Merge branch 'main' into aku/fix-mysql-defaults

chanzuckerberg · Aug 20, 2024 · 306f998 · 306f998
2 parents f92cb87 + be84f23
commit 306f998
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.77.2](https://github.com/chanzuckerberg/cztack/compare/v0.77.1...v0.77.2) (2024-08-19)
+
+
+### Bug Fixes
+
+* Allow dbx storage credentials roles to be self-assuming ([#620](https://github.com/chanzuckerberg/cztack/issues/620)) ([47970b3](https://github.com/chanzuckerberg/cztack/commit/47970b36a5220c917605ad1a872acf7f2596f554))
+
 ## [0.77.1](https://github.com/chanzuckerberg/cztack/compare/v0.77.0...v0.77.1) (2024-08-19)
 
 

diff --git a/databricks-catalog-external-location/main.tf b/databricks-catalog-external-location/main.tf
@@ -71,6 +71,21 @@ data "aws_iam_policy_document" "databricks_external_location_assume_role" {
       values = [var.databricks_external_id]
     }
   }
+
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+
+    actions = ["sts:AssumeRole"]
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:PrincipalArn"
+
+      values = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"]
+    }
+  }
 }
 
 resource "aws_iam_role" "databricks_external_location_iam_role" {
@@ -98,6 +113,17 @@ data "aws_iam_policy_document" "databricks_external_location_bucket_access" {
       module.catalog_bucket.arn,
     ]
   }
+
+  statement {
+    sid    = "databricksAssumeRole"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole"
+    ]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role${local.path}${local.iam_role_name}"
+    ]
+  }
 }
 
 ### Policies to access bucket

diff --git a/version.txt b/version.txt
@@ -1 +1 @@
-0.77.1
+0.77.2