jasondamour
diff --git a/‎README.md
+3-1 b/‎README.md
+3-1
diff --git a/‎examples/adb-exfiltration-protection/.terraform.lock.hcl
-98 b/‎examples/adb-exfiltration-protection/.terraform.lock.hcl
-98
diff --git a/‎examples/adb-exfiltration-protection/README.md
+8-5 b/‎examples/adb-exfiltration-protection/README.md
+8-5
diff --git a/‎examples/adb-exfiltration-protection/main.tf
+13-59 b/‎examples/adb-exfiltration-protection/main.tf
+13-59
diff --git a/‎examples/adb-private-links-general/images/adb-private-links-general.png
-996 KB b/‎examples/adb-private-links-general/images/adb-private-links-general.png
-996 KB
diff --git a/‎examples/adb-private-links-general/README.md renamed to ‎examples/adb-with-private-links-exfiltration-protection/README.md
+9-6 b/‎examples/adb-private-links-general/README.md renamed to ‎examples/adb-with-private-links-exfiltration-protection/README.md
+9-6
diff --git a/‎examples/adb-with-private-links-exfiltration-protection/images/adb-private-links-general.png
504 KB b/‎examples/adb-with-private-links-exfiltration-protection/images/adb-private-links-general.png
504 KB
diff --git a/‎examples/adb-with-private-links-exfiltration-protection/main.tf
+21 b/‎examples/adb-with-private-links-exfiltration-protection/main.tf
+21
diff --git a/‎examples/adb-private-links-general/terraform.tfvars renamed to ‎examples/adb-with-private-links-exfiltration-protection/terraform.tfvars b/‎examples/adb-private-links-general/terraform.tfvars renamed to ‎examples/adb-with-private-links-exfiltration-protection/terraform.tfvars
diff --git a/‎examples/adb-private-links-general/variables.tf renamed to ‎examples/adb-with-private-links-exfiltration-protection/variables.tf b/‎examples/adb-private-links-general/variables.tf renamed to ‎examples/adb-with-private-links-exfiltration-protection/variables.tf
diff --git a/‎examples/adb-with-private-links-exfiltration-protection/versions.tf
+14 b/‎examples/adb-with-private-links-exfiltration-protection/versions.tf
+14
@@ -37,7 +37,7 @@ The folder `examples` contains the following Terraform implementation examples :
 | Azure | [adb-external-hive-metastore](examples/adb-external-hive-metastore/)               | Example template to implement [external hive metastore](https://learn.microsoft.com/en-us/azure/databricks/data/metastores/external-hive-metastore)           |
 | Azure | [adb-kafka](examples/adb-kafka/)                                                   | ADB - single node kafka template                                                                                                                              |
 | Azure | [adb-private-links](examples/adb-private-links/)                                   | Azure Databricks Private Links                                                                                                                                |
-| Azure | [adb-private-links-general](examples/adb-private-links-general/)                   | Azure Databricks Private Links General Implementation                                                                                                         |
+| Azure | [adb-private-links-general](examples/adb-private-links-general/)                   | Provisioning Databricks on Azure with Private Link and [Data Exfiltration Protection](https://www.databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html)                                                                                                         |
 | Azure | [adb-splunk](examples/adb-splunk/)                                                 | ADB workspace with single VM splunk integration                                                                                                               |
 | Azure | [adb-squid-proxy](examples/adb-squid-proxy/)                                       | ADB clusters with HTTP proxy                                                                                                                                  |
 | Azure | [adb-teradata](examples/adb-teradata/)                                             | ADB with single VM Teradata integration                                                                                                                       |
@@ -59,6 +59,8 @@ The folder `modules` contains the following Terraform modules :
 | All | [databricks-department-clusters](modules/databricks-department-clusters/)                     | Terraform module that creates Databricks resources for a team            |
 | Azure | [adb-lakehouse](modules/adb-lakehouse/)                      | Lakehouse terraform blueprints            |
 | Azure | [adb-with-private-link-standard](modules/adb-with-private-link-standard/)                     | Provisioning Databricks on Azure with Private Link - Standard deployment            |
+| Azure | [adb-exfiltration-protection](modules/adb-exfiltration-protection/)                     | A sample implementation of [Data Exfiltration Protection](https://www.databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html)             |
+| Azure | [adb-with-private-links-exfiltration-protection](modules/adb-with-private-links-exfiltration-protection/)                     | Provisioning Databricks on Azure with Private Link and [Data Exfiltration Protection](https://www.databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html)            |
 | AWS   | Coming soon                                         |             |
 | GCP   | Coming soon                                         |             |
 
 
@@ -1,5 +1,7 @@
 # Provisioning Azure Databricks workspace with a Hub & Spoke firewall for data exfiltration protection
 
+This example is using the [adb-exfiltration-protection](../../modules/adb-exfiltration-protection) module.
+
 This template provides an example deployment of: Hub-Spoke networking with egress firewall to control all outbound traffic from Databricks subnets. Details are described in: https://databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html
 
 With this setup, you can setup firewall rules to block / allow egress traffic from your Databricks clusters. You can also use firewall to block all access to storage accounts, and use private endpoint connection to bypass this firewall, such that you allow access only to specific storage accounts.  
@@ -18,11 +20,12 @@ Resources to be created:
 * Associated firewall rules, both FQDN and network rule using IP.
 
