hashicorp · WodansSon · Apr 4, 2024 · Feb 28, 2024 · Feb 29, 2024 · Feb 29, 2024
diff --git a/examples/databricks/customer-managed-key/dbfs-cross-subscription/README.md b/examples/databricks/customer-managed-key/dbfs-cross-subscription/README.md
@@ -0,0 +1,7 @@
+## Example: Databricks Workspace with Root Databricks File System Customer Managed Keys in a Different Subscription
+
+This example provisions a Databricks Workspace within Azure with Root Databricks File System Customer Managed Keys enabled where the Key Vault and Key are hosted in a different subscription within the same tenant.
+
+### Variables
+
+* `prefix` - (Required) The prefix used for all resources in this example.
diff --git a/examples/databricks/customer-managed-key/dbfs-cross-subscription/main.tf b/examples/databricks/customer-managed-key/dbfs-cross-subscription/main.tf
@@ -0,0 +1,124 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+provider "azurerm" {
+  features {}
+}
+
+provider "azurerm" {
+  features {}
+  alias           = "keyVaultSubscription"
+  subscription_id = "{subscription where the Key Vault should be hosted}"
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-databricks-cmk"
+  location = "West Europe"
+}
+
+resource "azurerm_resource_group" "keyVault" {
+  provider = azurerm.keyVaultSubscription
+
+  name     = "${var.prefix}-databricks-cmk"
+  location = "West Europe"
+}
+
+resource "azurerm_databricks_workspace" "example" {
+  name                        = "${var.prefix}-DBW"
+  resource_group_name         = azurerm_resource_group.example.name
+  location                    = azurerm_resource_group.example.location
+  sku                         = "premium"
+  managed_resource_group_name = "${var.prefix}-DBW-managed-dbfs"
+
+  customer_managed_key_enabled = true
+
+  tags = {
+    Environment = "Sandbox"
+  }
+}
+
+resource "azurerm_databricks_workspace_root_dbfs_customer_managed_key" "example" {
+  depends_on = [azurerm_key_vault_access_policy.databricks]
+
+  workspace_id             = azurerm_databricks_workspace.example.id
+  key_vault_key_id         = azurerm_key_vault_key.example.id
+  managed_cmk_key_vault_id = azurerm_key_vault.example.id
+}
+
+resource "azurerm_key_vault" "example" {
+  provider = azurerm.keyVaultSubscription
+
+  name                = "${var.prefix}-keyvault"
+  location            = azurerm_resource_group.keyVault.location
+  resource_group_name = azurerm_resource_group.keyVault.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "premium"
+
+  purge_protection_enabled   = true
+  soft_delete_retention_days = 7
+}
+
+resource "azurerm_key_vault_key" "example" {
+  depends_on = [azurerm_key_vault_access_policy.terraform]
+
+  provider = azurerm.keyVaultSubscription
+
+  name         = "${var.prefix}-certificate"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "terraform" {
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_key_vault.example.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Get",
+    "List",
+    "Create",
+    "Decrypt",
+    "Encrypt",
+    "Sign",
+    "UnwrapKey",
+    "Verify",
+    "WrapKey",
+    "Delete",
+    "Restore",
+    "Recover",
+    "Update",
+    "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "databricks" {
+  depends_on = [azurerm_databricks_workspace.example]
+
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_databricks_workspace.example.storage_account_identity.0.tenant_id
+  object_id    = azurerm_databricks_workspace.example.storage_account_identity.0.principal_id
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
diff --git a/examples/databricks/customer-managed-key/dbfs-cross-subscription/variables.tf b/examples/databricks/customer-managed-key/dbfs-cross-subscription/variables.tf
@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+variable "prefix" {
+  description = "The Prefix used for all resources in this example"
+}
diff --git a/examples/databricks/customer-managed-key/dbfs/README.md b/examples/databricks/customer-managed-key/dbfs/README.md
@@ -1,4 +1,4 @@
-## Example: Databricks Workspace Root Databricks File System Customer Managed Keys
+## Example: Databricks Workspace with Root Databricks File System Customer Managed Keys
 
