diff --git a/aws/data_aws_unity_catalog_policy.go b/aws/data_aws_unity_catalog_policy.go
index 5dbc565b38..edf687a38a 100644
--- a/aws/data_aws_unity_catalog_policy.go
+++ b/aws/data_aws_unity_catalog_policy.go
@@ -60,6 +60,62 @@ func generateReadContext(ctx context.Context, d *schema.ResourceData, m *common.
 Resources: []string{kmsArn},
 })
 }
+ policy.Statements = append(policy.Statements, &awsIamPolicyStatement{
+ Sid: "ManagedFileEventsSetupStatement",
+ Effect: "Allow",
+ Actions: []string{
+ "s3:GetBucketNotification",
+ "s3:PutBucketNotification",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:SetTopicAttributes",
+ "sns:CreateTopic",
+ "sns:TagResource",
+ "sns:Publish",
+ "sns:Subscribe",
+ "sqs:CreateQueue",
+ "sqs:DeleteMessage",
+ "sqs:ReceiveMessage",
+ "sqs:SendMessage",
+ "sqs:GetQueueUrl",
+ "sqs:GetQueueAttributes",
+ "sqs:SetQueueAttributes",
+ "sqs:TagQueue",
+ "sqs:ChangeMessageVisibility",
+ "sqs:PurgeQueue",
+ },
+ Resources: []string{
+ fmt.Sprintf("arn:%s:s3:::%s", awsPartition, bucket),
+ fmt.Sprintf("arn:%s:sqs:*:%s:csms-*", awsPartition, awsAccountId),
+ fmt.Sprintf("arn:%s:sns:*:%s:csms-*", awsPartition, awsAccountId),
+ },
+ },
+ &awsIamPolicyStatement{
+ Sid: "ManagedFileEventsListStatement",
+ Effect: "Allow",
+ Actions: []string{
+ "sqs:ListQueues",
+ "sqs:ListQueueTags",
+ "sns:ListTopics",
+ },
+ Resources: []string{
+ fmt.Sprintf("arn:%s:sqs:*:%s:csms-*", awsPartition, awsAccountId),
+ fmt.Sprintf("arn:%s:sns:*:%s:csms-*", awsPartition, awsAccountId),
+ },
+ },
+ &awsIamPolicyStatement{
+ Sid: "ManagedFileEventsTeardownStatement",
+ Effect: "Allow",
+ Actions: []string{
+ "sns:Unsubscribe",
+ "sns:DeleteTopic",
+ "sqs:DeleteQueue",
+ },
+ Resources: []string{
+ fmt.Sprintf("arn:%s:sqs:*:%s:csms-*", awsPartition, awsAccountId),
+ fmt.Sprintf("arn:%s:sns:*:%s:csms-*", awsPartition, awsAccountId),
+ },
+ })
 policyJSON, err := json.MarshalIndent(policy, "", " ")
 if err != nil {
 return err
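Review bot: The three ManagedFileEvents statements are appended to policy.Statements unconditionally, so every policy this data source emits now grants SNS/SQS create, publish, purge and delete rights on `csms-*` resources in every region of the account, even for users who never enable managed file events; an opt-in attribute on the data source that gates this append would keep the generated role closer to least privilege. The ManagedFileEventsListStatement scopes its resources to `csms-*` ARNs, but as far as I know `sqs:ListQueues` and `sns:ListTopics` do not support resource-level permissions, so that statement may not actually authorize those two calls — if confirmed, they need a `Resource: "*"` statement of their own while `sqs:ListQueueTags` can stay scoped. The `csms-*` SQS and SNS ARNs are formatted six times; computing them once, `csmsSqsArn := fmt.Sprintf("arn:%s:sqs:*:%s:csms-*", awsPartition, awsAccountId)` and the matching `csmsSnsArn`, would keep the three statements in sync. A comment above the append such as `// Managed file events: permissions to set up, list and tear down the csms-* SNS topics and SQS queues used for S3 bucket notifications.` would explain why these grants are here. generateReadContext starts before the hunk.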
diff --git a/aws/data_aws_unity_catalog_policy_test.go b/aws/data_aws_unity_catalog_policy_test.go
index 6ca159e290..5252959ed5 100644
--- a/aws/data_aws_unity_catalog_policy_test.go
+++ b/aws/data_aws_unity_catalog_policy_test.go
@@ -59,6 +59,62 @@ func TestDataAwsUnityCatalogPolicy(t *testing.T) {
 "Resource": [
 "arn:aws:kms:databricks-kms"
 ]
+ },
+ {
+ "Sid": "ManagedFileEventsSetupStatement",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketNotification",
+ "s3:PutBucketNotification",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:SetTopicAttributes",
+ "sns:CreateTopic",
+ "sns:TagResource",
+ "sns:Publish",
+ "sns:Subscribe",
+ "sqs:CreateQueue",
+ "sqs:DeleteMessage",
+ "sqs:ReceiveMessage",
+ "sqs:SendMessage",
+ "sqs:GetQueueUrl",
+ "sqs:GetQueueAttributes",
+ "sqs:SetQueueAttributes",
+ "sqs:TagQueue",
+ "sqs:ChangeMessageVisibility",
+ "sqs:PurgeQueue"
+ ],
+ "Resource": [
+ "arn:aws:s3:::databricks-bucket",
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsListStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sqs:ListQueues",
+ "sqs:ListQueueTags",
+ "sns:ListTopics"
+ ],
+ "Resource": [
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsTeardownStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sns:Unsubscribe",
+ "sns:DeleteTopic",
+ "sqs:DeleteQueue"
+ ],
+ "Resource": [
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
 }
 ]
 }`
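Review bot: The 56-line expected-JSON block added here is repeated verbatim in the hunks for TestDataAwsUnityCatalogPolicyFullKms, TestDataAwsUnityCatalogPolicyWithoutKMS and TestDataAwsUnityCatalogPolicyPartionGov, differing only in the partition prefix, so any future change to the generated statements has to be mirrored in four fixtures. A small helper that renders the three statements for a given partition, for example `managedFileEventsStatements(partition string) string`, spliced into each expected string would keep the fixtures in step and make the partition the only visible difference. The enclosing test functions start before their hunks.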
@@ -116,6 +172,62 @@ func TestDataAwsUnityCatalogPolicyFullKms(t *testing.T) {
 "Resource": [
 "arn:aws:kms:us-west-2:111122223333:key/databricks-kms"
 ]
+ },
+ {
+ "Sid": "ManagedFileEventsSetupStatement",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketNotification",
+ "s3:PutBucketNotification",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:SetTopicAttributes",
+ "sns:CreateTopic",
+ "sns:TagResource",
+ "sns:Publish",
+ "sns:Subscribe",
+ "sqs:CreateQueue",
+ "sqs:DeleteMessage",
+ "sqs:ReceiveMessage",
+ "sqs:SendMessage",
+ "sqs:GetQueueUrl",
+ "sqs:GetQueueAttributes",
+ "sqs:SetQueueAttributes",
+ "sqs:TagQueue",
+ "sqs:ChangeMessageVisibility",
+ "sqs:PurgeQueue"
+ ],
+ "Resource": [
+ "arn:aws:s3:::databricks-bucket",
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsListStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sqs:ListQueues",
+ "sqs:ListQueueTags",
+ "sns:ListTopics"
+ ],
+ "Resource": [
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsTeardownStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sns:Unsubscribe",
+ "sns:DeleteTopic",
+ "sqs:DeleteQueue"
+ ],
+ "Resource": [
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
 }
 ]
 }`
@@ -161,6 +273,62 @@ func TestDataAwsUnityCatalogPolicyWithoutKMS(t *testing.T) {
 "Resource": [
 "arn:aws:iam::123456789098:role/databricks-role"
 ]
+ },
+ {
+ "Sid": "ManagedFileEventsSetupStatement",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketNotification",
+ "s3:PutBucketNotification",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:SetTopicAttributes",
+ "sns:CreateTopic",
+ "sns:TagResource",
+ "sns:Publish",
+ "sns:Subscribe",
+ "sqs:CreateQueue",
+ "sqs:DeleteMessage",
+ "sqs:ReceiveMessage",
+ "sqs:SendMessage",
+ "sqs:GetQueueUrl",
+ "sqs:GetQueueAttributes",
+ "sqs:SetQueueAttributes",
+ "sqs:TagQueue",
+ "sqs:ChangeMessageVisibility",
+ "sqs:PurgeQueue"
+ ],
+ "Resource": [
+ "arn:aws:s3:::databricks-bucket",
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsListStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sqs:ListQueues",
+ "sqs:ListQueueTags",
+ "sns:ListTopics"
+ ],
+ "Resource": [
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsTeardownStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sns:Unsubscribe",
+ "sns:DeleteTopic",
+ "sqs:DeleteQueue"
+ ],
+ "Resource": [
+ "arn:aws:sqs:*:123456789098:csms-*",
+ "arn:aws:sns:*:123456789098:csms-*"
+ ]
 }
 ]
 }`
@@ -219,6 +387,62 @@ func TestDataAwsUnityCatalogPolicyPartionGov(t *testing.T) {
 "Resource": [
 "arn:aws-us-gov:kms:databricks-kms"
 ]
+ },
+ {
+ "Sid": "ManagedFileEventsSetupStatement",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketNotification",
+ "s3:PutBucketNotification",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:SetTopicAttributes",
+ "sns:CreateTopic",
+ "sns:TagResource",
+ "sns:Publish",
+ "sns:Subscribe",
+ "sqs:CreateQueue",
+ "sqs:DeleteMessage",
+ "sqs:ReceiveMessage",
+ "sqs:SendMessage",
+ "sqs:GetQueueUrl",
+ "sqs:GetQueueAttributes",
+ "sqs:SetQueueAttributes",
+ "sqs:TagQueue",
+ "sqs:ChangeMessageVisibility",
+ "sqs:PurgeQueue"
+ ],
+ "Resource": [
+ "arn:aws-us-gov:s3:::databricks-bucket",
+ "arn:aws-us-gov:sqs:*:123456789098:csms-*",
+ "arn:aws-us-gov:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsListStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sqs:ListQueues",
+ "sqs:ListQueueTags",
+ "sns:ListTopics"
+ ],
+ "Resource": [
+ "arn:aws-us-gov:sqs:*:123456789098:csms-*",
+ "arn:aws-us-gov:sns:*:123456789098:csms-*"
+ ]
+ },
+ {
+ "Sid": "ManagedFileEventsTeardownStatement",
+ "Effect": "Allow",
+ "Action": [
+ "sns:Unsubscribe",
+ "sns:DeleteTopic",
+ "sqs:DeleteQueue"
+ ],
+ "Resource": [
+ "arn:aws-us-gov:sqs:*:123456789098:csms-*",
+ "arn:aws-us-gov:sns:*:123456789098:csms-*"
+ ]
 }
 ]
 }`