From e0e7542e2afa92cf7069c19b846be0ad008e14ff Mon Sep 17 00:00:00 2001
From: metrocavich <126178571+metrocavich@users.noreply.github.com>
Date: Thu, 15 Aug 2024 15:16:47 -0400
Subject: [PATCH] Fix govcloud audit logging config

---
 .../logging_configuration.tf | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf
index 6b4113b..15f56df 100644
--- a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf
+++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf
@@ -84,17 +84,27 @@ resource "aws_s3_bucket_policy" "log_delivery" {
 // IAM Role
 // Assume Role Policy Log Delivery
-data "databricks_aws_assume_role_policy" "log_delivery" {
-  external_id = var.databricks_account_id
-  for_log_delivery = true
+data "aws_iam_policy_document" "passrole_for_log_delivery" {
+  statement { effect = "Allow" actions = ["sts:AssumeRole"] principals { identifiers = ["arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:SaasUsageDeliveryRole-prod-aws-gov-IAMRole-L4QM0RCHYQ1G"] type = "AWS" } condition { test = "StringEquals" variable = "sts:ExternalId" values = [var.databricks_account_id] } }
 }
-
 // Log Delivery IAM Role
 resource "aws_iam_role" "log_delivery" {
   name = "${var.resource_prefix}-log-delivery"
   description = "(${var.resource_prefix}) Log Delivery Role"
-  assume_role_policy = data.databricks_aws_assume_role_policy.log_delivery.json
+  assume_role_policy = data.aws_iam_policy_document.passrole_for_log_delivery.json
   tags = {
     Name = "${var.resource_prefix}-log-delivery-role"
   }
@@ -147,4 +157,4 @@ resource "databricks_mws_log_delivery" "audit_logs" {
   depends_on = [
     aws_s3_bucket_policy.log_delivery
   ]
-}
\ No newline at end of file
+}
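Review bot: The new trust policy at `identifiers = [...]` hardcodes a Databricks-owned role whose suffix `L4QM0RCHYQ1G` looks like a CloudFormation-generated ID; if Databricks ever redeploys that role, `sts:AssumeRole` starts failing and audit-log delivery stops silently, with no Terraform drift to flag it. Consider lifting the role name into a variable or local with a comment recording its provenance, e.g. `// Databricks-managed GovCloud log-delivery role; source: <Databricks docs URL placeholder>`, so a maintainer can re-verify the value without reverse-engineering it. The `StringEquals` condition on `sts:ExternalId` and the single role principal (rather than the account root) are the confused-deputy guard for this cross-account trust and should stay as written. As a naming point, `passrole_for_log_delivery` describes a document whose only action is `sts:AssumeRole`; a name such as `log_delivery_assume_role` would match how `aws_iam_role.log_delivery` consumes it. The `aws_iam_role` block continues outside the hunk, and `var.databricks_prod_aws_account_id` / `var.databricks_gov_shard` are declared elsewhere, so their validation is not visible here.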