Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fix] Add Sufficient Network Privileges to the Databricks Default Cross Account Policy #4027

Merged
merged 6 commits into from
Oct 7, 2024
Merged

[Fix] Add Sufficient Network Privileges to the Databricks Default Cross Account Policy #4027

merged 6 commits into from
Oct 7, 2024
+473 −2

Conversation

caldempsey
Copy link
Contributor

@caldempsey caldempsey commented Sep 17, 2024
edited by alexott
Loading

Changes

Currently, the Databricks-provided Cross Account Policy IAM Role does not include all the necessary permissions to set up a workspace. Attempting to set up a workspace using this policy results in the following error (see Issue #4026):

MALFORMED_REQUEST: Failed credentials validation checks: Allocate Address

This makes it difficult for new engineers to onboard to Databricks without troubleshooting unexpected errors. This PR adds the missing network permissions to the Databricks Managed VPC policy types ("managed" and "customer"), ensuring that all required permissions are included for successful workspace deployment. These changes are not applied to the "restricted" policy type to avoid allowing Elastic IP allocations, which may not be desirable for some Databricks customers. See the bottom of the description for the full list.

Tests

This change has been tested locally and is running in our staging workspace using the same configuration. As this is a fix for 'managed' type Databricks deployment configurations, I have matched this with positive and negative unit tests to guard precise and expected roles. I have then added extra tests to confirm the expected policies across each branch, 'managed', 'customer', and 'restricted'. Feel free to remove these if overboard, as I recognise you could make a similar weaker assertion using 'len'.

  • make test run locally
  • Relevant acceptance tests are passing
  • Relevant change in docs/ folder (if necessary)
  • Covered with integration tests in internal/acceptance
  • Using Go SDK (N/A)

The full list of permissions which align with the Databricks documentation, now included in the "managed" policy type, are:

[
  "ec2:AllocateAddress",
  "ec2:AssignPrivateIpAddresses",
  "ec2:AssociateDhcpOptions",
  "ec2:AssociateIamInstanceProfile",
  "ec2:AssociateRouteTable",
  "ec2:AttachInternetGateway",
  "ec2:AttachVolume",
  "ec2:AuthorizeSecurityGroupEgress",
  "ec2:AuthorizeSecurityGroupIngress",
  "ec2:CancelSpotInstanceRequests",
  "ec2:CreateDhcpOptions",
  "ec2:CreateFleet",
  "ec2:CreateInternetGateway",
  "ec2:CreateLaunchTemplate",
  "ec2:CreateLaunchTemplateVersion",
  "ec2:CreateNatGateway",
  "ec2:CreateRoute",
  "ec2:CreateRouteTable",
  "ec2:CreateSecurityGroup",
  "ec2:CreateSubnet",
  "ec2:CreateTags",
  "ec2:CreateVolume",
  "ec2:CreateVpc",
  "ec2:CreateVpcEndpoint",
  "ec2:DeleteDhcpOptions",
  "ec2:DeleteFleets",
  "ec2:DeleteInternetGateway",
  "ec2:DeleteLaunchTemplate",
  "ec2:DeleteLaunchTemplateVersions",
  "ec2:DeleteNatGateway",
  "ec2:DeleteRoute",
  "ec2:DeleteRouteTable",
  "ec2:DeleteSecurityGroup",
  "ec2:DeleteSubnet",
  "ec2:DeleteTags",
  "ec2:DeleteVolume",
  "ec2:DeleteVpc",
  "ec2:DeleteVpcEndpoints",
  "ec2:DescribeAvailabilityZones",
  "ec2:DescribeFleetHistory",
  "ec2:DescribeFleetInstances",
  "ec2:DescribeFleets",
  "ec2:DescribeIamInstanceProfileAssociations",
  "ec2:DescribeInstanceStatus",
  "ec2:DescribeInstances",
  "ec2:DescribeInternetGateways",
  "ec2:DescribeLaunchTemplates",
  "ec2:DescribeLaunchTemplateVersions",
  "ec2:DescribeNatGateways",
  "ec2:DescribeNetworkAcls",
  "ec2:DescribePrefixLists",
  "ec2:DescribeReservedInstancesOfferings",
  "ec2:DescribeRouteTables",
  "ec2:DescribeSecurityGroups",
  "ec2:DescribeSpotInstanceRequests",
  "ec2:DescribeSpotPriceHistory",
  "ec2:DescribeSubnets",
  "ec2:DescribeVolumes",
  "ec2:DescribeVpcAttribute",
  "ec2:DescribeVpcs",
  "ec2:DetachInternetGateway",
  "ec2:DisassociateIamInstanceProfile",
  "ec2:DisassociateRouteTable",
  "ec2:GetLaunchTemplateData",
  "ec2:GetSpotPlacementScores",
  "ec2:ModifyFleet",
  "ec2:ModifyLaunchTemplate",
  "ec2:ModifyVpcAttribute",
  "ec2:ReleaseAddress",
  "ec2:ReplaceIamInstanceProfileAssociation",
  "ec2:RequestSpotInstances",
  "ec2:RevokeSecurityGroupEgress",
  "ec2:RevokeSecurityGroupIngress",
  "ec2:RunInstances",
  "ec2:TerminateInstances"
]

