Docs Packages
  1. Packages
  2. Databricks
  3. API Docs
  4. getAwsAssumeRolePolicy
Databricks v1.46.1 published on Friday, Jun 28, 2024 by Pulumi
pulumi/pulumi-databricks

databricks.getAwsAssumeRolePolicy

Explore with Pulumi AI

databricks logo
Databricks v1.46.1 published on Friday, Jun 28, 2024 by Pulumi
pulumi/pulumi-databricks

    This data source constructs necessary AWS STS assume role policy for you.

    Example Usage

    End-to-end example of provisioning Cross-account IAM role with databricks_mws_credentials:

    import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";

const config = new pulumi.Config();
// Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
const databricksAccountId = config.requireObject("databricksAccountId");
const this = databricks.getAwsCrossAccountPolicy({});
const crossAccountPolicy = new aws.iam.Policy("cross_account_policy", {
    name: `${prefix}-crossaccount-iam-policy`,
    policy: _this.then(_this => _this.json),
});
const thisGetAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
    externalId: databricksAccountId,
});
const crossAccount = new aws.iam.Role("cross_account", {
    name: `${prefix}-crossaccount-iam-role`,
    assumeRolePolicy: thisGetAwsAssumeRolePolicy.then(thisGetAwsAssumeRolePolicy => thisGetAwsAssumeRolePolicy.json),
    description: "Grants Databricks full access to VPC resources",
});
const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("cross_account", {
    policyArn: crossAccountPolicy.arn,
    role: crossAccount.name,
});
// required only in case of multi-workspace setup
const thisMwsCredentials = new databricks.MwsCredentials("this", {
    accountId: databricksAccountId,
    credentialsName: `${prefix}-creds`,
    roleArn: crossAccount.arn,
});

    import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks

config = pulumi.Config()
# Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
databricks_account_id = config.require_object("databricksAccountId")
this = databricks.get_aws_cross_account_policy()
cross_account_policy = aws.iam.Policy("cross_account_policy",
    name=f"{prefix}-crossaccount-iam-policy",
    policy=this.json)
this_get_aws_assume_role_policy = databricks.get_aws_assume_role_policy(external_id=databricks_account_id)
cross_account = aws.iam.Role("cross_account",
    name=f"{prefix}-crossaccount-iam-role",
    assume_role_policy=this_get_aws_assume_role_policy.json,
    description="Grants Databricks full access to VPC resources")
cross_account_role_policy_attachment = aws.iam.RolePolicyAttachment("cross_account",
    policy_arn=cross_account_policy.arn,
    role=cross_account.name)
# required only in case of multi-workspace setup
this_mws_credentials = databricks.MwsCredentials("this",
    account_id=databricks_account_id,
    credentials_name=f"{prefix}-creds",
    role_arn=cross_account.arn)

    package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		// Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
		databricksAccountId := cfg.RequireObject("databricksAccountId")
		this, err := databricks.GetAwsCrossAccountPolicy(ctx, nil, nil)
		if err != nil {
			return err
		}
		crossAccountPolicy, err := iam.NewPolicy(ctx, "cross_account_policy", &iam.PolicyArgs{
			Name:   pulumi.String(fmt.Sprintf("%v-crossaccount-iam-policy", prefix)),
			Policy: pulumi.String(this.Json),
		})
		if err != nil {
			return err
		}
		thisGetAwsAssumeRolePolicy, err := databricks.GetAwsAssumeRolePolicy(ctx, &databricks.GetAwsAssumeRolePolicyArgs{
			ExternalId: databricksAccountId,
		}, nil)
		if err != nil {
			return err
		}
		crossAccount, err := iam.NewRole(ctx, "cross_account", &iam.RoleArgs{
			Name:             pulumi.String(fmt.Sprintf("%v-crossaccount-iam-role", prefix)),
			AssumeRolePolicy: pulumi.String(thisGetAwsAssumeRolePolicy.Json),
			Description:      pulumi.String("Grants Databricks full access to VPC resources"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicyAttachment(ctx, "cross_account", &iam.RolePolicyAttachmentArgs{
			PolicyArn: crossAccountPolicy.Arn,
			Role:      crossAccount.Name,
		})
		if err != nil {
			return err
		}
		// required only in case of multi-workspace setup
		_, err = databricks.NewMwsCredentials(ctx, "this", &databricks.MwsCredentialsArgs{
			AccountId:       pulumi.Any(databricksAccountId),
			CredentialsName: pulumi.String(fmt.Sprintf("%v-creds", prefix)),
			RoleArn:         crossAccount.Arn,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;

