Update policy definition in databricks_aws_crossaccount_policy data source (#2262)

alexott · web-flow · commit 66a3bad13450 · 2023-05-05T12:50:27.000+02:00
The policy definition was updated with new permissions as per [Databricks documentation](https://docs.databricks.com/administration-guide/account-settings-e2/credentials.html#step-2-create-an-access-policy). Entries are also sorted to match documentation. This fixes #2255 We need to look if we need the following permissions that aren't mentioned in the documentation, but present in the data source ``` "ec2:CreateKeyPair", "ec2:CreatePlacementGroup", "ec2:DeleteKeyPair", "ec2:DeletePlacementGroup", "ec2:DescribeNetworkAcls", "ec2:DescribePlacementGroups", "ec2:DescribeVpcAttribute", "ec2:DetachVolume", ```
diff --git a/aws/data_aws_crossaccount_policy.go b/aws/data_aws_crossaccount_policy.go
@@ -18,6 +18,8 @@ func DataAwsCrossaccountPolicy() *schema.Resource {
 					{
 						Effect: "Allow",
 						Actions: []string{
+							"ec2:AllocateAddress",
+							"ec2:AssignPrivateIpAddresses",
 							"ec2:AssociateDhcpOptions",
 							"ec2:AssociateIamInstanceProfile",
 							"ec2:AssociateRouteTable",
@@ -27,30 +29,49 @@ func DataAwsCrossaccountPolicy() *schema.Resource {
 							"ec2:AuthorizeSecurityGroupIngress",
 							"ec2:CancelSpotInstanceRequests",
 							"ec2:CreateDhcpOptions",
+							"ec2:CreateFleet",
 							"ec2:CreateInternetGateway",
 							"ec2:CreateKeyPair",
+							"ec2:CreateLaunchTemplate",
+							"ec2:CreateLaunchTemplateVersion",
+							"ec2:CreateNatGateway",
+							"ec2:CreatePlacementGroup",
 							"ec2:CreateRoute",
+							"ec2:CreateRouteTable",
 							"ec2:CreateSecurityGroup",
 							"ec2:CreateSubnet",
 							"ec2:CreateTags",
 							"ec2:CreateVolume",
 							"ec2:CreateVpc",
+							"ec2:CreateVpcEndpoint",
+							"ec2:DeleteDhcpOptions",
+							"ec2:DeleteFleets",
 							"ec2:DeleteInternetGateway",
 							"ec2:DeleteKeyPair",
+							"ec2:DeleteLaunchTemplate",
+							"ec2:DeleteLaunchTemplateVersions",
+							"ec2:DeleteNatGateway",
+							"ec2:DeletePlacementGroup",
 							"ec2:DeleteRoute",
 							"ec2:DeleteRouteTable",
 							"ec2:DeleteSecurityGroup",
 							"ec2:DeleteSubnet",
 							"ec2:DeleteTags",
 							"ec2:DeleteVolume",
 							"ec2:DeleteVpc",
+							"ec2:DeleteVpcEndpoints",
 							"ec2:DescribeAvailabilityZones",
-							"ec2:DescribeNetworkAcls",
-							"ec2:DescribeInternetGateways",
-							"ec2:DescribeVpcAttribute",
+							"ec2:DescribeFleetHistory",
+							"ec2:DescribeFleetInstances",
+							"ec2:DescribeFleets",
 							"ec2:DescribeIamInstanceProfileAssociations",
 							"ec2:DescribeInstanceStatus",
 							"ec2:DescribeInstances",
+							"ec2:DescribeInternetGateways",
+							"ec2:DescribeLaunchTemplates",
+							"ec2:DescribeNatGateways",
+							"ec2:DescribeNetworkAcls",
+							"ec2:DescribePlacementGroups",
 							"ec2:DescribePrefixLists",
 							"ec2:DescribeReservedInstancesOfferings",
 							"ec2:DescribeRouteTables",
@@ -59,30 +80,24 @@ func DataAwsCrossaccountPolicy() *schema.Resource {
 							"ec2:DescribeSpotPriceHistory",
 							"ec2:DescribeSubnets",
 							"ec2:DescribeVolumes",
+							"ec2:DescribeVpcAttribute",
 							"ec2:DescribeVpcs",
 							"ec2:DetachInternetGateway",
+							"ec2:DetachVolume",
 							"ec2:DisassociateIamInstanceProfile",
+							"ec2:DisassociateRouteTable",
+							"ec2:GetLaunchTemplateData",
+							"ec2:GetSpotPlacementScores",
+							"ec2:ModifyFleet",
+							"ec2:ModifyLaunchTemplate",
 							"ec2:ModifyVpcAttribute",
+							"ec2:ReleaseAddress",
 							"ec2:ReplaceIamInstanceProfileAssociation",
 							"ec2:RequestSpotInstances",
 							"ec2:RevokeSecurityGroupEgress",
 							"ec2:RevokeSecurityGroupIngress",
 							"ec2:RunInstances",
 							"ec2:TerminateInstances",
-							"ec2:CreatePlacementGroup",
-							"ec2:DeletePlacementGroup",
-							"ec2:DescribePlacementGroups",
-							"ec2:AllocateAddress",
-							"ec2:CreateNatGateway",
-							"ec2:CreateRouteTable",
-							"ec2:CreateVpcEndpoint",
-							"ec2:DeleteDhcpOptions",
-							"ec2:DeleteNatGateway",
-							"ec2:DeleteVpcEndpoints",
-							"ec2:DescribeNatGateways",
-							"ec2:DisassociateRouteTable",
-							"ec2:ReleaseAddress",
-							"ec2:DetachVolume",
 						},
 						Resources: "*",
 					},
diff --git a/aws/data_aws_crossaccount_policy_test.go b/aws/data_aws_crossaccount_policy_test.go
@@ -16,7 +16,7 @@ func TestDataAwsCrossAccountPolicy(t *testing.T) {
 	}.Apply(t)
 	assert.NoError(t, err)
 	j := d.Get("json")
-	assert.Lenf(t, j, 2759, "Strange length for policy: %s", j)
+	assert.Lenf(t, j, 3294, "Strange length for policy: %s", j)
 }
 
