@pulumi/databricks

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "./types/input"; import * as outputs from "./types/output"; /** * [![Public Preview](https://img.shields.io/badge/Release_Stage-Public_Preview-yellowgreen)](https://docs.databricks.com/aws/en/release-notes/release-types) * * Attribute-Based Access Control (ABAC) policies in Unity Catalog provide high leverage governance for enforcing compliance policies. With ABAC policies, access is controlled in a hierarchical and scalable manner, based on data attributes rather than specific resources, enabling more flexible and comprehensive access control. * * ABAC policies in Unity Catalog support conditions on governance tags and the user identity. Callers must have the `MANAGE` privilege on a securable to view, create, update, or delete ABAC policies. * * ## Example Usage * * ### Row Filter Policy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const piiRowFilter = new databricks.PolicyInfo("pii_row_filter", { * onSecurableType: "catalog", * onSecurableFullname: "main", * name: "pii_data_policy", * policyType: "POLICY_TYPE_ROW_FILTER", * forSecurableType: "table", * toPrincipals: ["account users"], * whenCondition: "hasTag('pii')", * matchColumns: [{ * condition: "hasTag('pii')", * alias: "pii_col", * }], * rowFilter: { * functionName: "main.filters.mask_pii_rows", * usings: [{ * alias: "pii_col", * }], * }, * }); * ``` * * ### Column Mask Policy * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as databricks from "@pulumi/databricks"; * * const sensitiveColumnMask = new databricks.PolicyInfo("sensitive_column_mask", { * onSecurableType: "schema", * onSecurableFullname: "main.finance", * name: "sensitive_data_mask", * policyType: "POLICY_TYPE_COLUMN_MASK", * forSecurableType: "table", * toPrincipals: ["account users"], * exceptPrincipals: ["finance_admins"], * whenCondition: "hasTag('pii')", * matchColumns: [{ * condition: "hasTag('pii')", * alias: "sensitive_col", * }], * columnMask: { * functionName: "main.masks.redact_sensitive", * onColumn: "sensitive_col", * usings: [{ * constant: "4", * }], * }, * }); * ``` * * ## Import * * As of Pulumi v1.5, resources can be imported through configuration. * * hcl * * import { * * id = "on_securable_type,on_securable_fullname,name" * * to = databricks_policy_info.this * * } * * If you are using an older version of Pulumi, import the resource using the `pulumi import` command as follows: * * ```sh * $ pulumi import databricks:index/policyInfo:PolicyInfo this "on_securable_type,on_securable_fullname,name" * ``` */ export declare class PolicyInfo extends pulumi.CustomResource { /** * Get an existing PolicyInfo resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyInfoState, opts?: pulumi.CustomResourceOptions): PolicyInfo; /** * Returns true if the given object is an instance of PolicyInfo. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is PolicyInfo; /** * Options for column mask policies. Valid only if `policyType` is `POLICY_TYPE_COLUMN_MASK`. * Required on create and optional on update. When specified on update, * the new options will replace the existing options as a whole */ readonly columnMask: pulumi.Output<outputs.PolicyInfoColumnMask | undefined>; /** * Optional description of the policy */ readonly comment: pulumi.Output<string | undefined>; /** * (integer) - Time at which the policy was created, in epoch milliseconds. Output only */ readonly createdAt: pulumi.Output<number>; /** * (string) - Username of the user who created the policy. Output only */ readonly createdBy: pulumi.Output<string>; /** * Optional list of user or group names that should be excluded from the policy */ readonly exceptPrincipals: pulumi.Output<string[] | undefined>; /** * Type of securables that the policy should take effect on. * Only `TABLE` is supported at this moment. * Required on create and optional on update. Possible values are: `CATALOG`, `CLEAN_ROOM`, `CONNECTION`, `CREDENTIAL`, `EXTERNAL_LOCATION`, `EXTERNAL_METADATA`, `FUNCTION`, `METASTORE`, `PIPELINE`, `PROVIDER`, `RECIPIENT`, `SCHEMA`, `SHARE`, `STAGING_TABLE`, `STORAGE_CREDENTIAL`, `TABLE`, `VOLUME` */ readonly forSecurableType: pulumi.Output<string>; /** * Optional list of condition expressions used to