Added support for iam_role_arn in databricks_instance_profile (#1943)

Jorge-Rodriguez · web-flow · commit c27ccd6bae7a · 2023-01-25T11:32:49.000+01:00
* Add IamRoleArn to instance_profile resource

* Add tests

* Add handling for empty string role ARN

* Add documentation

* Modifications according to PR comments

* Fix typo

* Unify ARN validation functions

* Rename validation tests

* Do not allow empty instance profile ARNs

* Remove `omitempty` from required field

* Add default clause
diff --git a/aws/resource_group_instance_profile.go b/aws/resource_group_instance_profile.go
@@ -14,7 +14,7 @@ import (
 func ResourceGroupInstanceProfile() *schema.Resource {
 	r := common.NewPairID("group_id", "instance_profile_id").Schema(func(
 		m map[string]*schema.Schema) map[string]*schema.Schema {
-		m["instance_profile_id"].ValidateDiagFunc = ValidInstanceProfile
+		m["instance_profile_id"].ValidateDiagFunc = ValidArn
 		return m
 	}).BindResource(common.BindResource{
 		ReadContext: func(ctx context.Context, groupID, roleARN string, c *common.DatabricksClient) error {
diff --git a/aws/resource_instance_profile.go b/aws/resource_instance_profile.go
@@ -18,7 +18,8 @@ import (
 
 // InstanceProfileInfo contains the ARN for aws instance profiles
 type InstanceProfileInfo struct {
-	InstanceProfileArn    string `json:"instance_profile_arn,omitempty"`
+	InstanceProfileArn    string `json:"instance_profile_arn"`
+	IamRoleArn            string `json:"iam_role_arn,omitempty"`
 	IsMetaInstanceProfile bool   `json:"is_meta_instance_profile,omitempty"`
 	SkipValidation        bool   `json:"skip_validation,omitempty" tf:"computed"`
 }
@@ -83,6 +84,18 @@ func (a InstanceProfilesAPI) Delete(instanceProfileARN string) error {
 	}, nil)
 }
 
+// Update updates the IAM role ARN of an existing instance profile
+func (a InstanceProfilesAPI) Update(ipi InstanceProfileInfo) error {
+	data := map[string]any{
+		"instance_profile_arn": ipi.InstanceProfileArn,
+		"iam_role_arn":         ipi.InstanceProfileArn,
+	}
+	if ipi.IamRoleArn != "" {
+		data["iam_role_arn"] = ipi.IamRoleArn
+	}
+	return a.client.Post(a.context, "/instance-profiles/edit", data, nil)
+}
+
 // IsRegistered checks if instance profile exists
 func (a InstanceProfilesAPI) IsRegistered(arn string) bool {
 	if _, err := a.Read(arn); err == nil {
@@ -137,7 +150,8 @@ func (a InstanceProfilesAPI) Synchronized(arn string, testCallback func() bool)
 func ResourceInstanceProfile() *schema.Resource {
 	instanceProfileSchema := common.StructToSchema(InstanceProfileInfo{},
 		func(m map[string]*schema.Schema) map[string]*schema.Schema {
-			m["instance_profile_arn"].ValidateDiagFunc = ValidInstanceProfile
+			m["instance_profile_arn"].ValidateDiagFunc = ValidArn
+			m["iam_role_arn"].ValidateDiagFunc = ValidArn
 			m["skip_validation"].DiffSuppressFunc = func(k, old, new string, d *schema.ResourceData) bool {
 				if old == "false" && new == "true" {
 					return true
@@ -167,11 +181,16 @@ func ResourceInstanceProfile() *schema.Resource {
 		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
 			return NewInstanceProfilesAPI(ctx, c).Delete(d.Id())
 		},
+		Update: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			var profile InstanceProfileInfo
+			common.DataToStructPointer(d, instanceProfileSchema, &profile)
+			return NewInstanceProfilesAPI(ctx, c).Update(profile)
+		},
 	}.ToResource()
 }
 
-// ValidInstanceProfile validate if it's valid instance profile ARN
-func ValidInstanceProfile(v any, c cty.Path) diag.Diagnostics {
+// ValidArn validate if it's valid instance profile or role ARN
+func ValidArn(v any, c cty.Path) diag.Diagnostics {
 	s, ok := v.(string)
 	if !ok {
 		return diag.Diagnostics{
@@ -182,6 +201,24 @@ func ValidInstanceProfile(v any, c cty.Path) diag.Diagnostics {
 			},
 		}
 	}
+	var arnType string
+	switch c[0].(cty.GetAttrStep).Name {
+	case "instance_profile_arn", "instance_profile_id":
+		arnType = "instance-profile"
+	case "iam_role_arn":
+		arnType = "role"
+	default:
+		return diag.Diagnostics{
+			diag.Diagnostic{
+				AttributePath: c,
+				Summary:       "Unknown attribute",
+				Detail:        "ARN type associated with attribute is not known",
+			},
+		}
+	}
+	if s == "" && arnType == "role" {
+		return nil
+	}
 	if !strings.HasPrefix(s, "arn:") {
 		return diag.Diagnostics{
 			diag.Diagnostic{
@@ -201,12 +238,12 @@ func ValidInstanceProfile(v any, c cty.Path) diag.Diagnostics {
 			},
 		}
 	}
-	if !strings.HasPrefix(arnSections[5], "instance-profile") {
+	if !strings.HasPrefix(arnSections[5], arnType) {
 		return diag.Diagnostics{
 			diag.Diagnostic{
 				AttributePath: c,
 				Summary:       "Invalid ARN",
-				Detail:        fmt.Sprintf("Not an instance profile ARN: %s", v),
+				Detail:        fmt.Sprintf("Not a %s ARN: %s", arnType, v),
 			},
 		}
 	}
diff --git a/aws/resource_instance_profile_test.go b/aws/resource_instance_profile_test.go
@@ -42,6 +42,73 @@ func TestResourceInstanceProfileCreate(t *testing.T) {
 	assert.Equal(t, "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile", d.Id())
 }
 
