databricks.getAwsCrossAccountPolicy
Explore with Pulumi AI
Note This data source can only be used with an account-level provider!
This data source constructs necessary AWS cross-account policy for you, which is based on official documentation.
Example Usage
For more detailed usage please see databricks.getAwsAssumeRolePolicy or databricks_aws_s3_mount pages.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const this = databricks.getAwsCrossAccountPolicy({});
import pulumi
import pulumi_databricks as databricks
this = databricks.get_aws_cross_account_policy()
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.GetAwsCrossAccountPolicy(ctx, &databricks.GetAwsCrossAccountPolicyArgs{}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var @this = Databricks.GetAwsCrossAccountPolicy.Invoke();
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsCrossAccountPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var this = DatabricksFunctions.getAwsCrossAccountPolicy();
}
}
variables:
this:
fn::invoke:
Function: databricks:getAwsCrossAccountPolicy
Arguments: {}
Related Resources
The following resources are used in the same context:
- Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
- databricks.getAwsAssumeRolePolicy data to construct the necessary AWS STS assume role policy.
- databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
- databricks.InstanceProfile to manage AWS EC2 instance profiles that users can launch databricks.Cluster and access data, like databricks_mount.
Using getAwsCrossAccountPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAwsCrossAccountPolicy(args: GetAwsCrossAccountPolicyArgs, opts?: InvokeOptions): Promise<GetAwsCrossAccountPolicyResult>
function getAwsCrossAccountPolicyOutput(args: GetAwsCrossAccountPolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsCrossAccountPolicyResult>
def get_aws_cross_account_policy(aws_account_id: Optional[str] = None,
pass_roles: Optional[Sequence[str]] = None,
policy_type: Optional[str] = None,
region: Optional[str] = None,
security_group_id: Optional[str] = None,
vpc_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAwsCrossAccountPolicyResult
def get_aws_cross_account_policy_output(aws_account_id: Optional[pulumi.Input[str]] = None,
pass_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
policy_type: Optional[pulumi.Input[str]] = None,
region: Optional[pulumi.Input[str]] = None,
security_group_id: Optional[pulumi.Input[str]] = None,
vpc_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAwsCrossAccountPolicyResult]
func GetAwsCrossAccountPolicy(ctx *Context, args *GetAwsCrossAccountPolicyArgs, opts ...InvokeOption) (*GetAwsCrossAccountPolicyResult, error)
func GetAwsCrossAccountPolicyOutput(ctx *Context, args *GetAwsCrossAccountPolicyOutputArgs, opts ...InvokeOption) GetAwsCrossAccountPolicyResultOutput
> Note: This function is named GetAwsCrossAccountPolicy
in the Go SDK.
public static class GetAwsCrossAccountPolicy
{
public static Task<GetAwsCrossAccountPolicyResult> InvokeAsync(GetAwsCrossAccountPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetAwsCrossAccountPolicyResult> Invoke(GetAwsCrossAccountPolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetAwsCrossAccountPolicyResult> getAwsCrossAccountPolicy(GetAwsCrossAccountPolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: databricks:index/getAwsCrossAccountPolicy:getAwsCrossAccountPolicy
arguments:
# arguments dictionary
The following arguments are supported:
- Aws
Account stringId - — Your AWS account ID, which is a number.
- Pass
Roles List<string> - List of Data IAM role ARNs that are explicitly granted
iam:PassRole
action. The below arguments are only valid forrestricted
policy type - Policy
Type string - The type of cross account policy to generated:
managed
for Databricks-managed VPC andcustomer
for customer-managed VPC,restricted
for customer-managed VPC with policy restrictions - Region string
- — AWS Region name for your VPC deployment, for example
us-west-2
. - Security
Group stringId - — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (
credentials_id
) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects. - Vpc
Id string - — ID of the AWS VPC where you want to launch workspaces.
- Aws
Account stringId - — Your AWS account ID, which is a number.
