Add databricks_aws_unity_catalog_policy data source (#2483)

840 · web-flow · commit 2dd4f7c08171 · 2024-02-08T13:25:44.000Z
* WIP Add `data_aws_unity_catalog_policy` data source * Create `aws_unity_catalog_policy` data with option to provide KMS key * Add tests for `databricks_aws_unity_catalog_policy` * Add documentation for `databricks_aws_unity_catalog_policy` * Refactor `databricks_aws_unity_catalog_policy`, remove redundant test, made ID derive from parameters * Use evaluated conditional to pass role * Revert "Use evaluated conditional to pass role" This reverts commit 272d548. * Use `common.Resource` * Update docs * Correct indentiation for tests * Remove redundant statements in policy * Improve tests
diff --git a/aws/data_aws_unity_catalog_policy.go b/aws/data_aws_unity_catalog_policy.go
@@ -0,0 +1,107 @@
+package aws
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"regexp"
+
+	"github.com/databricks/terraform-provider-databricks/common"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func generateReadContext(ctx context.Context, d *schema.ResourceData, m *common.DatabricksClient) error {
+	bucket := d.Get("bucket_name").(string)
+	awsAccountId := d.Get("aws_account_id").(string)
+	roleName := d.Get("role_name").(string)
+	policy := awsIamPolicy{
+		Version: "2012-10-17",
+		Statements: []*awsIamPolicyStatement{
+			{
+				Effect: "Allow",
+				Actions: []string{
+					"s3:GetObject",
+					"s3:PutObject",
+					"s3:DeleteObject",
+					"s3:ListBucket",
+					"s3:GetBucketLocation",
+				},
+				Resources: []string{
+					fmt.Sprintf("arn:aws:s3:::%s/*", bucket),
+					fmt.Sprintf("arn:aws:s3:::%s", bucket),
+				},
+			},
+			{
+				Effect: "Allow",
+				Actions: []string{
+					"sts:AssumeRole",
+				},
+				Resources: []string{
+					fmt.Sprintf("arn:aws:iam::%s:role/%s", awsAccountId, roleName),
+				},
+			},
+		},
+	}
+	if kmsKey, ok := d.GetOk("kms_name"); ok {
+		policy.Statements = append(policy.Statements, &awsIamPolicyStatement{
+			Effect: "Allow",
+			Actions: []string{
+				"kms:Decrypt",
+				"kms:Encrypt",
+				"kms:GenerateDataKey*",
+			},
+			Resources: []string{
+				fmt.Sprintf("arn:aws:kms:%s", kmsKey),
+			},
+		})
+	}
+	policyJSON, err := json.MarshalIndent(policy, "", "  ")
+	if err != nil {
+		return err
+	}
+	d.SetId(fmt.Sprintf("%s-%s-%s", bucket, awsAccountId, roleName))
+	err = d.Set("json", string(policyJSON))
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func validateSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		"kms_name": {
+			Type:     schema.TypeString,
+			Optional: true,
+			ValidateFunc: validation.StringMatch(
+				regexp.MustCompile(`^[0-9a-zA-Z/_-]+$`),
+				"must contain only alphanumeric, hyphens, forward slashes, and underscores characters"),
+		},
+		"bucket_name": {
+			Type:     schema.TypeString,
+			Required: true,
+			ValidateFunc: validation.StringMatch(
+				regexp.MustCompile(`^[0-9a-zA-Z_-]+$`),
+				"must contain only alphanumeric, underscore, and hyphen characters"),
+		},
+		"role_name": {
+			Type:     schema.TypeString,
+			Required: true,
+		},
+		"aws_account_id": {
+			Type:     schema.TypeString,
+			Required: true,
+		},
+		"json": {
+			Type:     schema.TypeString,
+			Computed: true,
+		},
+	}
+}
+
+func DataAwsUnityCatalogPolicy() common.Resource {
+	return common.Resource{
+		Read:   generateReadContext,
+		Schema: validateSchema(),
+	}
+}
diff --git a/aws/data_aws_unity_catalog_policy_test.go b/aws/data_aws_unity_catalog_policy_test.go
@@ -0,0 +1,121 @@
+package aws
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/databricks/terraform-provider-databricks/qa"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDataAwsUnityCatalogPolicy(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsUnityCatalogPolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+        aws_account_id = "123456789098"
+        bucket_name = "databricks-bucket"
+        role_name = "databricks-role"
+        kms_name = "databricks-kms"
+        `,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json").(string)
+	p := `{
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": [