 This example provisions a Databricks Workspace within Azure with Root Databricks File System Customer Managed Keys enabled.
 

diff --git a/examples/databricks/customer-managed-key/dbfs/main.tf b/examples/databricks/customer-managed-key/dbfs/main.tf
@@ -82,6 +82,8 @@ resource "azurerm_key_vault_access_policy" "terraform" {
     "Recover",
     "Update",
     "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
   ]
 }
 
@@ -93,8 +95,8 @@ resource "azurerm_key_vault_access_policy" "databricks" {
   object_id    = azurerm_databricks_workspace.example.storage_account_identity.0.principal_id
 
   key_permissions = [
-    "get",
-    "unwrapKey",
-    "wrapKey",
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
   ]
 }
diff --git a/examples/databricks/customer-managed-key/managed-services/README.md b/examples/databricks/customer-managed-key/managed-services/README.md
@@ -1,8 +1,8 @@
-## Example: Databricks Workspace Customer Managed Keys for Managed Services
+## Example: Databricks Workspace with Customer Managed Keys for Managed Services
 
 This example provisions a Databricks Workspace within Azure with Customer Managed Keys for Managed Services enabled.
 
-To find the correct Object ID to use for the `azurerm_key_vault_access_policy.managed` `object_id` field in your configuration file you will need to go to [portal](https://portal.azure.com/) -> `Azure Active Directory` and in the `search your tenant` bar enter the value `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`. You will see under `Enterprise application` results `AzureDatabricks`, click on the `AzureDatabricks` search result. This will open the `Enterprise Application` overview blade where you will see three values, the name of the application, the application ID, and the object ID. The value you want is the object ID, copy this value and paste it into the `object_id` field for your `azurerm_key_vault_access_policy.managed` configuration block.
+To find the correct Object ID to use for the `azurerm_key_vault_access_policy.managed` `object_id` field in your configuration file you will need to go to [portal](https://portal.azure.com/) -> `Microsoft Entra ID` and in the `search your tenant` bar enter the value `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`. You will see under `Enterprise application` results `AzureDatabricks`, click on the `AzureDatabricks` search result. This will open the `Enterprise Application` overview blade where you will see three values, the name of the application, the application ID, and the object ID. The value you want is the object ID, copy this value and paste it into the `object_id` field for your `azurerm_key_vault_access_policy.managed` configuration block.
 
 ### Variables
 

diff --git a/examples/databricks/customer-managed-key/managed-services/main.tf b/examples/databricks/customer-managed-key/managed-services/main.tf
@@ -24,7 +24,7 @@ resource "azurerm_databricks_workspace" "example" {
   managed_services_cmk_key_vault_key_id = azurerm_key_vault_key.example.id
 
   tags = {
-    Environment = "Production"
+    Environment = "Sandbox"
   }
 }
 
@@ -62,31 +62,33 @@ resource "azurerm_key_vault_access_policy" "terraform" {
   object_id    = data.azurerm_client_config.current.object_id
 
   key_permissions = [
-    "get",
-    "list",
-    "create",
-    "decrypt",
-    "encrypt",
-    "sign",
-    "unwrapKey",
-    "verify",
-    "wrapKey",
-    "delete",
-    "restore",
-    "recover",
-    "update",
-    "purge",
+    "Get",
+    "List",
+    "Create",
+    "Decrypt",
+    "Encrypt",
+    "Sign",
+    "UnwrapKey",
+    "Verify",
+    "WrapKey",
+    "Delete",
+    "Restore",
+    "Recover",
+    "Update",
+    "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
   ]
 }
 
 resource "azurerm_key_vault_access_policy" "managed" {
   key_vault_id = azurerm_key_vault.example.id
   tenant_id    = azurerm_key_vault.example.tenant_id
-  object_id    = "See the README.md file for instructions on how to lookup the correct value to enter here"
+  object_id    = "00000000-0000-0000-0000-000000000000" # See the README.md file for instructions on how to lookup the correct value to enter here.
 
