1. Packages
  2. Databricks
  3. API Docs
  4. getAwsUnityCatalogPolicy
Databricks v1.35.0 published on Friday, Mar 29, 2024 by Pulumi

databricks.getAwsUnityCatalogPolicy

Explore with Pulumi AI

databricks logo
Databricks v1.35.0 published on Friday, Mar 29, 2024 by Pulumi

    Note This resource has an evolving API, which may change in future versions of the provider. Please always consult latest documentation in case of any questions.

    This data source constructs necessary AWS Unity Catalog policy for you, which is based on official documentation.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as databricks from "@pulumi/databricks";
    
    const this = databricks.getAwsUnityCatalogPolicy({
        awsAccountId: _var.aws_account_id,
        bucketName: "databricks-bucket",
        roleName: "databricks-role",
        kmsName: "databricks-kms",
    });
    const passroleForUc = aws.iam.getPolicyDocument({
        statements: [
            {
                effect: "Allow",
                actions: ["sts:AssumeRole"],
                principals: [{
                    identifiers: ["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"],
                    type: "AWS",
                }],
                conditions: [{
                    test: "StringEquals",
                    variable: "sts:ExternalId",
                    values: [_var.databricks_account_id],
                }],
            },
            {
                sid: "ExplicitSelfRoleAssumption",
                effect: "Allow",
                actions: ["sts:AssumeRole"],
                principals: [{
                    type: "AWS",
                    identifiers: [`arn:aws:iam::${_var.aws_account_id}:root`],
                }],
                conditions: [{
                    test: "ArnLike",
                    variable: "aws:PrincipalArn",
                    values: [`arn:aws:iam::${_var.aws_account_id}:role/${_var.prefix}-uc-access`],
                }],
            },
        ],
    });
    const unityMetastore = new aws.iam.Policy("unityMetastore", {policy: _this.then(_this => _this.json)});
    const metastoreDataAccess = new aws.iam.Role("metastoreDataAccess", {
        assumeRolePolicy: passroleForUc.then(passroleForUc => passroleForUc.json),
        managedPolicyArns: [unityMetastore.arn],
    });
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_databricks as databricks
    
    this = databricks.get_aws_unity_catalog_policy(aws_account_id=var["aws_account_id"],
        bucket_name="databricks-bucket",
        role_name="databricks-role",
        kms_name="databricks-kms")
    passrole_for_uc = aws.iam.get_policy_document(statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            effect="Allow",
            actions=["sts:AssumeRole"],
            principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                identifiers=["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"],
                type="AWS",
            )],
            conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
                test="StringEquals",
                variable="sts:ExternalId",
                values=[var["databricks_account_id"]],
            )],
        ),
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="ExplicitSelfRoleAssumption",
            effect="Allow",
            actions=["sts:AssumeRole"],
            principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                type="AWS",
                identifiers=[f"arn:aws:iam::{var['aws_account_id']}:root"],
            )],
            conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
                test="ArnLike",
                variable="aws:PrincipalArn",
                values=[f"arn:aws:iam::{var['aws_account_id']}:role/{var['prefix']}-uc-access"],
            )],
        ),
    ])
    unity_metastore = aws.iam.Policy("unityMetastore", policy=this.json)
    metastore_data_access = aws.iam.Role("metastoreDataAccess",
        assume_role_policy=passrole_for_uc.json,
        managed_policy_arns=[unity_metastore.arn])
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
    this, err := databricks.GetAwsUnityCatalogPolicy(ctx, &databricks.GetAwsUnityCatalogPolicyArgs{
    AwsAccountId: _var.Aws_account_id,
    BucketName: "databricks-bucket",
    RoleName: "databricks-role",
    KmsName: pulumi.StringRef("databricks-kms"),
    }, nil);
    if err != nil {
    return err
    }
    passroleForUc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Statements: []iam.GetPolicyDocumentStatement{
    {
    Effect: pulumi.StringRef("Allow"),
    Actions: []string{
    "sts:AssumeRole",
    },
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Identifiers: []string{
    "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
    },
    Type: "AWS",
    },
    },
    Conditions: []iam.GetPolicyDocumentStatementCondition{
    {
    Test: "StringEquals",
    Variable: "sts:ExternalId",
    Values: interface{}{
    _var.Databricks_account_id,
    },
    },
    },
    },
    {
    Sid: pulumi.StringRef("ExplicitSelfRoleAssumption"),
    Effect: pulumi.StringRef("Allow"),
    Actions: []string{
    "sts:AssumeRole",
    },
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: []string{
    fmt.Sprintf("arn:aws:iam::%v:root", _var.Aws_account_id),
    },
    },
    },
    Conditions: []iam.GetPolicyDocumentStatementCondition{
    {
    Test: "ArnLike",
    Variable: "aws:PrincipalArn",
    Values: []string{
    fmt.Sprintf("arn:aws:iam::%v:role/%v-uc-access", _var.Aws_account_id, _var.Prefix),
    },
    },
    },
    },
    },
    }, nil);
    if err != nil {
    return err
    }
    unityMetastore, err := iam.NewPolicy(ctx, "unityMetastore", &iam.PolicyArgs{
    Policy: pulumi.String(this.Json),
    })
    if err != nil {
    return err
    }
    _, err = iam.NewRole(ctx, "metastoreDataAccess", &iam.RoleArgs{
    AssumeRolePolicy: pulumi.String(passroleForUc.Json),
    ManagedPolicyArns: pulumi.StringArray{
    unityMetastore.Arn,
    },
    })
    if err != nil {
    return err
    }
    return nil
    })
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Databricks = Pulumi.Databricks;
    