+                "s3:GetObject",
+                "s3:PutObject",
+                "s3:DeleteObject",
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+              ],
+              "Resource": [
+                "arn:aws:s3:::databricks-bucket/*",
+                "arn:aws:s3:::databricks-bucket"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Resource": [
+                "arn:aws:iam::123456789098:role/databricks-role"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:GenerateDataKey*"
+              ],
+              "Resource": [
+                "arn:aws:kms:databricks-kms"
+              ]
+            }
+          ]
+        }`
+	compareJSON(t, j, p)
+}
+
+func TestDataAwsUnityCatalogPolicyWithoutKMS(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsUnityCatalogPolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+        aws_account_id = "123456789098"
+        bucket_name = "databricks-bucket"
+        role_name = "databricks-role"
+        `,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json").(string)
+	p := `{
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": [
+                "s3:GetObject",
+                "s3:PutObject",
+                "s3:DeleteObject",
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+              ],
+              "Resource": [
+                "arn:aws:s3:::databricks-bucket/*",
+                "arn:aws:s3:::databricks-bucket"
+              ]
+            },
+            {
+              "Effect": "Allow",
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Resource": [
+                "arn:aws:iam::123456789098:role/databricks-role"
+              ]
+            }
+          ]
+        }`
+	compareJSON(t, j, p)
+}
+
+func compareJSON(t *testing.T, json1 string, json2 string) {
+	var i1 interface{}
+	var i2 interface{}
+	err := json.Unmarshal([]byte(json1), &i1)
+	assert.NoError(t, err, "error while unmarshalling")
+	err = json.Unmarshal([]byte(json2), &i2)
+	assert.NoError(t, err, "error while unmarshalling")
+	assert.Equal(t, i1, i2)
+}
diff --git a/docs/data-sources/aws_unity_catalog_policy.md b/docs/data-sources/aws_unity_catalog_policy.md
@@ -0,0 +1,75 @@
+---
+subcategory: "Deployment"
+---
+# databricks_aws_unity_catalog_policy Data Source
+
+-> **Note** This resource has an evolving API, which may change in future versions of the provider. Please always consult [latest documentation](https://docs.databricks.com/administration-guide/account-api/iam-role.html#language-Your%C2%A0VPC,%C2%A0default) in case of any questions.
+
+This data source constructs necessary AWS Unity Catalog policy for you, which is based on [official documentation](https://docs.databricks.com/data-governance/unity-catalog/get-started.html#configure-a-storage-bucket-and-iam-role-in-aws).
+
+## Example Usage
+
+```hcl
+data "databricks_aws_unity_catalog_policy" "this" {
+  aws_account_id = var.aws_account_id
+  bucket_name = "databricks-bucket"
+  role_name = "databricks-role"
+  kms_name = "databricks-kms"
+}
+
+data "aws_iam_policy_document" "passrole_for_uc" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = [
+        "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL" # Databricks Account ID
+      ]
+      type = "AWS"
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = [var.databricks_account_id]
+    }
+  }
+  statement {
+    sid     = "ExplicitSelfRoleAssumption"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:PrincipalArn"
+      values   = ["arn:aws:iam::${var.aws_account_id}:role/${var.prefix}-uc-access"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "unity_metastore" {
+  name = "${var.prefix}-unity-catalog-metastore-access-iam-policy"
+  policy = data.databricks_aws_unity_catalog_policy.this.json
+}
+
+resource "aws_iam_role" "metastore_data_access" {
+  name                = "${var.prefix}-uc-access"
+  assume_role_policy  = data.aws_iam_policy_document.passrole_for_uc.json
+  managed_policy_arns = [aws_iam_policy.unity_metastore.arn]
+}
+```
+
+## Argument Reference
+
+* `aws_account_id` (Required) The Account ID of the current AWS account (not your Databricks account).
