Merge pull request #35 from Azure-Samples/anuj/34-upgrade-databricks-…

…recipe Upgrade Databricks Recipe
Azure-Samples · May 31, 2023 · 82ae79c · 82ae79c
2 parents a827a02 + e70250f
commit 82ae79c
Show file tree

Hide file tree

Showing 16 changed files with 2,993 additions and 384 deletions.
diff --git a/src/az-databricks/README.md b/src/az-databricks/README.md
diff --git a/src/az-databricks/deploy/bicep/azuredeploy.parameters.sample.json b/src/az-databricks/deploy/bicep/azuredeploy.parameters.sample.json
@@ -2,29 +2,50 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
-        "vnetAddressPrefix": {
+        "workspaceVnetAddressPrefix": {
             "value": "10.11.0.0/16"
         },
-        "privateEndpointSubnetAddressPrefix": {
+        "workspaceBackendPrivateEndpointSubnetAddressPrefix": {
             "value": "10.11.0.0/24"
         },
         "bastionSubnetAddressPrefix": {
             "value": "10.11.1.0/24"
         },
-        "containerSubnetAddressPrefix": {
+        "workspaceContainerSubnetAddressPrefix": {
             "value": "10.11.2.0/24"
         },
-        "hostSubnetAddressPrefix": {
-            "value": "10.11.3.0/24"
+        "transitVnetAddressPrefix": {
+            "value": "10.12.0.0/16"
+        },
+        "transitPrivateEndpointSubnetAddressPrefix": {
+            "value": "10.12.0.0/24"
+        },
+        "transitBastionSubnetAddressPrefix": {
+            "value": "10.12.1.0/24"
+        },
+        "newOrExistingDnsZones": {
+            "value": "new"
         },
         "dnsZoneResourceGroupName": {
             "value": "[NAME OF RESOURCE GROUP CONTAINING EXISTING AZURE PRIVATE DNS ZONES]"
         },
         "dnsZoneSubscriptionId": {
             "value": "[SUBSCRIPTION ID IN WHICH THE RESOURCE GROUP CONTAINING EXISTING AZURE PRIVATE DNS ZONES HAS BEEN CREATED]"
         },
-        "newOrExistingDnsZones": {
-            "value": "new"
+        "webAuthWorkspacePreference": {
+            "value": "createNew"
+        },
+        "webAuthWorkspaceVnetAddressPrefix": {
+            "value": "10.179.0.0/16"
+        },
+        "webAuthWorkspaceContainerSubnetAddressPrefix": {
+            "value": "10.179.0.0/24"
+        },
+        "webAuthWorkspaceHostSubnetAddressPrefix": {
+            "value": "10.179.1.0/24"
+        },
+        "existingWebAuthWorkspaceId": {
+            "value": "[RESOURCE ID OF THE EXISTING AZURE DATABRICKS WEB-AUTH WORKSPACE]"
         }
     }
-}
+}
diff --git a/...-databricks/deploy/bicep/databricks.bicep → ...bricks/deploy/bicep/databricks-main.bicep b/...-databricks/deploy/bicep/databricks.bicep → ...bricks/deploy/bicep/databricks-main.bicep
@@ -1,13 +1,12 @@
 @description('The Azure region for the specified resources.')
 param location string = resourceGroup().location
 
-@description('The base name to be appended to all provisioned resources.')
-@maxLength(13)
-param baseName string
-
 @description('The name of the Azure Databricks workspace.')
 param databricksWorkspaceName string
 
+@description('The name of the managed resource group for Azure Databricks')
+param managedResourceGroupName string
+
 @description('The name of the virtual network used by Azure Databricks.')
 param vnetName string
 
@@ -20,15 +19,15 @@ param containerSubnetName string
 @description('The tags to be applied to the provisioned resources.')
 param tags object
 
-resource databricks 'Microsoft.Databricks/workspaces@2018-04-01' = {
+resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
   name: databricksWorkspaceName
   location: location
   tags: tags
   sku: {
     name: 'premium'
   }
   properties: {
-    managedResourceGroupId: '${subscription().id}/resourceGroups/mrg-db-${baseName}'
+    managedResourceGroupId: subscriptionResourceId('Microsoft.Resources/resourceGroups', managedResourceGroupName)
     parameters: {
       customVirtualNetworkId: {
         value: resourceId('Microsoft.Network/virtualNetworks', vnetName)
@@ -45,11 +44,12 @@ resource databricks 'Microsoft.Databricks/workspaces@2018-04-01' = {
       requireInfrastructureEncryption: {
         value: true
       }
-
     }
+    publicNetworkAccess: 'Disabled'
+    requiredNsgRules: 'NoAzureDatabricksRules'
   }
-
 }
 