+func TestResourceInstanceProfileWithRoleCreate(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/instance-profiles/add",
+				ExpectedRequest: InstanceProfileInfo{
+					InstanceProfileArn: "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+					IamRoleArn:         "arn:aws:iam::999999999999:role/my-fake-instance-profile-role",
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/instance-profiles/list",
+				Response: InstanceProfileList{
+					InstanceProfiles: []InstanceProfileInfo{
+						{
+							InstanceProfileArn: "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+			"iam_role_arn":         "arn:aws:iam::999999999999:role/my-fake-instance-profile-role",
+		},
+		Create: true,
+	}.Apply(t)
+	assert.NoError(t, err, err)
+	assert.Equal(t, "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile", d.Id())
+}
+
+func TestResourceInstanceProfileWithEmptyRoleCreate(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/instance-profiles/add",
+				ExpectedRequest: InstanceProfileInfo{
+					InstanceProfileArn: "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/instance-profiles/list",
+				Response: InstanceProfileList{
+					InstanceProfiles: []InstanceProfileInfo{
+						{
+							InstanceProfileArn: "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+			"iam_role_arn":         "",
+		},
+		Create: true,
+	}.Apply(t)
+	assert.NoError(t, err, err)
+	assert.Equal(t, "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile", d.Id())
+}
+
 func TestResourceInstanceProfileCreate_Error(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
@@ -65,7 +132,7 @@ func TestResourceInstanceProfileCreate_Error(t *testing.T) {
 	assert.Equal(t, "", d.Id(), "Id should be empty for error creates")
 }
 
-func TestResourceInstanceProfileCreate_Error_InvalidARN(t *testing.T) {
+func TestResourceInstanceProfileValidate_Error_InvalidInstanceProfileARN(t *testing.T) {
 	_, err := qa.ResourceFixture{
 		Resource: ResourceInstanceProfile(),
 		State: map[string]any{
@@ -76,6 +143,64 @@ func TestResourceInstanceProfileCreate_Error_InvalidARN(t *testing.T) {
 	assert.EqualError(t, err, "invalid config supplied. [instance_profile_arn] Invalid ARN")
 }
 
+func TestResourceInstanceProfileValidate_Error_InvalidRoleARN(t *testing.T) {
+	_, err := qa.ResourceFixture{
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+			"iam_role_arn":         "abc",
+		},
+		Create: true,
+	}.Apply(t)
+	assert.EqualError(t, err, "invalid config supplied. [iam_role_arn] Invalid ARN")
+}
+
+func TestResourceInstanceProfileValidate_Error_MalformedARN(t *testing.T) {
+	_, err := qa.ResourceFixture{
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::instance-profile/my-fake-instance-profile",
+		},
+		Create: true,
+	}.Apply(t)
+	assert.EqualError(t, err, "invalid config supplied. [instance_profile_arn] Invalid ARN")
+}
+
+func TestResourceInstanceProfileValidate_Error_WrongTypeProfileARN(t *testing.T) {
+	_, err := qa.ResourceFixture{
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::999999999999:failure/my-fake-instance-profile",
+		},
+		Create: true,
+	}.Apply(t)
+	assert.EqualError(t, err, "invalid config supplied. [instance_profile_arn] Invalid ARN")
+}
+
+func TestResourceInstanceProfileValidate_Error_WrongTypeRoleARN(t *testing.T) {
+	_, err := qa.ResourceFixture{
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+			"iam_role_arn":         "arn:aws:iam::999999999999:failure/my-fake-instance-profile-role",
+		},
+		Create: true,
+	}.Apply(t)
+	assert.EqualError(t, err, "invalid config supplied. [iam_role_arn] Invalid ARN")
+}
+
+func TestResourceInstanceProfileValidate_Error_EmptyInstanceProfileARN(t *testing.T) {
+	_, err := qa.ResourceFixture{
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "",
+			"iam_role_arn":         "arn:aws:iam::999999999999:role/my-fake-instance-profile-role",
+		},
+		Create: true,
+	}.Apply(t)
+	assert.EqualError(t, err, "invalid config supplied. [instance_profile_arn] Invalid ARN")
+}
+
 func TestResourceInstanceProfileRead(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{
@@ -180,6 +305,77 @@ func TestResourceInstanceProfileDelete_Error(t *testing.T) {
 	assert.Equal(t, "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile", d.Id())
 }
 