    return await Deployment.RunAsync(() => 
    {
        var @this = Databricks.GetAwsUnityCatalogPolicy.Invoke(new()
        {
            AwsAccountId = @var.Aws_account_id,
            BucketName = "databricks-bucket",
            RoleName = "databricks-role",
            KmsName = "databricks-kms",
        });
    
        var passroleForUc = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Identifiers = new[]
                            {
                                "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                            },
                            Type = "AWS",
                        },
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "StringEquals",
                            Variable = "sts:ExternalId",
                            Values = new[]
                            {
                                @var.Databricks_account_id,
                            },
                        },
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "ExplicitSelfRoleAssumption",
                    Effect = "Allow",
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                $"arn:aws:iam::{@var.Aws_account_id}:root",
                            },
                        },
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "ArnLike",
                            Variable = "aws:PrincipalArn",
                            Values = new[]
                            {
                                $"arn:aws:iam::{@var.Aws_account_id}:role/{@var.Prefix}-uc-access",
                            },
                        },
                    },
                },
            },
        });
    
        var unityMetastore = new Aws.Iam.Policy("unityMetastore", new()
        {
            PolicyDocument = @this.Apply(@this => @this.Apply(getAwsUnityCatalogPolicyResult => getAwsUnityCatalogPolicyResult.Json)),
        });
    
        var metastoreDataAccess = new Aws.Iam.Role("metastoreDataAccess", new()
        {
            AssumeRolePolicy = passroleForUc.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            ManagedPolicyArns = new[]
            {
                unityMetastore.Arn,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.databricks.DatabricksFunctions;
    import com.pulumi.databricks.inputs.GetAwsUnityCatalogPolicyArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Policy;
    import com.pulumi.aws.iam.PolicyArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var this = DatabricksFunctions.getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs.builder()
                .awsAccountId(var_.aws_account_id())
                .bucketName("databricks-bucket")
                .roleName("databricks-role")
                .kmsName("databricks-kms")
                .build());
    
            final var passroleForUc = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .effect("Allow")
                        .actions("sts:AssumeRole")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .identifiers("arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL")
                            .type("AWS")
                            .build())
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("StringEquals")
                            .variable("sts:ExternalId")
                            .values(var_.databricks_account_id())
                            .build())
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("ExplicitSelfRoleAssumption")
                        .effect("Allow")
                        .actions("sts:AssumeRole")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(String.format("arn:aws:iam::%s:root", var_.aws_account_id()))
                            .build())
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("ArnLike")
                            .variable("aws:PrincipalArn")
                            .values(String.format("arn:aws:iam::%s:role/%s-uc-access", var_.aws_account_id(),var_.prefix()))
                            .build())
                        .build())
                .build());
    
            var unityMetastore = new Policy("unityMetastore", PolicyArgs.builder()        
                .policy(this_.json())
                .build());
    
            var metastoreDataAccess = new Role("metastoreDataAccess", RoleArgs.builder()        
                .assumeRolePolicy(passroleForUc.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .managedPolicyArns(unityMetastore.arn())
                .build());
    
        }
    }
    
    resources:
      unityMetastore:
        type: aws:iam:Policy
        properties:
          policy: ${this.json}
      metastoreDataAccess:
        type: aws:iam:Role
        properties:
          assumeRolePolicy: ${passroleForUc.json}
          managedPolicyArns:
            - ${unityMetastore.arn}
    variables:
      this:
        fn::invoke:
          Function: databricks:getAwsUnityCatalogPolicy
          Arguments:
            awsAccountId: ${var.aws_account_id}
            bucketName: databricks-bucket
            roleName: databricks-role
            kmsName: databricks-kms
      passroleForUc:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                actions:
                  - sts:AssumeRole
                principals:
                  - identifiers:
                      - arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL
                    type: AWS
                conditions:
                  - test: StringEquals
                    variable: sts:ExternalId
                    values:
                      - ${var.databricks_account_id}
              - sid: ExplicitSelfRoleAssumption
                effect: Allow
                actions:
                  - sts:AssumeRole
                principals:
                  - type: AWS
                    identifiers:
                      - arn:aws:iam::${var.aws_account_id}:root
                conditions:
                  - test: ArnLike
                    variable: aws:PrincipalArn
                    values:
                      - arn:aws:iam::${var.aws_account_id}:role/${var.prefix}-uc-access
    