+output outDatabricksWorkspaceId string = databricks.id
 output outDatabricksWorkspaceName string = databricks.name
 output outDatabricksStorageAccountName string = databricks.properties.parameters.storageAccountName.value
diff --git a/src/az-databricks/deploy/bicep/databricks-web-auth.bicep b/src/az-databricks/deploy/bicep/databricks-web-auth.bicep
@@ -0,0 +1,206 @@
+@description('The Azure region for the specified resources.')
+param location string = resourceGroup().location
+
+@description('The name of the Azure Databricks workspace.')
+param databricksWorkspaceName string
+
+@description('The name of the managed resource group for Azure Databricks')
+param managedResourceGroupName string
+
+@description('The name of the Azure Databricks virtual network.')
+param vnetName string
+
+@description('The virtual network IP space to use for the Azure Databricks workspace virtual network')
+param vnetAddressPrefix string
+
+@description('The name of the databricks workspace host subnet.')
+param hostSubnetName string
+
+@description('The IP space to use for the databricks host subnet.')
+param hostSubnetAddressPrefix string
+
+@description('The name of the databricks workspace container subnet.')
+param containerSubnetName string
+
+@description('The IP space to use for the databricks container subnet.')
+param containerSubnetAddressPrefix string
+
+@description('The name of the network security group to be attached to the databricks workspace subnets.')
+param networkSecurityGroupName string
+
+@description('The tags to be applied to the provisioned resources.')
+param tags object
+
+resource nsg 'Microsoft.Network/networkSecurityGroups@2022-09-01' = {
+  name: networkSecurityGroupName
+  location: location
+  tags: tags
+  properties: {
+    securityRules: [
+      {
+        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound'
+        properties: {
+          description: 'Required for worker nodes communication within a cluster.'
+          protocol: '*'
+          sourcePortRange: '*'
+          destinationPortRange: '*'
+          sourceAddressPrefix: 'VirtualNetwork'
+          destinationAddressPrefix: 'VirtualNetwork'
+          access: 'Allow'
+          priority: 100
+          direction: 'Inbound'
+        }
+      }
+      {
+        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound'
+        properties: {
+          description: 'Required for worker nodes communication within a cluster.'
+          protocol: '*'
+          sourcePortRange: '*'
+          destinationPortRange: '*'
+          sourceAddressPrefix: 'VirtualNetwork'
+          destinationAddressPrefix: 'VirtualNetwork'
+          access: 'Allow'
+          priority: 100
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql'
+        properties: {
+          description: 'Required for workers communication with Azure SQL services.'
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRange: '3306'
+          sourceAddressPrefix: 'VirtualNetwork'
+          destinationAddressPrefix: 'Sql'
+          access: 'Allow'
+          priority: 101
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage'
+        properties: {
+          description: 'Required for workers communication with Azure Storage services.'
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRange: '443'
+          sourceAddressPrefix: 'VirtualNetwork'
+          destinationAddressPrefix: 'Storage'
+          access: 'Allow'
+          priority: 102
+          direction: 'Outbound'
+        }
+      }
+      {
+        name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub'
+        properties: {
+          description: 'Required for worker communication with Azure Eventhub services.'
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRange: '9093'
+          sourceAddressPrefix: 'VirtualNetwork'
+          destinationAddressPrefix: 'EventHub'
+          access: 'Allow'
+          priority: 103
+          direction: 'Outbound'
+        }
+      }
+    ]
+  }
+}
+
+resource vnet 'Microsoft.Network/virtualNetworks@2021-03-01' = {
+  name: vnetName
+  location: location
+  tags: tags
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        vnetAddressPrefix
+      ]
+    }
+    subnets: [
+      {
+        name: hostSubnetName
+        properties: {
+          addressPrefix: hostSubnetAddressPrefix
+          delegations: [
+            {
+              properties: {
+                serviceName: 'Microsoft.Databricks/workspaces'
+              }
+              name: 'del-host-databricks'
+            }
+          ]
+          networkSecurityGroup: {
+            id: nsg.id
+          }
+        }
+      }
+      {
+        name: containerSubnetName
+        properties: {
+          addressPrefix: containerSubnetAddressPrefix
+          delegations: [
+            {
+              properties: {
+                serviceName: 'Microsoft.Databricks/workspaces'
+              }
+              name: 'del-container-databricks'
+            }
+          ]
+          networkSecurityGroup: {
+            id: nsg.id
+          }
+        }
+      }
+    ]
+  }
+}
+
+resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
+  name: databricksWorkspaceName
+  location: location
+  tags: tags
+  sku: {
+    name: 'premium'
+  }
+  properties: {
+    managedResourceGroupId: subscriptionResourceId('Microsoft.Resources/resourceGroups', managedResourceGroupName)
+    parameters: {
+      customVirtualNetworkId: {
+        value: vnet.id
+      }
+      customPrivateSubnetName: {
+        value: containerSubnetName
+      }
+      customPublicSubnetName: {
+        value: hostSubnetName
+      }
+      enableNoPublicIp: {
+        value: true
+      }
+      requireInfrastructureEncryption: {
+        value: true
+      }
+    }
+    publicNetworkAccess: 'Disabled'
+    requiredNsgRules: 'NoAzureDatabricksRules'
+  }
+}
+
+// Setting a lock for this databricks workspace
+resource lock 'Microsoft.Authorization/locks@2020-05-01' = {
+  name: 'lock-${databricksWorkspaceName}-do-not-delete'
+  properties: {
+    level: 'CanNotDelete'
+    notes: 'Azure Databricks web authentication workspace should not be deleted.'
+  }
+  scope: databricks
+}
+
+output outDatabricksWorkspaceId string = databricks.id
+output outDatabricksWorkspaceName string = databricks.name
+output outDatabricksStorageAccountName string = databricks.properties.parameters.storageAccountName.value
diff --git a/src/az-databricks/deploy/bicep/deploy.sh b/src/az-databricks/deploy/bicep/deploy.sh
@@ -5,10 +5,7 @@ set -o pipefail
 set -o nounset
 