Resolves #4026

@caldempsey caldempsey requested review from a team as code owners September 17, 2024 21:00
@caldempsey caldempsey requested review from hectorcast-db and removed request for a team September 17, 2024 21:00
@caldempsey caldempsey changed the title Add Sufficient Network Privileges to the Databricks Default Cross Account Policy [Fix] Add Sufficient Network Privileges to the Databricks Default Cross Account Policy Sep 17, 2024
alexott
alexott approved these changes Sep 18, 2024
View reviewed changes
Copy link
Contributor

@alexott alexott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good...

@caldempsey
Copy link
Contributor Author

Thanks!

@alexott alexott mentioned this pull request Oct 7, 2024
Merged
@tanmay-db tanmay-db added this pull request to the merge queue Oct 7, 2024
Merged via the queue into databricks:main with commit c56bc90 Oct 7, 2024
7 checks passed
github-merge-queue bot pushed a commit that referenced this pull request Oct 7, 2024
@parthban-db
[Release] Release v1.53.0 (#4076)
2557380 
### New Features and Improvements

* Add `databricks_budget` resource
([#3955](#3955)).
* Add `databricks_mlflow_models` data source
([#3874](#3874)).
* Add computed attribute `table_serving_url` to
`databricks_online_table`
([#4048](#4048)).
* Add support for Identity Column in `databricks_sql_table`
([#4035](#4035)).


### Bug Fixes

* Add Sufficient Network Privileges to the Databricks Default Cross
Account Policy
([#4027](#4027))
* Ignore presence or absence of `/Workspace` prefix for dashboard
resource
([#4061](#4061)).
* Refactor `databricks_permissions` and allow the current user to set
their own permissions
([#3956](#3956)).
* Set ID for online table resource if creation succeeds but it isn't
available yet
([#4072](#4072)).


### Documentation

* Update CONTRIBUTING guide for plugin framework resources
([#4078](#4078))
* Add guide for OIDC authentication
([#4016](#4016)).
* Correctly use native markdown callouts supported by TF Registry
([#4073](#4073)).
* Fixing links to `databricks_service_principal` in TF guides
([#4020](#4020)).


### Internal Changes

* Fix Permissions Dashboard Test
([#4071](#4071)).
* Bump Go SDK to latest and generate TF structs
([#4062](#4062)).
* Skip Budget tests on GCP
([#4070](#4070)).
* Update to latest OpenAPI spec and bump Go SDK
([#4069](#4069)).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tanmay-db tanmay-db tanmay-db approved these changes

@alexott alexott alexott approved these changes

@hectorcast-db hectorcast-db Awaiting requested review from hectorcast-db hectorcast-db is a code owner automatically assigned from databricks/eng-plat-auto-exp-reviewers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[ISSUE] The data databricks_aws_crossaccount_policy resource never outputs the correct list of resources.
3 participants
@caldempsey @alexott @tanmay-db