Added private link option to the exfiltration protection example (#100)

* Predefine regional settings
Corrected README
Simplify steps by providing outputs
Updated to the latest version of dbx and aws modules
Simplify configuration of examples

* reverted change

* refactor

* updated comment

* reformat code

* Added Private link between clusters on the data plane and core services on the control plane
Whitelist maven

* updated readme

* updated readme

* updated vars

* updated vars

* updated vars

* updated comments

* refactor for private link

* code refactor

* implemented code review feedback

* implemented code review feedback

* removed versions from examples

* code refactor

* added no public ip param

* updated main route table association name

* renamed resources

* renamed resources

* refactor

* refactor

* moved provider out of the module

* moved resource out of variables

* use default provider

Author: mwojtyczka

examples/aws-exfiltration-protection/README.md

@@ -12,6 +12,9 @@ This template provides an example deployment of AWS Databricks E2 workspace with
 
 > **Note**  
 > If you are using AWS Firewall to block most traffic but allow the URLs that Databricks needs to connect to, please update the configuration based on your region. You can get the configuration details for your region from [Firewall Appliance](https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html#firewall-appliance-infrastructure) document.
+> 
+> You can optionally enable Private Link in the variables. Enabling Private link on AWS requires Databricks "Enterprise" tier which is configured at the Databricks account level.
+
 
 1. Reference this module using one of the different [module source types](https://developer.hashicorp.com/terraform/language/modules/sources)
 2. Add a `variables.tf` with the same content in [variables.tf](variables.tf)
@@ -20,7 +23,8 @@ This template provides an example deployment of AWS Databricks E2 workspace with
     * TF_VAR_databricks_account_username, set to the value of your Databricks account-level admin username.
     * TF_VAR_databricks_account_password, set to the value of the password for your Databricks account-level admin user.
     * TF_VAR_databricks_account_id, set to the value of the ID of your Databricks account. You can find this value in the corner of your Databricks account console.
-5. Add a `output.tf` file.
-6. (Optional) Configure your [remote backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3)
-7. Run `terraform init` to initialize terraform and get provider ready.
-8. Run `terraform apply` to create the resources.
+5. (Optional) Configure your [remote backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3)
+6. Run `terraform init` to initialize terraform and get provider ready.
+7. Run `terraform plan` to validate and preview the deployment.
+8. Run `terraform apply` to create the resources.
+9. Run `terraform output -json` to print url (host) of the created Databricks workspace.

examples/aws-exfiltration-protection/main.tf

@@ -1,8 +1,18 @@
 module "aws-exfiltration-protection" {
-  source                      = "github.com/databricks/terraform-databricks-examples/modules/aws-exfiltration-protection"
-  databricks_account_id       = var.databricks_account_id
-  databricks_account_username = var.databricks_account_username
-  databricks_account_password = var.databricks_account_password
+  source                = "github.com/databricks/terraform-databricks-examples/modules/aws-exfiltration-protection"
+  databricks_account_id = var.databricks_account_id
+  prefix                = var.prefix
+  tags                  = var.tags
+  spoke_cidr_block      = var.spoke_cidr_block
+  hub_cidr_block        = var.hub_cidr_block
+  region                = var.region
+  whitelisted_urls      = var.whitelisted_urls
+  enable_private_link   = var.enable_private_link
+
+  providers = {
+    aws        = aws
+    databricks = databricks.mws
+  }
 }
 
 resource "random_string" "naming" {

examples/aws-exfiltration-protection/outputs.tf

@@ -0,0 +1,3 @@
+output "databricks_host" {
+  value = module.aws-exfiltration-protection.databricks_host
+}

examples/aws-exfiltration-protection/providers.tf

@@ -0,0 +1,12 @@
+provider "aws" {
+  region = var.region
+}
+
+// initialize provider in "MWS" mode to provision new workspace
+provider "databricks" {
+  alias      = "mws"
+  host       = "https://accounts.cloud.databricks.com"
+  account_id = var.databricks_account_id
+  username   = var.databricks_account_username
+  password   = var.databricks_account_password
+}

examples/aws-exfiltration-protection/variables.tf

@@ -1,5 +1,10 @@
-variable "databricks_account_username" {}
-variable "databricks_account_password" {}
+variable "databricks_account_username" {
+  type = string
+}
+
+variable "databricks_account_password" {
+  type = string
+}
 
 variable "databricks_account_id" {
   type        = string
@@ -25,39 +30,25 @@ variable "hub_cidr_block" {
 }
 
 variable "region" {
-  default     = "eu-central-1"
   type        = string
+  default     = "eu-central-1"
   description = "AWS region to deploy to"
 }
 
 variable "whitelisted_urls" {
-  default     = [".pypi.org", ".pythonhosted.org", ".cran.r-project.org"]
-  description = "List of the domains to allow traffic to"
-  type        = list(string)
-}
-
-variable "db_web_app" {
-  default     = "frankfurt.cloud.databricks.com"
-  description = "Hostname of Databricks web application"
-  type        = string
-}
-
-variable "db_tunnel" {
-  default     = "tunnel.eu-central-1.cloud.databricks.com"
-  description = "Hostname of Databricks SCC Relay"
-  type        = string
-}
-
-variable "db_rds" {
-  default     = "mdv2llxgl8lou0.ceptxxgorjrc.eu-central-1.rds.amazonaws.com"
-  description = "Hostname of AWS RDS instance for built-in Hive Metastore"
-  type        = string
-}
-
-variable "db_control_plane" {
-  default     = "18.159.44.32/28"
-  description = "IP Range for AWS Databricks control plane"
-  type        = string
+  type = list(string)
+  default = [
+    ".pypi.org", ".pythonhosted.org",   # python packages
+    ".cran.r-project.org",              # R packages
+    ".maven.org",                       # maven artifacts
+    ".storage-download.googleapis.com", # maven mirror
+    ".spark-packages.org",              # spark packages
+  ]
+}
+
+variable "enable_private_link" {
+  type    = bool
+  default = false
 }
 