+* `bucket_name` (Required) The name of the S3 bucket used as root storage location for [managed tables](https://docs.databricks.com/data-governance/unity-catalog/index.html#managed-table) in Unity Catalog.
+* `role_name` (Required) The name of the AWS IAM role that you created in the previous step in the [official documentation](https://docs.databricks.com/data-governance/unity-catalog/get-started.html#configure-a-storage-bucket-and-iam-role-in-aws).
+* `kms_name` (Optional) If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `json` - AWS IAM Policy JSON document
diff --git a/provider/provider.go b/provider/provider.go
@@ -52,46 +52,47 @@ func init() {
 func DatabricksProvider() *schema.Provider {
 	p := &schema.Provider{
 		DataSourcesMap: map[string]*schema.Resource{ // must be in alphabetical order
-			"databricks_aws_crossaccount_policy": aws.DataAwsCrossaccountPolicy().ToResource(),
-			"databricks_aws_assume_role_policy":  aws.DataAwsAssumeRolePolicy().ToResource(),
-			"databricks_aws_bucket_policy":       aws.DataAwsBucketPolicy().ToResource(),
-			"databricks_cluster":                 clusters.DataSourceCluster().ToResource(),
-			"databricks_clusters":                clusters.DataSourceClusters().ToResource(),
-			"databricks_cluster_policy":          policies.DataSourceClusterPolicy().ToResource(),
-			"databricks_catalogs":                catalog.DataSourceCatalogs().ToResource(),
-			"databricks_current_config":          mws.DataSourceCurrentConfiguration().ToResource(),
-			"databricks_current_metastore":       catalog.DataSourceCurrentMetastore().ToResource(),
-			"databricks_current_user":            scim.DataSourceCurrentUser().ToResource(),
-			"databricks_dbfs_file":               storage.DataSourceDbfsFile().ToResource(),
-			"databricks_dbfs_file_paths":         storage.DataSourceDbfsFilePaths().ToResource(),
-			"databricks_directory":               workspace.DataSourceDirectory().ToResource(),
-			"databricks_group":                   scim.DataSourceGroup().ToResource(),
-			"databricks_instance_pool":           pools.DataSourceInstancePool().ToResource(),
-			"databricks_instance_profiles":       aws.DataSourceInstanceProfiles().ToResource(),
-			"databricks_jobs":                    jobs.DataSourceJobs().ToResource(),
-			"databricks_job":                     jobs.DataSourceJob().ToResource(),
-			"databricks_metastore":               catalog.DataSourceMetastore().ToResource(),
-			"databricks_metastores":              catalog.DataSourceMetastores().ToResource(),
-			"databricks_mlflow_model":            mlflow.DataSourceModel().ToResource(),
-			"databricks_mws_credentials":         mws.DataSourceMwsCredentials().ToResource(),
-			"databricks_mws_workspaces":          mws.DataSourceMwsWorkspaces().ToResource(),
-			"databricks_node_type":               clusters.DataSourceNodeType().ToResource(),
-			"databricks_notebook":                workspace.DataSourceNotebook().ToResource(),
-			"databricks_notebook_paths":          workspace.DataSourceNotebookPaths().ToResource(),
-			"databricks_pipelines":               pipelines.DataSourcePipelines().ToResource(),
-			"databricks_schemas":                 catalog.DataSourceSchemas().ToResource(),
-			"databricks_service_principal":       scim.DataSourceServicePrincipal().ToResource(),
-			"databricks_service_principals":      scim.DataSourceServicePrincipals().ToResource(),
-			"databricks_share":                   catalog.DataSourceShare().ToResource(),
-			"databricks_shares":                  catalog.DataSourceShares().ToResource(),
-			"databricks_spark_version":           clusters.DataSourceSparkVersion().ToResource(),
-			"databricks_sql_warehouse":           sql.DataSourceWarehouse().ToResource(),
-			"databricks_sql_warehouses":          sql.DataSourceWarehouses().ToResource(),
-			"databricks_tables":                  catalog.DataSourceTables().ToResource(),
-			"databricks_views":                   catalog.DataSourceViews().ToResource(),
