Doc updates (#1254)

* clarify sql_permissions edge cases on UC workspaces
* set encryption on root bucket and block public acl
* clarify default_catalog_name

Author: nkvuong

docs/guides/aws-workspace.md

@@ -212,10 +212,23 @@ resource "aws_s3_bucket" "root_storage_bucket" {
   })
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "root_storage_bucket" {
+  bucket = aws_s3_bucket.root_storage_bucket.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "AES256"
+    }
+  }
+} 
+
 resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
-  bucket             = aws_s3_bucket.root_storage_bucket.id
-  ignore_public_acls = true
-  depends_on         = [aws_s3_bucket.root_storage_bucket]
+  bucket                  = aws_s3_bucket.root_storage_bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  depends_on              = [aws_s3_bucket.root_storage_bucket]
 }
 
 data "databricks_aws_bucket_policy" "this" {

docs/guides/unity-catalog.md

@@ -145,10 +145,13 @@ resource "aws_s3_bucket" "metastore" {
   })
 }
 
-resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
-  bucket             = aws_s3_bucket.metastore.id
-  ignore_public_acls = true
-  depends_on         = [aws_s3_bucket.metastore]
+resource "aws_s3_bucket_public_access_block" "metastore" {
+  bucket                  = aws_s3_bucket.metastore.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  depends_on              = [aws_s3_bucket.metastore]
 }
 
 data "aws_iam_policy_document" "passrole_for_uc" {

docs/resources/mws_workspaces.md

@@ -141,9 +141,23 @@ resource "aws_s3_bucket" "root_storage_bucket" {
   tags          = var.tags
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "root_storage_bucket" {
+  bucket = aws_s3_bucket.root_storage_bucket.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "AES256"
+    }
+  }
+} 
+
 resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
-  bucket             = aws_s3_bucket.root_storage_bucket.id
-  ignore_public_acls = true
+  bucket                  = aws_s3_bucket.root_storage_bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  depends_on              = [aws_s3_bucket.root_storage_bucket]
 }
 
 data "databricks_aws_bucket_policy" "this" {
@@ -153,6 +167,7 @@ data "databricks_aws_bucket_policy" "this" {
 resource "aws_s3_bucket_policy" "root_bucket_policy" {
   bucket = aws_s3_bucket.root_storage_bucket.id
   policy = data.databricks_aws_bucket_policy.this.json
+  depends_on = [aws_s3_bucket_public_access_block.root_storage_bucket]  
 }
 
 resource "databricks_mws_storage_configurations" "this" {

docs/resources/sql_permissions.md

@@ -5,6 +5,8 @@ subcategory: "Security"
 
 -> **Note** Please switch to [databricks_grants](grants.md) with Unity Catalog to manage data access, which provides better and faster way for managing data security. `databricks_grants` resource *doesn't require a technical cluster to perform operations*. `databricks_sql_permissions` will be removed, once Unity Catalog is Generally Available.
 
+-> **Note** On workspaces with Unity Catalog enabled, you may run into errors such as `Error: cannot create sql permissions: cannot read current grants: For unity catalog, please specify the catalog name explicitly. E.g. SHOW GRANT ``[email protected]`` ON CATALOG main`. This happens if your `default_catalog_name` was set to a UC catalog instead of `hive_metastore`. The workaround is to re-assign the metastore again with the default catalog set to be `hive_metastore`. See [databricks_metastore_assignment](metastore_assignment.md).
+
 This resource manages data object access control lists in Databricks workspaces for things like tables, views, databases, and [more](https://docs.databricks.com/security/access-control/table-acls/object-privileges.html). In order to enable Table Access control, you have to login to the workspace as administrator, go to `Admin Console`, pick `Access Control` tab, click on `Enable` button in `Table Access Control` section, and click `Confirm`. The security guarantees of table access control **will only be effective if cluster access control is also turned on**. Please make sure that no users can create clusters in your workspace and all [databricks_cluster](cluster.md) have approximately the following configuration:
 
 ```hcl