 variable "prefix" {

examples/aws-exfiltration-protection/versions.tf

@@ -1,14 +1,11 @@
-# versions.tf
 terraform {
   required_providers {
     databricks = {
-      source  = "databricks/databricks"
-      version = ">=1.13.0"
+      source = "databricks/databricks"
     }
 
     aws = {
-      source  = "hashicorp/aws"
-      version = "~> 4.58.0"
+      source = "hashicorp/aws"
     }
   }
 }

modules/aws-exfiltration-protection/README.md

@@ -1,4 +1,4 @@
-# Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection
+# Provisioning AWS Databricks E2 workspace with a Hub & Spoke firewall for data exfiltration protection
 
 This template provides an example deployment of AWS Databricks E2 workspace with a Hub & Spoke firewall for data exfiltration protection. Details are described in [Data Exfiltration Protection With Databricks on AWS](https://www.databricks.com/blog/2021/02/02/data-exfiltration-protection-with-databricks-on-aws.html). 
 
@@ -16,21 +16,22 @@ Resources to be created:
 * S3 Root bucket
 * Cross-account IAM role
 * Databricks E2 workspace
+* (Optional) Private link between clusters on the data plane and core services on the control plane
 
+Note that enabling Private link on AWS requires Databricks "Enterprise" tier. On AWS the tier is configured at the Databricks account level.
+If your Databricks account is using lower tier disable the private link in the variables (see below).
 
 ## How to use
 
 > **Note**  
-> You can customize this module by adding, deleting or updating the Azure resources to adapt the module to your requirements.
+> You can customize this module by adding, deleting or updating the AWS resources to adapt the module to your requirements.
 > A deployment example using this module can be found in [examples/aws-exfiltration-protection](../../examples/aws-exfiltration-protection)
 > If you are using AWS Firewall to block most traffic but allow the URLs that Databricks needs to connect to, please update the configuration based on your region. You can get the configuration details for your region from [Firewall Appliance](https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html#firewall-appliance-infrastructure) document.
 
 1. Reference this module using one of the different [module source types](https://developer.hashicorp.com/terraform/language/modules/sources)
 2. Add a `variables.tf` with the same content in [variables.tf](variables.tf)
 3. Add a `terraform.tfvars` file and provide values to each defined variable
 4. Configure the following environment variables:
-    * TF_VAR_databricks_account_username, set to the value of your Databricks account-level admin username.
-    * TF_VAR_databricks_account_password, set to the value of the password for your Databricks account-level admin user.
     * TF_VAR_databricks_account_id, set to the value of the ID of your Databricks account. You can find this value in the corner of your Databricks account console.
 5. Add a `output.tf` file.
 6. (Optional) Configure your [remote backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3)

modules/aws-exfiltration-protection/firewall.tf

@@ -7,7 +7,7 @@ resource "aws_networkfirewall_rule_group" "databricks_fqdns_rg" {
       rules_source_list {
         generated_rules_type = "ALLOWLIST"
         target_types         = ["TLS_SNI", "HTTP_HOST"]
-        targets              = concat([var.db_web_app, var.db_tunnel, var.db_rds, local.db_root_bucket], var.whitelisted_urls)
+        targets              = var.enable_private_link ? local.private_link_whitelisted_urls : local.whitelisted_urls
       }
     }
     rule_variables {
@@ -42,7 +42,7 @@ resource "aws_networkfirewall_rule_group" "allow_db_cpl_protocols_rg" {
         content {
           action = "PASS"
           header {
-            destination      = var.db_control_plane
+            destination      = local.db_control_plane
             destination_port = "443"
             protocol         = stateful_rule.value
             direction        = "ANY"
@@ -75,7 +75,7 @@ resource "aws_networkfirewall_rule_group" "deny_protocols_rg" {
     }
     rules_source {
       dynamic "stateful_rule" {
-        for_each = local.protocols
+        for_each = local.protocols_to_drop
         content {
           action = "DROP"
           header {
@@ -128,12 +128,14 @@ resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
   tags = var.tags
 }
 
+# Add Route from Nat Gateway to Firewall
 resource "aws_route" "db_nat_firewall" {
   route_table_id         = aws_route_table.hub_nat_public_rt.id
   destination_cidr_block = "0.0.0.0/0"
   vpc_endpoint_id        = data.aws_vpc_endpoint.firewall.id
 }
 
+# Add Route from Internet Gateway to Firewall
 resource "aws_route" "db_igw_nat_firewall" {
   route_table_id         = aws_route_table.hub_igw_rt.id
   count                  = length(local.hub_nat_public_subnets_cidr)

modules/aws-exfiltration-protection/iam.tf

@@ -4,7 +4,7 @@ resource "aws_iam_role" "cross_account_role" {
   tags               = var.tags
 }
 
-resource "aws_iam_role_policy" "this" {
+resource "aws_iam_role_policy" "cross_account_policy" {
   name   = "${local.prefix}-policy"
   role   = aws_iam_role.cross_account_role.id
   policy = data.databricks_aws_crossaccount_policy.this.json