Skip to content

Commit

Permalink
[Doc] Update documentation regarding authentication with Azure-manage…
Browse files Browse the repository at this point in the history
…d Service Principal using GITHUB OIDC (#3932)

## Changes
<!-- Summary of your changes that are easy to understand -->
Update documentation regarding authentication with Azure-managed Service
Principal using GITHUB OIDC.

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [ ] `make test` run locally
- [x] relevant change in `docs/` folder
- [ ] covered with integration tests in `internal/acceptance`
- [ ] relevant acceptance tests are passing
- [ ] using Go SDK
  • Loading branch information
parthban-db authored Sep 4, 2024
1 parent 0cb0c8a commit 9019174
Showing 1 changed file with 45 additions and 2 deletions.
47 changes: 45 additions & 2 deletions docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,7 @@ Alternatively, you can provide this value as an environment variable `DATABRICKS
* `profile` - (optional) Connection profile specified within ~/.databrickscfg. Please check [connection profiles section](https://docs.databricks.com/dev-tools/cli/index.html#connection-profiles) for more details. This field defaults to
`DEFAULT`.
* `account_id` - (optional for workspace-level operations, but required for account-level) Account Id that could be found in the top right corner of [Accounts Console](https://accounts.cloud.databricks.com/). Alternatively, you can provide this value as an environment variable `DATABRICKS_ACCOUNT_ID`. Only has effect when `host = "https://accounts.cloud.databricks.com/"`, and is currently used to provision account admins via [databricks_user](resources/user.md). In the future releases of the provider this property will also be used specify account for `databricks_mws_*` resources as well.
* `auth_type` - (optional) enforce specific auth type to be used in very rare cases, where a single Terraform state manages Databricks workspaces on more than one cloud and `more than one authorization method configured` error is a false positive. Valid values are `pat`, `basic`, `oauth-m2m`, `azure-client-secret`, `azure-msi`, `azure-cli`, `google-credentials`, and `google-id`.
* `auth_type` - (optional) enforce specific auth type to be used in very rare cases, where a single Terraform state manages Databricks workspaces on more than one cloud and `more than one authorization method configured` error is a false positive. Valid values are `pat`, `basic`, `oauth-m2m`, `azure-client-secret`, `azure-msi`, `azure-cli`, `github-oidc-azure`, `google-credentials`, and `google-id`.

## Special configurations for Azure

Expand Down Expand Up @@ -284,7 +284,7 @@ resource "databricks_user" "my-user" {
}
```

### Authenticating with Azure-managed Service Principal
### Authenticating with Azure-managed Service Principal using Client Secret

```hcl
provider "azurerm" {
Expand Down Expand Up @@ -326,6 +326,49 @@ There are `ARM_*` environment variables provide a way to share authentication co

When a workspace is created using a service principal account, that service principal account is automatically added to the workspace as a member of the admins group. To add a new service principal account to an existing workspace, create a [databricks_service_principal](resources/service_principal.md).

### Authenticating with Azure-managed Service Principal using GITHUB OIDC

```hcl
provider "azurerm" {
client_id = var.client_id
tenant_id = var.tenant_id
subscription_id = var.subscription_id
use_oidc = true
}
resource "azurerm_databricks_workspace" "this" {
location = "centralus"
name = "my-workspace-name"
resource_group_name = var.resource_group
sku = "premium"
}
provider "databricks" {
host = azurerm_databricks_workspace.this.workspace_url
auth_type = "github-oidc-azure"
azure_workspace_resource_id = azurerm_databricks_workspace.this.id
azure_client_id = var.client_id
azure_tenant_id = var.tenant_id
}
resource "databricks_user" "my-user" {
user_name = "test-user@databricks.com"
}
```

Follow the [Configuring OpenID Connect in Azure](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure). You can then use the Azure service principal to authenticate in databricks.

* `azure_workspace_resource_id` - (optional) `id` attribute of [azurerm_databricks_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/databricks_workspace) resource. Combination of subscription id, resource group name, and workspace name. Required with `azure_use_msi` or `azure_client_secret`.

* `azure_client_id` - (optional) This is the Azure Enterprise Application (Service principal) client id. This service principal requires contributor access to your Azure Databricks deployment. Alternatively, you can provide this value as an environment variable `ARM_CLIENT_ID`.
* `azure_tenant_id` - (optional) This is the Azure Active Directory Tenant id in which the Enterprise Application (Service Principal)
resides. Alternatively, you can provide this value as an environment variable `ARM_TENANT_ID`.
* `azure_environment` - (optional) This is the Azure Environment which defaults to the `public` cloud. Other options are `german`, `china` and `usgovernment`. Alternatively, you can provide this value as an environment variable `ARM_ENVIRONMENT`.
* `auth_type` - (required) This is the Authentication Type that is used for specifying the authenticate method. This is required for this authentication type.

There are `ARM_*` environment variables provide a way to share authentication configuration using the `databricks` provider alongside the [`azurerm` provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest).

When a workspace is created using a service principal account, that service principal account is automatically added to the workspace as a member of the admins group. To add a new service principal account to an existing workspace, create a [databricks_service_principal](resources/service_principal.md).
## Special configurations for GCP

The provider works with [Google Cloud CLI authentication](https://cloud.google.com/sdk/docs/authorizing) to facilitate local development workflows. For automated scenarios, a service principal auth is necessary using `google_service_account` parameter with [impersonation](https://cloud.google.com/docs/authentication#service-accounts) and Application Default Credentials. Alternatively, you could provide the service account key directly by passing it to `google_credentials` parameter (or `GOOGLE_CREDENTIALS` environment variable)
Expand Down

0 comments on commit 9019174

Please sign in to comment.