-
Notifications
You must be signed in to change notification settings - Fork 151
/
Copy pathmain.tf
127 lines (113 loc) · 3.5 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
locals {
prefix = "uc-test"
}
// create users and groups at account level (not workspace user/group)
resource "databricks_user" "unity_users" {
provider = databricks.mws
for_each = toset(concat(var.databricks_users, var.databricks_account_admins))
user_name = each.key
force = true
}
resource "databricks_group" "admin_group" {
provider = databricks.mws
display_name = var.unity_admin_group
}
resource "databricks_group_member" "admin_group_member" {
provider = databricks.mws
for_each = toset(var.databricks_account_admins)
group_id = databricks_group.admin_group.id
member_id = databricks_user.unity_users[each.value].id
}
resource "databricks_user_role" "metastore_admin" { // this group is admin for metastore, also pre-requisite for creating metastore
provider = databricks.mws
for_each = toset(var.databricks_account_admins)
user_id = databricks_user.unity_users[each.value].id
role = "account_admin"
}
/*
resource "aws_s3_bucket" "external" {
bucket = "${local.prefix}-external"
acl = "private"
versioning {
enabled = false
}
// destroy all objects with bucket destroy
force_destroy = true
tags = merge(local.tags, {
Name = "${local.prefix}-external"
})
}
resource "aws_s3_bucket_public_access_block" "external" {
bucket = aws_s3_bucket.external.id
ignore_public_acls = true
depends_on = [aws_s3_bucket.external]
}
resource "aws_iam_policy" "external_data_access" {
// Terraform's "jsonencode" function converts a
// Terraform expression's result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Id = "${aws_s3_bucket.external.id}-access"
Statement = [
{
"Action" : [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource" : [
aws_s3_bucket.external.arn,
"${aws_s3_bucket.external.arn}/*"
],
"Effect" : "Allow"
}
]
})
tags = merge(local.tags, {
Name = "${local.prefix}-unity-catalog external access IAM policy"
})
}
resource "aws_iam_role" "external_data_access" {
name = "${local.prefix}-external-access"
assume_role_policy = data.aws_iam_policy_document.passrole_for_uc.json
managed_policy_arns = [aws_iam_policy.external_data_access.arn]
tags = merge(local.tags, {
Name = "${local.prefix}-unity-catalog external access IAM role"
})
}
resource "databricks_storage_credential" "external" {
provider = databricks.workspace
name = aws_iam_role.external_data_access.name
aws_iam_role {
role_arn = aws_iam_role.external_data_access.arn
}
comment = "Managed by TF"
}
resource "databricks_grants" "external_creds" {
provider = databricks.workspace
storage_credential = databricks_storage_credential.external.id
grant {
principal = "Data Engineers"
privileges = ["CREATE_TABLE"]
}
}
resource "databricks_external_location" "some" {
provider = databricks.workspace
name = "external"
url = "s3://${aws_s3_bucket.external.id}/some"
credential_name = databricks_storage_credential.external.id
comment = "Managed by TF"
}
resource "databricks_grants" "some" {
provider = databricks.workspace
external_location = databricks_external_location.some.id
grant {
principal = "Data Engineers"
privileges = ["CREATE_TABLE", "READ_FILES"]
}
}
*/