This repository contains examples of Azure DevOps ( azdo) Pipelines that demonstrate how an end-to-end Azure Databricks workspace automation could be done.

The Azure Pipelines can use either Terraform or scripts (with Azure CLI and ARM templates).

The main goal is to have a Databricks Delta pipeline orchestrated with Azure Data Factory while starting with an empty Azure account (with only an empty Subscription and DevOps Organization).

• all of this by simply running ./run_all.sh:

1. Create the Subscription and DevOps Organization. If using the free tier, request a free Azure DevOps Parallelism grant by filling out the following form: https://aka.ms/azpipelines-parallelism-request

2. Fork this GitHub repository as Azure DevOps would need access to it and changing the Azure Pipelines variables would require committing and pushing changes.

3. Customize the variables:

   • admin setup variables: edit the admin/vars.sh file (especially SUFFIX and AZURE_DEVOPS_GITHUB_REPO_URL)
   • Azure Pipelines variables: edit the pipelines/vars.yml file, commit and push changes

4. Use the run_all.sh script:

export USE_TERRAFORM="yes"
export AZDO_ORG_SERVICE_URL="https://dev.azure.com/myorg/"    # or set it in vars.sh
export AZDO_PERSONAL_ACCESS_TOKEN="xvwepmf76..."              # not required if USE_TERRAFORM="no"
export AZDO_GITHUB_SERVICE_CONNECTION_PAT="ghp_9xSDnG..."     # GitHub PAT

./run_all.sh

Security was a central part in designing the main steps of this example and reflected in the minimum user privileges required for each step:

• step 1: administrator user (Owner of Subscription and Global administrator of the AD)
• step 2: infra service principal that is Owner of the project Resources Group
• step 3: data service principal that can deploy and run a Data Factory pipeline

Builds the Azure core infrastructure (using a privileged user / Administrator):

• this is the foundation for the next step: Resource Groups, Azure DevOps Project and Pipelines, Service Principals, Project group and role assignments.
• the user creating these resources needs to be Owner of Subscription and Global administrator of the Active Directory tenant.
• it can be seen as deploying an empty shell for a project or business unit including the Service Principal ( the Infra SP) assigned to that project that would have control over the project resources.

To run this step use one of the scripts depending on the tool preference:

• Terraform: ./admin/setup-with-terraform.sh (code)
• Scripts with Azure CLI: ./admin/setup-with-azure-cli.sh (code)

Before using either, check and personalize the variables under the admin/vars.sh file.

Builds the Azure infrastructure for the data pipeline and project (using the project specific Infra SP):

• this is the Azure infrastructure required to run a Databricks data pipeline, including Data Lake Gen 2 account and containers, Azure Data Factory, Azure Databricks workspace and Azure permissions.
• the service principal creating these resources is the Infra SP deployed at step 1 ( Resource Group owner).
• it is run as the first stage in the Azure DevOps infra pipeline with the pipeline name defined in the AZURE_DEVOPS_INFRA_PIPELINE_NAME variable.

• there are two Azure Pipelines yaml definitions for this deployment and either one can be used depending on the tool preference:

  Terraform: pipelines/azure-pipelines-infra-with-terraform.yml (code)
  • ARM templates and Azure CLI: pipelines/azure-pipelines-infra-with-azure-cli.yml (code)

To run this step:

• either use the az cli command like run_all.sh does it.
• or use the Azure DevOps portal by clicking the Run pipeline button on the pipeline with the name defined in the AZURE_DEVOPS_INFRA_PIPELINE_NAME variable.

Before using either, check and personalize the variables under the pipelines/vars.yml file ( don't forget to push any changes to Git before running).

This step is executed together with the one above and after deploying the Azure infrastructure and the Databricks workspace itself:

• it bootstraps the Databricks workspace with the required workspace objects for a new project and pipeline, including Instance Pools, Clusters, Policies, Notebooks, Groups and Service Principals.
• the service principal creating these resources is the Infra SP deployed at step 1 and is already a Databricks workspace admin since it deployed the workspace.
• it is run as the second stage in the Azure DevOps infra pipeline with the pipeline name defined in the AZURE_DEVOPS_INFRA_PIPELINE_NAME variable.

This is run together with previous step but if it is needed to run it separately:

• in the Azure DevOps portal, before clicking the Run pipeline button on the Infra pipeline, deselect the Deploy infrastructure job.
• with Terraform, use the terraform/deployments/run-deployment.sh script file.

This step is executed after the infrastructure deployment and workspace bootstrap:

• it's a simple Azure DevOps Pipeline that deploys with ARM templates an Azure Data Factory data pipeline together with the Databricks linked service.
• it then invokes the Azure Data Factory data pipeline with the Azure DevOps Pipeline parameters.
• the service principal deploying and running the pipeline is the Data SP deployed at step 1 and it has the necessary Databricks and Data Factory permissions given at step 2.
• this service principal also has the permission to write data into the Data Lake.
• the Databricks linked service can be of two types:
  • using the Data Factory Managed Identity to authenticate to Databricks: pipelines/azure-pipelines-data-factory-msi.yml (code)
  • using an AAD Access Token of the Data SP to authenticate to Databricks: pipelines/azure-pipelines-data-factory-accesstoken.yml (code)

To run this step:

• either use the az cli command like run_all.sh does it.
• or use the Azure DevOps portal by clicking the Run pipeline button on the pipeline with the name defined in the AZURE_DEVOPS_DATA_PIPELINE_NAME variable.

It will use some of the variables under the pipelines/vars.yml file and it can be customized using pipeline parameters like database and table names, source data location, etc.