return await Deployment.RunAsync(() => 
{
    var config = new Config();
    // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
    var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
    var @this = Databricks.GetAwsCrossAccountPolicy.Invoke();

    var crossAccountPolicy = new Aws.Iam.Policy("cross_account_policy", new()
    {
        Name = $"{prefix}-crossaccount-iam-policy",
        PolicyDocument = @this.Apply(@this => @this.Apply(getAwsCrossAccountPolicyResult => getAwsCrossAccountPolicyResult.Json)),
    });

    var thisGetAwsAssumeRolePolicy = Databricks.GetAwsAssumeRolePolicy.Invoke(new()
    {
        ExternalId = databricksAccountId,
    });

    var crossAccount = new Aws.Iam.Role("cross_account", new()
    {
        Name = $"{prefix}-crossaccount-iam-role",
        AssumeRolePolicy = thisGetAwsAssumeRolePolicy.Apply(getAwsAssumeRolePolicyResult => getAwsAssumeRolePolicyResult.Json),
        Description = "Grants Databricks full access to VPC resources",
    });

    var crossAccountRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("cross_account", new()
    {
        PolicyArn = crossAccountPolicy.Arn,
        Role = crossAccount.Name,
    });

    // required only in case of multi-workspace setup
    var thisMwsCredentials = new Databricks.MwsCredentials("this", new()
    {
        AccountId = databricksAccountId,
        CredentialsName = $"{prefix}-creds",
        RoleArn = crossAccount.Arn,
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsCrossAccountPolicyArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.databricks.inputs.GetAwsAssumeRolePolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.databricks.MwsCredentials;
import com.pulumi.databricks.MwsCredentialsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var config = ctx.config();
        final var databricksAccountId = config.get("databricksAccountId");
        final var this = DatabricksFunctions.getAwsCrossAccountPolicy();

        var crossAccountPolicy = new Policy("crossAccountPolicy", PolicyArgs.builder()
            .name(String.format("%s-crossaccount-iam-policy", prefix))
            .policy(this_.json())
            .build());

        final var thisGetAwsAssumeRolePolicy = DatabricksFunctions.getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs.builder()
            .externalId(databricksAccountId)
            .build());

        var crossAccount = new Role("crossAccount", RoleArgs.builder()
            .name(String.format("%s-crossaccount-iam-role", prefix))
            .assumeRolePolicy(thisGetAwsAssumeRolePolicy.applyValue(getAwsAssumeRolePolicyResult -> getAwsAssumeRolePolicyResult.json()))
            .description("Grants Databricks full access to VPC resources")
            .build());

        var crossAccountRolePolicyAttachment = new RolePolicyAttachment("crossAccountRolePolicyAttachment", RolePolicyAttachmentArgs.builder()
            .policyArn(crossAccountPolicy.arn())
            .role(crossAccount.name())
            .build());

        // required only in case of multi-workspace setup
        var thisMwsCredentials = new MwsCredentials("thisMwsCredentials", MwsCredentialsArgs.builder()
            .accountId(databricksAccountId)
            .credentialsName(String.format("%s-creds", prefix))
            .roleArn(crossAccount.arn())
            .build());

    }
}

    configuration:
  databricksAccountId:
    type: dynamic
resources:
  crossAccountPolicy:
    type: aws:iam:Policy
    name: cross_account_policy
    properties:
      name: ${prefix}-crossaccount-iam-policy
      policy: ${this.json}
  crossAccount:
    type: aws:iam:Role
    name: cross_account
    properties:
      name: ${prefix}-crossaccount-iam-role
      assumeRolePolicy: ${thisGetAwsAssumeRolePolicy.json}
      description: Grants Databricks full access to VPC resources
  crossAccountRolePolicyAttachment:
    type: aws:iam:RolePolicyAttachment
    name: cross_account
    properties:
      policyArn: ${crossAccountPolicy.arn}
      role: ${crossAccount.name}
  # required only in case of multi-workspace setup
  thisMwsCredentials:
    type: databricks:MwsCredentials
    name: this
    properties:
      accountId: ${databricksAccountId}
      credentialsName: ${prefix}-creds
      roleArn: ${crossAccount.arn}
variables:
  this:
    fn::invoke:
      Function: databricks:getAwsCrossAccountPolicy
      Arguments: {}
  thisGetAwsAssumeRolePolicy:
    fn::invoke:
      Function: databricks:getAwsAssumeRolePolicy
      Arguments:
        externalId: ${databricksAccountId}

    The following resources are used in the same context:

    • Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
    • databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
    • databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on official documentation.

