[AWS] VPC endpoint refactor + pre-registered endpoints + naming overrides#232
Merged
Conversation
shreelshah12
approved these changes
May 13, 2026
Contributor
shreelshah12
left a comment
lgtm and tested on AWS Commercial
- aws/README.md
  - Network Configuration → Custom: added two sub-bullets for the AWS-id vs MWS-id paths
  - Core AWS Components: added Service Direct entry right after Back-end PrivateLink
  - New "Optional Naming Overrides" subsection at the end of the Component Breakdown
- docs/sra/docs/usage/AWS/components.mdx — mirror of the same three additions
Contributor, Author
Just completed testing, LGTM
metrocavich
approved these changes
May 22, 2026
DavidWells-DB
pushed a commit
to DavidWells-DB/Databricks-SRA-WebUI
that referenced
this pull request
May 25, 2026
Mirrors the rename in databricks/terraform-databricks-sra#232:
- custom_workspace_vpce_id -> custom_general_access_vpce_id
- custom_relay_vpce_id -> custom_scc_relay_vpce_id
Includes schema, modes, generator, custom-network component, tests, and snapshot.
Summary
This branch refactors the AWS SRA's VPC endpoint handling and adds several quality-of-life flags. It also introduces backwards-compatible state migrations and updates the docs.

New AWS resources
- Service Direct endpoint (`aws_vpc_endpoint.service_direct`, `databricks_mws_vpc_endpoint.service_direct`): a front-end PrivateLink endpoint that customers' clients use to reach the workspace UI/API privately. Service Direct endpoints are commonly shared across workspaces in the same VPC, so SRA does not create one by default — set the new `create_service_direct_vpce = true` flag to opt in. Not available in GovCloud regions, where the resource is automatically skipped.

New optional tfvars
- `create_service_direct_vpce` (bool, default `false`): opt-in flag for SRA to create + register a Service Direct VPC endpoint for this workspace.
- `custom_service_direct_vpce_id` (string, default `null`): bring your own AWS Service Direct VPC endpoint ID (used in custom networking mode when you've already provisioned the endpoint).
- `custom_general_access_mws_vpce_id`, `custom_scc_relay_mws_vpce_id`, `custom_service_direct_mws_vpce_id` (string, default `null`): pre-registered Databricks-side MWS VPC endpoint IDs. When set, SRA skips the `databricks_mws_vpc_endpoint` registration step and wires the ID directly into the workspace network configuration. Use this when the AWS VPC endpoint has already been registered with the Databricks account (e.g., shared across workspaces in the same VPC).
- `workspace_display_name` (string, default `null`): human-readable workspace name shown in the Databricks UI. Defaults to `resource_prefix` when unset.
- `custom_metastore_name` (string, default `null`): name for the Unity Catalog metastore created by this deployment. Defaults to `${var.region}-unity-catalog` when unset. Only used when `metastore_exists = false`.

Variable + resource renames (alignment with new naming)
VPC endpoint resources, module inputs, and tfvars variables were renamed to match the underlying Databricks PrivateLink endpoint nomenclature (`general_access`, `scc_tunnel_dataplane_relay_access`, `service_direct`) rather than the legacy `backend_*` names.

If you set either of these in your tfvars file, rename them before upgrading:
- `custom_workspace_vpce_id` → `custom_general_access_vpce_id`
- `custom_relay_vpce_id` → `custom_scc_relay_vpce_id`

Wiring is identical — only the variable names changed.

Resource address renames (handled automatically)
The following Terraform resource addresses changed in this branch. `moved` blocks are included so existing deployments preserve their state on upgrade — no destroy/recreate plans, no out-of-band `terraform state mv`:
- `aws_vpc_endpoint.backend_rest` → `aws_vpc_endpoint.general_access`
- `aws_vpc_endpoint.backend_relay` → `aws_vpc_endpoint.scc_tunnel_dataplane_relay_access`
- `databricks_mws_vpc_endpoint.backend_rest` → `databricks_mws_vpc_endpoint.general_access[0]`
- `databricks_mws_vpc_endpoint.backend_relay` → `databricks_mws_vpc_endpoint.scc_tunnel_dataplane_relay_access[0]`

The `[0]` index on the `databricks_mws_vpc_endpoint` resources reflects the addition of `count` (so the resources can be skipped when an MWS endpoint ID is provided).

Documentation
- `aws/README.md`: added pre-registered MWS endpoint guidance to the "Custom" networking mode bullet; added a "Service Direct" entry under Core AWS Components; added an "Optional Naming Overrides" subsection.
- `docs/sra/docs/usage/AWS/components.mdx`: mirrors the README updates for the Docusaurus site.

Tests
`aws/tf/tests/mock_plan.tftest.hcl` and `aws/tf/tests/mock_plan_gov.tftest.hcl` were updated to include the new variables (defaulted to null/false). Existing assertions are unchanged.

Related
- `data.databricks_mws_vpc_endpoint` source: databricks/terraform-provider-databricks#5715. When that lands, the "pre-registered MWS endpoint ID" path here can be simplified by looking endpoints up from state rather than having callers thread IDs in manually.

Test plan
- `terraform fmt -recursive` — clean
- `terraform validate` — passes against the existing mock test config
- `terraform test -filter=tests/mock_plan.tftest.hcl` — passes
- `terraform test -filter=tests/mock_plan_gov.tftest.hcl` — passes
- `create_service_direct_vpce = true` in a supported region — Service Direct endpoint created and registered
- `main` on an existing deployment — `moved` blocks rewrite state, no destroy/recreate in the plan
- `custom_general_access_mws_vpce_id` set — `databricks_mws_vpc_endpoint.general_access` is skipped, `mws_networks` uses the provided ID directly
- `workspace_display_name` set — UI shows the override, not `resource_prefix`
- `custom_metastore_name` set (and `metastore_exists = false`) — metastore is created with the override name
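An added illustration of the two mechanisms the description relies on for the general-access endpoint, the `count`-gated MWS registration that a pre-registered ID skips and the `moved` blocks that carry old state addresses forward; this is example code, not the SRA module's own. It assumes custom networking mode (the caller supplies `custom_general_access_vpce_id`) and assumes the `databricks_account_id`, `resource_prefix` and `region` inputs and the `locals` wiring.

```hcl
# Illustrative only, not the SRA module's code. Resource and variable names
# follow the PR; the account/prefix/region inputs and the local are assumptions.
variable "databricks_account_id" { type = string }
variable "resource_prefix"       { type = string }
variable "region"                { type = string }

# Your own AWS VPC endpoint ID (custom networking mode).
variable "custom_general_access_vpce_id" {
  type    = string
  default = null
}

# Databricks-side (MWS) ID of an endpoint that is already registered with the
# account, e.g. because it is shared across workspaces in the same VPC.
variable "custom_general_access_mws_vpce_id" {
  type    = string
  default = null
}

# Register the AWS endpoint with the Databricks account only when no
# pre-registered MWS ID was supplied; count = 0 skips the resource entirely.
resource "databricks_mws_vpc_endpoint" "general_access" {
  count               = var.custom_general_access_mws_vpce_id == null ? 1 : 0
  account_id          = var.databricks_account_id
  aws_vpc_endpoint_id = var.custom_general_access_vpce_id
  vpc_endpoint_name   = "${var.resource_prefix}-general-access"
  region              = var.region
}

locals {
  # One ID for the network configuration, whichever path was taken:
  # one([]) yields null when the resource was skipped, so coalesce picks
  # the caller-supplied MWS ID in that case.
  general_access_mws_vpce_id = coalesce(
    var.custom_general_access_mws_vpce_id,
    one(databricks_mws_vpc_endpoint.general_access[*].vpc_endpoint_id),
  )
}

# State migrations so an existing deployment keeps its endpoints on upgrade.
moved {
  from = aws_vpc_endpoint.backend_rest
  to   = aws_vpc_endpoint.general_access
}

moved {
  from = databricks_mws_vpc_endpoint.backend_rest
  to   = databricks_mws_vpc_endpoint.general_access[0]
}
```

`local.general_access_mws_vpce_id` is what would be passed to the `rest_api` list of the `vpc_endpoints` block on `databricks_mws_networks`; on an existing deployment `terraform plan` should then report the address changes as moves rather than a destroy/create pair.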