
[ISSUE] Issue with `databricks_aws_unity_catalog_policy` resource - invalid KMS ARN

Open eriktim opened this issue 1 year ago • 0 comments

Configuration

// copied from https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/aws_unity_catalog_policy

data "databricks_aws_unity_catalog_policy" "this" {
  aws_account_id = var.aws_account_id
  bucket_name    = "databricks-bucket"
  role_name      = "${var.prefix}-uc-access"
  kms_name       = "databricks-kms"
}

data "databricks_aws_unity_catalog_assume_role_policy" "this" {
  aws_account_id = var.aws_account_id
  role_name      = "${var.prefix}-uc-access"
  external_id    = "12345"
}

resource "aws_iam_policy" "unity_metastore" {
  name   = "${var.prefix}-unity-catalog-metastore-access-iam-policy"
  policy = data.databricks_aws_unity_catalog_policy.this.json
}

resource "aws_iam_role" "metastore_data_access" {
  name                = "${var.prefix}-uc-access"
  assume_role_policy  = data.aws_iam_policy_document.passrole_for_uc.json
  managed_policy_arns = [aws_iam_policy.unity_metastore.arn]
}

⚠️ Please note that I think the docs are not right here. In the above, data.aws_iam_policy_document.passrole_for_uc.json should be replaced with data.databricks_aws_unity_catalog_assume_role_policy.this.json.

Expected Behavior

The resulting policy should enable decryption using the KMS key; we get

  ...,
  {
      Action   = [
          "kms:Decrypt",
          "kms:Encrypt",
          "kms:GenerateDataKey*",
        ]
      Effect   = "Allow"
      Resource = [
          "arn:aws:kms:<region>:<account-id>:key/databricks-kms", // for some region, account-id
        ]
    },

Actual Behavior

  ...,
  {
      Action   = [
          "kms:Decrypt",
          "kms:Encrypt",
          "kms:GenerateDataKey*",
        ]
      Effect   = "Allow"
      Resource = [
          "arn:aws:kms:databricks-kms", // invalid ARN
        ]
    },

Steps to Reproduce

  1. terraform plan

Terraform and provider versions

terraform --version
Terraform v1.1.2
on darwin_arm64
+ provider registry.terraform.io/databricks/databricks v1.47.0

Is it a regression?

No

Debug Output

Don't think that's relevant here

Important Factoids

Nope

Would you like to implement a fix?

Sure and I can also update the example in the docs (for both databricks_aws_unity_catalog_policy and databricks_aws_unity_catalog_assume_role_policy)

eriktim avatar Jun 21 '24 07:06 eriktim
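As an added example (not code from the provider or from the reporter), the following Go program shows a pre-apply check that would have caught the malformed Resource above: it parses a generated IAM policy document, finds statements that grant kms:* actions, and rejects any Resource that is not a full six-field KMS key or alias ARN with region and 12-digit account. It also builds the expected form from its parts. The policy JSON is constructed from the "Actual Behavior" block, and the region and account values are placeholders, not taken from the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// kmsKeyARN matches the full ARN form IAM accepts for a KMS key or alias:
// partition, region and a 12-digit account must all be present.
var kmsKeyARN = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/[^/]+$`)

// iamPolicy mirrors only the parts of a policy document the check needs.
type iamPolicy struct {
	Version   string         `json:"Version"`
	Statement []iamStatement `json:"Statement"`
}

// Action and Resource stay raw because IAM allows a string or a list for both.
type iamStatement struct {
	Effect   string          `json:"Effect"`
	Action   json.RawMessage `json:"Action"`
	Resource json.RawMessage `json:"Resource"`
}

// stringList decodes a JSON value that is either "x" or ["x", "y"].
func stringList(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil
	}
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, err
	}
	return many, nil
}

// KMSKeyARN builds the form the report expects:
// arn:<partition>:kms:<region>:<account-id>:key/<key-id>.
func KMSKeyARN(partition, region, accountID, keyID string) string {
	return fmt.Sprintf("arn:%s:kms:%s:%s:key/%s", partition, region, accountID, keyID)
}

// InvalidKMSResources returns every Resource of a kms:* statement that is not
// a well-formed KMS key/alias ARN. An empty result means the policy passed.
func InvalidKMSResources(policyJSON string) ([]string, error) {
	var p iamPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var bad []string
	for _, st := range p.Statement {
		actions, err := stringList(st.Action)
		if err != nil {
			return nil, fmt.Errorf("parse Action: %w", err)
		}
		usesKMS := false
		for _, a := range actions {
			if strings.HasPrefix(strings.ToLower(a), "kms:") {
				usesKMS = true
				break
			}
		}
		if !usesKMS {
			continue
		}
		resources, err := stringList(st.Resource)
		if err != nil {
			return nil, fmt.Errorf("parse Resource: %w", err)
		}
		for _, r := range resources {
			if !kmsKeyARN.MatchString(r) {
				bad = append(bad, r)
			}
		}
	}
	return bad, nil
}

// Constructed sample: the statement shown under "Actual Behavior", as JSON.
const reportedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"],
    "Resource": ["arn:aws:kms:databricks-kms"]
  }]
}`

func main() {
	bad, err := InvalidKMSResources(reportedPolicy)
	if err != nil {
		panic(err)
	}
	for _, r := range bad {
		fmt.Printf("invalid KMS ARN in policy: %q\n", r)
	}
	// Placeholder region and account, not values from the report.
	fmt.Println("expected form:", KMSKeyARN("aws", "us-east-1", "123456789012", "databricks-kms"))
}
```

Because the regex requires a concrete key or alias, a bare "*" Resource on a kms:* statement is flagged too, which is usually what you want from a policy linter; loosen the pattern if an account intentionally grants wildcard KMS access.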