
[Feature] Updated AWS UC storage credential to include permissions for file events #4406

Open. Wants to merge 4 commits into base: main.

Conversation

borremosch-db

Changes

Databricks documentation for storage credentials contains instructions to add permissions for file events, but as of yet these are missing from the Terraform provider. This PR adds them for AWS. PRs for Azure and GCP will follow soon.

Tests

Updated test: aws/data_aws_unity_catalog_policy_test.go

  • make test run locally
  • relevant change in docs/ folder
  • covered with integration tests in internal/acceptance
  • using Go SDK
  • using TF Plugin Framework

@borremosch-db borremosch-db requested review from a team as code owners January 16, 2025 14:03
@borremosch-db borremosch-db requested review from hectorcast-db and removed request for a team January 16, 2025 14:03
@borremosch-db borremosch-db force-pushed the add-storage-credential-file-events-permissions-aws branch from 3ae3e94 to 9085086 January 16, 2025 14:03
@borremosch-db borremosch-db changed the title Updated AWS UC storage credential to include permissions for file events [FEATURE] Updated AWS UC storage credential to include permissions for file events Jan 16, 2025
@borremosch-db borremosch-db changed the title [FEATURE] Updated AWS UC storage credential to include permissions for file events [Feature] Updated AWS UC storage credential to include permissions for file events Jan 16, 2025
Contributor

@mgyucht mgyucht left a comment


Would be good to get @alexott or @nkvuong's thoughts on this change. Would we want to allow users to opt out of this?

Comment on lines 89 to 90
"arn:aws:sqs:*:*:*",
"arn:aws:sns:*:*:*",
Contributor


Are customers comfortable with granting us permission on all SQS queues and SNS destinations? It may be sensible as a default but I expect they will want to be more selective. I wonder if e.g. there is a specific prefix that Databricks always uses so we can restrict this somewhat?

Contributor


These SNS/SQS will be created by Databricks, and will follow the pattern arn:aws:sqs:<region>:<aws_account_id>:csms-*

Author


I added ARN resource ID prefix. LMK if this works.
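The thread above turns on one least-privilege point: the generated IAM statement should name the SQS queues and SNS topics Databricks actually creates (region, account and the csms- name prefix mentioned by the reviewer) rather than `arn:aws:sqs:*:*:*` / `arn:aws:sns:*:*:*`. The following is an added example, not the provider's own code: it builds such a scoped statement and includes a check that flags any resource ARN whose region, account or resource field is a bare wildcard, which is the kind of assertion the updated test could carry. The `awsIamPolicyStatement` type, the `fileEventsActions` list and the function names are assumptions for this example and are not taken from the repository.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// awsIamPolicyStatement is a simplified stand-in (assumed for this example)
// for one statement of an IAM policy document; it is not the provider's type.
type awsIamPolicyStatement struct {
	Effect    string   `json:"Effect"`
	Actions   []string `json:"Action"`
	Resources []string `json:"Resource"`
}

// fileEventsActions is an illustrative set of real SQS/SNS IAM actions a
// file-events consumer needs; the exact set the provider grants is not
// reproduced here.
var fileEventsActions = []string{
	"sqs:ReceiveMessage",
	"sqs:DeleteMessage",
	"sqs:GetQueueAttributes",
	"sqs:GetQueueUrl",
	"sns:Subscribe",
	"sns:ListSubscriptionsByTopic",
}

// fileEventsStatement builds the SQS/SNS statement scoped to the caller's
// region and account and to the csms- name prefix the review thread says
// Databricks uses for the queues and topics it creates.
func fileEventsStatement(region, accountID string) *awsIamPolicyStatement {
	return &awsIamPolicyStatement{
		Effect:  "Allow",
		Actions: fileEventsActions,
		Resources: []string{
			fmt.Sprintf("arn:aws:sqs:%s:%s:csms-*", region, accountID),
			fmt.Sprintf("arn:aws:sns:%s:%s:csms-*", region, accountID),
		},
	}
}

// unscopedResources returns every resource ARN in the statement whose region,
// account or resource field is a bare wildcard, i.e. the over-broad shape
// (arn:aws:sqs:*:*:*) raised in the review. Malformed ARNs are reported too.
func unscopedResources(s *awsIamPolicyStatement) []string {
	var flagged []string
	for _, r := range s.Resources {
		// arn:partition:service:region:account:resource
		parts := strings.SplitN(r, ":", 6)
		if len(parts) != 6 || parts[3] == "*" || parts[4] == "*" || parts[5] == "*" {
			flagged = append(flagged, r)
		}
	}
	return flagged
}

// renderPolicy serialises statements as an IAM policy document.
func renderPolicy(stmts []*awsIamPolicyStatement) (string, error) {
	doc := struct {
		Version   string                   `json:"Version"`
		Statement []*awsIamPolicyStatement `json:"Statement"`
	}{Version: "2012-10-17", Statement: stmts}
	b, err := json.MarshalIndent(doc, "", "  ")
	return string(b), err
}

func main() {
	// Constructed sample inputs: a scoped statement and the wildcard form.
	scoped := fileEventsStatement("us-east-1", "123456789012")
	wildcard := &awsIamPolicyStatement{
		Effect:    "Allow",
		Actions:   fileEventsActions,
		Resources: []string{"arn:aws:sqs:*:*:*", "arn:aws:sns:*:*:*"},
	}
	fmt.Printf("scoped: unscoped resources = %v\n", unscopedResources(scoped))
	fmt.Printf("wildcard: unscoped resources = %v\n", unscopedResources(wildcard))
	out, err := renderPolicy([]*awsIamPolicyStatement{scoped})
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The wildcard check is deliberately strict about the account field: a statement that names the right service and region but `*` for the account would still let the principal read from any account's csms-* queue, so it is flagged as well.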

aws/data_aws_unity_catalog_policy.go (outdated review threads, resolved)
@@ -60,6 +60,59 @@ func generateReadContext(ctx context.Context, d *schema.ResourceData, m *common.
Resources: []string{kmsArn},
})
}
policy.Statements = append(policy.Statements, &awsIamPolicyStatement{
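Review bot: the statement appended here should carry region- and account-scoped resource ARNs rather than the `"arn:aws:sqs:*:*:*"` / `"arn:aws:sns:*:*:*"` entries quoted in the review above; since the thread states Databricks creates these queues and topics with the `csms-` name prefix, resources of the form `arn:aws:sqs:<region>:<aws_account_id>:csms-*` (and the SNS equivalent) keep the grant to what the service actually needs. From the visible context the append sits after the closing brace of the preceding KMS block, so it appears unconditional and every generated policy gains the grant; that matches the author's stated intent to make file events mandatory, but it should be called out in the docs/ change. Please also add an assertion in aws/data_aws_unity_catalog_policy_test.go that the generated SQS/SNS resources contain the `csms-` prefix so a regression back to the wildcard form is caught.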
Contributor


Agree with @mgyucht - these can be left as opt-out/in, as our official documentation mentions this is optional but strongly recommended.

Author


We're moving from opt-in/out to mandatory (see PRD: Maximizing coverage of managed file events).

@borremosch-db
Author

@mgyucht thanks for the review. Ideally we would not make these changes opt-in/out, as we're moving towards making file events mandatory (see PRD: Maximizing coverage of managed file events).


If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/terraform

Inputs:

  • PR number: 4406
  • Commit SHA: d1cc672097291d01c55d11d09d859546cf86531e

Checks will be approved automatically on success.