-			"databricks_volumes":                 catalog.DataSourceVolumes().ToResource(),
-			"databricks_user":                    scim.DataSourceUser().ToResource(),
-			"databricks_zones":                   clusters.DataSourceClusterZones().ToResource(),
+			"databricks_aws_crossaccount_policy":  aws.DataAwsCrossaccountPolicy().ToResource(),
+			"databricks_aws_assume_role_policy":   aws.DataAwsAssumeRolePolicy().ToResource(),
+			"databricks_aws_bucket_policy":        aws.DataAwsBucketPolicy().ToResource(),
+			"databricks_aws_unity_catalog_policy": aws.DataAwsUnityCatalogPolicy().ToResource(),
+			"databricks_cluster":                  clusters.DataSourceCluster().ToResource(),
+			"databricks_clusters":                 clusters.DataSourceClusters().ToResource(),
+			"databricks_cluster_policy":           policies.DataSourceClusterPolicy().ToResource(),
+			"databricks_catalogs":                 catalog.DataSourceCatalogs().ToResource(),
+			"databricks_current_config":           mws.DataSourceCurrentConfiguration().ToResource(),
+			"databricks_current_metastore":        catalog.DataSourceCurrentMetastore().ToResource(),
+			"databricks_current_user":             scim.DataSourceCurrentUser().ToResource(),
+			"databricks_dbfs_file":                storage.DataSourceDbfsFile().ToResource(),
+			"databricks_dbfs_file_paths":          storage.DataSourceDbfsFilePaths().ToResource(),
+			"databricks_directory":                workspace.DataSourceDirectory().ToResource(),
+			"databricks_group":                    scim.DataSourceGroup().ToResource(),
+			"databricks_instance_pool":            pools.DataSourceInstancePool().ToResource(),
+			"databricks_instance_profiles":        aws.DataSourceInstanceProfiles().ToResource(),
+			"databricks_jobs":                     jobs.DataSourceJobs().ToResource(),
+			"databricks_job":                      jobs.DataSourceJob().ToResource(),
+			"databricks_metastore":                catalog.DataSourceMetastore().ToResource(),
+			"databricks_metastores":               catalog.DataSourceMetastores().ToResource(),
+			"databricks_mlflow_model":             mlflow.DataSourceModel().ToResource(),
+			"databricks_mws_credentials":          mws.DataSourceMwsCredentials().ToResource(),
+			"databricks_mws_workspaces":           mws.DataSourceMwsWorkspaces().ToResource(),
+			"databricks_node_type":                clusters.DataSourceNodeType().ToResource(),
+			"databricks_notebook":                 workspace.DataSourceNotebook().ToResource(),
+			"databricks_notebook_paths":           workspace.DataSourceNotebookPaths().ToResource(),
+			"databricks_pipelines":                pipelines.DataSourcePipelines().ToResource(),
+			"databricks_schemas":                  catalog.DataSourceSchemas().ToResource(),
+			"databricks_service_principal":        scim.DataSourceServicePrincipal().ToResource(),
+			"databricks_service_principals":       scim.DataSourceServicePrincipals().ToResource(),
+			"databricks_share":                    catalog.DataSourceShare().ToResource(),
+			"databricks_shares":                   catalog.DataSourceShares().ToResource(),
+			"databricks_spark_version":            clusters.DataSourceSparkVersion().ToResource(),
+			"databricks_sql_warehouse":            sql.DataSourceWarehouse().ToResource(),
+			"databricks_sql_warehouses":           sql.DataSourceWarehouses().ToResource(),
+			"databricks_tables":                   catalog.DataSourceTables().ToResource(),
+			"databricks_views":                    catalog.DataSourceViews().ToResource(),
+			"databricks_volumes":                  catalog.DataSourceVolumes().ToResource(),
+			"databricks_user":                     scim.DataSourceUser().ToResource(),
+			"databricks_zones":                    clusters.DataSourceClusterZones().ToResource(),
 		},
 		ResourcesMap: map[string]*schema.Resource{ // must be in alphabetical order
 			"databricks_access_control_rule_set":     permissions.ResourceAccessControlRuleSet().ToResource(),
