From 8d55f757bdd5e10dc54ec88ee85da0cfae16a8fa Mon Sep 17 00:00:00 2001
From: Patrick Conway
Date: Mon, 11 Aug 2025 16:14:21 -0400
Subject: [PATCH] IP allow lists

---
 main.tf      | 32 ++++++++++++++++++++++++++++++--
 variables.tf |  6 ++++++
 2 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 variables.tf

diff --git a/main.tf b/main.tf
index ea544ec..016f61a 100644
--- a/main.tf
+++ b/main.tf
@@ -67,6 +67,34 @@ resource "databricks_permissions" "sp_usage_of_warehouse" {
 }
 }
 
+# -----------------------------------------------------------------------------
+# Grant the service principal permission to create tables in the SQL Warehouse.
+# -----------------------------------------------------------------------------
+resource "databricks_workspace_conf" "enable_ip_access_lists" {
+ count = var.enable_ip_allowlist ? 1 : 0
+ provider = databricks.workspace
+
+ custom_config = {
+ "enableIpAccessLists" = true
+ }
+}
+
+resource "databricks_ip_access_list" "vantage_static_ips" {
+ count = var.enable_ip_allowlist ? 1 : 0
+ provider = databricks.workspace
+
+ label = "allow_in"
+ list_type = "ALLOW"
+ ip_addresses = [
+ "54.87.66.45",
+ "3.95.43.133",
+ "54.162.3.72",
+ "44.199.143.63",
+ "3.218.103.23"
+ ]
+ depends_on = [databricks_workspace_conf.enable_ip_access_lists]
+}
+
+# -----------------------------------------------------------------------------
 # Reference to the 'system.billing' schema, which contains billing data.
 # -----------------------------------------------------------------------------
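Review bot: With `list_type = "ALLOW"` and `enableIpAccessLists` switched on, Databricks applies the allow list to every inbound connection to the workspace, not just to this service principal, so the moment `var.enable_ip_allowlist` is true any console, API or Terraform session that does not originate from one of the five Vantage addresses is refused — including the pipeline that applied this change, unless its own egress IP is on the list (as far as I know the API rejects a list that would exclude the caller's current IP, so the first apply is more likely to error than to lock you out silently, but confirm against current provider behaviour). The address set should come from a variable, e.g. `ip_addresses = var.vantage_ip_addresses` with these five as the default, so operator/CI egress IPs and future Vantage IP rotations are a variable change rather than a code edit. The header comment above `databricks_workspace_conf` is copied from the warehouse grant and describes the wrong thing; it should read `# Opt-in workspace IP access list: restrict inbound access to Vantage's published static egress IPs (see variables.tf).` A second `label`-level comment noting that the list is workspace-wide, not per-principal, would save the next reader the same surprise.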
@@ -123,7 +151,7 @@ data "databricks_schema" "system_access" {
 
 resource "databricks_grant" "system_access_grants" {
 provider = databricks.workspace
- schema = data.databricks_schema.system_access.id
- principal = databricks_service_principal.vantage_billing_sp.application_id
+ schema = data.databricks_schema.system_access.id
+ principal = databricks_service_principal.vantage_billing_sp.application_id
 privileges = ["USE_SCHEMA", "EXECUTE", "READ_VOLUME", "SELECT"]
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..49f0f6d
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,6 @@
+variable "enable_ip_allowlist" {
+ type = bool
+ default = false
+ # https://docs.vantage.sh/security/#:~:text=Does%20Vantage%20use%20fixed%20IP%20addresses%20when%20connecting%20to%20external%20providers%2C%20such%20as%20AWS%20or%20Azure%3F
+ description = "Enable IP allowlist for Vantage IP Addresses"
+}
\ No newline at end of file
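Review bot: The `description` of `enable_ip_allowlist` understates what the flag does: the ALLOW list it turns on is, as far as I know, evaluated against all inbound workspace traffic, so a reader flipping it to `true` needs to be told that anything not on the list — their own IP included — is blocked. Suggest `description = "Opt-in: enable Databricks IP access lists and allow only Vantage's static IPs. WARNING: this restricts ALL inbound workspace access to listed IPs; add your own operator/CI egress IPs before enabling."`. The text-fragment URL (`#:~:text=…`) in the comment is brittle and will stop pointing anywhere useful after a docs edit; a plain link to `https://docs.vantage.sh/security/` plus a short note naming the FAQ entry ("fixed IP addresses when connecting to external providers") would be more durable. Since the file is new, a one-line header comment stating that these variables gate optional hardening in main.tf would also help.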