1. Configuring Kusto Database Access for External Tenants

    TypeScript

    To configure access to a Kusto (Azure Data Explorer) database for external tenants, you use Azure Data Explorer's access control features. One way of granting access is the Attached Database Configuration resource, which lets you attach a database from one Azure Data Explorer cluster to another, potentially in a different tenant.

    Below is a Pulumi program written in TypeScript that demonstrates how to configure an Attached Database Configuration for a Kusto database. This configuration will allow for sharing a database between clusters, which can be used to provide access to external tenants.

    First, you'll need to set up an AttachedDatabaseConfiguration, specifying the necessary parameters such as the database name, the cluster resource ID that the database resides in, and which tables, materialized views, etc., are included or excluded in the attachment.

    Here's how you can do this with Pulumi:

    ```typescript
    import * as azureNative from "@pulumi/azure-native";

    const resourceGroupName = "my-resource-group";
    const location = "West US";
    const sourceClusterName = "source-cluster";
    const targetClusterName = "target-cluster";
    const databaseName = "my-database";
    const clusterResourceId = `/subscriptions/<subscription-id>/resourceGroups/${resourceGroupName}/providers/Microsoft.Kusto/Clusters/${sourceClusterName}`;
    const attachedDatabaseConfigurationName = "my-attached-database-configuration";

    const attachedDatabaseConfig = new azureNative.kusto.AttachedDatabaseConfiguration(attachedDatabaseConfigurationName, {
        // The name of the attached database configuration
        attachedDatabaseConfigurationName: attachedDatabaseConfigurationName,
        // The name of the database that you want to attach
        databaseName: databaseName,
        // Resource ID of the source cluster where the database resides
        clusterResourceId: clusterResourceId,
        // Resource group of the target cluster
        resourceGroupName: resourceGroupName,
        // The name of the target cluster to which you want to attach the existing database
        clusterName: targetClusterName,
        location: location,
        // Define which objects to include or exclude from the attachment
        tableLevelSharingProperties: {
            tablesToInclude: ["Table1", "Table2"], // Specify tables to include
            tablesToExclude: ["Table3"], // Specify tables to exclude
            // You can also specify other objects like materialized views, functions, etc.
        },
        // How the source database's principals are combined with principals
        // added on the attached database
        defaultPrincipalsModificationKind: "Union",
    });

    export const configurationId = attachedDatabaseConfig.id;
    ```

    This program will create an Attached Database Configuration resource within your Azure environment for a given Kusto database. Here's a breakdown of the steps involved:

    1. We first import the @pulumi/azure-native package, which contains the necessary resources to interface with Azure services.

    2. We define several constants such as the resource group name, location, the names of the source and target clusters, and the name of the database that we would like to attach.

    3. We create a new AttachedDatabaseConfiguration resource. The parameters we pass include the resource ID of the source cluster, the name of the target cluster, the database name, and the name of the configuration itself. We also define tableLevelSharingProperties, which lets us specify which tables to include in or exclude from the database sharing configuration. These settings determine which data the external tenants can see, so keep the include list as narrow as the consumers need.

    4. We set defaultPrincipalsModificationKind to Union, so the attached database keeps the principals defined on the source database and can also have additional principals added to it on the target cluster.

    5. Finally, we export configurationId, which is the unique identifier of the attached database configuration. This can be used to reference the configuration programmatically, for example, in the case of automation scripts or when needing to identify the resource in other parts of your infrastructure.

    Make sure to replace <subscription-id> with your actual Azure subscription ID and update table names according to your schema.

    To apply this configuration, you would run pulumi up, which creates or updates resources according to the defined program.

    Please note that this code assumes that you've set up the necessary Pulumi and Azure configurations, including authenticating with Pulumi CLI and Azure Cloud. Additionally, it's assumed that the Azure Data Explorer clusters and the database already exist in your subscription. Ensure that the target cluster (where you attach the database) is in a state that allows the database to be attached and that cross-tenant policies on both source and target tenants permit this operation.
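
A review step you can run on the arguments before `pulumi up`, added here as an example and not part of the original program or of Pulumi: it flags an unreplaced `<subscription-id>` placeholder, an unknown principals kind, and sharing lists that expose more than intended. `reviewAttachment`, `AttachArgs`, `SharingProps` and `Finding` are hypothetical names, and the check assumes a `*` in a table name acts as a wildcard.

```typescript
// Added example: field names mirror the page's program; reviewAttachment,
// AttachArgs, SharingProps and Finding are hypothetical helper names.
interface SharingProps { tablesToInclude?: string[]; tablesToExclude?: string[] }
interface AttachArgs {
  clusterResourceId: string;
  defaultPrincipalsModificationKind: string;
  tableLevelSharingProperties?: SharingProps;
}
interface Finding { level: "error" | "warn"; message: string }

const CLUSTER_ID =
  /^\/subscriptions\/[0-9a-f-]{36}\/resourceGroups\/[^\/]+\/providers\/Microsoft\.Kusto\/Clusters\/[^\/]+$/i;
const PRINCIPAL_KINDS = ["Union", "Replace", "None"];

function reviewAttachment(args: AttachArgs): Finding[] {
  const findings: Finding[] = [];
  // An unreplaced <subscription-id> placeholder or a malformed ID fails here.
  if (!CLUSTER_ID.test(args.clusterResourceId)) {
    findings.push({ level: "error", message: "clusterResourceId is not a Kusto cluster resource ID" });
  }
  if (PRINCIPAL_KINDS.indexOf(args.defaultPrincipalsModificationKind) === -1) {
    findings.push({ level: "error", message: "unknown defaultPrincipalsModificationKind" });
  }
  const sharing: SharingProps = args.tableLevelSharingProperties || {};
  const include = sharing.tablesToInclude || [];
  const exclude = sharing.tablesToExclude || [];
  // Without an include list, every table that is not excluded is shared.
  if (include.length === 0) {
    findings.push({ level: "warn", message: "no tablesToInclude: every table not excluded is shared" });
  }
  for (const name of include) {
    if (name.indexOf("*") !== -1) { // assumption: "*" acts as a wildcard
      findings.push({ level: "warn", message: `wildcard "${name}" can match tables created later` });
    }
    if (exclude.indexOf(name) !== -1) {
      findings.push({ level: "error", message: `"${name}" is both included and excluded` });
    }
  }
  return findings;
}

// Constructed sample: the page's values, with the placeholder still in place.
const pageArgs: AttachArgs = {
  clusterResourceId:
    "/subscriptions/<subscription-id>/resourceGroups/my-resource-group/providers/Microsoft.Kusto/Clusters/source-cluster",
  defaultPrincipalsModificationKind: "Union",
  tableLevelSharingProperties: { tablesToInclude: ["Table1", "Table2"], tablesToExclude: ["Table3"] },
};
console.log(reviewAttachment(pageArgs));
```

An empty result means none of these checks fired; it does not confirm that the cross-tenant policies mentioned above permit the attachment.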