Docs
Packages
Databricks v1.14.0, May 23 23
Databricks v1.14.0, May 23 23
databricks.InstanceProfile
Explore with Pulumi AI
This resource allows you to manage AWS EC2 instance profiles that users can launch databricks.Cluster and access data, like databricks_mount. The following example demonstrates how to create an instance profile and create a cluster with it. When creating a new databricks.InstanceProfile, Databricks validates that it has sufficient permissions to launch instances with the instance profile. This validation uses AWS dry-run mode for the AWS EC2 RunInstances API.
Note Please switch to databricks.StorageCredential with Unity Catalog to manage storage credentials, which provides a better and faster way for managing credential security.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";
const config = new pulumi.Config();
const crossaccountRoleName = config.require("crossaccountRoleName");
const assumeRoleForEc2 = aws.iam.getPolicyDocument({
statements: [{
effect: "Allow",
actions: ["sts:AssumeRole"],
principals: [{
identifiers: ["ec2.amazonaws.com"],
type: "Service",
}],
}],
});
const roleForS3Access = new aws.iam.Role("roleForS3Access", {
description: "Role for shared access",
assumeRolePolicy: assumeRoleForEc2.then(assumeRoleForEc2 => assumeRoleForEc2.json),
});
const passRoleForS3AccessPolicyDocument = aws.iam.getPolicyDocumentOutput({
statements: [{
effect: "Allow",
actions: ["iam:PassRole"],
resources: [roleForS3Access.arn],
}],
});
const passRoleForS3AccessPolicy = new aws.iam.Policy("passRoleForS3AccessPolicy", {
path: "/",
policy: passRoleForS3AccessPolicyDocument.apply(passRoleForS3AccessPolicyDocument => passRoleForS3AccessPolicyDocument.json),
});
const crossAccount = new aws.iam.RolePolicyAttachment("crossAccount", {
policyArn: passRoleForS3AccessPolicy.arn,
role: crossaccountRoleName,
});
const sharedInstanceProfile = new aws.iam.InstanceProfile("sharedInstanceProfile", {role: roleForS3Access.name});
const sharedIndex_instanceProfileInstanceProfile = new databricks.InstanceProfile("sharedIndex/instanceProfileInstanceProfile", {instanceProfileArn: sharedInstanceProfile.arn});
const latest = databricks.getSparkVersion({});
const smallest = databricks.getNodeType({
localDisk: true,
});
const _this = new databricks.Cluster("this", {
clusterName: "Shared Autoscaling",
sparkVersion: latest.then(latest => latest.id),
nodeTypeId: smallest.then(smallest => smallest.id),
autoterminationMinutes: 20,
autoscale: {
minWorkers: 1,
maxWorkers: 50,
},
awsAttributes: {
instanceProfileArn: sharedIndex / instanceProfileInstanceProfile.id,
availability: "SPOT",
zoneId: "us-east-1",
firstOnDemand: 1,
spotBidPricePercent: 100,
},
});
import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks
config = pulumi.Config()
crossaccount_role_name = config.require("crossaccountRoleName")
assume_role_for_ec2 = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=["sts:AssumeRole"],
principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
identifiers=["ec2.amazonaws.com"],
type="Service",
)],
)])
role_for_s3_access = aws.iam.Role("roleForS3Access",
description="Role for shared access",
assume_role_policy=assume_role_for_ec2.json)
pass_role_for_s3_access_policy_document = aws.iam.get_policy_document_output(statements=[aws.iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=["iam:PassRole"],
resources=[role_for_s3_access.arn],
)])
pass_role_for_s3_access_policy = aws.iam.Policy("passRoleForS3AccessPolicy",
path="/",
policy=pass_role_for_s3_access_policy_document.json)
cross_account = aws.iam.RolePolicyAttachment("crossAccount",
policy_arn=pass_role_for_s3_access_policy.arn,
role=crossaccount_role_name)
shared_instance_profile = aws.iam.InstanceProfile("sharedInstanceProfile", role=role_for_s3_access.name)
shared_index_instance_profile_instance_profile = databricks.InstanceProfile("sharedIndex/instanceProfileInstanceProfile", instance_profile_arn=shared_instance_profile.arn)
latest = databricks.get_spark_version()
smallest = databricks.get_node_type(local_disk=True)
this = databricks.Cluster("this",
cluster_name="Shared Autoscaling",
spark_version=latest.id,
node_type_id=smallest.id,
autotermination_minutes=20,
