terraform-provider-databricks
[ISSUE] Issue with `databricks_aws_bucket_policy` resource does not work in other partitions
Configuration
data "databricks_aws_bucket_policy" "this" {
  bucket = "mycoolbucket"
}

resource "aws_s3_bucket_policy" "root_bucket_policy" {
  bucket = "mycoolbucket"
  policy = data.databricks_aws_bucket_policy.this.json
}
Expected Behavior
ARNs generated are in the wrong partition
Actual Behavior
api error MalformedPolicy: Invalid principal in policy

"bucketPolicy": {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::414351767826:root"
      },
      "Resource": [
        "arn:aws:s3:::mycoolbucket/*",
        "arn:aws:s3:::mycoolbucket"
      ]
    }
  ]
},
"bucketName": "mycoolbucket",
"Host": "mycoolbucket.s3.us-gov-west-1.amazonaws.com",
"policy": ""
},
Steps to Reproduce
terraform apply
Terraform and provider versions
1.51.0
Is it a regression?
unknown
Debug Output
Important Factoids
This is for us-gov-west-1; it's obvious the code here is not partition-aware:
https://github.com/databricks/terraform-provider-databricks/blob/b827aeccb86c1cd7c5803e8a755d7085ebbdb207/aws/data_aws_bucket_policy.go#L33
Would you like to implement a fix?
No
Appears that a bunch of places have the partition hard-coded? https://github.com/search?q=repo%3Adatabricks%2Fterraform-provider-databricks+%22arn%3Aaws%22+path%3Aaws%2F*.go&type=code
I guess it's safe to assume govcloud support isn't available via this terraform provider yet?
@drew-altana can you create a separate feature request to support partitions in the data sources? Or convert current issue into feature request
I am also seeing pretty much the same error following the tutorial instructions here: https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/guides/aws-workspace
That was my conclusion as well; the principal is hard-coded as "arn:aws:iam::414351767826:root", and is not applicable to the govcloud/us-gov-west-1 partition.
My workaround was:
Instead of setting assume_role_policy to data.databricks_aws_assume_role_policy.this.json, I defined an inline policy thusly:
assume_role_policy = jsonencode(
  {
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          AWS = "arn:${data.aws_partition.current.partition}:iam::044793339203:root"
        }
        Condition = {
          "StringEquals" = {
            "sts:ExternalId" = "${var.databricks_account_id}"
          }
        }
      }
    ]
  }
)
(also declaring the data source: data "aws_partition" "current" {})
okay, made it a feature request.