Secure Token Management for Databricks Notebooks.

Question

Pulumi · Accepted Answer

When working with Databricks Notebooks using Pulumi, it's essential to handle tokens and other secrets securely. You might need to create Databricks tokens, manage secret scopes, store secrets and coordinate access to your notebooks safely.

Here's an overview of what we'll do in this Pulumi Python program:

1. Set up a secret scope using `databricks.SecretScope`. A secret scope allows us to store and manage secrets like tokens, passwords, and keys securely.

2. Create a token using `databricks.Token`. This token can be used for authenticating API requests or accessing Databricks services programmatically.

3. Store the generated token securely in the created secret scope with `databricks.Secret`.

4. Associate a notebook to a git repository for versioning using `databricks.Repo`, assuming that your Notebook content is stored in a Git repository. This step is optional and serves only as an example of how you might set up a notebook within Pulumi if your use case requires it.

5. Deploy a notebook using `databricks.Notebook`.

Remember, in a real-world scenario, you should handle the generated token with utmost care, and it should never be exposed in plain text or committed to your version control system.

We will now walk through the code that accomplishes the tasks listed above:
```python
import pulumi
import pulumi_databricks as databricks

# 1. Create a Secret Scope in Databricks.
# The `initial_manage_principal` is set to "users" which means all users can manage the secrets in this scope.
secret_scope = databricks.SecretScope("my-secret-scope",
                                      name="my-secret-scope",
                                      backend_type="DATABRICKS",
                                      initial_manage_principal="users")

# 2. Generate a Databricks Token.
# `lifetime_seconds` specifies how long the token remains valid. Adjust according to your requirements.
token = databricks.Token("my-token",
                         comment="pulumi generated token",
                         # Here, we set the token to expire after 1 day (86400 seconds).
                         # You might want to adjust this to fit your application's needs.
                         lifetime_seconds=86400)

# 3. Securely store the generated token in the secret scope we created earlier.
# The token's value is marked as secret to avoid exposing it in the Pulumi state.
secret = databricks.Secret("my-secret",
                           key="databricks-token",
                           string_value=token.token_value,
                           scope=secret_scope.name)

# OPTIONAL (if your notebooks are in a Git repo)
# 4. Associate a Databricks Notebook with a Git repository.
repo = databricks.Repo("my-repo",
                       path="/Repos/username/my-repo",
                       url="https://github.com/username/repo.git")

# 5. Deploy a Databricks Notebook.
notebook = databricks.Notebook("my-notebook",
                               path="/Workspace/notebook",
                               language="PYTHON",
                               content_base64="base64-encoded-content-here",
                               # Assuming you want to import notebook content from a file:
                               # source=pulumi.FileAsset("path_to_your_notebook.py").path)

# To minimize exposure of sensitive data, don't export the token value or secret information.
pulumi.export("secret_scope_name", secret_scope.name)
pulumi.export("notebook_path", notebook.path)
# Export the Repo's URL only if you have included step 4.
pulumi.export("repo_url", repo.url)
```

Each step in the Pulumi program is critical for ensuring that your Databricks environment is set up securely and efficiently. The secret scope and secure storage for your token make sure that the sensitive information is not exposed and is managed according to best practices. Deploying a notebook through Pulumi ensures that you have version control over your infrastructures, such as Databricks notebooks, just as you would with your application code.

For more detailed documentation on the Databricks resources used in Pulumi:
- [`databricks.SecretScope`](https://www.pulumi.com/registry/packages/databricks/api-docs/secretscope/)
- [`databricks.Token`](https://www.pulumi.com/registry/packages/databricks/api-docs/token/)
- [`databricks.Secret`](https://www.pulumi.com/registry/packages/databricks/api-docs/secret/)
- [`databricks.Repo`](https://www.pulumi.com/registry/packages/databricks/api-docs/repo/) (Optional)
- [`databricks.Notebook`](https://www.pulumi.com/registry/packages/databricks/api-docs/notebook/)

Before running this program, ensure you have the required Databricks provider configuration set up either in your Pulumi stack configuration or as environment variables. After executing this Pulumi program, it will output the name of the secret scope and the path to the notebook on the Databricks workspace.

Remember, this is a basic setup to get you started with Secure Token Management and Notebook deployment in Databricks using Pulumi. Depending on your needs, you might need to adjust token lifetimes, permissions, repository settings, and more.