
SRA Components Breakdown

This section outlines the core components of the Security Reference Architecture (SRA). Several .tf scripts contain direct links to the Databricks Terraform documentation. The full Databricks Terraform Provider Documentation can be found here.

Core Azure Components

  • Vnet Injection: Vnet Injection allows Azure Databricks workspaces to be deployed directly into a customer-managed virtual network (VNet), providing control over network configuration to meet organizational security and governance requirements.
  • Private Endpoints: Leveraging Azure Private Link, private endpoints connect the customer’s VNet to Azure services without using public IP addresses, ensuring secure, private communication.
  • PrivateLink Connectivity: Private Link establishes private network paths between the customer’s data plane and the Databricks control plane, preventing traffic from traversing the public internet. This template configures Back-End Private Link for communication to the Databricks control plane from classic compute clusters.

Core Databricks Components

  • Unity Catalog: Unity Catalog is a unified governance solution for data and AI assets such as files, tables, and machine learning models. Unity Catalog enforces fine-grained access controls, centralized policy management, auditing, and lineage tracking—all integrated into the Databricks workflow.
  • Network Connectivity Configuration: Serverless network connectivity is managed with network connectivity configurations (NCC), account-level regional constructs used to manage private endpoint creation and firewall enablement at scale. An NCC is created and attached to the workspace; it exposes a list of stable Azure service subnets that serverless compute in that workspace uses to reach Azure resources through service endpoints.
  • Restrictive Network Policy: Network Policies implement egress controls for serverless compute by enforcing a restrictive network policy that permits outbound traffic only to the required data storage locations.

Security Analysis Tool (SAT)

The Security Analysis Tool (SAT) is disabled by default. You can enable SAT to continuously monitor the security posture of your Databricks environment. When enabled, SAT is installed by default in the hub workspace (also known as the WEB_AUTH workspace).

Changing the SAT Workspace

To deploy the Security Analysis Tool (SAT) in a different workspace, three modifications are required in customizations.tf. All three must point at the same workspace; if only some are changed, SAT is installed in one workspace while the admin permission assignment is made in another.

  1. Update the Databricks provider in the SAT module:

     # Default
     providers = {
       databricks = databricks.hub
     }

     # Modified
     providers = {
       databricks = databricks.spoke
     }

  2. Update the local sat_workspace reference:

     # Default
     locals {
       sat_workspace = var.create_hub && length(module.webauth_workspace) > 0 ? module.webauth_workspace[0] : null
     }

     # Modified
     locals {
       sat_workspace = module.spoke_workspace
     }

  3. Update the databricks_permission_assignment.sat_workspace_admin resource:

     # Default
     resource "databricks_permission_assignment" "sat_workspace_admin" {
       count = length(module.sat)
       ...
       provider = databricks.hub
     }

     # Modified
     resource "databricks_permission_assignment" "sat_workspace_admin" {
       count = length(module.sat)
       ...
       provider = databricks.spoke
     }
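As an added consistency check (example code, not part of the SRA template or the Databricks project), the following Python script scans a customizations.tf-style file as plain text and reports whether the SAT module's provider alias, the sat_workspace local, and the sat_workspace_admin permission assignment's provider all target the same workspace. It uses simple regexes and brace matching rather than an HCL parser; the `module "sat"` header, its `source` argument and the sample HCL are constructed for the example, and the hub/spoke mapping assumes that a sat_workspace expression referring to `webauth_workspace` means the hub and one referring to `spoke_workspace` means the spoke, as described above.

```python
"""Check that the three SAT workspace settings in customizations.tf agree.

Added example, not code from the SRA template. Scans HCL as text: simple
regexes plus brace matching, so braces inside strings are not handled.
"""
import re
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample (assumed module header and source path): the default
# hub configuration as documented.
HUB_CONFIG = """
module "sat" {
  source = "./modules/sat"
  providers = {
    databricks = databricks.hub
  }
}

locals {
  sat_workspace = var.create_hub && length(module.webauth_workspace) > 0 ? module.webauth_workspace[0] : null
}

resource "databricks_permission_assignment" "sat_workspace_admin" {
  count    = length(module.sat)
  provider = databricks.hub
}
"""

# Constructed sample: only two of the three edits applied (permission
# assignment still targets the hub).
MISMATCHED_CONFIG = HUB_CONFIG.replace(
    "databricks = databricks.hub", "databricks = databricks.spoke"
).replace(
    "sat_workspace = var.create_hub && length(module.webauth_workspace) > 0 ? module.webauth_workspace[0] : null",
    "sat_workspace = module.spoke_workspace",
)

# Constructed sample: all three edits applied.
SPOKE_CONFIG = MISMATCHED_CONFIG.replace(
    "provider = databricks.hub", "provider = databricks.spoke"
)


def _blocks(body: str, header_pattern: str) -> Iterator[str]:
    """Yield the text of every top-level block whose header matches."""
    for m in re.finditer(header_pattern + r"\s*\{", body):
        depth = 0
        for i in range(m.end() - 1, len(body)):
            if body[i] == "{":
                depth += 1
            elif body[i] == "}":
                depth -= 1
                if depth == 0:
                    yield body[m.end() - 1:i + 1]
                    break


def _provider_alias(text: str, key: str) -> Optional[str]:
    """Return <alias> from `key = databricks.<alias>`, or None."""
    m = re.search(rf"\b{key}\s*=\s*databricks\.(\w+)", text)
    return m.group(1) if m else None


def _workspace_from_local(locals_text: str) -> Optional[str]:
    """Map the sat_workspace expression to 'hub' or 'spoke' (assumed naming)."""
    m = re.search(r"\bsat_workspace\s*=\s*(.+)", locals_text)
    if not m:
        return None
    expr = m.group(1)
    if "webauth_workspace" in expr:
        return "hub"
    if "spoke_workspace" in expr:
        return "spoke"
    return None


def sat_workspace_settings(hcl: str) -> Dict[str, Optional[str]]:
    """Extract the three SAT workspace settings from an HCL file's text."""
    module = next(_blocks(hcl, r'\bmodule\s+"sat"'), "")
    locals_text = "\n".join(_blocks(hcl, r"\blocals\b"))
    resource = next(
        _blocks(hcl, r'\bresource\s+"databricks_permission_assignment"\s+"sat_workspace_admin"'), ""
    )
    return {
        "module_provider": _provider_alias(module, "databricks"),
        "sat_workspace_local": _workspace_from_local(locals_text),
        "permission_provider": _provider_alias(resource, "provider"),
    }


def sat_workspace_consistent(hcl: str) -> Tuple[bool, str]:
    """Return (ok, message); ok is True only when all three settings agree."""
    settings = sat_workspace_settings(hcl)
    missing = [k for k, v in settings.items() if v is None]
    if missing:
        return False, "could not locate: " + ", ".join(missing)
    targets = set(settings.values())
    if len(targets) == 1:
        return True, f"all three settings target the {targets.pop()} workspace"
    return False, "mismatch: " + ", ".join(f"{k}={v}" for k, v in settings.items())


if __name__ == "__main__":
    for name, cfg in (("hub", HUB_CONFIG), ("mismatched", MISMATCHED_CONFIG), ("spoke", SPOKE_CONFIG)):
        ok, msg = sat_workspace_consistent(cfg)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {msg}")
```

Run it against your own customizations.tf by reading the file into a string and passing it to sat_workspace_consistent; a "mismatch" result means one of the three edits above was missed.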

NOTE: The Security Analysis Tool (SAT) is designed to be deployed once per Azure subscription.

SAT Service Principal

Some users may not have permissions to create Entra ID service principals. In this case, a pre-existing service principal can be used:

# example.tfvars
sat_service_principal = {
client_id = "00000000-0000-0000-0000-000000000000"
client_secret = "some-secret"
}

Because client_secret is a credential, keep a tfvars file that contains it out of version control (for example, a gitignored tfvars file or a TF_VAR_ environment variable) rather than committing it alongside the template. If no service principal is provided, the template creates one named spSAT by default. The name can be customized:

# example.tfvars
sat_service_principal = {
name = "spSATDev"
}

SAT Compute

The Security Analysis Tool (SAT) is installed using classic compute by default, because SAT does not yet support inspecting workspaces other than the current one when running on serverless. To run on serverless compute instead, set run_on_serverless in the sat_configuration variable:

sat_configuration = {
run_on_serverless = true
}

NOTE: When running the Security Analysis Tool (SAT) on serverless compute, SAT will only inspect the current workspace.