Switch to use service principal auth instead of username/password (#142)

alexott · nkvuong · web-flow · commit 8fd666643bad · 2024-07-05T11:56:32.000+02:00
* Switch to use service principal auth instead of username/password Fixes #141 * Update examples/aws-databricks-flat/networks_special.tf Co-authored-by: vuong-nguyen <44292934+nkvuong@users.noreply.github.com> * Update examples/aws-databricks-modular-privatelink/README.md Co-authored-by: vuong-nguyen <44292934+nkvuong@users.noreply.github.com> * Update examples/aws-databricks-flat/modules/mws_network/versions.tf Co-authored-by: vuong-nguyen <44292934+nkvuong@users.noreply.github.com> * Update examples/aws-databricks-uc/README.md Co-authored-by: vuong-nguyen <44292934+nkvuong@users.noreply.github.com> --------- Co-authored-by: vuong-nguyen <44292934+nkvuong@users.noreply.github.com>
diff --git a/examples/aws-databricks-flat/modules/mws_network/variables.tf b/examples/aws-databricks-flat/modules/mws_network/variables.tf
@@ -3,12 +3,14 @@ variable "existing_vpc_id" {
   type = string
 }
 
-variable "databricks_account_username" {
-  type = string
+variable "databricks_account_client_id" {
+  type        = string
+  description = "Application ID of account-level service principal"
 }
 
-variable "databricks_account_password" {
-  type = string
+variable "databricks_account_client_secret" {
+  type        = string
+  description = "Client secret of account-level service principal"
 }
 
 variable "databricks_account_id" {
diff --git a/examples/aws-databricks-flat/modules/mws_network/versions.tf b/examples/aws-databricks-flat/modules/mws_network/versions.tf
@@ -13,8 +13,10 @@ provider "aws" {
 
 // initialize provider in "MWS" mode to provision new workspace
 provider "databricks" {
-  alias    = "mws"
-  host     = "https://accounts.cloud.databricks.com"
-  username = var.databricks_account_username
-  password = var.databricks_account_password
+  alias         = "mws"
+  host          = "https://accounts.cloud.databricks.com"
+  client_id     = var.databricks_account_client_id
+  client_secret = var.databricks_account_client_secret
+  account_id    = var.databricks_account_id
+  auth_type      = "oauth-m2m"
 }
diff --git a/examples/aws-databricks-flat/networks_special.tf b/examples/aws-databricks-flat/networks_special.tf
@@ -74,14 +74,14 @@ resource "aws_security_group" "test_sg" {
 }
 
 module "my_mws_network" {
-  source                      = "./modules/mws_network"
-  existing_vpc_id             = aws_vpc.mainvpc.id
-  databricks_account_username = var.databricks_account_username
-  databricks_account_password = var.databricks_account_password
-  databricks_account_id       = var.databricks_account_id
-  region                      = var.region
-  aws_nat_gateway_id          = aws_nat_gateway.nat_gateways[0].id
-  private_subnet_pair         = var.private_subnet_pair
-  security_group_ids          = [aws_security_group.test_sg.id]
-  prefix                      = local.prefix
+  source                           = "./modules/mws_network"
+  existing_vpc_id                  = aws_vpc.mainvpc.id
+  databricks_account_client_id     = var.databricks_account_client_id
+  databricks_account_client_secret = var.databricks_account_client_secret
+  databricks_account_id            = var.databricks_account_id
+  region                           = var.region
+  aws_nat_gateway_id               = aws_nat_gateway.nat_gateways[0].id
+  private_subnet_pair              = var.private_subnet_pair
+  security_group_ids               = [aws_security_group.test_sg.id]
+  prefix                           = local.prefix
 }
diff --git a/examples/aws-databricks-flat/providers.tf b/examples/aws-databricks-flat/providers.tf
@@ -13,10 +13,11 @@ provider "aws" {
 
 // initialize provider in "MWS" mode to provision new workspace
 provider "databricks" {
-  alias    = "mws"
-  host     = "https://accounts.cloud.databricks.com"
-  username = var.databricks_account_username
-  password = var.databricks_account_password
+  alias         = "mws"
+  host          = "https://accounts.cloud.databricks.com"
+  account_id    = var.databricks_account_id
+  client_id     = var.databricks_account_client_id
+  client_secret = var.databricks_account_client_secret
 }
 
 // initialize provider in normal mode
diff --git a/examples/aws-databricks-flat/variables.tf b/examples/aws-databricks-flat/variables.tf
@@ -1,9 +1,11 @@
-variable "databricks_account_username" {
-  type = string
+variable "databricks_account_client_id" {
+  type        = string
+  description = "Application ID of account-level service principal"
 }
 
