+scc_relay  = ["tunnel.westeurope.azuredatabricks.net", "tunnel.westeuropec2.azuredatabricks.net"]
+webapp_ips = ["52.230.27.216/32", "40.74.30.80/32"]
+eventhubs = ["prod-westeurope-observabilityeventhubs.servicebus.windows.net",
+  "prod-westeuc2-observabilityeventhubs.servicebus.windows.net",
+]
+extended_infra_ip = "20.73.215.48/28"
+dbfs_prefix       = "dbfs"
+workspace_prefix  = "adb"
+firewallfqdn = [                                 // dbfs rule will be added - depends on dbfs storage name
+  "dbartifactsprodwesteu.blob.core.windows.net", //databricks artifacts
+  "arprodwesteua1.blob.core.windows.net",
+  "arprodwesteua2.blob.core.windows.net",
+  "arprodwesteua3.blob.core.windows.net",
+  "arprodwesteua4.blob.core.windows.net",
+  "arprodwesteua5.blob.core.windows.net",
+  "arprodwesteua6.blob.core.windows.net",
+  "arprodwesteua7.blob.core.windows.net",
+  "arprodwesteua8.blob.core.windows.net",
+  "arprodwesteua9.blob.core.windows.net",
+  "arprodwesteua10.blob.core.windows.net",
+  "arprodwesteua11.blob.core.windows.net",
+  "arprodwesteua12.blob.core.windows.net",
+  "arprodwesteua13.blob.core.windows.net",
+  "arprodwesteua14.blob.core.windows.net",
+  "arprodwesteua15.blob.core.windows.net",
+  "arprodwesteua16.blob.core.windows.net",
+  "arprodwesteua17.blob.core.windows.net",
+  "arprodwesteua18.blob.core.windows.net",
+  "arprodwesteua19.blob.core.windows.net",
+  "arprodwesteua20.blob.core.windows.net",
+  "arprodwesteua21.blob.core.windows.net",
+  "arprodwesteua22.blob.core.windows.net",
+  "arprodwesteua23.blob.core.windows.net",
+  "arprodwesteua24.blob.core.windows.net",
+  "dbartifactsprodnortheu.blob.core.windows.net", //databricks artifacts secondary
+  "ucstprdwesteu.blob.core.windows.net",          // system tables storage
+  "dblogprodwesteurope.blob.core.windows.net",    //log blob
+  "cdnjs.com",                                    //ganglia
+  // Azure monitor
+  "global.handler.control.monitor.azure.com",
+  "westeurope.handler.control.monitor.azure.com",
+]
+

examples/adb-exfiltration-protection/variables.tf

@@ -1,45 +1,64 @@
 variable "hubcidr" {
+  description = "IP range for creaiton of the Spoke VNet"
   type    = string
   default = "10.178.0.0/20"
 }
 
 variable "spokecidr" {
+  description = "IP range for creaiton of the Hub VNet"
   type    = string
   default = "10.179.0.0/20"
 }
 
 variable "no_public_ip" {
+  description = "If workspace should be created with No-Public-IP"
   type    = bool
   default = true
 }
 
 variable "rglocation" {
+  description = "Location of resource group"
   type    = string
-  default = "southeastasia"
 }
 
-variable "metastoreip" {
-  type = string
+variable "metastore" {
+  description = "List of FQDNs for Azure Databricks Metastore databases"
+  type = list(string)
 }
 
-variable "sccip" {
-  type = string
+variable "scc_relay" {
+  description = "List of FQDNs for Azure Databricks Secure Cluster Connectivity relay"
+  type = list(string)
+}
+
+variable "webapp_ips" {
+  description = "List of IP ranges for Azure Databricks Webapp"
+  type = list(string)
 }
 
-variable "webappip" {
+variable "extended_infra_ip" {
+  description = "IP range for Azure Databricks extended infrastructure"
   type = string
 }
 