    Using getAwsUnityCatalogPolicy

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getAwsUnityCatalogPolicy(args: GetAwsUnityCatalogPolicyArgs, opts?: InvokeOptions): Promise<GetAwsUnityCatalogPolicyResult>
    function getAwsUnityCatalogPolicyOutput(args: GetAwsUnityCatalogPolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsUnityCatalogPolicyResult>
    def get_aws_unity_catalog_policy(aws_account_id: Optional[str] = None,
                                     bucket_name: Optional[str] = None,
                                     kms_name: Optional[str] = None,
                                     role_name: Optional[str] = None,
                                     opts: Optional[InvokeOptions] = None) -> GetAwsUnityCatalogPolicyResult
    def get_aws_unity_catalog_policy_output(aws_account_id: Optional[pulumi.Input[str]] = None,
                                     bucket_name: Optional[pulumi.Input[str]] = None,
                                     kms_name: Optional[pulumi.Input[str]] = None,
                                     role_name: Optional[pulumi.Input[str]] = None,
                                     opts: Optional[InvokeOptions] = None) -> Output[GetAwsUnityCatalogPolicyResult]
    func GetAwsUnityCatalogPolicy(ctx *Context, args *GetAwsUnityCatalogPolicyArgs, opts ...InvokeOption) (*GetAwsUnityCatalogPolicyResult, error)
    func GetAwsUnityCatalogPolicyOutput(ctx *Context, args *GetAwsUnityCatalogPolicyOutputArgs, opts ...InvokeOption) GetAwsUnityCatalogPolicyResultOutput

    > Note: This function is named GetAwsUnityCatalogPolicy in the Go SDK.

    public static class GetAwsUnityCatalogPolicy 
    {
        public static Task<GetAwsUnityCatalogPolicyResult> InvokeAsync(GetAwsUnityCatalogPolicyArgs args, InvokeOptions? opts = null)
        public static Output<GetAwsUnityCatalogPolicyResult> Invoke(GetAwsUnityCatalogPolicyInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetAwsUnityCatalogPolicyResult> getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: databricks:index/getAwsUnityCatalogPolicy:getAwsUnityCatalogPolicy
      arguments:
        # arguments dictionary

    The following arguments are supported:

    AwsAccountId string
    The Account ID of the current AWS account (not your Databricks account).
    BucketName string
    The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
    RoleName string
    The name of the AWS IAM role that you created in the previous step in the official documentation.
    KmsName string
    If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
    AwsAccountId string
    The Account ID of the current AWS account (not your Databricks account).
    BucketName string
    The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
    RoleName string
    The name of the AWS IAM role that you created in the previous step in the official documentation.
    KmsName string
    If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
    awsAccountId String
    The Account ID of the current AWS account (not your Databricks account).
    bucketName String
    The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
    roleName String
    The name of the AWS IAM role that you created in the previous step in the official documentation.
    kmsName String
    If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
    awsAccountId string
    The Account ID of the current AWS account (not your Databricks account).
    bucketName string
    The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
    roleName string
    The name of the AWS IAM role that you created in the previous step in the official documentation.
    kmsName string
    If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
    aws_account_id str
    The Account ID of the current AWS account (not your Databricks account).
    bucket_name str
    The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
    role_name str
    The name of the AWS IAM role that you created in the previous step in the official documentation.
    kms_name str
    If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
    awsAccountId String
    The Account ID of the current AWS account (not your Databricks account).
    bucketName String
    The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
    roleName String
    The name of the AWS IAM role that you created in the previous step in the official documentation.
    kmsName String
    If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.

    getAwsUnityCatalogPolicy Result

    The following output properties are available:

    AwsAccountId string
    BucketName string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    AWS IAM Policy JSON document
    RoleName string
    KmsName string
    AwsAccountId string
    BucketName string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    AWS IAM Policy JSON document
    RoleName string
    KmsName string
    awsAccountId String
    bucketName String
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    AWS IAM Policy JSON document
    roleName String
    kmsName String
    awsAccountId string
    bucketName string
    id string
    The provider-assigned unique ID for this managed resource.
    json string
    AWS IAM Policy JSON document
    roleName string
    kmsName string
    aws_account_id str
    bucket_name str
    id str
    The provider-assigned unique ID for this managed resource.
    json str
    AWS IAM Policy JSON document
    role_name str
    kms_name str
    awsAccountId String
    bucketName String
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    AWS IAM Policy JSON document
    roleName String
    kmsName String

    Package Details

    Repository
    databricks pulumi/pulumi-databricks
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the databricks Terraform Provider.
    databricks logo
    Databricks v1.35.0 published on Friday, Mar 29, 2024 by Pulumi