From 0755b3efbf5e3aeabdabe561360a2b45062bbce3 Mon Sep 17 00:00:00 2001
From: James Bartolome
Date: Fri, 25 Oct 2024 13:49:45 -0700
Subject: [PATCH 1/4] fix: Associate role with policy containing self-assumption
---
 databricks-catalog-external-location/main.tf | 21 ++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/databricks-catalog-external-location/main.tf b/databricks-catalog-external-location/main.tf
index 568e4a8a..4d5358a5 100644
--- a/databricks-catalog-external-location/main.tf
+++ b/databricks-catalog-external-location/main.tf
@@ -7,6 +7,7 @@ locals {
 name = "${var.tags.project}-${var.tags.env}"
 bucket_name = "${local.name}-dbx-catalog-bucket"
 iam_role_name = "external_location_dbx_${var.tags.env}_aws_role"
+ iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
 }
 ## Bucket and policy
@@ -61,8 +62,7 @@ data "aws_iam_policy_document" "databricks_external_location_assume_role" {
 principals {
 type = "AWS"
 identifiers = [
- "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
- "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
+ "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
 ]
 }
@@ -86,7 +86,7 @@ data "aws_iam_policy_document" "databricks_external_location_assume_role" {
 test = "ArnEquals"
 variable = "aws:PrincipalArn"
- values = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"]
+ values = [local.iam_role_arn]
 }
 }
 }
@@ -119,13 +119,8 @@ data "aws_iam_policy_document" "databricks_external_location_bucket_access" {
 statement {
 sid = "databricksAssumeRole"
- effect = "Allow"
- actions = [
- "sts:AssumeRole"
- ]
- resources = [
- "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
- ]
+ actions = ["sts:AssumeRole"]
+ resources = [local.iam_role_arn]
 }
 }
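Review bot: The new `iam_role_arn` local is assembled by hand from the account ID, `local.path` and `local.iam_role_name`, so it is only correct if `aws_iam_role.databricks_external_location_iam_role` (outside this hunk) is created with exactly `path = local.path` and `name = local.iam_role_name`; a mismatch makes the trust-policy condition and the `sts:AssumeRole` resource below point at a role that does not exist, and Terraform will not flag it. The reason for not using the role's `.arn` attribute is presumably that the role's own trust policy references this ARN, which would be a dependency cycle, and that deserves a comment so nobody "simplifies" it later: `# Built by hand: the role's own trust policy references this ARN, so using aws_iam_role.databricks_external_location_iam_role.arn would be a cycle. Must match the role's path and name.`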
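Review bot: Dropping the role's own ARN from this statement's `identifiers` leaves the Databricks master role as the only principal here, so the self-assume that `databricksAssumeRole` in the bucket-access policy grants now depends entirely on the statement carrying the `aws:PrincipalArn` condition (next hunk); that statement's `principals` block is outside this hunk and must name a principal that actually covers the role (typically the account root), otherwise the self-assumption Databricks requires is silently dead and storage-credential validation will fail. This statement also trusts a cross-account principal (`414351767826`); its condition block is not shown, but it should pin `sts:ExternalId` to your Databricks account ID, since without it a request made by that Databricks-owned role on behalf of a different Databricks account could assume this role (the confused-deputy case that condition exists to prevent). The enclosing `data "aws_iam_policy_document" "databricks_external_location_assume_role"` starts and ends outside this hunk.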
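Review bot: The `databricksAssumeRole` statement grants the role `sts:AssumeRole` on itself, which reads like a mistake to anyone who has not met Databricks' self-assuming-role requirement, so a one-line comment above `statement {` would keep it from being "cleaned up": `# Databricks requires the storage-credential role to be self-assuming: it must be allowed to sts:AssumeRole itself (the trust policy must permit this too).` Removing `effect = "Allow"` is behavior-preserving because Allow is the `aws_iam_policy_document` default. The enclosing `data "aws_iam_policy_document" "databricks_external_location_bucket_access"` starts outside this hunk.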
@@ -140,6 +135,12 @@ resource "aws_iam_role_policy_attachment" "databricks_external_location_bucket_a
 role = aws_iam_role.databricks_external_location_iam_role.name
 }
+resource "aws_iam_role_policy" "databricks_external_location_access_role_policy" {
+ name_prefix = local.path
+ role = aws_iam_role.databricks_external_location_iam_role
+ policy = data.aws_iam_policy_document.databricks_external_location_bucket_access
+}
+
 ### Databricks storage credential - allows workspace to access an external location.
 ### NOTE: names need to be unique across an account, not just a workspace
 resource "databricks_storage_credential" "external" {
From b61a897281e138e3ebc80a8e78af9d2f07605b9e Mon Sep 17 00:00:00 2001
From: James Bartolome
Date: Fri, 25 Oct 2024 14:02:12 -0700
Subject: [PATCH 2/4] fix prefix
---
 databricks-catalog-external-location/main.tf | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/databricks-catalog-external-location/main.tf b/databricks-catalog-external-location/main.tf
index 4d5358a5..34cde3f0 100644
--- a/databricks-catalog-external-location/main.tf
+++ b/databricks-catalog-external-location/main.tf
@@ -3,11 +3,12 @@ data "aws_caller_identity" "current" {
 }
 locals {
- path = "/databricks/"
- name = "${var.tags.project}-${var.tags.env}"
- bucket_name = "${local.name}-dbx-catalog-bucket"
- iam_role_name = "external_location_dbx_${var.tags.env}_aws_role"
- iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
+ iam_role_prefix = "databricks"
+ path = "/${local.iam_role_prefix}/"
+ name = "${var.tags.project}-${var.tags.env}"
+ bucket_name = "${local.name}-dbx-catalog-bucket"
+ iam_role_name = "external_location_dbx_${var.tags.env}_aws_role"
+ iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
 }
 ## Bucket and policy
From af707d5b0c5837f208b6942fc58ee1e2bb228841 Mon Sep 17 00:00:00 2001
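Review bot: The new inline `aws_iam_role_policy` is added directly below `aws_iam_role_policy_attachment.databricks_external_location_bucket_access`, which already attaches a policy to the same role; if that managed policy (its `policy_arn` is outside this hunk) is rendered from the same `databricks_external_location_bucket_access` document, this change attaches identical statements twice and the self-assume permission the commit message says was missing was already in effect, so the real failure would be elsewhere (most likely the trust policy). Confirm which document the managed policy is built from and keep exactly one of the two attachments. As written here the resource also cannot apply (`name_prefix = local.path` yields `/databricks/`, which is not a valid IAM policy name, and the `role`/`policy` references lack `.id`/`.json`); the later patches in this series correct both, so this commit should not be applied on its own.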
From: James Bartolome
Date: Fri, 25 Oct 2024 14:02:39 -0700
Subject: [PATCH 3/4] fix prefix
---
 databricks-catalog-external-location/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/databricks-catalog-external-location/main.tf b/databricks-catalog-external-location/main.tf
index 34cde3f0..f244c54b 100644
--- a/databricks-catalog-external-location/main.tf
+++ b/databricks-catalog-external-location/main.tf
@@ -137,7 +137,7 @@ resource "aws_iam_role_policy_attachment" "databricks_external_location_bucket_a
 }
 resource "aws_iam_role_policy" "databricks_external_location_access_role_policy" {
- name_prefix = local.path
+ name_prefix = local.iam_role_prefix
 role = aws_iam_role.databricks_external_location_iam_role
 policy = data.aws_iam_policy_document.databricks_external_location_bucket_access
 }
From 2a860c86bc3eefb0f5c0372183373f8058defe6a Mon Sep 17 00:00:00 2001
From: James Bartolome
Date: Fri, 25 Oct 2024 14:07:17 -0700
Subject: [PATCH 4/4] fix values
---
 databricks-catalog-external-location/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/databricks-catalog-external-location/main.tf b/databricks-catalog-external-location/main.tf
index f244c54b..732125cf 100644
--- a/databricks-catalog-external-location/main.tf
+++ b/databricks-catalog-external-location/main.tf
@@ -138,8 +138,8 @@ resource "aws_iam_role_policy_attachment" "databricks_external_location_bucket_a
 resource "aws_iam_role_policy" "databricks_external_location_access_role_policy" {
 name_prefix = local.iam_role_prefix
- role = aws_iam_role.databricks_external_location_iam_role
- policy = data.aws_iam_policy_document.databricks_external_location_bucket_access
+ role = aws_iam_role.databricks_external_location_iam_role.id
+ policy = data.aws_iam_policy_document.databricks_external_location_bucket_access.json
 }
 ### Databricks storage credential - allows workspace to access an external location.
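Review bot: `name_prefix = local.iam_role_prefix` works because IAM policy names are restricted to `[\w+=,.@-]`, which is why the previous `local.path` value (`/databricks/`) was rejected; a comment on the line would stop the next person from "fixing" it back to the path: `name_prefix = local.iam_role_prefix # IAM policy names may not contain "/", so not local.path`. Note that `name_prefix` makes Terraform append a random suffix, so the inline policy name differs per apply; use `name` instead if a stable, predictable name is wanted for auditing.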
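Review bot: `role = aws_iam_role.databricks_external_location_iam_role.id` works only because the AWS provider sets `id` of `aws_iam_role` to the role name, but the attachment resource directly above this one references the same role through `.name`; using `.name` here too makes the intent explicit and keeps the two resources consistent: `role = aws_iam_role.databricks_external_location_iam_role.name`. The `.json` on the policy-document reference is the correct fix, since `policy` expects the rendered JSON string rather than the data-source object.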