import * as pulumi from "@pulumi/pulumi";
/**
 * This resource allows you to manage AWS EC2 instance profiles that users can launch databricks.Cluster and access data, like databricks_mount. The following example demonstrates how to create an instance profile and create a cluster with it. When creating a new `databricks.InstanceProfile`, Databricks validates that it has sufficient permissions to launch instances with the instance profile. This validation uses AWS dry-run mode for the [AWS EC2 RunInstances API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html).
 *
 * > Please switch to databricks.StorageCredential with Unity Catalog to manage storage credentials, which provides a better and faster way for managing credential security.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // Role that you've specified on https://accounts.cloud.databricks.com/#aws
 * const crossaccountRoleName = config.require("crossaccountRoleName");
 * // Trust policy: only the EC2 service principal may assume the role below.
 * const assumeRoleForEc2 = aws.iam.getPolicyDocument({
 *     statements: [{
 *         effect: "Allow",
 *         actions: ["sts:AssumeRole"],
 *         principals: [{
 *             identifiers: ["ec2.amazonaws.com"],
 *             type: "Service",
 *         }],
 *     }],
 * });
 * const roleForS3Access = new aws.iam.Role("role_for_s3_access", {
 *     name: "shared-ec2-role-for-s3",
 *     description: "Role for shared access",
 *     assumeRolePolicy: assumeRoleForEc2.then(assumeRoleForEc2 => assumeRoleForEc2.json),
 * });
 * // iam:PassRole is scoped to the single role ARN above rather than "*", so the
 * // cross-account role can hand only this one role to EC2.
 * const passRoleForS3Access = aws.iam.getPolicyDocumentOutput({
 *     statements: [{
 *         effect: "Allow",
 *         actions: ["iam:PassRole"],
 *         resources: [roleForS3Access.arn],
 *     }],
 * });
 * const passRoleForS3AccessPolicy = new aws.iam.Policy("pass_role_for_s3_access", {
 *     name: "shared-pass-role-for-s3-access",
 *     path: "/",
 *     policy: passRoleForS3Access.apply(passRoleForS3Access => passRoleForS3Access.json),
 * });
 * const crossAccount = new aws.iam.RolePolicyAttachment("cross_account", {
 *     policyArn: passRoleForS3AccessPolicy.arn,
 *     role: crossaccountRoleName,
 * });
 * const shared = new aws.iam.InstanceProfile("shared", {
 *     name: "shared-instance-profile",
 *     role: roleForS3Access.name,
 * });
 * // Registering the profile triggers the RunInstances dry-run validation described above.
 * const sharedInstanceProfile = new databricks.InstanceProfile("shared", {instanceProfileArn: shared.arn});
 * const latest = databricks.getSparkVersion({});
 * const smallest = databricks.getNodeType({
 *     localDisk: true,
 * });
 * const _this = new databricks.Cluster("this", {
 *     clusterName: "Shared Autoscaling",
 *     sparkVersion: latest.then(latest => latest.id),
 *     nodeTypeId: smallest.then(smallest => smallest.id),
 *     autoterminationMinutes: 20,
 *     autoscale: {
 *         minWorkers: 1,
 *         maxWorkers: 50,
 *     },
 *     awsAttributes: {
 *         instanceProfileArn: sharedInstanceProfile.id,
 *         availability: "SPOT",
 *         zoneId: "us-east-1",
 *         firstOnDemand: 1,
 *         spotBidPricePercent: 100,
 *     },
 * });
 * ```
 *
 * ## Usage with Cluster Policies
 *
 * It is advised to keep all common configurations in Cluster Policies to maintain control of the environments launched, so `databricks.Cluster` above could be replaced with `databricks.ClusterPolicy`:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as databricks from "@pulumi/databricks";
 *
 * // NOTE(review): `shared` is not declared in this snippet; it presumably refers to the
 * // instance profile created in the first example — confirm which resource (and whether
 * // `.id` or `.arn` is the intended ARN value) before copying.
 * const _this = new databricks.ClusterPolicy("this", {
 *     name: "Policy with predefined instance profile",
 *     definition: JSON.stringify({
 *         // "fixed" pins the instance profile so cluster creators cannot override it.
 *         "aws_attributes.instance_profile_arn": {
 *             type: "fixed",
 *             value: shared.id,
 *         },
 *     }),
 * });
 * ```
 *
 * ## Granting access to all users
 *
 * You can make instance profile available to all users by associating it with the special group called `users` through databricks.Group data source. Every workspace user can then launch clusters with this instance profile, so the permissions of the underlying IAM role should be scoped accordingly.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as databricks from "@pulumi/databricks";
 *
 * // NOTE(review): `shared` is not declared in this snippet either; see the first example.
 * const _this = new databricks.InstanceProfile("this", {instanceProfileArn: shared.id});
 * const users = databricks.getGroup({
 *     displayName: "users",
 * });
 * const all = new databricks.GroupInstanceProfile("all", {
 *     groupId: users.then(users => users.id),
 *     instanceProfileId: _this.id,
 * });
 * ```
 *
 * ## Usage with Databricks SQL serverless
 *
 * When the instance profile ARN and its associated IAM role ARN don't match and the instance profile is intended for use with Databricks SQL serverless, the `iamRoleArn` parameter can be specified.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const sqlServerlessAssumeRole = aws.iam.getPolicyDocument({
 *     statements: [{
 *         actions: ["sts:AssumeRole"],
 *         principals: [{
 *             type: "AWS",
 *             identifiers: ["arn:aws:iam::790110701330:role/serverless-customer-resource-role"],
 *         }],
 *         // The sts:ExternalID condition restricts the trust to the listed workspace IDs;
 *         // replace the placeholders with your own workspace IDs and keep the list minimal.
