PerfectThymeTech · marvinbuss · Jan 15, 2025 · Jan 6, 2025 · Jan 6, 2025 · Jan 6, 2025
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -28,7 +28,7 @@ jobs:
     name: "Terraform"
     with:
       environment: "dev"
-      terraform_version: "1.10.2"
+      terraform_version: "1.10.3"
       node_version: 20
       working_directory: "./tests/e2e"
       tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
@@ -43,7 +43,7 @@ jobs:
     if: github.event_name == 'push' || github.event_name == 'release'
     with:
       environment: "dev"
-      terraform_version: "1.10.2"
+      terraform_version: "1.10.3"
       node_version: 20
       working_directory: "./tests/e2e"
       tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"

diff --git a/databricksconfiguration.tf b/databricksconfiguration.tf
@@ -60,6 +60,12 @@ module "databricksworkspaceapplication" {
   databricks_keyvault_secret_scope_details = try(module.data_application[each.key].key_vault_details, {})
   storage_container_ids                    = try(module.data_application[each.key].storage_container_ids, {})
 
+  # Identity variables
+  admin_group_name       = try(each.value.identity.admin_group_name, "")
+  developer_group_name   = try(each.value.identity.developer_group_name, "")
+  reader_group_name      = try(each.value.identity.reader_group_name, "")
+  service_principal_name = try(each.value.identity.service_principal_name, "")
+
   # Budget variables
   budget = try(each.value.budget, 100)
 }
diff --git a/main.tf b/main.tf
@@ -91,8 +91,9 @@ module "data_application" {
   tags        = merge(var.tags, try(each.value.tags, {}))
 
   # Service variables
-  app_name            = each.key
-  storage_account_ids = module.core.storage_account_ids
+  app_name                     = each.key
+  storage_account_ids          = module.core.storage_account_ids
+  databricks_workspace_details = module.core.databricks_workspace_details
 
   # HA/DR variables
   zone_redundancy_enabled = var.zone_redundancy_enabled
@@ -101,6 +102,12 @@ module "data_application" {
   diagnostics_configurations = local.diagnostics_configurations
   alerting                   = try(each.value.alerting, {})
 
+  # Identity variables
+  admin_group_name       = try(each.value.identity.admin_group_name, "")
+  developer_group_name   = try(each.value.identity.developer_group_name, "")
+  reader_group_name      = try(each.value.identity.reader_group_name, "")
+  service_principal_name = try(each.value.identity.service_principal_name, "")
+
   # Network variables
   vnet_id                       = var.vnet_id
   subnet_id_app                 = module.platform.subnet_ids_private_endpoint_application[each.key]

diff --git a/modules/core/outputs.tf b/modules/core/outputs.tf
@@ -3,6 +3,10 @@ output "databricks_workspace_details" {
   description = "Specifies the workspace details of the Azure Databricks core workspace."
   value       = local.databricks_workspace_details
   sensitive   = false
+  depends_on = [
+    module.databricks_workspace_engineering.databricks_workspace_completed,
+    module.databricks_workspace_consumption.databricks_workspace_completed,
+  ]
 }
 
 output "databricks_private_endpoint_rules" {

diff --git a/modules/dataapplication/budget.tf b/modules/dataapplication/budget.tf
@@ -9,7 +9,7 @@ resource "azurerm_consumption_budget_subscription" "consumption_budget_subscript
   amount     = var.budget.categories.azure
   time_grain = "Monthly"
   time_period {
-    start_date = "${time_rotating.rotating_current.year - local.budget_start_date_rotation_years}-${time_rotating.rotating_current.month}-01T00:00:00Z"
+    start_date = "${time_rotating.rotating_current.year - local.budget_start_date_rotation_years}-${format("%02s", time_rotating.rotating_current.month)}-01T00:00:00Z"
   }
   filter {
     dynamic "tag" {

