-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsecrets.tf
74 lines (63 loc) · 2.36 KB
/
secrets.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
locals {
sp_secrets = {
(var.sp_client_id_secret_name) = { value = data.azurerm_key_vault_secret.sp_client_id.value }
(var.sp_key_secret_name) = { value = data.azurerm_key_vault_secret.sp_key.value }
}
secrets_objects_list = flatten([for param in var.secret_scope : [
for secret in param.secrets : {
scope_name = param.scope_name, key = secret.key, string_value = secret.string_value
}] if param.secrets != null
])
}
# Secret Scope with SP secrets for mounting Azure Data Lake Storage
resource "databricks_secret_scope" "main" {
name = "main"
initial_manage_principal = "users"
}
resource "databricks_secret" "main" {
for_each = local.sp_secrets
key = each.key
string_value = each.value["value"]
scope = databricks_secret_scope.main.id
}
# Custom additional Databricks Secret Scope
resource "databricks_secret_scope" "this" {
for_each = {
for param in var.secret_scope : (param.scope_name) => param
if param.scope_name != null
}
name = each.key
initial_manage_principal = "users"
}
resource "databricks_secret" "this" {
for_each = { for entry in local.secrets_objects_list : "${entry.scope_name}.${entry.key}" => entry }
key = each.value.key
string_value = each.value.string_value
scope = databricks_secret_scope.this[each.value.scope_name].id
}
# At the nearest future, Azure will allow acquiring AAD tokens by service principals,
# thus providing an ability to create Azure backed Key Vault with Terraform
# https://github.com/databricks/terraform-provider-databricks/pull/1965
## Azure Key Vault-backed Scope
#resource "azurerm_key_vault_access_policy" "databricks" {
# count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
# key_vault_id = var.key_vault_secret_scope.key_vault_id
# object_id = "9b38785a-6e08-4087-a0c4-20634343f21f" # Global 'AzureDatabricks' SP object id
# tenant_id = data.azurerm_key_vault_secret.tenant_id.value
#
# secret_permissions = [
# "Get",
# "List",
# ]
#}
#
#resource "databricks_secret_scope" "external" {
# count = var.key_vault_secret_scope.key_vault_id != null ? 1 : 0
#
# name = "external"
# keyvault_metadata {
# resource_id = var.key_vault_secret_scope.key_vault_id
# dns_name = var.key_vault_secret_scope.dns_name
# }
# depends_on = [azurerm_key_vault_access_policy.databricks]
#}