 *         conditions: [{
 *             test: "StringEquals",
 *             variable: "sts:ExternalID",
 *             values: [
 *                 "databricks-serverless-<YOUR_WORKSPACE_ID1>",
 *                 "databricks-serverless-<YOUR_WORKSPACE_ID2>",
 *             ],
 *         }],
 *     }],
 * });
 * const _this = new aws.iam.Role("this", {
 *     name: "my-databricks-sql-serverless-role",
 *     assumeRolePolicy: sqlServerlessAssumeRole.then(sqlServerlessAssumeRole => sqlServerlessAssumeRole.json),
 * });
 * const thisInstanceProfile = new aws.iam.InstanceProfile("this", {
 *     name: "my-databricks-sql-serverless-instance-profile",
 *     role: _this.name,
 * });
 * // Profile name and role name differ here, so the role ARN is passed explicitly.
 * const thisInstanceProfile2 = new databricks.InstanceProfile("this", {
 *     instanceProfileArn: thisInstanceProfile.arn,
 *     iamRoleArn: _this.arn,
 * });
 * ```
 *
 * ## Import
 *
 * The resource instance profile can be imported using the ARN of it
 *
 * bash
 *
 * ```sh
 * $ pulumi import databricks:index/instanceProfile:InstanceProfile this <instance-profile-arn>
 * ```
 */
export declare class InstanceProfile extends pulumi.CustomResource {
    /**
     * Get an existing InstanceProfile resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup. Per the Import section above, this is the instance profile ARN.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: InstanceProfileState, opts?: pulumi.CustomResourceOptions): InstanceProfile;
    /**
     * Returns true if the given object is an instance of InstanceProfile. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj Any value; the check does not rely on `instanceof`, which is why `any` is accepted here.
     */
    static isInstance(obj: any): obj is InstanceProfile;
    /**
     * The AWS IAM role ARN of the role associated with the instance profile. It must have the form `arn:aws:iam::<account-id>:role/<name>`. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.
     */
    readonly iamRoleArn: pulumi.Output<string | undefined>;
    /**
     * `ARN` attribute of `awsIamInstanceProfile` output, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.
     */
    readonly instanceProfileArn: pulumi.Output<string>;
    /**
     * Whether the instance profile is a meta instance profile. Used only in [IAM credential passthrough](https://docs.databricks.com/security/credential-passthrough/iam-passthrough.html).
     * NOTE(review): what a meta instance profile entails beyond this flag is not described here; see the linked page.
     */
    readonly isMetaInstanceProfile: pulumi.Output<boolean | undefined>;
    /**
     * **For advanced usage only.** If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
     * NOTE(review): enabling this bypasses the RunInstances dry-run described above, so IAM permission problems with the profile are not caught at resource creation; verify the role's permissions out-of-band before setting it.
     */
    readonly skipValidation: pulumi.Output<boolean>;
    /**
     * Create a InstanceProfile resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties. `instanceProfileArn` is the only required argument (see InstanceProfileArgs).
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: InstanceProfileArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering InstanceProfile resources.
 * All fields are optional here because this shape describes a lookup filter, not a creation request.
 */
export interface InstanceProfileState {
    /**
     * The AWS IAM role ARN of the role associated with the instance profile. It must have the form `arn:aws:iam::<account-id>:role/<name>`. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.
     */
    iamRoleArn?: pulumi.Input<string>;
    /**
     * `ARN` attribute of `awsIamInstanceProfile` output, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.
     */
    instanceProfileArn?: pulumi.Input<string>;
    /**
     * Whether the instance profile is a meta instance profile. Used only in [IAM credential passthrough](https://docs.databricks.com/security/credential-passthrough/iam-passthrough.html).
     */
    isMetaInstanceProfile?: pulumi.Input<boolean>;
    /**
     * **For advanced usage only.** If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
     */
    skipValidation?: pulumi.Input<boolean>;
}
/**
 * The set of arguments for constructing a InstanceProfile resource.
 */
export interface InstanceProfileArgs {
    /**
     * The AWS IAM role ARN of the role associated with the instance profile. It must have the form `arn:aws:iam::<account-id>:role/<name>`. This field is required if your role name and instance profile name do not match and you want to use the instance profile with Databricks SQL Serverless.
     */
    iamRoleArn?: pulumi.Input<string>;
    /**
     * `ARN` attribute of `awsIamInstanceProfile` output, the EC2 instance profile association to AWS IAM role. This ARN would be validated upon resource creation.
     * This is the only required argument.
     */
    instanceProfileArn: pulumi.Input<string>;
    /**
     * Whether the instance profile is a meta instance profile. Used only in [IAM credential passthrough](https://docs.databricks.com/security/credential-passthrough/iam-passthrough.html).
     */
    isMetaInstanceProfile?: pulumi.Input<boolean>;
    /**
     * **For advanced usage only.** If validation fails with an error message that does not indicate an IAM related permission issue, (e.g. "Your requested instance type is not supported in your requested availability zone"), you can pass this flag to skip the validation and forcibly add the instance profile.
     * NOTE(review): when set, the dry-run permission check described on the class is skipped entirely, so verify the role's permissions by other means.
     */
    skipValidation?: pulumi.Input<boolean>;
}