Added CMEK, Firewall and Egress Control, Upgraded Providers, renamed …
…variables
1 parent
cc49cec
commit 6367703
Showing
10 changed files
with
157 additions
and
16 deletions.
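--- /dev/null
+++ b/PLACEHOLDER_PATH_cmek.tf
@@ -0,0 +1,35 @@
+
+# create key ring
+resource "google_kms_key_ring" "databricks_key_ring" {
+count = var.use_existing_cmek ? 0 : 1
+provider = google
+name = var.keyring_name
+location = var.google_region
+}
+
+# create key used for encryption
+resource "google_kms_crypto_key" "databricks_key" {
+count = var.use_existing_cmek ? 0 : 1
+provider = google
+name = var.key_name
+key_ring = google_kms_key_ring.databricks_key_ring[0].id
+purpose = "ENCRYPT_DECRYPT"
+rotation_period = "31536000s" # Set rotation period to 1 year in seconds, need to be greater than 1 day
+
+}
+
+
+
+
+# # assign CMEK on Databricks side
+resource "databricks_mws_customer_managed_keys" "this" {
+provider = databricks.accounts
+account_id = var.databricks_account_id
+gcp_key_info {
+kms_key_id = google_kms_crypto_key.databricks_key[0].id
+}
+use_cases = ["STORAGE","MANAGED","MANAGED_SERVICES"]
+lifecycle {
+ignore_changes = all
+}
+}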
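Review bot: `kms_key_id = google_kms_crypto_key.databricks_key[0].id` inside `databricks_mws_customer_managed_keys.this` is evaluated unconditionally, but `databricks_key` is created with `count = var.use_existing_cmek ? 0 : 1`, so a plan with `use_existing_cmek = true` fails on an empty-list index instead of binding the existing key. The reference needs to branch on the same flag, e.g. `kms_key_id = var.use_existing_cmek ? <EXISTING_KEY_ID_VARIABLE> : google_kms_crypto_key.databricks_key[0].id`, where the placeholder is whatever input the module already declares for the bring-your-own-key case (not visible in this section). Separately, `ignore_changes = all` on the Databricks key binding means a later out-of-band change to `use_cases` or to the bound key is never reported as drift, so the plan silently stops reflecting which key protects the workspace; listing only the attributes that legitimately churn would keep the security-relevant fields under management. Since destroying the KMS key makes everything encrypted under it unrecoverable, `google_kms_crypto_key.databricks_key` would also benefit from `lifecycle { prevent_destroy = true }`.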
File renamed without changes.
File renamed without changes.
File renamed without changes.
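--- /dev/null
+++ b/PLACEHOLDER_PATH_firewall.tf
@@ -0,0 +1,91 @@
+resource "google_compute_firewall" "deny_egress" {
+name = "deny-egress-${google_compute_network.dbx_private_vpc.name}"
+direction = "EGRESS"
+priority = 1100
+destination_ranges = ["0.0.0.0/0"]
+source_ranges = []
+# allow = []
+deny {
+protocol = "all"
+}
+network = google_compute_network.dbx_private_vpc.self_link
+}
+
+
+# This is the only Egress rule that goes to a public internet IP
+# It can be avoided if the workspace is UC-enabled and that the spark config is configured to avoid fetching the metastore IP
+resource "google_compute_firewall" "to_databricks_managed_hive" {
+name = "to-databricks-managed-hive-${google_compute_network.dbx_private_vpc.name}"
+direction = "EGRESS"
+priority = 1010
+destination_ranges = []
+source_ranges = [var.hive_metastore_ip]
+allow {
+protocol = "tcp"
+ports = ["3306"]
+}
+network = google_compute_network.dbx_private_vpc.self_link
+}
+
+resource "google_compute_firewall" "to_gke_health_checks" {
+name = "to-gke-health-checks-${google_compute_network.dbx_private_vpc.name}"
+direction = "EGRESS"
+priority = 1010
+destination_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+source_ranges = []
+allow {
+protocol = "tcp"
+ports = ["443", "80"]
+}
+network = google_compute_network.dbx_private_vpc.self_link
+}
+
+resource "google_compute_firewall" "from_gke_health_checks" {
+name = "from-gke-health-checks-${google_compute_network.dbx_private_vpc.name}"
+direction = "INGRESS"
+priority = 1010
+destination_ranges = []
+source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+allow {
+protocol = "tcp"
+ports = ["443", "80"]
+}
+network = google_compute_network.dbx_private_vpc.self_link
+}
+
+resource "google_compute_firewall" "to_gke_cp" {
+name = "to-gke-cp-${google_compute_network.dbx_private_vpc.name}"
+direction = "EGRESS"
+priority = 1010
+destination_ranges = ["10.32.0.0/28"]
+source_ranges = []
+allow {
+protocol = "tcp"
+ports = ["443", "10250"]
+}
+network = google_compute_network.dbx_private_vpc.self_link
+}
+
+resource "google_compute_firewall" "to_google_apis" {
+name = "to-google-apis-${google_compute_network.dbx_private_vpc.name}"
+direction = "EGRESS"
+priority = 1010
+destination_ranges = ["199.36.153.4/30"]
+source_ranges = []
+allow {
+protocol = "all"
+}
+network = google_compute_network.dbx_private_vpc.self_link
+}
+
+resource "google_compute_firewall" "to_gke_nodes_subnet" {
+name = "to-gke-nodes-subnet-${google_compute_network.dbx_private_vpc.name}"
+direction = "EGRESS"
+priority = 1010
+destination_ranges = [var.nodes_ip_cidr_range, var.pod_ip_cidr_range, var.service_ip_cidr_range]
+source_ranges = []
+allow {
+protocol = "all"
+}
+network = google_compute_network.dbx_private_vpc.self_link
+}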
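Review bot: `google_compute_firewall.to_databricks_managed_hive` is an `EGRESS` rule but puts the metastore address in `source_ranges` and leaves `destination_ranges = []`; GCP matches egress rules on destination and `source_ranges` is an ingress-only field, so this rule is either rejected on apply or does not scope tcp/3306 egress to the metastore as the comment above it intends. The two lines should read `destination_ranges = [var.hive_metastore_ip]` and `source_ranges = []`, matching every other egress rule in this file; if `var.hive_metastore_ip` is a bare address rather than a CIDR, confirm the provider accepts it without a `/32` suffix. `to_google_apis` (the `199.36.153.4/30` range) allows `protocol = "all"`, whereas the Google API endpoints are normally reached over TCP 443 only, so it can be narrowed the same way the health-check rules are. Because `deny_egress` at priority 1100 is the backstop, an allow rule that matches nothing fails closed (lost connectivity) rather than open, which is the safer failure mode but worth stating in a comment so the next reader does not loosen the deny rule to "fix" it.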
1 change: 0 additions & 1 deletion
1
...modules/customer_managed_vpc/workspace.tf → ...modules/workspace_deployment/workspace.tf