
@pulumi/databricks


A Pulumi package for creating and managing databricks cloud resources.

import * as pulumi from "@pulumi/pulumi";
/**
 * Constructs the AWS STS assume-role (trust) policy document for the cross-account IAM role used by Databricks.
 *
 * The returned `json` is meant to be passed as `assumeRolePolicy` of an `aws.iam.Role`, as the example below
 * does. It only governs who may assume the role; the role's permissions come from the policy attached
 * separately (`databricks.getAwsCrossAccountPolicy` in the example).
 *
 * NOTE(review): `externalId` is presumably emitted as the `sts:ExternalId` condition of the trust policy;
 * confirm by inspecting the returned `json` before creating the role.
 *
 * ## Example Usage
 *
 * End-to-end example of provisioning a cross-account IAM role with databricks.MwsCredentials and aws_iam_role:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // NOTE: `prefix` is not declared in this snippet; define it before use.
 * // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
 * const databricksAccountId = config.requireObject<any>("databricksAccountId");
 * const _this = databricks.getAwsCrossAccountPolicy({});
 * const crossAccountPolicy = new aws.iam.Policy("cross_account_policy", {
 *     name: `${prefix}-crossaccount-iam-policy`,
 *     policy: _this.then(_this => _this.json),
 * });
 * const thisGetAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
 *     externalId: databricksAccountId,
 * });
 * const crossAccount = new aws.iam.Role("cross_account", {
 *     name: `${prefix}-crossaccount-iam-role`,
 *     assumeRolePolicy: thisGetAwsAssumeRolePolicy.then(thisGetAwsAssumeRolePolicy => thisGetAwsAssumeRolePolicy.json),
 *     description: "Grants Databricks full access to VPC resources",
 * });
 * const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("cross_account", {
 *     policyArn: crossAccountPolicy.arn,
 *     role: crossAccount.name,
 * });
 * // required only in case of multi-workspace setup
 * const thisMwsCredentials = new databricks.MwsCredentials("this", {
 *     accountId: databricksAccountId,
 *     credentialsName: `${prefix}-creds`,
 *     roleArn: crossAccount.arn,
 * });
 * ```
 *
 * ## Related Resources
 *
 * The following resources are used in the same context:
 *
 * * Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
 * * databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
 * * databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on [official documentation](https://docs.databricks.com/administration-guide/account-api/iam-role.html#language-Your%C2%A0VPC,%C2%A0default).
 *
 * @param args Arguments of the invoke; only `externalId` is required.
 * @param opts Optional Pulumi invoke options.
 * @returns A promise of the result, whose `json` field holds the policy document.
 */
export declare function getAwsAssumeRolePolicy(args: GetAwsAssumeRolePolicyArgs, opts?: pulumi.InvokeOptions): Promise<GetAwsAssumeRolePolicyResult>;
/**
 * A collection of arguments for invoking getAwsAssumeRolePolicy.
 */
export interface GetAwsAssumeRolePolicyArgs {
    /**
     * AWS partition. The options are `aws`, `aws-us-gov`, or `aws-us-gov-dod`. Defaults to `aws`.
     */
    awsPartition?: string;
    /**
     * @deprecated databricks_account_id will be removed in the next major release.
     */
    databricksAccountId?: string;
    /**
     * Databricks Account Id, found in the top right corner of the [Accounts Console](https://accounts.cloud.databricks.com/).
     *
     * NOTE(review): presumably used as the external ID condition of the generated trust policy; pass the
     * ID of your own Databricks account and verify it in the returned `json`.
     */
    externalId: string;
    /**
     * Whether this assume role policy should be created for usage log delivery. Defaults to false.
     */
    forLogDelivery?: boolean;
}
/**
 * A collection of values returned by getAwsAssumeRolePolicy.
 *
 * NOTE(review): the fields that share a name with an argument presumably echo the value that was passed
 * in; confirm against the provider.
 */
export interface GetAwsAssumeRolePolicyResult {
    readonly awsPartition?: string;
    /**
     * @deprecated databricks_account_id will be removed in the next major release.