 
-## Getting Started
-1. Clone this repo to your local machine running terraform.
-2. Run `terraform init` to initialize terraform and get provider ready.
-3. Change `terraform.tfvars` values to your own values.
-4. Inside the local project folder, run `terraform apply` to create the resources.
+## How to use
+
+1. Update `terraform.tfvars` file and provide values to each defined variable
+2. (Optional) Configure your [remote backend](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm)
+4. Run `terraform init` to initialize terraform and get provider ready.
+4. Run `terraform apply` to create the resources.
 
 ## How to fill in variable values
 
 
@@ -7,63 +7,17 @@
  * * VNet with public and private subnet
  * * Databricks workspace
  */
-provider "azurerm" {
-  features {}
-}
 
-provider "random" {
-}
-
-resource "random_string" "naming" {
-  special = false
-  upper   = false
-  length  = 6
-}
-
-data "azurerm_client_config" "current" {
-}
-
-data "external" "me" {
-  program = ["az", "account", "show", "--query", "user"]
-}
-
-locals {
-  // dltp - databricks labs terraform provider
-  prefix   = join("-", [var.workspace_prefix, "${random_string.naming.result}"])
-  location = var.rglocation
-  cidr     = var.spokecidr
-  dbfsname = join("", [var.dbfs_prefix, "${random_string.naming.result}"]) // dbfs name must not have special chars
-
-  // tags that are propagated down to all resources
-  tags = {
-    Environment = "Testing"
-    Owner       = lookup(data.external.me.result, "name")
-    Epoch       = random_string.naming.result
-  }
-}
-
-resource "azurerm_resource_group" "this" {
-  name     = "adb-dev-${local.prefix}-rg"
-  location = local.location
-  tags     = local.tags
-}
-
-output "arm_client_id" {
-  value = data.azurerm_client_config.current.client_id
-}
-
-output "arm_subscription_id" {
-  value = data.azurerm_client_config.current.subscription_id
-}
-
-output "arm_tenant_id" {
-  value = data.azurerm_client_config.current.tenant_id
-}
-
-output "azure_region" {
-  value = local.location
-}
-
-output "resource_group" {
-  value = azurerm_resource_group.this.name
-}
+module "adb-exfiltration-protection" {
+  source       = "github.com/databricks/terraform-databricks-examples/modules/adb-exfiltration-protection"
+  hubcidr          = var.hubcidr
+  spokecidr        = var.spokecidr
+  no_public_ip     = var.no_public_ip
+  rglocation       = var.rglocation
+  metastoreip      = var.metastoreip
+  sccip            = var.sccip
+  webappip         = var.webappip
+  dbfs_prefix      = var.dbfs_prefix
+  workspace_prefix = var.workspace_prefix
+  firewallfqdn     = var.firewallfqdn
+}
@@ -1,5 +1,7 @@
 # Azure Databricks with Private Links (incl. web-auth PE) and Hub-Spoke Firewall structure (data exfiltration protection).
 
+This example is using the [adb-with-private-links-exfiltration-protection](../../modules/adb-with-private-links-exfiltration-protection) module.
+
 Include:
 1. Hub-Spoke networking with egress firewall to control all outbound traffic, e.g. to pypi.org.
 2. Private Link connection for backend traffic from data plane to control plane.
@@ -8,7 +10,7 @@ Include:
 5. Private Endpoint for web-auth traffic.
 
 Overall Architecture:
-![alt text](https://raw.githubusercontent.com/databricks/terraform-databricks-examples/main/examples/adb-private-links-general/images/adb-private-links-general.png?raw=true)
+![alt text](https://raw.githubusercontent.com/databricks/terraform-databricks-examples/main/examples/adb-with-private-links-exfiltration-protection/images/adb-private-links-general.png?raw=true)
 
 With this deployment, traffic from user client to webapp (notebook UI), backend traffic from data plane to control plane will be through private endpoints. This terraform sample will create:
 * Resource group with random prefix
@@ -17,8 +19,9 @@ With this deployment, traffic from user client to webapp (notebook UI), backend
 * Databricks workspace with private link to control plane, user to webapp and private link to dbfs
 
 
-## Getting Started
-1. Clone this repo to your local machine.
-2. Run `terraform init` to initialize terraform and get provider ready.
-3. Change `terraform.tfvars` values to your own values.
-4. Inside the local project folder, run `terraform apply` to create the resources.
+## How to use
+
+1. Update `terraform.tfvars` file and provide values to each defined variable
+2. (Optional) Configure your [remote backend](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm)
+4. Run `terraform init` to initialize terraform and get provider ready.
+4. Run `terraform apply` to create the resources.
@@ -0,0 +1,21 @@
+/**
+ * Azure Databricks workspace in custom VNet
+ *
+ * Module creates:
+ * * Resource group with random prefix
+ * * Tags, including `Owner`, which is taken from `az account show --query user`
+ * * VNet with public and private subnet
+ * * Databricks workspace
+ */
+
+module "adb-with-private-links-exfiltration-protection" {
+  source           = "github.com/databricks/terraform-databricks-examples/modules/adb-with-private-links-exfiltration-protection"
+  hubcidr          = var.hubcidr
+  spokecidr        = var.spokecidr
+  no_public_ip     = var.no_public_ip
+  rglocation       = var.rglocation
+  metastoreip      = var.metastoreip
+  dbfs_prefix      = var.dbfs_prefix
+  workspace_prefix = var.workspace_prefix
+  firewallfqdn     = var.firewallfqdn
+}
@@ -0,0 +1,14 @@
+# versions.tf
+terraform {
+  required_providers {
+    databricks = {
+      source  = "databricks/databricks"
+      version = ">=0.5.1"
+    }
+
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=2.83.0"
+    }
+  }
+}