Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] Updated AWS UC storage credential to include permissions for file events #4406

Merged
merged 5 commits into from
Jan 27, 2025
Merged

[Feature] Updated AWS UC storage credential to include permissions for file events #4406

merged 5 commits into from
Jan 27, 2025

Conversation

borremosch-db
Copy link
Contributor

Changes

Databricks documentation for storage credentials contains instructions to add permissions for file events, but as of yet these are missing from the terraform provider. This PR adds them for AWS. PRs for Azure and GCP will follow soon

Tests

Updated test: aws/data_aws_unity_catalog_policy_test.go

  • make test run locally
  • relevant change in docs/ folder
  • covered with integration tests in internal/acceptance
  • using Go SDK
  • using TF Plugin Framework

@borremosch-db borremosch-db requested review from a team as code owners January 16, 2025 14:03
@borremosch-db borremosch-db requested review from hectorcast-db and removed request for a team January 16, 2025 14:03
@borremosch-db borremosch-db force-pushed the add-storage-credential-file-events-permissions-aws branch from 3ae3e94 to 9085086 Compare January 16, 2025 14:03
@borremosch-db borremosch-db changed the title Updated AWS UC storage credential to include permissions for file events [FEATURE] Updated AWS UC storage credential to include permissions for file events Jan 16, 2025
@borremosch-db borremosch-db changed the title [FEATURE] Updated AWS UC storage credential to include permissions for file events [Feature] Updated AWS UC storage credential to include permissions for file events Jan 16, 2025
mgyucht
mgyucht reviewed Jan 16, 2025
View reviewed changes
Copy link
Contributor

@mgyucht mgyucht left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to get @alexott or @nkvuong's thoughts on this change. Would we want to allow users to opt out of this?

alexott
alexott reviewed Jan 16, 2025
View reviewed changes
@borremosch-db
Copy link
Contributor Author

@mgyucht thanks for the review. Ideally we would not make these changes opt-in/out as we're moving towards making file events mandatory (see PRD: Maximizing coverage of managed file events)

@borremosch-db
Copy link
Contributor Author

@mgyucht @nkvuong could you have another look at this?

mgyucht
mgyucht reviewed Jan 24, 2025
View reviewed changes
Copy link
Contributor

@mgyucht mgyucht left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can make the requested resources slightly narrower, which would be marginally better from a security stance. Otherwise, seems OK to me.

aws/data_aws_unity_catalog_policy.go Outdated
Comment on lines 89 to 90
fmt.Sprintf("arn:%s:sqs:*:*:csms-*", awsPartition),
fmt.Sprintf("arn:%s:sns:*:*:csms-*", awsPartition),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the other policies, we restrict the resource templates to a single account. Can we do that here as well for consistency, or do we need to allow access to all accounts? (Understanding that this would also require cross-account policy on the target account, but with defence in depth in mind, we shouldn't force people to give broader access than necessary.) Ditto for the other resources. We already accept awsAccountId as a parameter.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mgyucht I considered scoping down to the account, but this is not the case for the S3 permissions in this specific file and I believe we should align the new permissions because they're targeting resources for the same use case.

@borremosch-db borremosch-db requested a review from mgyucht January 24, 2025 13:46
@github-actions GitHub Actions
Copy link

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/terraform

Inputs:

  • PR number: 4406
  • Commit SHA: 0fb1ec4d2cd97109d1e626bc782c9380700eb167

Checks will be approved automatically on success.

@mgyucht mgyucht enabled auto-merge January 24, 2025 16:00
@mgyucht mgyucht added this pull request to the merge queue Jan 27, 2025
Merged via the queue into databricks:main with commit 119a6c0 Jan 27, 2025
12 checks passed
@alexott alexott mentioned this pull request Jan 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexott alexott alexott approved these changes

@mgyucht mgyucht mgyucht approved these changes

@nkvuong nkvuong nkvuong approved these changes

@hectorcast-db hectorcast-db Awaiting requested review from hectorcast-db hectorcast-db is a code owner automatically assigned from databricks/eng-plat-auto-exp-reviewers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@borremosch-db @alexott @mgyucht @nkvuong