autoscale=databricks.ClusterAutoscaleArgs(
min_workers=1,
max_workers=50,
),
aws_attributes=databricks.ClusterAwsAttributesArgs(
instance_profile_arn=shared_index / instance_profile_instance_profile["id"],
availability="SPOT",
zone_id="us-east-1",
first_on_demand=1,
spot_bid_price_percent=100,
))
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var config = new Config();
var crossaccountRoleName = config.Require("crossaccountRoleName");
var assumeRoleForEc2 = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Identifiers = new[]
{
"ec2.amazonaws.com",
},
Type = "Service",
},
},
},
},
});
var roleForS3Access = new Aws.Iam.Role("roleForS3Access", new()
{
Description = "Role for shared access",
AssumeRolePolicy = assumeRoleForEc2.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var passRoleForS3AccessPolicyDocument = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"iam:PassRole",
},
Resources = new[]
{
roleForS3Access.Arn,
},
},
},
});
var passRoleForS3AccessPolicy = new Aws.Iam.Policy("passRoleForS3AccessPolicy", new()
{
Path = "/",
PolicyDocument = passRoleForS3AccessPolicyDocument.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var crossAccount = new Aws.Iam.RolePolicyAttachment("crossAccount", new()
{
PolicyArn = passRoleForS3AccessPolicy.Arn,
Role = crossaccountRoleName,
});
var sharedInstanceProfile = new Aws.Iam.InstanceProfile("sharedInstanceProfile", new()
{
Role = roleForS3Access.Name,
});
var sharedIndex_instanceProfileInstanceProfile = new Databricks.InstanceProfile("sharedIndex/instanceProfileInstanceProfile", new()
{
InstanceProfileArn = sharedInstanceProfile.Arn,
});
var latest = Databricks.GetSparkVersion.Invoke();
var smallest = Databricks.GetNodeType.Invoke(new()
{
LocalDisk = true,
});
var @this = new Databricks.Cluster("this", new()
{
ClusterName = "Shared Autoscaling",
SparkVersion = latest.Apply(getSparkVersionResult => getSparkVersionResult.Id),
NodeTypeId = smallest.Apply(getNodeTypeResult => getNodeTypeResult.Id),
AutoterminationMinutes = 20,
Autoscale = new Databricks.Inputs.ClusterAutoscaleArgs
{
MinWorkers = 1,
MaxWorkers = 50,
},
AwsAttributes = new Databricks.Inputs.ClusterAwsAttributesArgs
{
InstanceProfileArn = sharedIndex / instanceProfileInstanceProfile.Id,
Availability = "SPOT",
ZoneId = "us-east-1",
FirstOnDemand = 1,
SpotBidPricePercent = 100,
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cfg := config.New(ctx, "")
crossaccountRoleName := cfg.Require("crossaccountRoleName")
assumeRoleForEc2, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"sts:AssumeRole",
},
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Identifiers: []string{
"ec2.amazonaws.com",
},
Type: "Service",
},
},
},
},
}, nil)
if err != nil {
return err
}
roleForS3Access, err := iam.NewRole(ctx, "roleForS3Access", &iam.RoleArgs{
Description: pulumi.String("Role for shared access"),
AssumeRolePolicy: *pulumi.String(assumeRoleForEc2.Json),
})
if err != nil {
return err
}
passRoleForS3AccessPolicyDocument := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Effect: pulumi.String("Allow"),
Actions: pulumi.StringArray{
pulumi.String("iam:PassRole"),
},
Resources: pulumi.StringArray{
roleForS3Access.Arn,
},
},
},
}, nil)
passRoleForS3AccessPolicy, err := iam.NewPolicy(ctx, "passRoleForS3AccessPolicy", &iam.PolicyArgs{
Path: pulumi.String("/"),
Policy: passRoleForS3AccessPolicyDocument.ApplyT(func(passRoleForS3AccessPolicyDocument iam.GetPolicyDocumentResult) (*string, error) {
return &passRoleForS3AccessPolicyDocument.Json, nil
}).(pulumi.StringPtrOutput),
})
if err != nil {
return err
}
_, err = iam.NewRolePolicyAttachment(ctx, "crossAccount", &iam.RolePolicyAttachmentArgs{
PolicyArn: passRoleForS3AccessPolicy.Arn,
Role: pulumi.String(crossaccountRoleName),
})
if err != nil {
return err
}
sharedInstanceProfile, err := iam.NewInstanceProfile(ctx, "sharedInstanceProfile", &iam.InstanceProfileArgs{
Role: roleForS3Access.Name,
})
if err != nil {
return err
}
_, err = databricks.NewInstanceProfile(ctx, "sharedIndex/instanceProfileInstanceProfile", &databricks.InstanceProfileArgs{
InstanceProfileArn: sharedInstanceProfile.Arn,
})
if err != nil {
return err
}
latest, err := databricks.GetSparkVersion(ctx, nil, nil)