+variable "eventhubs" {
+  description = "List of FQDNs for Azure Databricks EventHubs traffic"
+  type = list(string)
+}
+
 variable "dbfs_prefix" {
+  description = "Prefix for DBFS storage account name"
   type    = string
   default = "dbfs"
 }
 
 variable "workspace_prefix" {
+  description = "Prefix for workspace name"
   type    = string
   default = "adb"
 }
 
 variable "firewallfqdn" {
   type = list(any)
+  description = "List of domains names to put into application rules for handling of HTTPS traffic (Databricks storage accounts, etc.)"
 }

examples/adb-exfiltration-protection/versions.tf

@@ -3,12 +3,17 @@ terraform {
   required_providers {
     databricks = {
       source  = "databricks/databricks"
-      version = ">=0.5.1"
+      version = ">=1.20.0"
     }
-
     azurerm = {
       source  = "hashicorp/azurerm"
       version = ">=2.83.0"
     }
+    random = {
+      source = "hashicorp/random"
+    }
+    dns = {
+      source = "hashicorp/dns"
+    }
   }
 }

modules/adb-exfiltration-protection/README.md

@@ -2,7 +2,7 @@
 
 This template provides an example deployment of: Hub-Spoke networking with egress firewall to control all outbound traffic from Databricks subnets. Details are described in: https://databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html
 
-With this setup, you can setup firewall rules to block / allow egress traffic from your Databricks clusters. You can also use firewall to block all access to storage accounts, and use private endpoint connection to bypass this firewall, such that you allow access only to specific storage accounts.  
+With this setup, you can setup firewall rules to block / allow egress traffic from your Databricks clusters. You can also use firewall to block all access to storage accounts, and use private endpoint connection to bypass this firewall, such that you allow access only to specific storage accounts.
 
 
 To find IP and FQDN for your deployment, go to: https://docs.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/udr
@@ -20,7 +20,7 @@ Resources to be created:
 
 ## How to use
 
-> **Note**  
+> **Note**
 > You can customize this module by adding, deleting or updating the Azure resources to adapt the module to your requirements.
 > A deployment example using this module can be found in [examples/adb-exfiltration-protection](../../examples/adb-exfiltration-protection)
 
@@ -35,18 +35,19 @@ Resources to be created:
 
 ## How to fill in variable values
 
-Most of the values are to be found at: https://docs.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/udr
+Most of the values are to be found at: https://learn.microsoft.com/en-us/azure/databricks/resources/supported-regions and https://docs.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/udr
 
-In `variables.tfvars`, set these variables:
-
-metastoreip      = "40.78.233.2" # find your metastore service ip
-
-sccip            = "52.230.27.216" # use nslookup on the domain name to find the ip
-
-webappip         = "52.187.145.107/32" # given at UDR page
-
-firewallfqdn = ["dbartifactsprodseap.blob.core.windows.net","dbartifactsprodeap.blob.core.windows.net","dblogprodseasia.blob.core.windows.net","prod-southeastasia-observabilityeventhubs.servicebus.windows.net","cdnjs.com"] # find these for your region, follow Databricks blog tutorial.
+In `variables.tfvars`, set these variables (bigger regions have multiple instances of each service):
 
+```hcl
+metastore         = ["consolidated-westeurope-prod-metastore.mysql.database.azure.com"]
+scc_relay         = ["tunnel.westeurope.azuredatabricks.net"]
+webapp_ips        = ["52.230.27.216/32"] # given at UDR page
+extended_infra_ip = "20.73.215.48/28"
+eventhubs         = ["prod-westeurope-observabilityeventhubs.servicebus.windows.net"]
+# find these for your region, follow Databricks blog tutorial.
+firewallfqdn = ["dbartifactsprodseap.blob.core.windows.net","dbartifactsprodeap.blob.core.windows.net","dblogprodseasia.blob.core.windows.net","cdnjs.com"]
+```
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
@@ -63,6 +64,7 @@ firewallfqdn = ["dbartifactsprodseap.blob.core.windows.net","dbartifactsprodeap.
 | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm)    | 2.83.0  |
 | <a name="provider_external"></a> [external](#provider\_external) | 2.2.0   |
 | <a name="provider_random"></a> [random](#provider\_random)       | 3.1.0   |
+| <a name="provider_dns"></a> [dns](#provider\_dns)                | 3.3.0   |
 
