Azure

Setting Up Terraform

Unity Catalog Required

SAT v0.5.0 and higher requires Unity Catalog. Make sure Unity Catalog is enabled in your Databricks environment before installing SAT.

Note

SAT v0.2.0 or higher introduces full support for Unity Catalog. You can now pick your own catalog instead of being limited to the hive_metastore. Additionally, you have the flexibility to choose your own schema name.

Note

SAT requires at least one SAT set up in a workspace per Azure subscription.

Step 1: Install Required Tools

1. Install Terraform.
2. Install Git on your local machine.

Step 2: Clone the Repository

Clone the Security Analysis Tool repository using:

git clone https://github.com/databricks-industry-solutions/security-analysis-tool.git

Step 3: Navigate to the Terraform Directory

Navigate to the relevant cloud directory:

cd security-analysis-tool/terraform/<cloud>/

Step 4: Configure Variables

1. Create a terraform.tfvars file using the template.tfvars file as a base.
2. Refer to the variables.tf for descriptions of the variables.
3. Set all required variables for your deployment.

Azure-Specific Configuration

• Follow the Azure Setup Guide for variable setup.

Service Principal Role Requirements:

• "Reader" role at the subscription level via Access control (IAM).
• Accounts Admin role
• Admin role for each workspace
• Member of the metastore admin group

Refer to the documentation for workspace_url, workspace_id, and account_console_id

Step 5: Configure Azure CLI Credentials

1. Set up Azure CLI credentials for the provider block in provider.tf.
2. Use the Azure CLI to log in. The CLI will open a web browser for authentication:

az login

Proxies are now supported as part of SAT. You can add your HTTP and HTTPS links to use your proxies.

{
    "http": "http://example.com",
    "https": "https://example.com"
}

Run Terraform and SAT Workflows

Step 6: Run Terraform Commands

1. Initialize Terraform:

terraform init

2. Plan Terraform Changes - create a plan to preview changes to your infrastructure:

terraform plan

3. Apply Terraform Plan - Execute the proposed changes:

terraform apply

Step 7: Run Databricks Jobs

1. Run "SAT Initializer Notebook":

• This must be run successfully once. While it can be run multiple times, a single successful run is sufficient.

2. Run "SAT Driver Notebook":

• This notebook can be scheduled to run periodically (e.g., every Monday, Wednesday, and Friday).

Step 8: Access the SAT Dashboard

1. Navigate to the SQL > Dashboard in the left menu from the Databricks workspace.
2. Select the SAT Dashboard, choose a Workspace from the dropdown, and refresh the dashboard.

Supplemental Documentation

• Databricks Documentation Terraform
• Databricks Terraform Provider Docs

Additional Considerations:

If a pre-existing secret scope named sat_scope causes jobs to fail:

1. Rename the secret scope in secrets.tf
2. Re-run terraform apply.
3. Update the secret scope name in 6 locations (CMD 4 and CMD 5) of Workspace -> Applications -> SAT-TF/notebooks/Utils/initialize.
4. Re-run failed jobs

Congratulations! 🎉 You are now ready to start using the SAT. Please click here for a detailed description on how to run and use it.