     */
    readonly databricksAccountId?: string;
    readonly externalId: string;
    readonly forLogDelivery?: boolean;
    /**
     * The provider-assigned unique ID for this managed resource.
     */
    readonly id: string;
    /**
     * AWS IAM policy document, serialized as JSON. Review it before passing it as the
     * `assumeRolePolicy` of an IAM role.
     */
    readonly json: string;
}
/**
 * Constructs the AWS STS assume-role (trust) policy document for the cross-account IAM role used by Databricks.
 *
 * This variant of getAwsAssumeRolePolicy accepts `pulumi.Input` arguments and returns a `pulumi.Output`
 * instead of a `Promise`.
 *
 * The returned `json` is meant to be passed as `assumeRolePolicy` of an `aws.iam.Role`, as the example below
 * does. It only governs who may assume the role; the role's permissions come from the policy attached
 * separately (`databricks.getAwsCrossAccountPolicy` in the example).
 *
 * NOTE(review): `externalId` is presumably emitted as the `sts:ExternalId` condition of the trust policy;
 * confirm by inspecting the returned `json` before creating the role.
 *
 * ## Example Usage
 *
 * End-to-end example of provisioning a cross-account IAM role with databricks.MwsCredentials and aws_iam_role:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // NOTE: `prefix` is not declared in this snippet; define it before use.
 * // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
 * const databricksAccountId = config.requireObject<any>("databricksAccountId");
 * const _this = databricks.getAwsCrossAccountPolicy({});
 * const crossAccountPolicy = new aws.iam.Policy("cross_account_policy", {
 *     name: `${prefix}-crossaccount-iam-policy`,
 *     policy: _this.then(_this => _this.json),
 * });
 * const thisGetAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
 *     externalId: databricksAccountId,
 * });
 * const crossAccount = new aws.iam.Role("cross_account", {
 *     name: `${prefix}-crossaccount-iam-role`,
 *     assumeRolePolicy: thisGetAwsAssumeRolePolicy.then(thisGetAwsAssumeRolePolicy => thisGetAwsAssumeRolePolicy.json),
 *     description: "Grants Databricks full access to VPC resources",
 * });
 * const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("cross_account", {
 *     policyArn: crossAccountPolicy.arn,
 *     role: crossAccount.name,
 * });
 * // required only in case of multi-workspace setup
 * const thisMwsCredentials = new databricks.MwsCredentials("this", {
 *     accountId: databricksAccountId,
 *     credentialsName: `${prefix}-creds`,
 *     roleArn: crossAccount.arn,
 * });
 * ```
 *
 * ## Related Resources
 *
 * The following resources are used in the same context:
 *
 * * Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
 * * databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
 * * databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on [official documentation](https://docs.databricks.com/administration-guide/account-api/iam-role.html#language-Your%C2%A0VPC,%C2%A0default).
 *
 * @param args Arguments of the invoke, each accepted as a `pulumi.Input`; only `externalId` is required.
 * @param opts Optional Pulumi invoke options.
 * @returns A `pulumi.Output` of the result, whose `json` field holds the policy document.
 */
export declare function getAwsAssumeRolePolicyOutput(args: GetAwsAssumeRolePolicyOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetAwsAssumeRolePolicyResult>;
/**
 * A collection of arguments for invoking getAwsAssumeRolePolicy.
 */
export interface GetAwsAssumeRolePolicyOutputArgs {
    /**
     * AWS partition. The options are `aws`, `aws-us-gov`, or `aws-us-gov-dod`. Defaults to `aws`.
     */
    awsPartition?: pulumi.Input<string>;
    /**
     * @deprecated databricks_account_id will be removed in the next major release.
     */
    databricksAccountId?: pulumi.Input<string>;
    /**
     * Databricks Account Id, found in the top right corner of the [Accounts Console](https://accounts.cloud.databricks.com/).
     *
     * NOTE(review): presumably used as the external ID condition of the generated trust policy; pass the
     * ID of your own Databricks account and verify it in the returned `json`.
     */
    externalId: pulumi.Input<string>;
    /**
     * Whether this assume role policy should be created for usage log delivery. Defaults to false.
     */
    forLogDelivery?: pulumi.Input<boolean>;
}