if err != nil {
return err
}
smallest, err := databricks.GetNodeType(ctx, &databricks.GetNodeTypeArgs{
LocalDisk: pulumi.BoolRef(true),
}, nil)
if err != nil {
return err
}
_, err = databricks.NewCluster(ctx, "this", &databricks.ClusterArgs{
ClusterName: pulumi.String("Shared Autoscaling"),
SparkVersion: *pulumi.String(latest.Id),
NodeTypeId: *pulumi.String(smallest.Id),
AutoterminationMinutes: pulumi.Int(20),
Autoscale: &databricks.ClusterAutoscaleArgs{
MinWorkers: pulumi.Int(1),
MaxWorkers: pulumi.Int(50),
},
AwsAttributes: &databricks.ClusterAwsAttributesArgs{
InstanceProfileArn: sharedIndex / instanceProfileInstanceProfile.Id,
Availability: pulumi.String("SPOT"),
ZoneId: pulumi.String("us-east-1"),
FirstOnDemand: pulumi.Int(1),
SpotBidPricePercent: pulumi.Int(100),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.aws.iam.InstanceProfile;
import com.pulumi.aws.iam.InstanceProfileArgs;
import com.pulumi.databricks.InstanceProfile;
import com.pulumi.databricks.InstanceProfileArgs;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetSparkVersionArgs;
import com.pulumi.databricks.inputs.GetNodeTypeArgs;
import com.pulumi.databricks.Cluster;
import com.pulumi.databricks.ClusterArgs;
import com.pulumi.databricks.inputs.ClusterAutoscaleArgs;
import com.pulumi.databricks.inputs.ClusterAwsAttributesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
final var crossaccountRoleName = config.get("crossaccountRoleName");
final var assumeRoleForEc2 = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.identifiers("ec2.amazonaws.com")
.type("Service")
.build())
.build())
.build());
var roleForS3Access = new Role("roleForS3Access", RoleArgs.builder()
.description("Role for shared access")
.assumeRolePolicy(assumeRoleForEc2.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.build());
final var passRoleForS3AccessPolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("iam:PassRole")
.resources(roleForS3Access.arn())
.build())
.build());
var passRoleForS3AccessPolicy = new Policy("passRoleForS3AccessPolicy", PolicyArgs.builder()
.path("/")
.policy(passRoleForS3AccessPolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(passRoleForS3AccessPolicyDocument -> passRoleForS3AccessPolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
.build());
var crossAccount = new RolePolicyAttachment("crossAccount", RolePolicyAttachmentArgs.builder()
.policyArn(passRoleForS3AccessPolicy.arn())
.role(crossaccountRoleName)
.build());
var sharedInstanceProfile = new InstanceProfile("sharedInstanceProfile", InstanceProfileArgs.builder()
.role(roleForS3Access.name())
.build());
var sharedIndex_instanceProfileInstanceProfile = new InstanceProfile("sharedIndex/instanceProfileInstanceProfile", InstanceProfileArgs.builder()
.instanceProfileArn(sharedInstanceProfile.arn())
.build());
final var latest = DatabricksFunctions.getSparkVersion();
final var smallest = DatabricksFunctions.getNodeType(GetNodeTypeArgs.builder()
.localDisk(true)
.build());
var this_ = new Cluster("this", ClusterArgs.builder()
.clusterName("Shared Autoscaling")
.sparkVersion(latest.applyValue(getSparkVersionResult -> getSparkVersionResult.id()))
.nodeTypeId(smallest.applyValue(getNodeTypeResult -> getNodeTypeResult.id()))
.autoterminationMinutes(20)
.autoscale(ClusterAutoscaleArgs.builder()
.minWorkers(1)
.maxWorkers(50)
.build())
.awsAttributes(ClusterAwsAttributesArgs.builder()
.instanceProfileArn(sharedIndex / instanceProfileInstanceProfile.id())
.availability("SPOT")
.zoneId("us-east-1")
.firstOnDemand(1)
.spotBidPricePercent(100)
.build())
.build());
}
}
Usage with Cluster Policies
It is advised to keep all common configurations in Cluster Policies to maintain control of the environments launched, so databricks.Cluster above could be replaced with databricks.ClusterPolicy:
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const _this = new databricks.ClusterPolicy("this", {definition: JSON.stringify({
"aws_attributes.instance_profile_arn": {
type: "fixed",
value: databricks_instance_profile.shared.arn,
},
})});
import pulumi
import json
import pulumi_databricks as databricks
this = databricks.ClusterPolicy("this", definition=json.dumps({
"aws_attributes.instance_profile_arn": {