diff --git a/modules/dataapplication/data.tf b/modules/dataapplication/data.tf
@@ -9,3 +9,26 @@ data "azurerm_location" "current" {
 data "azuread_service_principal" "service_principal_databricks" {
   client_id = local.databricks_enterprise_application_id
 }
+
+data "azuread_service_principal" "service_principal" {
+  display_name = var.service_principal_name
+}
+
+data "azuread_group" "group_admin" {
+  display_name     = var.admin_group_name
+  security_enabled = true
+}
+
+data "azuread_group" "group_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  display_name     = var.developer_group_name
+  security_enabled = true
+}
+
+data "azuread_group" "group_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  display_name     = var.reader_group_name
+  security_enabled = true
+}
diff --git a/modules/dataapplication/roleassignments_admin.tf b/modules/dataapplication/roleassignments_admin.tf
@@ -0,0 +1,83 @@
+# Resource group role assignments
+resource "azurerm_role_assignment" "role_assignment_resource_group_app_reader_admin" {
+  description          = "Role assignment to app resource group."
+  scope                = azurerm_resource_group.resource_group_app.id
+  role_definition_name = "Reader"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_resource_group_app_monitoring_reader_admin" {
+  description          = "Role assignment to app resource group."
+  scope                = azurerm_resource_group.resource_group_app_monitoring.id
+  role_definition_name = "Reader"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_resource_group_storage_reader_admin" {
+  description          = "Role assignment to storage resource group."
+  scope                = "${data.azurerm_subscription.current.id}/resourceGroups/${split("/", var.storage_account_ids.external)[4]}"
+  role_definition_name = "Reader"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+# Key vault role assignments
+resource "azurerm_role_assignment" "role_assignment_key_vault_secrets_officer_admin" {
+  description          = "Role assignment to key vault to create secrets."
+  scope                = module.key_vault.key_vault_id
+  role_definition_name = "Key Vault Secrets Officer"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+# Databricks role assignments
+resource "azurerm_role_assignment" "role_assignment_databricks_workspace_reader_admin" {
+  description          = "Role assignment to databricks workspace."
+  scope                = var.databricks_workspace_details["engineering"].id
+  role_definition_name = "Reader"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+# Storage role assignments
+resource "azurerm_role_assignment" "role_assignment_storage_container_external_blob_data_owner_admin" {
+  description          = "Role assignment to the external storage container."
+  scope                = azurerm_storage_container.storage_container_external.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_raw_blob_data_owner_admin" {
+  description          = "Role assignment to the raw storage container."
+  scope                = azurerm_storage_container.storage_container_raw.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_enriched_blob_data_owner_admin" {
+  description          = "Role assignment to the enriched storage container."
+  scope                = azurerm_storage_container.storage_container_enriched.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_curated_blob_data_owner_admin" {
+  description          = "Role assignment to the curated storage container."
+  scope                = azurerm_storage_container.storage_container_curated.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_workspace_blob_data_owner_admin" {
+  description          = "Role assignment to the workspace storage container."
+  scope                = azurerm_storage_container.storage_container_workspace.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = data.azuread_group.group_admin.object_id
+  principal_type       = "Group"
+}
diff --git a/modules/dataapplication/roleassignments_developer.tf b/modules/dataapplication/roleassignments_developer.tf
@@ -0,0 +1,103 @@
+# Resource group role assignments
+resource "azurerm_role_assignment" "role_assignment_resource_group_app_reader_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to app resource group."
+  scope                = azurerm_resource_group.resource_group_app.id
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_resource_group_app_monitoring_reader_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to app resource group."
+  scope                = azurerm_resource_group.resource_group_app_monitoring.id
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_resource_group_storage_reader_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to storage resource group."
+  scope                = "${data.azurerm_subscription.current.id}/resourceGroups/${split("/", var.storage_account_ids.external)[4]}"
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+# Key vault role assignments
+resource "azurerm_role_assignment" "role_assignment_key_vault_secrets_user_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to key vault to read secrets."
+  scope                = module.key_vault.key_vault_id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+# Databricks role assignments
+resource "azurerm_role_assignment" "role_assignment_databricks_workspace_reader_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to databricks workspace."
+  scope                = var.databricks_workspace_details["engineering"].id
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+# Storage role assignments
+resource "azurerm_role_assignment" "role_assignment_storage_container_external_blob_data_conributor_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the external storage container."
+  scope                = azurerm_storage_container.storage_container_external.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_raw_blob_data_conributor_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the raw storage container."
+  scope                = azurerm_storage_container.storage_container_raw.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_enriched_blob_data_conributor_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the enriched storage container."
+  scope                = azurerm_storage_container.storage_container_enriched.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_curated_blob_data_conributor_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the curated storage container."
+  scope                = azurerm_storage_container.storage_container_curated.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_workspace_blob_data_conributor_developer" {
+  count = var.developer_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the workspace storage container."
+  scope                = azurerm_storage_container.storage_container_workspace.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = one(data.azuread_group.group_developer[*].object_id)
+  principal_type       = "Group"
+}
diff --git a/...eassignments_databricksaccessconnector.tf → ...ignments_msi_databricksaccessconnector.tf b/...eassignments_databricksaccessconnector.tf → ...ignments_msi_databricksaccessconnector.tf
diff --git a/modules/dataapplication/roleassignments_reader.tf b/modules/dataapplication/roleassignments_reader.tf
@@ -0,0 +1,94 @@
+# Resource group role assignments
+resource "azurerm_role_assignment" "role_assignment_resource_group_app_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to app resource group."
+  scope                = azurerm_resource_group.resource_group_app.id
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_resource_group_app_monitoring_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to app resource group."
+  scope                = azurerm_resource_group.resource_group_app_monitoring.id
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_resource_group_storage_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to storage resource group."
+  scope                = "${data.azurerm_subscription.current.id}/resourceGroups/${split("/", var.storage_account_ids.external)[4]}"
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+# Key vault role assignments
+
+# Databricks role assignments
+resource "azurerm_role_assignment" "role_assignment_databricks_workspace_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to databricks workspace."
+  scope                = var.databricks_workspace_details["engineering"].id
+  role_definition_name = "Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+# Storage role assignments
+resource "azurerm_role_assignment" "role_assignment_storage_container_external_blob_data_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the external storage container."
+  scope                = azurerm_storage_container.storage_container_external.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_raw_blob_data_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the raw storage container."
+  scope                = azurerm_storage_container.storage_container_raw.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_enriched_blob_data_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the enriched storage container."
+  scope                = azurerm_storage_container.storage_container_enriched.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_curated_blob_data_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the curated storage container."
+  scope                = azurerm_storage_container.storage_container_curated.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}
+
+resource "azurerm_role_assignment" "role_assignment_storage_container_workspace_blob_data_reader_reader" {
+  count = var.reader_group_name == "" ? 0 : 1
+
+  description          = "Role assignment to the workspace storage container."
+  scope                = azurerm_storage_container.storage_container_workspace.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id         = one(data.azuread_group.group_reader[*].object_id)
+  principal_type       = "Group"
+}