Merge pull request #1 from data-platform-hq/feat/databricks_aws_uc_role

feat: databricks aws uc role

README.md

@@ -1,10 +1,54 @@
-# Azure <> Terraform module
-Terraform module for creation Azure <>
+# AWS Databricks Unity Role Terraform module
+Terraform module for creation AWS Databricks Unity Role
 
 ## Usage
 
 <!-- BEGIN_TF_DOCS -->
+## Requirements
 
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~>5.0 |
+| <a name="requirement_databricks"></a> [databricks](#requirement\_databricks) | ~>1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_databricks"></a> [databricks](#provider\_databricks) | ~>1.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam_uc_role"></a> [iam\_uc\_role](#module\_iam\_uc\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~>5.0 |
+| <a name="module_iam_uc_role_policy"></a> [iam\_uc\_role\_policy](#module\_iam\_uc\_role\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~>5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [databricks_storage_credential.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/storage_credential) | resource |
+| [databricks_aws_unity_catalog_assume_role_policy.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/aws_unity_catalog_assume_role_policy) | data source |
+| [databricks_aws_unity_catalog_policy.this](https://registry.terraform.io/providers/databricks/databricks/latest/docs/data-sources/aws_unity_catalog_policy) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS account ID | `string` | n/a | yes |
+| <a name="input_bucket_names"></a> [bucket\_names](#input\_bucket\_names) | A map of bucket names to their IDs | `map(string)` | n/a | yes |
+| <a name="input_iam_role_boundary_arn"></a> [iam\_role\_boundary\_arn](#input\_iam\_role\_boundary\_arn) | The ARN of the IAM permissions boundary | `string` | n/a | yes |
+| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | The name of the IAM role | `string` | n/a | yes |
+| <a name="input_metastore_id"></a> [metastore\_id](#input\_metastore\_id) | The ID of the Databricks metastore | `string` | n/a | yes |
+| <a name="input_storage_credential_name"></a> [storage\_credential\_name](#input\_storage\_credential\_name) | The name of the Databricks storage credential. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_storage_creds_id"></a> [storage\_creds\_id](#output\_storage\_creds\_id) | The ID of the Databricks storage credential. |
 <!-- END_TF_DOCS -->
 
 ## License

main.tf

@@ -0,0 +1,45 @@
+resource "databricks_storage_credential" "this" {
+  name          = coalesce(var.storage_credential_name, "${var.iam_role_name}-creds")
+  metastore_id  = var.metastore_id
+  force_update  = true
+  force_destroy = true
+
+  aws_iam_role {
+    role_arn = "arn:aws:iam::${var.aws_account_id}:role/${var.iam_role_name}"
+  }
+}
+
+data "databricks_aws_unity_catalog_assume_role_policy" "this" {
+  aws_account_id = var.aws_account_id
+  role_name      = var.iam_role_name
+  external_id    = databricks_storage_credential.this.aws_iam_role[0].external_id
+}
+
+data "databricks_aws_unity_catalog_policy" "this" {
+  for_each = var.bucket_names
+
+  aws_account_id = var.aws_account_id
+  bucket_name    = each.value
+  role_name      = var.iam_role_name
+}
+
+module "iam_uc_role_policy" {
+  for_each = var.bucket_names
+  source   = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version  = "~>5.0"
+
+  name   = each.value
+  policy = data.databricks_aws_unity_catalog_policy.this[each.key].json
+}
+
+module "iam_uc_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~>5.0"
+
+  role_name                       = var.iam_role_name
+  create_role                     = true
+  create_custom_role_trust_policy = true
+  custom_role_trust_policy        = data.databricks_aws_unity_catalog_assume_role_policy.this.json
+  role_permissions_boundary_arn   = var.iam_role_boundary_arn
+  custom_role_policy_arns         = [for k, v in var.bucket_names : module.iam_uc_role_policy[k].arn]
+}

outputs.tf

@@ -0,0 +1,4 @@
+output "storage_creds_id" {
+  description = "The ID of the Databricks storage credential."
+  value       = databricks_storage_credential.this.id
+}

variables.tf

@@ -0,0 +1,30 @@
+variable "aws_account_id" {
+  description = "The AWS account ID"
+  type        = string
+}
+
+variable "bucket_names" {
+  description = "A map of bucket names to their IDs"
+  type        = map(string)
+}
+
+variable "iam_role_boundary_arn" {
+  description = "The ARN of the IAM permissions boundary"
+  type        = string
+}
+
+variable "metastore_id" {
+  description = "The ID of the Databricks metastore"
+  type        = string
+}
+
+variable "iam_role_name" {
+  description = "The name of the IAM role"
+  type        = string
+}
+
+variable "storage_credential_name" {
+  description = "The name of the Databricks storage credential."
+  type        = string
+  default     = null
+}

versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~>5.0"
+    }
+    databricks = {
+      source  = "databricks/databricks"
+      version = "~>1.0"
+    }
+  }
+}