fix: Ensure Databricks external location role exists before making it…

… self-referential (#667) * fix: Associate role with policy containing self-assumption * fix prefix * fix prefix * fix values
chanzuckerberg · Oct 25, 2024 · 6834b5b · 6834b5b
1 parent 094aada
commit 6834b5b
Showing 1 changed file with 16 additions and 14 deletions.
diff --git a/databricks-catalog-external-location/main.tf b/databricks-catalog-external-location/main.tf
@@ -3,10 +3,12 @@ data "aws_caller_identity" "current" {
 }
 
 locals {
-  path                   = "/databricks/"
-  name                   = "${var.tags.project}-${var.tags.env}"
-  bucket_name            = "${local.name}-dbx-catalog-bucket"
-  iam_role_name          = "external_location_dbx_${var.tags.env}_aws_role"
+  iam_role_prefix = "databricks"
+  path            = "/${local.iam_role_prefix}/"
+  name            = "${var.tags.project}-${var.tags.env}"
+  bucket_name     = "${local.name}-dbx-catalog-bucket"
+  iam_role_name   = "external_location_dbx_${var.tags.env}_aws_role"
+  iam_role_arn    = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
 }
 
 ## Bucket and policy
@@ -61,8 +63,7 @@ data "aws_iam_policy_document" "databricks_external_location_assume_role" {
     principals {
       type        = "AWS"
       identifiers = [
-        "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
+        "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
       ]
     }
 
@@ -86,7 +87,7 @@ data "aws_iam_policy_document" "databricks_external_location_assume_role" {
       test     = "ArnEquals"
       variable = "aws:PrincipalArn"
 
-      values = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"]
+      values = [local.iam_role_arn]
     }
   }
 }
@@ -119,13 +120,8 @@ data "aws_iam_policy_document" "databricks_external_location_bucket_access" {
 
   statement {
     sid    = "databricksAssumeRole"
-    effect = "Allow"
-    actions = [
-      "sts:AssumeRole"
-    ]
-    resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
-    ]
+    actions = ["sts:AssumeRole"]
+    resources = [local.iam_role_arn]
   }
 }
 
@@ -140,6 +136,12 @@ resource "aws_iam_role_policy_attachment" "databricks_external_location_bucket_a
   role       = aws_iam_role.databricks_external_location_iam_role.name
 }
 
+resource "aws_iam_role_policy" "databricks_external_location_access_role_policy" {
+  name_prefix = local.iam_role_prefix
+  role        = aws_iam_role.databricks_external_location_iam_role.id
+  policy      = data.aws_iam_policy_document.databricks_external_location_bucket_access.json
+}
+
 ### Databricks storage credential - allows workspace to access an external location.
 ### NOTE: names need to be unique across an account, not just a workspace
 resource "databricks_storage_credential" "external" {