    Using getAwsAssumeRolePolicy

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getAwsAssumeRolePolicy(args: GetAwsAssumeRolePolicyArgs, opts?: InvokeOptions): Promise<GetAwsAssumeRolePolicyResult>
function getAwsAssumeRolePolicyOutput(args: GetAwsAssumeRolePolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsAssumeRolePolicyResult>
    def get_aws_assume_role_policy(databricks_account_id: Optional[str] = None,
                               external_id: Optional[str] = None,
                               for_log_delivery: Optional[bool] = None,
                               opts: Optional[InvokeOptions] = None) -> GetAwsAssumeRolePolicyResult
def get_aws_assume_role_policy_output(databricks_account_id: Optional[pulumi.Input[str]] = None,
                               external_id: Optional[pulumi.Input[str]] = None,
                               for_log_delivery: Optional[pulumi.Input[bool]] = None,
                               opts: Optional[InvokeOptions] = None) -> Output[GetAwsAssumeRolePolicyResult]
    func GetAwsAssumeRolePolicy(ctx *Context, args *GetAwsAssumeRolePolicyArgs, opts ...InvokeOption) (*GetAwsAssumeRolePolicyResult, error)
func GetAwsAssumeRolePolicyOutput(ctx *Context, args *GetAwsAssumeRolePolicyOutputArgs, opts ...InvokeOption) GetAwsAssumeRolePolicyResultOutput

    > Note: This function is named GetAwsAssumeRolePolicy in the Go SDK.

    public static class GetAwsAssumeRolePolicy 
{
    public static Task<GetAwsAssumeRolePolicyResult> InvokeAsync(GetAwsAssumeRolePolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetAwsAssumeRolePolicyResult> Invoke(GetAwsAssumeRolePolicyInvokeArgs args, InvokeOptions? opts = null)
}
    public static CompletableFuture<GetAwsAssumeRolePolicyResult> getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet

    fn::invoke:
  function: databricks:index/getAwsAssumeRolePolicy:getAwsAssumeRolePolicy
  arguments:
    # arguments dictionary

    The following arguments are supported:

    ExternalId string
    Account Id that could be found in the top right corner of Accounts Console.
    DatabricksAccountId string
    ForLogDelivery bool
    Either or not this assume role policy should be created for usage log delivery. Defaults to false.
    ExternalId string
    Account Id that could be found in the top right corner of Accounts Console.
    DatabricksAccountId string
    ForLogDelivery bool
    Either or not this assume role policy should be created for usage log delivery. Defaults to false.
    externalId String
    Account Id that could be found in the top right corner of Accounts Console.
    databricksAccountId String
    forLogDelivery Boolean
    Either or not this assume role policy should be created for usage log delivery. Defaults to false.
    externalId string
    Account Id that could be found in the top right corner of Accounts Console.
    databricksAccountId string
    forLogDelivery boolean
    Either or not this assume role policy should be created for usage log delivery. Defaults to false.
    external_id str
    Account Id that could be found in the top right corner of Accounts Console.
    databricks_account_id str
    for_log_delivery bool
    Either or not this assume role policy should be created for usage log delivery. Defaults to false.
    externalId String
    Account Id that could be found in the top right corner of Accounts Console.
    databricksAccountId String
    forLogDelivery Boolean
    Either or not this assume role policy should be created for usage log delivery. Defaults to false.

    getAwsAssumeRolePolicy Result

    The following output properties are available:

    ExternalId string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    AWS IAM Policy JSON document
    DatabricksAccountId string
    ForLogDelivery bool
    ExternalId string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    AWS IAM Policy JSON document
    DatabricksAccountId string
    ForLogDelivery bool
    externalId String
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    AWS IAM Policy JSON document
    databricksAccountId String
    forLogDelivery Boolean
    externalId string
    id string
    The provider-assigned unique ID for this managed resource.
    json string
    AWS IAM Policy JSON document
    databricksAccountId string
    forLogDelivery boolean
    external_id str
    id str
    The provider-assigned unique ID for this managed resource.
    json str
    AWS IAM Policy JSON document
    databricks_account_id str
    for_log_delivery bool
    externalId String
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    AWS IAM Policy JSON document
    databricksAccountId String
    forLogDelivery Boolean

    Package Details

    Repository
    databricks pulumi/pulumi-databricks
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the databricks Terraform Provider.
    databricks logo
    Databricks v1.46.1 published on Friday, Jun 28, 2024 by Pulumi
    pulumi/pulumi-databricks