match table columns. * Only valid when `forSecurableType` is `TABLE`. * When specified, the policy only applies to tables whose columns satisfy all match conditions */ readonly matchColumns: pulumi.Output<outputs.PolicyInfoMatchColumn[] | undefined>; /** * Name of the policy. Required on create and optional on update. * To rename the policy, set `name` to a different value on update */ readonly name: pulumi.Output<string>; /** * Full name of the securable on which the policy is defined. * Required on create and ignored on update */ readonly onSecurableFullname: pulumi.Output<string | undefined>; /** * Type of the securable on which the policy is defined. * Only `CATALOG`, `SCHEMA` and `TABLE` are supported at this moment. * Required on create and ignored on update. Possible values are: `CATALOG`, `CLEAN_ROOM`, `CONNECTION`, `CREDENTIAL`, `EXTERNAL_LOCATION`, `EXTERNAL_METADATA`, `FUNCTION`, `METASTORE`, `PIPELINE`, `PROVIDER`, `RECIPIENT`, `SCHEMA`, `SHARE`, `STAGING_TABLE`, `STORAGE_CREDENTIAL`, `TABLE`, `VOLUME` */ readonly onSecurableType: pulumi.Output<string | undefined>; /** * Type of the policy. Required on create and ignored on update. Possible values are: `POLICY_TYPE_COLUMN_MASK`, `POLICY_TYPE_ROW_FILTER` */ readonly policyType: pulumi.Output<string>; /** * Options for row filter policies. Valid only if `policyType` is `POLICY_TYPE_ROW_FILTER`. * Required on create and optional on update. When specified on update, * the new options will replace the existing options as a whole */ readonly rowFilter: pulumi.Output<outputs.PolicyInfoRowFilter | undefined>; /** * List of user or group names that the policy applies to. * Required on create and optional on update */ readonly toPrincipals: pulumi.Output<string[]>; /** * (integer) - Time at which the policy was last modified, in epoch milliseconds. Output only */ readonly updatedAt: pulumi.Output<number>; /** * (string) - Username of the user who last modified the policy. Output only */ readonly updatedBy: pulumi.Output<string>; /** * Optional condition when the policy should take effect */ readonly whenCondition: pulumi.Output<string | undefined>; /** * Create a PolicyInfo resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: PolicyInfoArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering PolicyInfo resources. */ export interface PolicyInfoState { /** * Options for column mask policies. Valid only if `policyType` is `POLICY_TYPE_COLUMN_MASK`. * Required on create and optional on update. When specified on update, * the new options will replace the existing options as a whole */ columnMask?: pulumi.Input<inputs.PolicyInfoColumnMask>; /** * Optional description of the policy */ comment?: pulumi.Input<string>; /** * (integer) - Time at which the policy was created, in epoch milliseconds. Output only */ createdAt?: pulumi.Input<number>; /** * (string) - Username of the user who created the policy. Output only */ createdBy?: pulumi.Input<string>; /** * Optional list of user or group names that should be excluded from the policy */ exceptPrincipals?: pulumi.Input<pulumi.Input<string>[]>; /** * Type of securables that the policy should take effect on. * Only `TABLE` is supported at this moment. * Required on create and optional on update. Possible values are: `CATALOG`, `CLEAN_ROOM`, `CONNECTION`, `CREDENTIAL`, `EXTERNAL_LOCATION`, `EXTERNAL_METADATA`, `FUNCTION`, `METASTORE`, `PIPELINE`, `PROVIDER`, `RECIPIENT`, `SCHEMA`, `SHARE`, `STAGING_TABLE`, `STORAGE_CREDENTIAL`, `TABLE`, `VOLUME` */ forSecurableType?: pulumi.Input<string>; /** * Optional list of condition expressions used to match table columns. * Only valid when `forSecurableType` is `TABLE`. * When specified, the policy only applies to tables whose columns satisfy all match conditions */ matchColumns?: pulumi.Input<pulumi.Input<inputs.PolicyInfoMatchColumn>[]>; /** * Name of the policy. Required on create and optional on update. * To rename the policy, set `name` to a different value on update */ name?: pulumi.Input<string>; /** * Full name of the securable on which the policy is defined. * Required on create and ignored on update */ onSecurableFullname?: pulumi.Input<string>; /** * Type of the securable on which the policy is defined. * Only `CATALOG`, `SCHEMA` and `TABLE` are supported at this moment. * Required on create and ignored on update. Possible values are: `CATALOG`, `CLEAN_ROOM`, `CONNECTION`, `CREDENTIAL`, `EXTERNAL_LOCATION`, `EXTERNAL_METADATA`, `FUNCTION`, `METASTORE`, `PIPELINE`, `PROVIDER`, `RECIPIENT`, `SCHEMA`, `SHARE`, `STAGING_TABLE`, `STORAGE_CREDENTIAL`, `TABLE`, `VOLUME` */ onSecurableType?: pulumi.Input<string>; /** * Type of the policy. Required on create and ignored on update. Possible values are: `POLICY_TYPE_COLUMN_MASK`, `POLICY_TYPE_ROW_FILTER` */ policyType?: pulumi.Input<string>; /** * Options for row filter policies. Valid only if `policyType` is `POLICY_TYPE_ROW_FILTER`. * Required on create and optional on update. When specified on update, * the new options will replace the existing options as a whole */ rowFilter?: pulumi.Input<inputs.PolicyInfoRowFilter>; /** * List of user or group names that the policy applies to. * Required on create and optional on update */ toPrincipals?: pulumi.Input<pulumi.Input<string>[]>; /** * (integer) - Time at which the policy was last modified, in epoch milliseconds. Output only */ updatedAt?: pulumi.Input<number>; /** * (string) - Username of the user who last modified the policy. Output only */ updatedBy?: pulumi.Input<string>; /** * Optional condition when the policy should take effect */ whenCondition?: pulumi.Input<string>; } /** * The set of arguments for constructing a PolicyInfo resource. */ export interface PolicyInfoArgs { /** * Options for column mask policies. Valid only if `policyType` is `POLICY_TYPE_COLUMN_MASK`. * Required on create and optional on update. When specified on update, * the new options will replace the existing options as a whole */ columnMask?: pulumi.Input<inputs.PolicyInfoColumnMask>; /** * Optional description of the policy */ comment?: pulumi.Input<string>; /** * Optional list of user or group names that should be excluded from the policy */ exceptPrincipals?: pulumi.Input<pulumi.Input<string>[]>; /** * Type of securables that the policy should take effect on. * Only `TABLE` is supported at this moment. * Required on create and optional on update. Possible values are: `CATALOG`, `CLEAN_ROOM`, `CONNECTION`, `CREDENTIAL`, `EXTERNAL_LOCATION`, `EXTERNAL_METADATA`, `FUNCTION`, `METASTORE`, `PIPELINE`, `PROVIDER`, `RECIPIENT`, `SCHEMA`, `SHARE`, `STAGING_TABLE`, `STORAGE_CREDENTIAL`, `TABLE`, `VOLUME` */ forSecurableType: pulumi.Input<string>; /** * Optional list of condition expressions used to match table columns. * Only valid when `forSecurableType` is `TABLE`. * When specified, the policy only applies to tables whose columns satisfy all match conditions */ matchColumns?: pulumi.Input<pulumi.Input<inputs.PolicyInfoMatchColumn>[]>; /** * Name of the policy. Required on create and optional on update. * To rename the policy, set `name` to a different value on update */ name?: pulumi.Input<string>; /** * Full name of the securable on which the policy is defined. * Required on create and ignored on update */ onSecurableFullname?: pulumi.Input<string>; /** * Type of the securable on which the policy is defined. * Only `CATALOG`, `SCHEMA` and `TABLE` are supported at this moment. * Required on create and ignored on update. Possible values are: `CATALOG`, `CLEAN_ROOM`, `CONNECTION`, `CREDENTIAL`, `EXTERNAL_LOCATION`, `EXTERNAL_METADATA`, `FUNCTION`, `METASTORE`, `PIPELINE`, `PROVIDER`, `RECIPIENT`, `SCHEMA`, `SHARE`, `STAGING_TABLE`, `STORAGE_CREDENTIAL`, `TABLE`, `VOLUME` */ onSecurableType?: pulumi.Input<string>; /** * Type of the policy. Required on create and ignored on update. Possible values are: `POLICY_TYPE_COLUMN_MASK`, `POLICY_TYPE_ROW_FILTER` */ policyType: pulumi.Input<string>; /** * Options for row filter policies. Valid only if `policyType` is `POLICY_TYPE_ROW_FILTER`. * Required on create and optional on update. When specified on update, * the new options will replace the existing options as a whole */ rowFilter?: pulumi.Input<inputs.PolicyInfoRowFilter>; /** * List of user or group names that the policy applies to. * Required on create and optional on update */ toPrincipals: pulumi.Input<pulumi.Input<string>[]>; /** * Optional condition when the policy should take effect */ whenCondition?: pulumi.Input<string>; }