"type": "fixed",
"value": databricks_instance_profile["shared"]["arn"],
},
}))
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var @this = new Databricks.ClusterPolicy("this", new()
{
Definition = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["aws_attributes.instance_profile_arn"] = new Dictionary<string, object?>
{
["type"] = "fixed",
["value"] = databricks_instance_profile.Shared.Arn,
},
}),
});
});
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
tmpJSON0, err := json.Marshal(map[string]interface{}{
"aws_attributes.instance_profile_arn": map[string]interface{}{
"type": "fixed",
"value": databricks_instance_profile.Shared.Arn,
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = databricks.NewClusterPolicy(ctx, "this", &databricks.ClusterPolicyArgs{
Definition: pulumi.String(json0),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.ClusterPolicy;
import com.pulumi.databricks.ClusterPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new ClusterPolicy("this", ClusterPolicyArgs.builder()
.definition(serializeJson(
jsonObject(
jsonProperty("aws_attributes.instance_profile_arn", jsonObject(
jsonProperty("type", "fixed"),
jsonProperty("value", databricks_instance_profile.shared().arn())
))
)))
.build());
}
}
resources:
this:
type: databricks:ClusterPolicy
properties:
definition:
fn::toJSON:
aws_attributes.instance_profile_arn:
type: fixed
value: ${databricks_instance_profile.shared.arn}
Granting access to all users
You can make instance profile available to all users by associating it with the special group called users through databricks.Group data source.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const _this = new databricks.InstanceProfile("this", {instanceProfileArn: aws_iam_instance_profile.shared.arn});
const users = databricks.getGroup({
displayName: "users",
});
const all = new databricks.GroupInstanceProfile("all", {
groupId: users.then(users => users.id),
instanceProfileId: _this.id,
});
import pulumi
import pulumi_databricks as databricks
this = databricks.InstanceProfile("this", instance_profile_arn=aws_iam_instance_profile["shared"]["arn"])
users = databricks.get_group(display_name="users")
all = databricks.GroupInstanceProfile("all",
group_id=users.id,
instance_profile_id=this.id)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var @this = new Databricks.InstanceProfile("this", new()
{
InstanceProfileArn = aws_iam_instance_profile.Shared.Arn,
});
var users = Databricks.GetGroup.Invoke(new()
{
DisplayName = "users",
});
var all = new Databricks.GroupInstanceProfile("all", new()
{
GroupId = users.Apply(getGroupResult => getGroupResult.Id),
InstanceProfileId = @this.Id,
});
});
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := databricks.NewInstanceProfile(ctx, "this", &databricks.InstanceProfileArgs{
InstanceProfileArn: pulumi.Any(aws_iam_instance_profile.Shared.Arn),
})
if err != nil {
return err
}
users, err := databricks.LookupGroup(ctx, &databricks.LookupGroupArgs{
DisplayName: "users",
}, nil)
if err != nil {
return err
}
_, err = databricks.NewGroupInstanceProfile(ctx, "all", &databricks.GroupInstanceProfileArgs{
GroupId: *pulumi.String(users.Id),
InstanceProfileId: this.ID(),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.InstanceProfile;
import com.pulumi.databricks.InstanceProfileArgs;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetGroupArgs;
import com.pulumi.databricks.GroupInstanceProfile;
import com.pulumi.databricks.GroupInstanceProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new InstanceProfile("this", InstanceProfileArgs.builder()
.instanceProfileArn(aws_iam_instance_profile.shared().arn())
.build());
final var users = DatabricksFunctions.getGroup(GetGroupArgs.builder()
.displayName("users")
.build());
var all = new GroupInstanceProfile("all", GroupInstanceProfileArgs.builder()
.groupId(users.applyValue(getGroupResult -> getGroupResult.id()))
.instanceProfileId(this_.id())
.build());
}
}
resources:
this:
type: databricks:InstanceProfile
properties:
instanceProfileArn: ${aws_iam_instance_profile.shared.arn}
all:
type: databricks:GroupInstanceProfile
properties:
groupId: ${users.id}
instanceProfileId: ${this.id}
variables:
users:
fn::invoke:
Function: databricks:getGroup
Arguments:
displayName: users
Usage with Databricks SQL serverless
When the instance profile ARN and its associated IAM role ARN don’t match and the instance profile is intended for use with Databricks SQL serverless, the iam_role_arn parameter can be specified.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";
const sqlServerlessAssumeRole = aws.iam.getPolicyDocument({
statements: [{
actions: ["sts:AssumeRole"],
principals: [{
type: "AWS",
identifiers: ["arn:aws:iam::790110701330:role/serverless-customer-resource-role"],
}],
conditions: [{
test: "StringEquals",
variable: "sts:ExternalID",
values: [
"databricks-serverless-<YOUR_WORKSPACE_ID1>",
"databricks-serverless-<YOUR_WORKSPACE_ID2>",
],
}],
}],
});
const thisRole = new aws.iam.Role("thisRole", {assumeRolePolicy: sqlServerlessAssumeRole.then(sqlServerlessAssumeRole => sqlServerlessAssumeRole.json)});
const thisInstanceProfile = new aws.iam.InstanceProfile("thisInstanceProfile", {role: thisRole.name});
const thisIndex_instanceProfileInstanceProfile = new databricks.InstanceProfile("thisIndex/instanceProfileInstanceProfile", {
instanceProfileArn: thisInstanceProfile.arn,
iamRoleArn: thisRole.arn,
});
import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks
sql_serverless_assume_role = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
actions=["sts:AssumeRole"],
principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="AWS",
identifiers=["arn:aws:iam::790110701330:role/serverless-customer-resource-role"],
)],
conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable="sts:ExternalID",
values=[
"databricks-serverless-<YOUR_WORKSPACE_ID1>",
"databricks-serverless-<YOUR_WORKSPACE_ID2>",
],
)],
)])
this_role = aws.iam.Role("thisRole", assume_role_policy=sql_serverless_assume_role.json)
this_instance_profile = aws.iam.InstanceProfile("thisInstanceProfile", role=this_role.name)
this_index_instance_profile_instance_profile = databricks.InstanceProfile("thisIndex/instanceProfileInstanceProfile",
instance_profile_arn=this_instance_profile.arn,
iam_role_arn=this_role.arn)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var sqlServerlessAssumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
"arn:aws:iam::790110701330:role/serverless-customer-resource-role",
},
},
},
Conditions = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Test = "StringEquals",
Variable = "sts:ExternalID",
Values = new[]
{
"databricks-serverless-<YOUR_WORKSPACE_ID1>",
"databricks-serverless-<YOUR_WORKSPACE_ID2>",
},
},
},
},
},
});
var thisRole = new Aws.Iam.Role("thisRole", new()
{
AssumeRolePolicy = sqlServerlessAssumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var thisInstanceProfile = new Aws.Iam.InstanceProfile("thisInstanceProfile", new()
{
Role = thisRole.Name,
});
var thisIndex_instanceProfileInstanceProfile = new Databricks.InstanceProfile("thisIndex/instanceProfileInstanceProfile", new()
{
InstanceProfileArn = thisInstanceProfile.Arn,
IamRoleArn = thisRole.Arn,
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
sqlServerlessAssumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Actions: []string{
"sts:AssumeRole",
},
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "AWS",
Identifiers: []string{
"arn:aws:iam::790110701330:role/serverless-customer-resource-role",
},
},
},
Conditions: []iam.GetPolicyDocumentStatementCondition{
{
Test: "StringEquals",
Variable: "sts:ExternalID",
Values: []string{
"databricks-serverless-<YOUR_WORKSPACE_ID1>",
"databricks-serverless-<YOUR_WORKSPACE_ID2>",
},
},
},
},
},
}, nil)
if err != nil {
return err
}
thisRole, err := iam.NewRole(ctx, "thisRole", &iam.RoleArgs{
AssumeRolePolicy: *pulumi.String(sqlServerlessAssumeRole.Json),
})
if err != nil {
return err
}
thisInstanceProfile, err := iam.NewInstanceProfile(ctx, "thisInstanceProfile", &iam.InstanceProfileArgs{
Role: thisRole.Name,
})
if err != nil {
return err
}
_, err = databricks.NewInstanceProfile(ctx, "thisIndex/instanceProfileInstanceProfile", &databricks.InstanceProfileArgs{
InstanceProfileArn: thisInstanceProfile.Arn,
IamRoleArn: thisRole.Arn,
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.InstanceProfile;
import com.pulumi.aws.iam.InstanceProfileArgs;
