
databricks.getAwsAssumeRolePolicy

Databricks v1.35.0 published on Friday, Mar 29, 2024 by Pulumi

    This data source constructs the AWS STS assume-role (trust) policy that the cross-account IAM role for Databricks needs.

    Example Usage

    End-to-end example of provisioning a cross-account IAM role together with databricks_mws_credentials:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as databricks from "@pulumi/databricks";
    
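    // Example program: provisions the Databricks cross-account IAM role and
    // registers it as MWS credentials. Every statement below declares a cloud
    // resource (side effects); there is no pure computation here.
    const config = new pulumi.Config();
    // Databricks account ID from stack config; reused below as the external ID
    // so the generated trust policy is bound to this account.
    const databricksAccountId = config.requireObject("databricksAccountId");
    // Fix: the original read `_var.prefix`, a Terraform-to-Pulumi conversion
    // artifact that is never declared. Read the prefix from stack config instead.
    const prefix = config.require("prefix");
    // Permission set Databricks needs in the AWS account. Review the generated
    // JSON before applying: its scope comes from Databricks' published
    // requirements, not from anything in this program.
    const thisAwsCrossAccountPolicy = databricks.getAwsCrossAccountPolicy({});
    const crossAccountPolicy = new aws.iam.Policy("crossAccountPolicy", {
        policy: thisAwsCrossAccountPolicy.then(result => result.json),
    });
    // Trust policy for the role. `externalId` is the value Databricks must
    // present on AssumeRole (presumably emitted as an sts:ExternalId condition
    // in the JSON — confirm by inspecting `.json`).
    const thisAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
        externalId: databricksAccountId,
    });
    const crossAccountRole = new aws.iam.Role("crossAccountRole", {
        assumeRolePolicy: thisAwsAssumeRolePolicy.then(result => result.json),
        description: "Grants Databricks full access to VPC resources",
    });
    const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("crossAccountRolePolicyAttachment", {
        policyArn: crossAccountPolicy.arn,
        role: crossAccountRole.name,
    });
    // required only in case of multi-workspace setup
    const thisMwsCredentials = new databricks.MwsCredentials("thisMwsCredentials", {
        accountId: databricksAccountId,
        credentialsName: `${prefix}-creds`,
        roleArn: crossAccountRole.arn,
    }, {
        // NOTE(review): `databricks.mws` is a provider-alias artifact of the
        // Terraform conversion; pass an explicit account-level
        // databricks.Provider instance here — confirm against your setup.
        provider: databricks.mws,
    });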
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_databricks as databricks
    
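    # Example program: provisions the Databricks cross-account IAM role and
    # registers it as MWS credentials. Every statement below declares a cloud
    # resource (side effects); there is no pure computation here.
    config = pulumi.Config()
    # Databricks account ID from stack config; reused below as the external ID
    # so the generated trust policy is bound to this account.
    databricks_account_id = config.require_object("databricksAccountId")
    # Fix: the original read ``var['prefix']``, a Terraform conversion artifact
    # (``var`` is never defined). Read the prefix from stack config instead.
    prefix = config.require("prefix")
    # Permission set Databricks needs in the AWS account. Review the generated
    # JSON before applying: its scope comes from Databricks' published
    # requirements, not from anything in this program.
    this_aws_cross_account_policy = databricks.get_aws_cross_account_policy()
    cross_account_policy = aws.iam.Policy("crossAccountPolicy", policy=this_aws_cross_account_policy.json)
    # Trust policy for the role. ``external_id`` is the value Databricks must
    # present on AssumeRole (presumably emitted as an sts:ExternalId condition
    # in the JSON -- confirm by inspecting ``.json``).
    this_aws_assume_role_policy = databricks.get_aws_assume_role_policy(external_id=databricks_account_id)
    cross_account_role = aws.iam.Role("crossAccountRole",
        assume_role_policy=this_aws_assume_role_policy.json,
        description="Grants Databricks full access to VPC resources")
    cross_account_role_policy_attachment = aws.iam.RolePolicyAttachment("crossAccountRolePolicyAttachment",
        policy_arn=cross_account_policy.arn,
        role=cross_account_role.name)
    # required only in case of multi-workspace setup
    # NOTE(review): ``databricks["mws"]`` is a provider-alias artifact of the
    # Terraform conversion (the module is not subscriptable); pass an explicit
    # account-level ``databricks.Provider`` instance -- confirm against your setup.
    this_mws_credentials = databricks.MwsCredentials("thisMwsCredentials",
        account_id=databricks_account_id,
        credentials_name=f"{prefix}-creds",
        role_arn=cross_account_role.arn,
        opts=pulumi.ResourceOptions(provider=databricks["mws"]))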
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
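    // main provisions the Databricks cross-account IAM role and registers it as
    // MWS credentials. Every call below declares a cloud resource; any error is
    // returned to pulumi.Run, which fails the deployment.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		cfg := config.New(ctx, "")
    		// Databricks account ID from stack config; reused below as the
    		// external ID so the generated trust policy is bound to this account.
    		// NOTE(review): the original used cfg.RequireObject, which in the Go
    		// SDK decodes into an out-parameter and returns nothing; the value is
    		// a plain string ID, so Require is the accessor that type-checks.
    		databricksAccountId := cfg.Require("databricksAccountId")
    		// Fix: `_var.Prefix` was a Terraform conversion artifact (never
    		// declared); read the prefix from stack config instead.
    		prefix := cfg.Require("prefix")
    		// Permission set Databricks needs in the AWS account. Review the
    		// generated JSON before applying: its scope comes from Databricks'
    		// published requirements, not from anything in this program.
    		thisAwsCrossAccountPolicy, err := databricks.GetAwsCrossAccountPolicy(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		crossAccountPolicy, err := iam.NewPolicy(ctx, "crossAccountPolicy", &iam.PolicyArgs{
    			Policy: pulumi.String(thisAwsCrossAccountPolicy.Json),
    		})
    		if err != nil {
    			return err
    		}
    		// Trust policy for the role. ExternalId is the value Databricks must
    		// present on AssumeRole (presumably emitted as an sts:ExternalId
    		// condition in the JSON — confirm by inspecting Json).
    		thisAwsAssumeRolePolicy, err := databricks.GetAwsAssumeRolePolicy(ctx, &databricks.GetAwsAssumeRolePolicyArgs{
    			ExternalId: databricksAccountId,
    		}, nil)
    		if err != nil {
    			return err
    		}
    		crossAccountRole, err := iam.NewRole(ctx, "crossAccountRole", &iam.RoleArgs{
    			AssumeRolePolicy: pulumi.String(thisAwsAssumeRolePolicy.Json),
    			Description:      pulumi.String("Grants Databricks full access to VPC resources"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewRolePolicyAttachment(ctx, "crossAccountRolePolicyAttachment", &iam.RolePolicyAttachmentArgs{
    			PolicyArn: crossAccountPolicy.Arn,
    			Role:      crossAccountRole.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// required only in case of multi-workspace setup
    		// NOTE(review): databricks.Mws is a provider-alias artifact of the
    		// Terraform conversion; pass an explicit account-level
    		// databricks.Provider resource to pulumi.Provider — confirm against
    		// your setup.
    		_, err = databricks.NewMwsCredentials(ctx, "thisMwsCredentials", &databricks.MwsCredentialsArgs{
    			AccountId:       pulumi.Any(databricksAccountId),
    			CredentialsName: pulumi.String(fmt.Sprintf("%s-creds", prefix)),
    			RoleArn:         crossAccountRole.Arn,
    		}, pulumi.Provider(databricks.Mws))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }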
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Databricks = Pulumi.Databricks;
    
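    // Example program: provisions the Databricks cross-account IAM role and
    // registers it as MWS credentials. Every statement below declares a cloud
    // resource (side effects); there is no pure computation here.
    return await Deployment.RunAsync(() =>
    {
        var config = new Config();
        // Databricks account ID from stack config; reused below as the external
        // ID so the generated trust policy is bound to this account.
        var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
        // Fix: the original read `@var.Prefix`, a Terraform conversion artifact
        // that is never declared. Read the prefix from stack config instead.
        var prefix = config.Require("prefix");
        // Permission set Databricks needs in the AWS account. Review the
        // generated JSON before applying: its scope comes from Databricks'
        // published requirements, not from anything in this program.
        var thisAwsCrossAccountPolicy = Databricks.GetAwsCrossAccountPolicy.Invoke();

        var crossAccountPolicy = new Aws.Iam.Policy("crossAccountPolicy", new()
        {
            PolicyDocument = thisAwsCrossAccountPolicy.Apply(result => result.Json),
        });

        // Trust policy for the role. ExternalId is the value Databricks must
        // present on AssumeRole (presumably emitted as an sts:ExternalId
        // condition in the JSON — confirm by inspecting Json).
        var thisAwsAssumeRolePolicy = Databricks.GetAwsAssumeRolePolicy.Invoke(new()
        {
            ExternalId = databricksAccountId,
        });

        var crossAccountRole = new Aws.Iam.Role("crossAccountRole", new()
        {
            AssumeRolePolicy = thisAwsAssumeRolePolicy.Apply(result => result.Json),
            Description = "Grants Databricks full access to VPC resources",
        });

        var crossAccountRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("crossAccountRolePolicyAttachment", new()
        {
            PolicyArn = crossAccountPolicy.Arn,
            Role = crossAccountRole.Name,
        });

        // required only in case of multi-workspace setup
        var thisMwsCredentials = new Databricks.MwsCredentials("thisMwsCredentials", new()
        {
            AccountId = databricksAccountId,
            CredentialsName = $"{prefix}-creds",
            RoleArn = crossAccountRole.Arn,
        }, new CustomResourceOptions
        {
            // NOTE(review): `databricks.Mws` is a provider-alias artifact of the
            // Terraform conversion (`databricks` is undeclared); pass an explicit
            // account-level Databricks.Provider instance — confirm against your setup.
            Provider = databricks.Mws,
        });

    });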
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.databricks.DatabricksFunctions;
    import com.pulumi.databricks.inputs.GetAwsCrossAccountPolicyArgs;
    import com.pulumi.aws.iam.Policy;
    import com.pulumi.aws.iam.PolicyArgs;
    import com.pulumi.databricks.inputs.GetAwsAssumeRolePolicyArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.iam.RolePolicyAttachment;
    import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
    import com.pulumi.databricks.MwsCredentials;
    import com.pulumi.databricks.MwsCredentialsArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
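    /**
     * Example program: provisions the Databricks cross-account IAM role and
     * registers it as MWS credentials. Every statement in {@link #stack}
     * declares a cloud resource; there is no pure computation to unit test.
     */
    public class App {
        /** Pulumi entry point; delegates to {@link #stack}. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the cross-account policy, the role that trusts Databricks,
         * their attachment and (for multi-workspace setups) the MWS credentials.
         *
         * @param ctx the Pulumi context supplying stack configuration
         */
        public static void stack(Context ctx) {
            final var config = ctx.config();
            // Databricks account ID from stack config; reused below as the
            // external ID so the generated trust policy is bound to this account.
            // NOTE(review): the original used config.get(...), which returns an
            // Optional; require(...) yields the plain String the builders take.
            final var databricksAccountId = config.require("databricksAccountId");
            // Fix: the original read `var_.prefix()`, a Terraform conversion
            // artifact that is never declared. Read the prefix from config instead.
            final var prefix = config.require("prefix");
            // Permission set Databricks needs in the AWS account. Review the
            // generated JSON before applying: its scope comes from Databricks'
            // published requirements, not from anything in this program.
            final var thisAwsCrossAccountPolicy = DatabricksFunctions.getAwsCrossAccountPolicy();

            var crossAccountPolicy = new Policy("crossAccountPolicy", PolicyArgs.builder()
                .policy(thisAwsCrossAccountPolicy.applyValue(result -> result.json()))
                .build());

            // Trust policy for the role. externalId is the value Databricks must
            // present on AssumeRole (presumably emitted as an sts:ExternalId
            // condition in the JSON — confirm by inspecting json()).
            final var thisAwsAssumeRolePolicy = DatabricksFunctions.getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs.builder()
                .externalId(databricksAccountId)
                .build());

            var crossAccountRole = new Role("crossAccountRole", RoleArgs.builder()
                .assumeRolePolicy(thisAwsAssumeRolePolicy.applyValue(result -> result.json()))
                .description("Grants Databricks full access to VPC resources")
                .build());

            var crossAccountRolePolicyAttachment = new RolePolicyAttachment("crossAccountRolePolicyAttachment", RolePolicyAttachmentArgs.builder()
                .policyArn(crossAccountPolicy.arn())
                .role(crossAccountRole.name())
                .build());

            // required only in case of multi-workspace setup
            // NOTE(review): `databricks.mws()` is a provider-alias artifact of the
            // Terraform conversion (`databricks` is undeclared); pass an explicit
            // account-level Databricks provider resource — confirm against your setup.
            var thisMwsCredentials = new MwsCredentials("thisMwsCredentials", MwsCredentialsArgs.builder()
                .accountId(databricksAccountId)
                .credentialsName(String.format("%s-creds", prefix))
                .roleArn(crossAccountRole.arn())
                .build(), CustomResourceOptions.builder()
                    .provider(databricks.mws())
                    .build());

        }
    }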
    
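    # Example program: provisions the Databricks cross-account IAM role and
    # registers it as MWS credentials.
    configuration:
      databricksAccountId:
        type: dynamic
      # Fix: the original interpolated `${var.prefix}`, a Terraform conversion
      # artifact with no matching configuration entry. Declare it here and
      # reference it as `${prefix}` below.
      prefix:
        type: string
    resources:
      # Permission set Databricks needs in the AWS account. Review the generated
      # JSON before applying: its scope comes from Databricks' published
      # requirements, not from anything in this program.
      crossAccountPolicy:
        type: aws:iam:Policy
        properties:
          policy: ${thisAwsCrossAccountPolicy.json}
      # Role that Databricks assumes; its trust policy is produced by the
      # getAwsAssumeRolePolicy invoke below.
      crossAccountRole:
        type: aws:iam:Role
        properties:
          assumeRolePolicy: ${thisAwsAssumeRolePolicy.json}
          description: Grants Databricks full access to VPC resources
      crossAccountRolePolicyAttachment:
        type: aws:iam:RolePolicyAttachment
        properties:
          policyArn: ${crossAccountPolicy.arn}
          role: ${crossAccountRole.name}
      # required only in case of multi-workspace setup
      thisMwsCredentials:
        type: databricks:MwsCredentials
        properties:
          accountId: ${databricksAccountId}
          credentialsName: ${prefix}-creds
          roleArn: ${crossAccountRole.arn}
        options:
          # NOTE(review): `${databricks.mws}` is a provider-alias artifact of the
          # Terraform conversion (nothing named `databricks` is declared in this
          # program); point this at an explicit account-level databricks:Provider
          # resource — confirm against your setup.
          provider: ${databricks.mws}
    variables:
      thisAwsCrossAccountPolicy:
        fn::invoke:
          Function: databricks:getAwsCrossAccountPolicy
          Arguments: {}
      thisAwsAssumeRolePolicy:
        fn::invoke:
          Function: databricks:getAwsAssumeRolePolicy
          Arguments:
            # externalId is the value Databricks must present on AssumeRole
            # (presumably emitted as an sts:ExternalId condition in the JSON —
            # confirm by inspecting the `json` output).
            externalId: ${databricksAccountId}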
    

    The following resources are used in the same context:

    • Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection guide
    • databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
    • databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on official documentation.

    Using getAwsAssumeRolePolicy

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getAwsAssumeRolePolicy(args: GetAwsAssumeRolePolicyArgs, opts?: InvokeOptions): Promise<GetAwsAssumeRolePolicyResult>
    function getAwsAssumeRolePolicyOutput(args: GetAwsAssumeRolePolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsAssumeRolePolicyResult>
    def get_aws_assume_role_policy(databricks_account_id: Optional[str] = None,
                                   external_id: Optional[str] = None,
                                   for_log_delivery: Optional[bool] = None,
                                   opts: Optional[InvokeOptions] = None) -> GetAwsAssumeRolePolicyResult
    def get_aws_assume_role_policy_output(databricks_account_id: Optional[pulumi.Input[str]] = None,
                                   external_id: Optional[pulumi.Input[str]] = None,
                                   for_log_delivery: Optional[pulumi.Input[bool]] = None,
                                   opts: Optional[InvokeOptions] = None) -> Output[GetAwsAssumeRolePolicyResult]
    func GetAwsAssumeRolePolicy(ctx *Context, args *GetAwsAssumeRolePolicyArgs, opts ...InvokeOption) (*GetAwsAssumeRolePolicyResult, error)
    func GetAwsAssumeRolePolicyOutput(ctx *Context, args *GetAwsAssumeRolePolicyOutputArgs, opts ...InvokeOption) GetAwsAssumeRolePolicyResultOutput

    > Note: This function is named GetAwsAssumeRolePolicy in the Go SDK.

    public static class GetAwsAssumeRolePolicy 
    {
        public static Task<GetAwsAssumeRolePolicyResult> InvokeAsync(GetAwsAssumeRolePolicyArgs args, InvokeOptions? opts = null)
        public static Output<GetAwsAssumeRolePolicyResult> Invoke(GetAwsAssumeRolePolicyInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetAwsAssumeRolePolicyResult> getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: databricks:index/getAwsAssumeRolePolicy:getAwsAssumeRolePolicy
      arguments:
        # arguments dictionary

    The following arguments are supported:

    ExternalId string
    Databricks account ID, which can be found in the top-right corner of the Accounts Console.
    DatabricksAccountId string
    ForLogDelivery bool
    Whether this assume role policy should be created for usage log delivery. Defaults to false.
    ExternalId string
    Databricks account ID, which can be found in the top-right corner of the Accounts Console.
    DatabricksAccountId string
    ForLogDelivery bool
    Whether this assume role policy should be created for usage log delivery. Defaults to false.
    externalId String
    Databricks account ID, which can be found in the top-right corner of the Accounts Console.
    databricksAccountId String
    forLogDelivery Boolean
    Whether this assume role policy should be created for usage log delivery. Defaults to false.
    externalId string
    Databricks account ID, which can be found in the top-right corner of the Accounts Console.
    databricksAccountId string
    forLogDelivery boolean
    Whether this assume role policy should be created for usage log delivery. Defaults to false.
    external_id str
    Databricks account ID, which can be found in the top-right corner of the Accounts Console.
    databricks_account_id str
    for_log_delivery bool
    Whether this assume role policy should be created for usage log delivery. Defaults to false.
    externalId String
    Databricks account ID, which can be found in the top-right corner of the Accounts Console.
    databricksAccountId String
    forLogDelivery Boolean
    Whether this assume role policy should be created for usage log delivery. Defaults to false.

    getAwsAssumeRolePolicy Result

    The following output properties are available:

    ExternalId string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    AWS IAM Policy JSON document
    DatabricksAccountId string
    ForLogDelivery bool
    ExternalId string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    AWS IAM Policy JSON document
    DatabricksAccountId string
    ForLogDelivery bool
    externalId String
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    AWS IAM Policy JSON document
    databricksAccountId String
    forLogDelivery Boolean
    externalId string
    id string
    The provider-assigned unique ID for this managed resource.
    json string
    AWS IAM Policy JSON document
    databricksAccountId string
    forLogDelivery boolean
    external_id str
    id str
    The provider-assigned unique ID for this managed resource.
    json str
    AWS IAM Policy JSON document
    databricks_account_id str
    for_log_delivery bool
    externalId String
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    AWS IAM Policy JSON document
    databricksAccountId String
    forLogDelivery Boolean

    Package Details

    Repository
    databricks pulumi/pulumi-databricks
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the databricks Terraform Provider.