 func TestDataAwsCrossAccountPolicy_WithPassRoles(t *testing.T) {
@@ -29,5 +29,5 @@ func TestDataAwsCrossAccountPolicy_WithPassRoles(t *testing.T) {
 	}.Apply(t)
 	assert.NoError(t, err)
 	j := d.Get("json")
-	assert.Lenf(t, j, 2895, "Strange length for policy: %s", j)
+	assert.Lenf(t, j, 3430, "Strange length for policy: %s", j)
 }

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ func TestDataAwsCrossAccountPolicy(t *testing.T) {`
`16`	`16`	`}.Apply(t)`
`17`	`17`	`assert.NoError(t, err)`
`18`	`18`	`j := d.Get("json")`
`19`		`- assert.Lenf(t, j, 2759, "Strange length for policy: %s", j)`
	`19`	`+ assert.Lenf(t, j, 3294, "Strange length for policy: %s", j)`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`func TestDataAwsCrossAccountPolicy_WithPassRoles(t *testing.T) {`
`@@ -29,5 +29,5 @@ func TestDataAwsCrossAccountPolicy_WithPassRoles(t *testing.T) {`
`29`	`29`	`}.Apply(t)`
`30`	`30`	`assert.NoError(t, err)`
`31`	`31`	`j := d.Get("json")`
`32`		`- assert.Lenf(t, j, 2895, "Strange length for policy: %s", j)`
	`32`	`+ assert.Lenf(t, j, 3430, "Strange length for policy: %s", j)`
`33`	`33`	`}`