import com.pulumi.databricks.InstanceProfile;
import com.pulumi.databricks.InstanceProfileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var sqlServerlessAssumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers("arn:aws:iam::790110701330:role/serverless-customer-resource-role")
.build())
.conditions(GetPolicyDocumentStatementConditionArgs.builder()
.test("StringEquals")
.variable("sts:ExternalID")
.values(
"databricks-serverless-<YOUR_WORKSPACE_ID1>",
"databricks-serverless-<YOUR_WORKSPACE_ID2>")
.build())
.build())
.build());
var thisRole = new Role("thisRole", RoleArgs.builder()
.assumeRolePolicy(sqlServerlessAssumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.build());
var thisInstanceProfile = new InstanceProfile("thisInstanceProfile", InstanceProfileArgs.builder()
.role(thisRole.name())
.build());
var thisIndex_instanceProfileInstanceProfile = new InstanceProfile("thisIndex/instanceProfileInstanceProfile", InstanceProfileArgs.builder()
.instanceProfileArn(thisInstanceProfile.arn())
.iamRoleArn(thisRole.arn())
.build());
}
}
resources:
thisRole:
type: aws:iam:Role
properties:
assumeRolePolicy: ${sqlServerlessAssumeRole.json}
thisInstanceProfile:
type: aws:iam:InstanceProfile
properties:
role: ${thisRole.name}
thisIndex/instanceProfileInstanceProfile:
type: databricks:InstanceProfile
properties:
instanceProfileArn: ${thisInstanceProfile.arn}
iamRoleArn: ${thisRole.arn}
variables:
sqlServerlessAssumeRole:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- actions:
- sts:AssumeRole
principals:
- type: AWS
identifiers:
- arn:aws:iam::790110701330:role/serverless-customer-resource-role
conditions:
- test: StringEquals
variable: sts:ExternalID
values:
- databricks-serverless-<YOUR_WORKSPACE_ID1>
- databricks-serverless-<YOUR_WORKSPACE_ID2>
Create InstanceProfile Resource
new InstanceProfile(name: string, args: InstanceProfileArgs, opts?: CustomResourceOptions);@overload
def InstanceProfile(resource_name: str,
opts: Optional[ResourceOptions] = None,
iam_role_arn: Optional[str] = None,
instance_profile_arn: Optional[str] = None,
is_meta_instance_profile: Optional[bool] = None,
skip_validation: Optional[bool] = None)
@overload
def InstanceProfile(resource_name: str,
args: InstanceProfileArgs,
opts: Optional[ResourceOptions] = None)func NewInstanceProfile(ctx *Context, name string, args InstanceProfileArgs, opts ...ResourceOption) (*InstanceProfile, error)public InstanceProfile(string name, InstanceProfileArgs args, CustomResourceOptions? opts = null)
public InstanceProfile(String name, InstanceProfileArgs args)
public InstanceProfile(String name, InstanceProfileArgs args, CustomResourceOptions options)
type: databricks:InstanceProfile
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args InstanceProfileArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args InstanceProfileArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args InstanceProfileArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args InstanceProfileArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args InstanceProfileArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
InstanceProfile Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The InstanceProfile resource accepts the following input properties:
- Instance
Profile stringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- Iam
Role stringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- Is
Meta boolInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- Skip
Validation bool For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- Instance
Profile stringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- Iam
Role stringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- Is
Meta boolInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- Skip
Validation bool For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- instance
Profile StringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- iam
Role StringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- is
Meta BooleanInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip
Validation Boolean For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- instance