 # The short name for the Azure region (az account list-locations --query [].name -o tsv)
-LOCATION=eastus
-
-# The name of the resource group to be created for the deployment.
-RESOURCE_GROUP_NAME=[YOUR-RESOURCE-GROUP-NAME]
+LOCATION=australiaeast
 
 # The name of the existing virtual network within the OPERATIONS_RESOURCE_GROUP_NAME resource group; used to establish a peering relationship.
 OPERATIONS_VNET_NAME=[YOUR-OPERATIONS-VIRUTAL-NETWORK-NAME]
@@ -25,24 +22,24 @@ PEER_VNET="false"
 # Getting current subscription id
 SUBSCRIPTION_ID="$(az account show | jq -r '.id')"
 
-az group create --location $LOCATION --name "$RESOURCE_GROUP_NAME"
-
-az deployment group create \
-    --resource-group "$RESOURCE_GROUP_NAME" \
+az deployment sub create \
+    --location $LOCATION \
+    --name "databricksVnetRcpDeploy" \
     --template-file main.bicep \
     --parameters azuredeploy.parameters.json > output.json
 
 if [[ $PEER_VNET == "true" ]]; then
     echo "Retrieving virtual network name created in Azure Databricks recipe deployment . . ."
 
-    RECIPE_VNET_NAME="$(jq -r '.properties.outputs.outVirtualNetworkName.value' output.json)"
+    RECIPE_VNET_NAME="$(jq -r '.properties.outputs.outTransitVirtualNetworkName.value' output.json)"
+    RECIPE_RESOURCE_GROUP_NAME="$(jq -r '.properties.outputs.outResourceGroupName.value' output.json)"
 
     echo "Retrieved virtual network name: '$RECIPE_VNET_NAME'."
 
     # Recipe vnet to the hub vnet
     echo "Establishing peering relationship: '$RECIPE_VNET_NAME' to '$OPERATIONS_VNET_NAME' . . ."
     az deployment group create \
-        --resource-group "$RESOURCE_GROUP_NAME" \
+        --resource-group "$RECIPE_RESOURCE_GROUP_NAME" \
         --template-file '../../../common/infrastructure/bicep/vnet-peering.bicep' \
         --parameters vnetName="$RECIPE_VNET_NAME" remoteVnetName="$OPERATIONS_VNET_NAME" remoteResourceGroupName="$OPERATIONS_RESOURCE_GROUP_NAME" remoteSubscriptionId="$OPERATIONS_SUBSCRIPTION_ID"