+func TestResourceInstanceProfileUpdate(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/instance-profiles/list",
+				Response: InstanceProfileList{
+					InstanceProfiles: []InstanceProfileInfo{
+						{
+							InstanceProfileArn: "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+						},
+					},
+				},
+			},
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/instance-profiles/edit",
+				ExpectedRequest: InstanceProfileInfo{
+					InstanceProfileArn: "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+					IamRoleArn:         "arn:aws:iam::999999999999:role/my-fake-instance-profile-role",
+				},
+			},
+		},
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+			"iam_role_arn":         "arn:aws:iam::999999999999:role/my-fake-instance-profile-role",
+		},
+		Update: true,
+		ID:     "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+	}.Apply(t)
+	assert.NoError(t, err, err)
+	assert.Equal(t, "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile", d.Id())
+}
+
+func TestResourceInstanceProfileUpdate_Error(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/instance-profiles/list",
+				Response: InstanceProfileList{
+					InstanceProfiles: []InstanceProfileInfo{
+						{
+							InstanceProfileArn: "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+						},
+					},
+				},
+			},
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/instance-profiles/edit",
+				Response: common.APIErrorBody{
+					ErrorCode: "INVALID_REQUEST",
+					Message:   "Internal error happened",
+				},
+				Status: 400,
+			},
+		},
+		Resource: ResourceInstanceProfile(),
+		State: map[string]any{
+			"instance_profile_arn": "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+			"iam_role_arn":         "",
+		},
+		Update: true,
+		ID:     "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile",
+	}.Apply(t)
+	qa.AssertErrorStartsWith(t, err, "Internal error happened")
+	assert.Equal(t, "arn:aws:iam::999999999999:instance-profile/my-fake-instance-profile", d.Id())
+}
+
 func TestAccAwsInstanceProfiles(t *testing.T) {
 	arn := qa.GetEnvOrSkipTest(t, "TEST_EC2_INSTANCE_PROFILE")
 	client := common.NewClientFromEnvironment()
diff --git a/aws/resource_user_instance_profile.go b/aws/resource_user_instance_profile.go
@@ -14,7 +14,7 @@ import (
 func ResourceUserInstanceProfile() *schema.Resource {
 	r := common.NewPairID("user_id", "instance_profile_id").Schema(func(
 		m map[string]*schema.Schema) map[string]*schema.Schema {
-		m["instance_profile_id"].ValidateDiagFunc = ValidInstanceProfile
+		m["instance_profile_id"].ValidateDiagFunc = ValidArn
 		return m
 	}).BindResource(common.BindResource{
 		CreateContext: func(ctx context.Context, userID, roleARN string, c *common.DatabricksClient) error {
diff --git a/docs/resources/instance_profile.md b/docs/resources/instance_profile.md
@@ -108,12 +108,50 @@ resource "databricks_group_instance_profile" "all" {
   instance_profile_id = databricks_instance_profile.this.id
 }
 ```
+## Usage with Databricks SQL serverless
+When the instance profile ARN and its associated IAM role ARN don't match and the instance profile is intended for use with Databricks SQL serverless, the `iam_role_arn` parameter can be specified
+
+```hcl
+data "aws_iam_policy_document" "sql_serverless_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::790110701330:role/serverless-customer-resource-role"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalID"
+      values = [
+        "databricks-serverless-<YOUR_WORKSPACE_ID1>",
+        "databricks-serverless-<YOUR_WORKSPACE_ID2>"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role" "this" {
+  name               = "my-databricks-sql-serverless-role"
+  assume_role_policy = data.aws_iam_policy_document.sql_serverless_assume_role.json
+}
+
+resource "aws_iam_instance_profile" "this" {
+  name = "my-databricks-sql-serverless-instance-profile"
+  role = aws_iam_role.this.name
+}
+
+resource "databricks_instance_profile" "this" {
+  instance_profile_arn = aws_iam_instance_profile.this.arn
+  iam_role_arn         = aws_iam_role.this.arn
+}
+```
 
 ## Argument Reference
 
 The following arguments are supported:
 
 * `instance_profile_arn` - (Required) `ARN` attribute of `aws_iam_instance_profile` output, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.
+* `iam_role_arn` - (Optional) The AWS IAM role ARN of the role associated with the instance profile. It must have the form `arn:aws:iam::<account-id>:role/<name>`. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.
 * `is_meta_instance_profile` - (Optional) Whether the instance profile is a meta instance profile. Used only in [IAM credential passthrough](https://docs.databricks.com/security/credential-passthrough/iam-passthrough.html).
 * `skip_validation` - (Optional) **For advanced usage only.** If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. “Your requested instance type is not supported in your requested availability zone”), you can pass this flag to skip the validation and forcibly add the instance profile.
 