Profile stringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- iam
Role stringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- is
Meta booleanInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip
Validation boolean For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- instance_
profile_ strarn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- iam_
role_ strarn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- is_
meta_ boolinstance_ profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip_
validation bool For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- instance
Profile StringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- iam
Role StringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- is
Meta BooleanInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip
Validation Boolean For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
Outputs
All input properties are implicitly available as output properties. Additionally, the InstanceProfile resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing InstanceProfile Resource
Get an existing InstanceProfile resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: InstanceProfileState, opts?: CustomResourceOptions): InstanceProfile@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
iam_role_arn: Optional[str] = None,
instance_profile_arn: Optional[str] = None,
is_meta_instance_profile: Optional[bool] = None,
skip_validation: Optional[bool] = None) -> InstanceProfilefunc GetInstanceProfile(ctx *Context, name string, id IDInput, state *InstanceProfileState, opts ...ResourceOption) (*InstanceProfile, error)public static InstanceProfile Get(string name, Input<string> id, InstanceProfileState? state, CustomResourceOptions? opts = null)public static InstanceProfile get(String name, Output<String> id, InstanceProfileState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Iam
Role stringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- Instance
Profile stringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- Is
Meta boolInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- Skip
Validation bool For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- Iam
Role stringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- Instance
Profile stringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- Is
Meta boolInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- Skip
Validation bool For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- iam
Role StringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- instance
Profile StringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- is
Meta BooleanInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip
Validation Boolean For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- iam
Role stringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- instance
Profile stringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- is
Meta booleanInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip
Validation boolean For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- iam_
role_ strarn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- instance_
profile_ strarn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- is_
meta_ boolinstance_ profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip_
validation bool For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
- iam
Role StringArn The AWS IAM role ARN of the role associated with the instance profile. It must have the form
arn:aws:iam::<account-id>:role/<name>. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.- instance
Profile StringArn ARNattribute ofaws_iam_instance_profileoutput, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.- is
Meta BooleanInstance Profile Whether the instance profile is a meta instance profile. Used only in IAM credential passthrough.
- skip
Validation Boolean For advanced usage only. If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
Import
The resource instance profile can be imported using the ARN of it bash
$ pulumi import databricks:index/instanceProfile:InstanceProfile this <instance-profile-arn>
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
databricksTerraform Provider.