 ## Modules
 
@@ -102,16 +104,20 @@ No modules.
 
 | Name                                                                                                           | Description | Type        | Default           | Required |
 | -------------------------------------------------------------------------------------------------------------- | ----------- | ----------- | ----------------- | :------: |
+| <a name="input_bypass_scc_relay"></a> [bypass\_scc\_relay](#input\_bypass\_scc\_relay)                         | n/a         | `bool`      | `true`          |    no    |
 | <a name="input_dbfs_prefix"></a> [dbfs\_prefix](#input\_dbfs\_prefix)                                          | n/a         | `string`    | `"dbfs"`          |    no    |
-| <a name="input_firewallfqdn"></a> [firewallfqdn](#input\_firewallfqdn)                                         | n/a         | `list(any)` | n/a               |   yes    |
+| <a name="input_extended_infra_ip"></a> [extended_infra_ip](#input\_extended_infra_ip)                          | n/a         | `string` | n/a               |   yes    |
+| <a name="input_eventhubs"></a> [eventhubs](#input\_eventhubs)                                                  | n/a         | `list(string)` | n/a               |   yes    |
+| <a name="input_firewallfqdn"></a> [firewallfqdn](#input\_firewallfqdn)                                         | n/a         | `list(string)` | n/a               |   yes    |
 | <a name="input_hubcidr"></a> [hubcidr](#input\_hubcidr)                                                        | n/a         | `string`    | `"10.178.0.0/20"` |    no    |
-| <a name="input_metastoreip"></a> [metastoreip](#input\_metastoreip)                                            | n/a         | `string`    | n/a               |   yes    |
+| <a name="input_metastore"></a> [metastore](#input\_metastore)                                                  | n/a         | `list(string)`    | n/a               |   yes    |
 | <a name="input_no_public_ip"></a> [no\_public\_ip](#input\_no\_public\_ip)                                     | n/a         | `bool`      | `true`            |    no    |
 | <a name="input_private_subnet_endpoints"></a> [private\_subnet\_endpoints](#input\_private\_subnet\_endpoints) | n/a         | `list`      | `[]`              |    no    |
 | <a name="input_rglocation"></a> [rglocation](#input\_rglocation)                                               | n/a         | `string`    | `"southeastasia"` |    no    |
-| <a name="input_sccip"></a> [sccip](#input\_sccip)                                                              | n/a         | `string`    | n/a               |   yes    |
+| <a name="input_scc_relay"></a> [scc_relay](#input\_scc_relay)                                                  | n/a         | `list(string)`    | n/a               |   yes    |
 | <a name="input_spokecidr"></a> [spokecidr](#input\_spokecidr)                                                  | n/a         | `string`    | `"10.179.0.0/20"` |    no    |
-| <a name="input_webappip"></a> [webappip](#input\_webappip)                                                     | n/a         | `string`    | n/a               |   yes    |
+| <a name="input_tags"></a> [tags](#input\_tags)                                                                 | n/a         | `map`    | `{}`               |   no    |
+| <a name="input_webappip"></a> [webappip](#input\_webappip)                                                     | n/a         | `list(string)`    | n/a               |   yes    |
 | <a name="input_workspace_prefix"></a> [workspace\_prefix](#input\_workspace\_prefix)                           | n/a         | `string`    | `"adb"`           |    no    |
 
 ## Outputs
@@ -125,4 +131,4 @@ No modules.
 | <a name="output_databricks_azure_workspace_resource_id"></a> [databricks\_azure\_workspace\_resource\_id](#output\_databricks\_azure\_workspace\_resource\_id) | n/a         |
 | <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group)                                                                               | n/a         |
 | <a name="output_workspace_url"></a> [workspace\_url](#output\_workspace\_url)                                                                                  | n/a         |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->