Mode 2: Bring-your-own Hub
Description
You provide an existing hub infrastructure (VNET, Key Vault, metastore, NCC, network policy). SRA creates only the spoke workspace with a managed spoke network.
What Gets Created
| Resource | Component | Created by SRA |
|---|---|---|
| Hub Resource Group | Hub VNET + Azure Firewall | ✗ (You provide) |
| | Webauth Workspace | ✗ (You provide) |
| | CMK KeyVault | ✗ (You provide) |
| | Route Table | ✗ (You provide) |
| Spoke Resource Group | Workspace | ✓ |
| | Spoke VNET | ✓ |
| | Back-end Private Endpoint | ✓ |
| | UC Storage Account | ✓ |
| Account Console | NCC (Network Connectivity Config) | ✗ (You provide) |
| | Network Policy | ✗ (You provide) |
| | Metastore | ✗ (You provide) |
Configuration
create_hub = false
Required Variables
Additional Requirements
When create_hub = false, you must provide several additional variables from your existing hub infrastructure.
```hcl
# Disable hub creation
create_hub = false

# Basic configuration
location        = "westus2"
subscription_id = "ffffffff-ffff-ffff-ffff-ffffffffffff"
resource_suffix = "spoke"

# REQUIRED: Existing metastore from your hub
databricks_metastore_id = "00000000-0000-0000-0000-000000000000"

# REQUIRED: Existing hub VNET details (for spoke network peering)
existing_hub_vnet = {
  route_table_id = "/subscriptions/.../providers/Microsoft.Network/routeTables/rt-hub"
  vnet_id        = "/subscriptions/.../providers/Microsoft.Network/virtualNetworks/vnet-hub"
}

# REQUIRED: Existing NCC and network policy
existing_ncc_id            = "your-ncc-id"
existing_network_policy_id = "your-network-policy-id"

# REQUIRED if cmk_enabled = true (default)
existing_cmk_ids = {
  key_vault_id            = "/subscriptions/.../providers/Microsoft.KeyVault/vaults/kv-hub"
  managed_disk_key_id     = "https://kv-hub.vault.azure.net/keys/cmk-disk/version"
  managed_services_key_id = "https://kv-hub.vault.azure.net/keys/cmk-services/version"
}

tags = {
  Owner = "user@example.com"
}
```
Required Variable Summary
- databricks_account_id
- location
- subscription_id
- resource_suffix
- databricks_metastore_id
- existing_ncc_id
- existing_network_policy_id
- existing_hub_vnet
- existing_cmk_ids (if cmk_enabled = true)
Template File
Use template_byo_hub.example.tfvars as the template for this type of deployment.
Important Notes
CMK Configuration
If cmk_enabled = true (default), you must provide existing_cmk_ids. Alternatively, you can disable CMK:
cmk_enabled = false
SAT Not Available
The Security Analysis Tool (SAT) can only be deployed when create_hub = true. If you need SAT with a BYO hub deployment, you must deploy it separately.
Validation Rules
When create_hub = false:
- Must provide databricks_metastore_id
- Must provide existing_ncc_id
- Must provide existing_network_policy_id
- Must provide existing_hub_vnet
- Must provide existing_cmk_ids if cmk_enabled = true
- Must NOT provide existing_cmk_ids if cmk_enabled = false
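A pre-flight check for these rules, as an added example that is not part of the SRA code: it takes the variables as a dict, for instance loaded from a JSON variable file such as terraform.tfvars.json. The function names and the placeholder markers ("..." and a "your-" prefix, taken from the example values on this page) are assumptions.

```python
import json

REQUIRED = ("databricks_metastore_id", "existing_ncc_id",
            "existing_network_policy_id", "existing_hub_vnet")
# Nested keys as shown in this page's example configuration.
NESTED = {"existing_hub_vnet": ("route_table_id", "vnet_id"),
          "existing_cmk_ids": ("key_vault_id", "managed_disk_key_id",
                               "managed_services_key_id")}


def is_placeholder(value):
    """Assumed markers of text left unchanged from the template."""
    return isinstance(value, str) and ("..." in value or value.startswith("your-"))


def check_byo_hub(tfvars):
    """Return the rule violations for a BYO-hub variable set (a dict)."""
    if tfvars.get("create_hub") is not False:
        return ["create_hub must be set to false for a BYO hub deployment"]
    errors = [f"{name} is required when create_hub = false"
              for name in REQUIRED if not tfvars.get(name)]
    cmk_enabled = tfvars.get("cmk_enabled", True)  # the page gives true as default
    has_cmk = bool(tfvars.get("existing_cmk_ids"))
    if cmk_enabled and not has_cmk:
        errors.append("existing_cmk_ids is required when cmk_enabled = true")
    if not cmk_enabled and has_cmk:
        errors.append("existing_cmk_ids must not be set when cmk_enabled = false")
    for name, keys in NESTED.items():
        obj = tfvars.get(name)
        if not isinstance(obj, dict) or not obj:
            continue  # absence is already reported above
        for key in keys:
            if not obj.get(key):
                errors.append(f"{name}.{key} is missing")
            elif is_placeholder(obj[key]):
                errors.append(f"{name}.{key} still holds a template placeholder")
    for name in ("existing_ncc_id", "existing_network_policy_id"):
        if is_placeholder(tfvars.get(name)):
            errors.append(f"{name} still holds a template placeholder")
    return errors


def check_file(path):
    """Validate a JSON variable file such as terraform.tfvars.json."""
    with open(path, encoding="utf-8") as handle:
        return check_byo_hub(json.load(handle))
```

An empty list means the variable set satisfies every rule above; run it before terraform plan so a missing hub reference fails early.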
Next Steps
- Copy template_byo_hub.example.tfvars to terraform.tfvars
- Fill in required variables from your existing hub infrastructure
- Review Configuration Reference for optional features
- Follow Getting Started deployment steps