-variable "databricks_account_password" {
-  type = string
+variable "databricks_account_client_secret" {
+  type        = string
+  description = "Client secret of account-level service principal"
 }
 
 variable "databricks_account_id" {
diff --git a/examples/aws-databricks-modular-privatelink/README.md b/examples/aws-databricks-modular-privatelink/README.md
@@ -54,9 +54,9 @@ This modular design also allows customer to deploy, manage and delete `individua
 > Step 1: Clone this repo to local, set environment variables for `aws` and `databricks` providers authentication:
     
 ```bash
-export TF_VAR_databricks_account_username=your_username
-export TF_VAR_databricks_account_password=your_password
-export TF_VAR_databricks_account_id=your_databricks_E2_account_id
+export TF_VAR_databricks_account_client_id=your_account_level_spn_application_id
+export TF_VAR_databricks_account_client_secret=your_account_level_spn_secret
+export TF_VAR_databricks_account_id=your_databricks_account_id
 
 export AWS_ACCESS_KEY_ID=your_aws_role_access_key_id
 export AWS_SECRET_ACCESS_KEY=your_aws_role_secret_access_key
@@ -260,8 +260,8 @@ By default, the instance profile you created from the above steps is only access
 | ----------------------------------------------------------------------------------------------------------------------- | ----------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: |
 | <a name="input_cmk_admin"></a> [cmk\_admin](#input\_cmk\_admin)                                                         | cmk         | `string`       | `"arn:aws:iam::026655378770:user/hao"`                                                                                                                                                                                                                                                                                                                                                                                                                                                            |    no    |
 | <a name="input_databricks_account_id"></a> [databricks\_account\_id](#input\_databricks\_account\_id)                   | n/a         | `string`       | n/a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |   yes    |
-| <a name="input_databricks_account_password"></a> [databricks\_account\_password](#input\_databricks\_account\_password) | n/a         | `string`       | n/a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |   yes    |
-| <a name="input_databricks_account_username"></a> [databricks\_account\_username](#input\_databricks\_account\_username) | n/a         | `string`       | n/a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |   yes    |
+| <a name="input_databricks_account_client_secret"></a> [databricks\_account\_password](#input\_databricks\_account\_client\_secret) | n/a         | `string`       | n/a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |   yes    |
+| <a name="input_databricks_account_client_id"></a> [databricks\_account\_client_id](#input\_databricks\_account\_client\_id) | n/a         | `string`       | n/a                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |   yes    |
 | <a name="input_privatelink_subnets_cidr"></a> [privatelink\_subnets\_cidr](#input\_privatelink\_subnets\_cidr)          | n/a         | `list(string)` | <pre>[<br>  "10.109.4.0/23"<br>]</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                            |    no    |
 | <a name="input_public_subnets_cidr"></a> [public\_subnets\_cidr](#input\_public\_subnets\_cidr)                         | n/a         | `list(string)` | <pre>[<br>  "10.109.2.0/23"<br>]</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                            |    no    |
 | <a name="input_region"></a> [region](#input\_region)                                                                    | n/a         | `string`       | `"ap-southeast-1"`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |    no    |
@@ -278,4 +278,4 @@ By default, the instance profile you created from the above steps is only access
 | -------------------------------------------------------------------------------------- | ----------- |
 | <a name="output_arn"></a> [arn](#output\_arn)                                          | n/a         |
 | <a name="output_databricks_hosts"></a> [databricks\_hosts](#output\_databricks\_hosts) | n/a         |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/examples/aws-databricks-modular-privatelink/providers.tf b/examples/aws-databricks-modular-privatelink/providers.tf
@@ -25,10 +25,10 @@ provider "aws" {
 
