UNPKG

@pulumi/databricks

Version:

A Pulumi package for creating and managing databricks cloud resources.

pulumi/pulumi-databricks

257 lines • 10.2 kB

JavaScript

"use strict"; // *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); exports.AccessControlRuleSet = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("./utilities"); /** * > This resource can be used with an account or workspace-level provider. * * This resource allows you to manage access rules on Databricks account level resources. For convenience we allow accessing this resource through the Databricks account and workspace. * * > Currently, we only support managing access rules on specific object resources (service principal, group, budget policies and account) through `databricks.AccessControlRuleSet`. * * !> `databricks.AccessControlRuleSet` cannot be used to manage access rules for resources supported by databricks_permissions. Refer to its documentation for more information. * * > This resource is _authoritative_ for permissions on objects. Configuring this resource for an object will **OVERWRITE** any existing permissions of the same type unless imported, and changes made outside of Pulumi will be reset. * * ## Service principal rule set usage * * Through a Databricks workspace: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const accountId = "00000000-0000-0000-0000-000000000000"; * // account level group * const ds = databricks.getGroup({ * displayName: "Data Science", * }); * const automationSp = new databricks.ServicePrincipal("automation_sp", {displayName: "SP_FOR_AUTOMATION"}); * const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", { * name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`, * grantRules: [{ * principals: [ds.then(ds => ds.aclPrincipalId)], * role: "roles/servicePrincipal.user", * }], * }); * ``` * * Through AWS Databricks account: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const accountId = "00000000-0000-0000-0000-000000000000"; * // account level group creation * const ds = new databricks.Group("ds", {displayName: "Data Science"}); * const automationSp = new databricks.ServicePrincipal("automation_sp", {displayName: "SP_FOR_AUTOMATION"}); * const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", { * name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`, * grantRules: [{ * principals: [ds.aclPrincipalId], * role: "roles/servicePrincipal.user", * }], * }); * ``` * * Through Azure Databricks account: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const accountId = "00000000-0000-0000-0000-000000000000"; * // account level group creation * const ds = new databricks.Group("ds", {displayName: "Data Science"}); * const automationSp = new databricks.ServicePrincipal("automation_sp", { * applicationId: "00000000-0000-0000-0000-000000000000", * displayName: "SP_FOR_AUTOMATION", * }); * const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", { * name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`, * grantRules: [{ * principals: [ds.aclPrincipalId], * role: "roles/servicePrincipal.user", * }], * }); * ``` * * Through GCP Databricks account: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const accountId = "00000000-0000-0000-0000-000000000000"; * // account level group creation * const ds = new databricks.Group("ds", {displayName: "Data Science"}); * const automationSp = new databricks.ServicePrincipal("automation_sp", {displayName: "SP_FOR_AUTOMATION"}); * const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", { * name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`, * grantRules: [{ * principals: [ds.aclPrincipalId], * role: "roles/servicePrincipal.user", * }], * }); * ``` * * ## Group rule set usage * * Refer to the appropriate provider configuration as shown in the examples for service principal rule set. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const accountId = "00000000-0000-0000-0000-000000000000"; * // account level group * const ds = databricks.getGroup({ * displayName: "Data Science", * }); * const john = databricks.getUser({ * userName: "john.doe@example.com", * }); * const dsGroupRuleSet = new databricks.AccessControlRuleSet("ds_group_rule_set", { * name: `accounts/${accountId}/groups/${dsDatabricksGroup.id}/ruleSets/default`, * grantRules: [{ * principals: [john.then(john => john.aclPrincipalId)], * role: "roles/group.manager", * }], * }); * ``` * * ## Account rule set usage * * Refer to the appropriate provider configuration as shown in the examples for service principal rule set. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const accountId = "00000000-0000-0000-0000-000000000000"; * // account level group * const ds = databricks.getGroup({ * displayName: "Data Science", * }); * // account level group * const marketplaceAdmins = databricks.getGroup({ * displayName: "Marketplace Admins", * }); * const john = databricks.getUser({ * userName: "john.doe@example.com", * }); * const accountRuleSet = new databricks.AccessControlRuleSet("account_rule_set", { * name: `accounts/${accountId}/ruleSets/default`, * grantRules: [ * { * principals: [john.then(john => john.aclPrincipalId)], * role: "roles/group.manager", * }, * { * principals: [ds.then(ds => ds.aclPrincipalId)], * role: "roles/servicePrincipal.manager", * }, * { * principals: [marketplaceAdmins.then(marketplaceAdmins => marketplaceAdmins.aclPrincipalId)], * role: "roles/marketplace.admin", * }, * ], * }); * ``` * * ## Budget policy usage * * Access to budget policies could be controlled with this resource: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const accountId = "00000000-0000-0000-0000-000000000000"; * // account level group * const ds = databricks.getGroup({ * displayName: "Data Science", * }); * const john = databricks.getUser({ * userName: "john.doe@example.com", * }); * const _this = new databricks.BudgetPolicy("this", { * policyName: "data-science-budget-policy", * customTags: [{ * key: "mykey", * value: "myvalue", * }], * }); * const budgetPolicyUsage = new databricks.AccessControlRuleSet("budget_policy_usage", { * name: pulumi.interpolate`accounts/${accountId}/budgetPolicies/${_this.policyId}/ruleSets/default`, * grantRules: [ * { * principals: [john.then(john => john.aclPrincipalId)], * role: "roles/budgetPolicy.manager", * }, * { * principals: [ds.then(ds => ds.aclPrincipalId)], * role: "roles/budgetPolicy.user", * }, * ], * }); * ``` * * ## Related Resources * * The following resources are often used in the same context: * * * databricks.Group * * databricks.User * * databricks.ServicePrincipal */ class AccessControlRuleSet extends pulumi.CustomResource { /** * Get an existing AccessControlRuleSet resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, state, opts) { return new AccessControlRuleSet(name, state, Object.assign(Object.assign({}, opts), { id: id })); } /** * Returns true if the given object is an instance of AccessControlRuleSet. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } return obj['__pulumiType'] === AccessControlRuleSet.__pulumiType; } constructor(name, argsOrState, opts) { let resourceInputs = {}; opts = opts || {}; if (opts.id) { const state = argsOrState; resourceInputs["etag"] = state ? state.etag : undefined; resourceInputs["grantRules"] = state ? state.grantRules : undefined; resourceInputs["name"] = state ? state.name : undefined; } else { const args = argsOrState; resourceInputs["grantRules"] = args ? args.grantRules : undefined; resourceInputs["name"] = args ? args.name : undefined; resourceInputs["etag"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); super(AccessControlRuleSet.__pulumiType, name, resourceInputs, opts); } } exports.AccessControlRuleSet = AccessControlRuleSet; /** @internal */ AccessControlRuleSet.__pulumiType = 'databricks:index/accessControlRuleSet:AccessControlRuleSet'; //# sourceMappingURL=accessControlRuleSet.js.map