   key_permissions = [
-    "get",
-    "unwrapKey",
-    "wrapKey",
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
   ]
 }
diff --git a/examples/databricks/managed-services-cross-subscription/README.md b/examples/databricks/managed-services-cross-subscription/README.md
@@ -0,0 +1,9 @@
+## Example: Databricks Workspace with Customer Managed Keys for Managed Services with Key Vault and Key in a Different Subscription
+
+This example provisions a Databricks Workspace within Azure with Customer Managed Keys for Managed Services enabled where the Key Vault and Key are hosted in a different subscription within the same tenant.
+
+To find the correct Object ID to use for the `azurerm_key_vault_access_policy.managed` `object_id` field in your configuration file you will need to go to [portal](https://portal.azure.com/) -> `Microsoft Entra ID` and in the `search your tenant` bar enter the value `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`. You will see under `Enterprise application` results `AzureDatabricks`, click on the `AzureDatabricks` search result. This will open the `Enterprise Application` overview blade where you will see three values, the name of the application, the application ID, and the object ID. The value you want is the object ID, copy this value and paste it into the `object_id` field for your `azurerm_key_vault_access_policy.managed` configuration block.
+
+### Variables
+
+* `prefix` - (Required) The prefix used for all resources in this example.
diff --git a/examples/databricks/managed-services-cross-subscription/main.tf b/examples/databricks/managed-services-cross-subscription/main.tf
@@ -0,0 +1,116 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+provider "azurerm" {
+  features {}
+}
+
+provider "azurerm" {
+  features {}
+  alias           = "keyVaultSubscription"
+  subscription_id = "{subscription where the Key Vault should be hosted}"
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-databricks-managed-services"
+  location = "West Europe"
+}
+
+resource "azurerm_resource_group" "keyVault" {
+  provider = azurerm.keyVaultSubscription
+
+  name     = "${var.prefix}-databricks-managed-services"
+  location = "West Europe"
+}
+
+resource "azurerm_databricks_workspace" "example" {
+  depends_on = [azurerm_key_vault_access_policy.managed]
+
+  name                        = "${var.prefix}-DBW"
+  resource_group_name         = azurerm_resource_group.example.name
+  location                    = azurerm_resource_group.example.location
+  sku                         = "premium"
+  managed_resource_group_name = "${var.prefix}-DBW-managed-services"
+
+  managed_cmk_key_vault_id              = azurerm_key_vault.example.id
+  managed_services_cmk_key_vault_key_id = azurerm_key_vault_key.example.id
+
+  tags = {
+    Environment = "Sandbox"
+  }
+}
+
+resource "azurerm_key_vault" "example" {
+  provider = azurerm.keyVaultSubscription
+
+  name                = "${var.prefix}-keyvault"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "premium"
+
+  soft_delete_retention_days = 7
+}
+
+resource "azurerm_key_vault_key" "example" {
+  depends_on = [azurerm_key_vault_access_policy.terraform]
+
+  provider = azurerm.keyVaultSubscription
+
+  name         = "${var.prefix}-certificate"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "terraform" {
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_key_vault.example.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Get",
+    "List",
+    "Create",
+    "Decrypt",
+    "Encrypt",
+    "Sign",
+    "UnwrapKey",
+    "Verify",
+    "WrapKey",
+    "Delete",
+    "Restore",
+    "Recover",
+    "Update",
+    "Purge",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "managed" {
+  provider = azurerm.keyVaultSubscription
+
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = azurerm_key_vault.example.tenant_id
+  object_id    = "00000000-0000-0000-0000-000000000000" # See the README.md file for instructions on how to lookup the correct value to enter here.
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
diff --git a/examples/databricks/managed-services-cross-subscription/variables.tf b/examples/databricks/managed-services-cross-subscription/variables.tf
@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+variable "prefix" {
+  description = "The Prefix used for all resources in this example"
+}