 // initialize provider in "MWS" mode to provision new workspace
 provider "databricks" {
-  alias      = "mws"
-  host       = "https://accounts.cloud.databricks.com"
-  account_id = var.databricks_account_id
-  username   = var.databricks_account_username
-  password   = var.databricks_account_password
-  auth_type  = "basic"
+  alias         = "mws"
+  host          = "https://accounts.cloud.databricks.com"
+  account_id    = var.databricks_account_id
+  client_id     = var.databricks_account_client_id
+  client_secret = var.databricks_account_client_secret
+  auth_type     = "oauth-m2m"
 }
diff --git a/examples/aws-databricks-modular-privatelink/variables.tf b/examples/aws-databricks-modular-privatelink/variables.tf
@@ -1,9 +1,11 @@
-variable "databricks_account_username" {
-  type = string
+variable "databricks_account_client_id" {
+  type        = string
+  description = "Application ID of account-level service principal"
 }
 
-variable "databricks_account_password" {
-  type = string
+variable "databricks_account_client_secret" {
+  type        = string
+  description = "Client secret of account-level service principal"
 }
 
 variable "databricks_account_id" {
diff --git a/examples/aws-databricks-uc-bootstrap/README.md b/examples/aws-databricks-uc-bootstrap/README.md
@@ -16,11 +16,11 @@ AWS Databricks has 2 levels of resources:
 1. Account Level (unity metastore, account level users/groups, etc)
 2. Workspace Level (workspace level users/groups, workspace objects like clusters)
 
-The 2 levels of resources use different providers configs and have different authentication method, username/password is the only method for account level provider authentication. 
+The 2 levels of resources use different providers configs and have different authentication method, client ID/client secret is the only method for account level provider authentication. 
 
 For workspace level provider you can create `n` databricks providers for `n` existing workspaces, each provider to be authenticate via PAT token.
 
-We propose 2-stage process to get onboarded to UC. Starting at the point where you only have `account owner`, and this identity will also be the first `account admin`. Account admins can add/remove other `account admin`.
+We propose 2-stage process to get onboarded to UC. Starting at the point where you only have `account owner`, and this identity will also be the first `account admin`. Account admins can add/remove other account admins, including service principals.
 
 We recommend using `account admin` identities to deploy unity catalog related resources.
 
diff --git a/examples/aws-databricks-uc-bootstrap/main.tf b/examples/aws-databricks-uc-bootstrap/main.tf
@@ -7,12 +7,12 @@ terraform {
 }
 
 provider "databricks" {
-  alias      = "mws"
-  host       = "https://accounts.cloud.databricks.com"
-  account_id = var.databricks_account_id // like a shared account? HA from multiple email accounts
-  username   = var.databricks_account_username
-  password   = var.databricks_account_password
-  auth_type  = "basic"
+  alias         = "mws"
+  host          = "https://accounts.cloud.databricks.com"
+  account_id    = var.databricks_account_id // like a shared account? HA from multiple email accounts
+  client_id     = var.databricks_account_client_id
+  client_secret = var.databricks_account_client_secret
+  auth_type     = "oauth-m2m"
 }
 
 // create users and groups at account level (not workspace user/group)
diff --git a/examples/aws-databricks-uc-bootstrap/variables.tf b/examples/aws-databricks-uc-bootstrap/variables.tf
@@ -1,9 +1,11 @@
-variable "databricks_account_username" {
-  type = string
+variable "databricks_account_client_id" {
+  type        = string
+  description = "Application ID of account-level service principal"
 }
 
-variable "databricks_account_password" {
-  type = string
+variable "databricks_account_client_secret" {
+  type        = string
+  description = "Client secret of account-level service principal"
 }
 
 variable "databricks_account_id" {
diff --git a/examples/aws-databricks-uc/README.md b/examples/aws-databricks-uc/README.md
@@ -18,12 +18,12 @@ When running tf configs for UC resources, due to sometimes requires a few minute
 
 
 ```bash
-export TF_VAR_databricks_account_username=your_username
-export TF_VAR_databricks_account_password=your_password
-export TF_VAR_databricks_account_id=your_databricks_E2_account_id
+export TF_VAR_databricks_account_client_id=your_account_level_spn_application_id
+export TF_VAR_databricks_account_client_secret=your_account_level_spn_secret
+export TF_VAR_databricks_account_id=your_databricks_account_id
 
