
Read Before Deploying

Key Considerations

The Security Reference Architecture (SRA) is a purpose-built, simplified deployment pattern designed for highly secure and regulated customers.

The architecture enforces controls that can affect certain use cases, as outlined below.

  • No outbound internet traffic: There is no outbound internet access from the classic compute plane or serverless compute plane.

    • To install packages on classic or serverless compute, host them in a private repository (for example, an internal mirror of scanned packages) that is reachable over the private network.
    • If specific public API endpoints must be reachable, route that traffic through an egress firewall that allows only those destinations rather than opening general internet access.
  • Restrictive AWS Resource Policies: Restrictive bucket and endpoint policies have been implemented for the workspace root storage bucket, S3 gateway endpoint, and the STS and Kinesis interface endpoints. These restrictions are continuously refined as the product evolves.

    • Policies can be adjusted to allow access to additional AWS resources, such as other S3 buckets.
    • If you encounter unexpected product behavior due to a policy in this repository, please raise a GitHub issue.
  • Isolated Unity Catalog Securables: Unity Catalog securables like catalogs, Storage Credentials, and External Locations are isolated to individual workspaces.

    • To share a securable with other workspaces, bind it to each of them with the databricks_workspace_binding resource.
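The two adjustments called out above (widening a restrictive endpoint policy to an additional S3 bucket, and binding an isolated Unity Catalog securable to a second workspace) look like this in Terraform. This is an added illustration, not code from the SRA repository: the variable names, bucket and workspace identifiers, and the shape of the endpoint policy are assumptions, and the policy shipped in the repository is more specific than the one shown here.

```hcl
# Added example, not part of the SRA repository. All names and IDs are assumptions.

variable "vpc_id"                 { type = string }
variable "region"                 { type = string }
variable "private_route_table_ids" { type = list(string) }
variable "root_bucket"            { type = string }          # workspace root storage bucket
variable "extra_bucket"           { type = string }          # assumed: an additional data bucket you need to reach
variable "analytics_workspace_id" { type = number }          # assumed: numeric ID of a second workspace

# 1. S3 gateway endpoint policy.
# Deny-by-default shape: only the listed buckets are reachable through the endpoint.
# To grant access to another bucket, add its ARNs here rather than relaxing the policy.
data "aws_iam_policy_document" "s3_gateway" {
  statement {
    sid    = "AllowListedBucketsOnly"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      "arn:aws:s3:::${var.root_bucket}",
      "arn:aws:s3:::${var.root_bucket}/*",
      # The added bucket: both the bucket ARN (for ListBucket) and the object ARN pattern.
      "arn:aws:s3:::${var.extra_bucket}",
      "arn:aws:s3:::${var.extra_bucket}/*",
    ]
  }
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
  policy            = data.aws_iam_policy_document.s3_gateway.json
}

# 2. Unity Catalog workspace binding.
# A catalog set to ISOLATED is not visible from other workspaces until bound to them.
# Per the provider docs, the workspace that creates the catalog is bound automatically.
# Assumes the databricks provider is already configured for the creating workspace.
resource "databricks_catalog" "shared" {
  name           = "shared_reference"
  isolation_mode = "ISOLATED"
  comment        = "Shared only with explicitly bound workspaces"
}

resource "databricks_workspace_binding" "shared_to_analytics" {
  securable_name = databricks_catalog.shared.name
  securable_type = "catalog"
  workspace_id   = var.analytics_workspace_id
  # Least privilege: grant read-only unless the second workspace must write.
  binding_type   = "BINDING_TYPE_READ_ONLY"
}
```

Review the resulting endpoint policy with `terraform plan` before applying, and keep the resource list explicit: a wildcard bucket ARN would reopen the exfiltration path the restrictive policy exists to close. The same binding pattern applies to storage credentials and external locations by changing `securable_type` and pointing `securable_name` at that resource.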

Customizations

Terraform customizations are available to support the baseline deployment of the Security Reference Architecture (SRA). These customizations are organized by provider:

  • Workspace: Databricks workspace provider

These extensions can be found in the top-level customizations folder.