add aws_unity_catalog_assume_role_policy data source (#3622)

* add `aws_unity_catalog_assume_role_policy` data source

* feedback

Author: nkvuong

aws/data_aws_unity_catalog_assume_role_policy.go

@@ -0,0 +1,63 @@
+package aws
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/databricks/terraform-provider-databricks/common"
+)
+
+func DataAwsUnityCatalogAssumeRolePolicy() common.Resource {
+	type AwsUcAssumeRolePolicy struct {
+		RoleName           string `json:"role_name"`
+		UnityCatalogIamArn string `json:"unity_catalog_iam_arn,omitempty" tf:"computed"`
+		ExternalId         string `json:"external_id"`
+		AwsAccountId       string `json:"aws_account_id"`
+		JSON               string `json:"json" tf:"computed"`
+		Id                 string `json:"id" tf:"computed"`
+	}
+	return common.NoClientData(func(ctx context.Context, data *AwsUcAssumeRolePolicy) error {
+		if data.UnityCatalogIamArn == "" {
+			data.UnityCatalogIamArn = "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
+		}
+		policy := awsIamPolicy{
+			Version: "2012-10-17",
+			Statements: []*awsIamPolicyStatement{
+				{
+					Sid:     "UnityCatalogAssumeRole",
+					Effect:  "Allow",
+					Actions: "sts:AssumeRole",
+					Condition: map[string]map[string]string{
+						"StringEquals": {
+							"sts:ExternalId": data.ExternalId,
+						},
+					},
+					Principal: map[string]string{
+						"AWS": data.UnityCatalogIamArn,
+					},
+				},
+				{
+					Sid:     "ExplicitSelfRoleAssumption",
+					Effect:  "Allow",
+					Actions: "sts:AssumeRole",
+					Condition: map[string]map[string]string{
+						"ArnLike": {
+							"aws:PrincipalArn": fmt.Sprintf("arn:aws:iam::%s:role/%s", data.AwsAccountId, data.RoleName),
+						},
+					},
+					Principal: map[string]string{
+						"AWS": fmt.Sprintf("arn:aws:iam::%s:root", data.AwsAccountId),
+					},
+				},
+			},
+		}
+		policyJSON, err := json.MarshalIndent(policy, "", "  ")
+		if err != nil {
+			return err
+		}
+		data.Id = fmt.Sprintf("%s-%s-%s", data.AwsAccountId, data.RoleName, data.ExternalId)
+		data.JSON = string(policyJSON)
+		return nil
+	})
+}

aws/data_aws_unity_catalog_assume_role_policy_test.go

@@ -0,0 +1,105 @@
+package aws
+
+import (
+	"testing"
+
+	"github.com/databricks/terraform-provider-databricks/qa"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDataAwsUnityCatalogAssumeRolePolicy(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsUnityCatalogAssumeRolePolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+        aws_account_id = "123456789098"
+        unity_catalog_iam_arn = "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
+        role_name = "databricks-role"
+        external_id = "12345"
+        `,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json").(string)
+	p := `{
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Sid": "UnityCatalogAssumeRole",
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "AWS": "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "sts:ExternalId": "12345"
+                }
+              }
+            },
+            {
+              "Sid": "ExplicitSelfRoleAssumption",
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "AWS": "arn:aws:iam::123456789098:root"
+              },
+              "Condition": {
+                "ArnLike": {
+                  "aws:PrincipalArn": "arn:aws:iam::123456789098:role/databricks-role"
+                }
+              }
+            }
+          ]
+        }`
+	compareJSON(t, j, p)
+}
+
+func TestDataAwsUnityCatalogAssumeRolePolicyWithoutUcArn(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsUnityCatalogAssumeRolePolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+        aws_account_id = "123456789098"
+        role_name = "databricks-role"
+        external_id = "12345"
+        `,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json").(string)
+	p := `{
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Sid": "UnityCatalogAssumeRole",
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "AWS": "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "sts:ExternalId": "12345"
+                }
+              }
+            },
+            {
+              "Sid": "ExplicitSelfRoleAssumption",
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "AWS": "arn:aws:iam::123456789098:root"
+              },
+              "Condition": {
+                "ArnLike": {
+                  "aws:PrincipalArn": "arn:aws:iam::123456789098:role/databricks-role"
+                }
+              }
+            }
+          ]
+        }`
+	compareJSON(t, j, p)
+}