 export AWS_ACCESS_KEY_ID=your_aws_role_access_key_id
 export AWS_SECRET_ACCESS_KEY=your_aws_role_secret_access_key
 ``` 
 
-> Step 2: Run `terraform init` and `terraform apply` to deploy the resources. This will deploy both AWS resources that Unity Catalog requires and Databricks Account Level resources.
+> Step 2: Run `terraform init` and `terraform apply` to deploy the resources. This will deploy both AWS resources that Unity Catalog requires and Databricks Account Level resources.
diff --git a/examples/aws-databricks-uc/providers.tf b/examples/aws-databricks-uc/providers.tf
@@ -16,12 +16,12 @@ provider "aws" {
 
 // initialize provider in "MWS" mode to provision new workspace
 provider "databricks" {
-  alias      = "mws"
-  host       = "https://accounts.cloud.databricks.com"
-  account_id = var.databricks_account_id // like a shared account? HA from multiple email accounts
-  username   = var.databricks_account_username
-  password   = var.databricks_account_password
-  auth_type  = "basic"
+  alias         = "mws"
+  host          = "https://accounts.cloud.databricks.com"
+  account_id    = var.databricks_account_id // like a shared account? HA from multiple email accounts
+  client_id     = var.databricks_account_client_id
+  client_secret = var.databricks_account_client_secret
+  auth_type     = "oauth-m2m"
 }
 
 provider "databricks" {
diff --git a/examples/aws-databricks-uc/variables.tf b/examples/aws-databricks-uc/variables.tf
@@ -1,9 +1,11 @@
-variable "databricks_account_username" {
-  type = string
+variable "databricks_account_client_id" {
+  type        = string
+  description = "Application ID of account-level service principal"
 }
 
-variable "databricks_account_password" {
-  type = string
+variable "databricks_account_client_secret" {
+  type        = string
+  description = "Client secret of account-level service principal"
 }
 
 variable "databricks_account_id" {
diff --git a/examples/aws-exfiltration-protection/README.md b/examples/aws-exfiltration-protection/README.md
@@ -20,8 +20,8 @@ This template provides an example deployment of AWS Databricks E2 workspace with
 2. Add a `variables.tf` with the same content in [variables.tf](variables.tf)
 3. Add a `terraform.tfvars` file and provide values to each defined variable
 4. Configure the following environment variables:
-    * TF_VAR_databricks_account_username, set to the value of your Databricks account-level admin username.
-    * TF_VAR_databricks_account_password, set to the value of the password for your Databricks account-level admin user.
+    * TF_VAR_databricks_account_client_id, set to the value of application ID of your Databricks account-level service principal with admin permission.
+    * TF_VAR_databricks_account_client_secret, set to the value of the client secret for your Databricks account-level service principal.
     * TF_VAR_databricks_account_id, set to the value of the ID of your Databricks account. You can find this value in the corner of your Databricks account console.
 5. (Optional) Configure your [remote backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3)
 6. Run `terraform init` to initialize terraform and get provider ready.
diff --git a/examples/aws-exfiltration-protection/providers.tf b/examples/aws-exfiltration-protection/providers.tf
@@ -4,9 +4,9 @@ provider "aws" {
 
 // initialize provider in "MWS" mode to provision new workspace
 provider "databricks" {
-  alias      = "mws"
-  host       = "https://accounts.cloud.databricks.com"
-  account_id = var.databricks_account_id
-  username   = var.databricks_account_username
-  password   = var.databricks_account_password
-}
+  alias         = "mws"
+  host          = "https://accounts.cloud.databricks.com"
+  account_id    = var.databricks_account_id
+  client_id     = var.databricks_account_client_id
+  client_secret = var.databricks_account_client_secret
+}
diff --git a/examples/aws-exfiltration-protection/variables.tf b/examples/aws-exfiltration-protection/variables.tf
@@ -1,9 +1,11 @@
-variable "databricks_account_username" {
-  type = string
+variable "databricks_account_client_id" {
+  type        = string
+  description = "Application ID of account-level service principal"
 }
 
-variable "databricks_account_password" {
-  type = string
+variable "databricks_account_client_secret" {
+  type        = string
+  description = "Client secret of account-level service principal"
 }
 
 variable "databricks_account_id" {
diff --git a/examples/aws-workspace-basic/README.md b/examples/aws-workspace-basic/README.md
diff --git a/examples/aws-workspace-with-firewall/README.md b/examples/aws-workspace-with-firewall/README.md
diff --git a/examples/aws-workspace-with-firewall/variables.tf b/examples/aws-workspace-with-firewall/variables.tf
diff --git a/modules/aws-workspace-basic/README.md b/modules/aws-workspace-basic/README.md
diff --git a/modules/aws-workspace-with-firewall/README.md b/modules/aws-workspace-with-firewall/README.md

Original file line number	Diff line number	Diff line change
`@@ -3,12 +3,14 @@ variable "existing_vpc_id" {`
`3`	`3`	`type = string`
`4`	`4`	`}`
`5`	`5`
`6`		`-variable "databricks_account_username" {`
`7`		`- type = string`
	`6`	`+variable "databricks_account_client_id" {`
	`7`	`+ type = string`
	`8`	`+ description = "Application ID of account-level service principal"`
`8`	`9`	`}`
`9`	`10`
`10`		`-variable "databricks_account_password" {`
`11`		`- type = string`
	`11`	`+variable "databricks_account_client_secret" {`
	`12`	`+ type = string`
	`13`	`+ description = "Client secret of account-level service principal"`
`12`	`14`	`}`
`13`	`15`
`14`	`16`	`variable "databricks_account_id" {`
Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,11 @@`
`1`		`-variable "databricks_account_username" {`
`2`		`- type = string`
	`1`	`+variable "databricks_account_client_id" {`
	`2`	`+ type = string`
	`3`	`+ description = "Application ID of account-level service principal"`
`3`	`4`	`}`
`4`	`5`
`5`		`-variable "databricks_account_password" {`
`6`		`- type = string`
	`6`	`+variable "databricks_account_client_secret" {`
	`7`	`+ type = string`
	`8`	`+ description = "Client secret of account-level service principal"`
`7`	`9`	`}`
`8`	`10`
`9`	`11`	`variable "databricks_account_id" {`