docs/data-sources/aws_unity_catalog_assume_role_policy.md

@@ -0,0 +1,49 @@
+---
+subcategory: "Deployment"
+---
+# databricks_aws_unity_catalog_assume_role_policy Data Source
+
+-> **Note** This resource has an evolving API, which may change in future versions of the provider. Please always consult [latest documentation](https://docs.databricks.com/data-governance/unity-catalog/get-started.html#configure-a-storage-bucket-and-iam-role-in-aws) in case of any questions.
+
+This data source constructs necessary AWS Unity Catalog assume role policy for you.
+
+## Example Usage
+
+```hcl
+data "databricks_aws_unity_catalog_policy" "this" {
+  aws_account_id = var.aws_account_id
+  bucket_name    = "databricks-bucket"
+  role_name      = "${var.prefix}-uc-access"
+  kms_name       = "databricks-kms"
+}
+
+data "databricks_aws_unity_catalog_assume_role_policy" "this" {
+  aws_account_id = var.aws_account_id
+  role_name      = "${var.prefix}-uc-access"
+  external_id    = "12345"
+}
+
+resource "aws_iam_policy" "unity_metastore" {
+  name   = "${var.prefix}-unity-catalog-metastore-access-iam-policy"
+  policy = data.databricks_aws_unity_catalog_policy.this.json
+}
+
+resource "aws_iam_role" "metastore_data_access" {
+  name                = "${var.prefix}-uc-access"
+  assume_role_policy  = data.aws_iam_policy_document.passrole_for_uc.json
+  managed_policy_arns = [aws_iam_policy.unity_metastore.arn]
+}
+```
+
+## Argument Reference
+
+* `aws_account_id` (Required) The Account ID of the current AWS account (not your Databricks account).
+* `external_id` (Required) The [storage credential](../resources/storage_credential.md) external id.
+* `role_name` (Required) The name of the AWS IAM role that you created in the previous step in the [official documentation](https://docs.databricks.com/data-governance/unity-catalog/get-started.html#configure-a-storage-bucket-and-iam-role-in-aws).
+* `unity_catalog_iam_arn` (Optional) The Databricks Unity Catalog IAM Role ARN. Defaults to `arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL`
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `json` - AWS IAM Policy JSON document for assume role

docs/data-sources/aws_unity_catalog_policy.md

@@ -3,50 +3,24 @@ subcategory: "Deployment"
 ---
 # databricks_aws_unity_catalog_policy Data Source
 
--> **Note** This resource has an evolving API, which may change in future versions of the provider. Please always consult [latest documentation](https://docs.databricks.com/administration-guide/account-api/iam-role.html#language-Your%C2%A0VPC,%C2%A0default) in case of any questions.
+-> **Note** This resource has an evolving API, which may change in future versions of the provider. Please always consult [latest documentation](https://docs.databricks.com/data-governance/unity-catalog/get-started.html#configure-a-storage-bucket-and-iam-role-in-aws) in case of any questions.
 
-This data source constructs necessary AWS Unity Catalog policy for you, which is based on [official documentation](https://docs.databricks.com/data-governance/unity-catalog/get-started.html#configure-a-storage-bucket-and-iam-role-in-aws).
+This data source constructs necessary AWS Unity Catalog policy for you.
 
 ## Example Usage
 
 ```hcl
 data "databricks_aws_unity_catalog_policy" "this" {
   aws_account_id = var.aws_account_id
   bucket_name    = "databricks-bucket"
-  role_name      = "databricks-role"
+  role_name      = "${var.prefix}-uc-access"
   kms_name       = "databricks-kms"
 }
 
-data "aws_iam_policy_document" "passrole_for_uc" {
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    principals {
-      identifiers = [
-        "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL" # Databricks Account ID
-      ]
-      type = "AWS"
-    }
-    condition {
-      test     = "StringEquals"
-      variable = "sts:ExternalId"
-      values   = [var.databricks_account_id]
-    }
-  }
-  statement {
-    sid     = "ExplicitSelfRoleAssumption"
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
-    }
-    condition {
-      test     = "ArnLike"
-      variable = "aws:PrincipalArn"
-      values   = ["arn:aws:iam::${var.aws_account_id}:role/${var.prefix}-uc-access"]
-    }
-  }
+data "databricks_aws_unity_catalog_assume_role_policy" "this" {
+  aws_account_id = var.aws_account_id
+  role_name      = "${var.prefix}-uc-access"
+  external_id    = "12345"
 }
 
 resource "aws_iam_policy" "unity_metastore" {