- Pass
Roles []string - List of Data IAM role ARNs that are explicitly granted
iam:PassRole
action. The below arguments are only valid forrestricted
policy type - Policy
Type string - The type of cross account policy to generated:
managed
for Databricks-managed VPC andcustomer
for customer-managed VPC,restricted
for customer-managed VPC with policy restrictions - Region string
- — AWS Region name for your VPC deployment, for example
us-west-2
. - Security
Group stringId - — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (
credentials_id
) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects. - Vpc
Id string - — ID of the AWS VPC where you want to launch workspaces.
- aws
Account StringId - — Your AWS account ID, which is a number.
- pass
Roles List<String> - List of Data IAM role ARNs that are explicitly granted
iam:PassRole
action. The below arguments are only valid forrestricted
policy type - policy
Type String - The type of cross account policy to generated:
managed
for Databricks-managed VPC andcustomer
for customer-managed VPC,restricted
for customer-managed VPC with policy restrictions - region String
- — AWS Region name for your VPC deployment, for example
us-west-2
. - security
Group StringId - — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (
credentials_id
) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects. - vpc
Id String - — ID of the AWS VPC where you want to launch workspaces.
- aws
Account stringId - — Your AWS account ID, which is a number.
- pass
Roles string[] - List of Data IAM role ARNs that are explicitly granted
iam:PassRole
action. The below arguments are only valid forrestricted
policy type - policy
Type string - The type of cross account policy to generated:
managed
for Databricks-managed VPC andcustomer
for customer-managed VPC,restricted
for customer-managed VPC with policy restrictions - region string
- — AWS Region name for your VPC deployment, for example
us-west-2
. - security
Group stringId - — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (
credentials_id
) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects. - vpc
Id string - — ID of the AWS VPC where you want to launch workspaces.
- aws_
account_ strid - — Your AWS account ID, which is a number.
- pass_
roles Sequence[str] - List of Data IAM role ARNs that are explicitly granted
iam:PassRole
action. The below arguments are only valid forrestricted
policy type - policy_
type str - The type of cross account policy to generated:
managed
for Databricks-managed VPC andcustomer
for customer-managed VPC,restricted
for customer-managed VPC with policy restrictions - region str
- — AWS Region name for your VPC deployment, for example
us-west-2
. - security_
group_ strid - — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (
credentials_id
) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects. - vpc_
id str - — ID of the AWS VPC where you want to launch workspaces.
- aws
Account StringId - — Your AWS account ID, which is a number.
- pass
Roles List<String> - List of Data IAM role ARNs that are explicitly granted
iam:PassRole
action. The below arguments are only valid forrestricted
policy type - policy
Type String - The type of cross account policy to generated:
managed
for Databricks-managed VPC andcustomer
for customer-managed VPC,restricted
for customer-managed VPC with policy restrictions - region String
- — AWS Region name for your VPC deployment, for example
us-west-2
. - security
Group StringId - — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (
credentials_id
) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects. - vpc
Id String - — ID of the AWS VPC where you want to launch workspaces.
getAwsCrossAccountPolicy Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- AWS IAM Policy JSON document
- Aws
Account stringId - Pass
Roles List<string> - Policy
Type string - Region string
- Security
Group stringId - Vpc
Id string
- Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- AWS IAM Policy JSON document
- Aws
Account stringId - Pass
Roles []string - Policy
Type string - Region string
- Security
Group stringId - Vpc
Id string
- id String
- The provider-assigned unique ID for this managed resource.
- json String
- AWS IAM Policy JSON document
- aws
Account StringId - pass
Roles List<String> - policy
Type String - region String
- security
Group StringId - vpc
Id String
- id string
- The provider-assigned unique ID for this managed resource.
- json string
- AWS IAM Policy JSON document
- aws
Account stringId - pass
Roles string[] - policy
Type string - region string
- security
Group stringId - vpc
Id string
- id str
- The provider-assigned unique ID for this managed resource.
- json str
- AWS IAM Policy JSON document
- aws_
account_ strid - pass_
roles Sequence[str] - policy_
type str - region str
- security_
group_ strid - vpc_
id str
- id String
- The provider-assigned unique ID for this managed resource.
- json String
- AWS IAM Policy JSON document
- aws
Account StringId - pass
Roles List<String> - policy
Type String - region String
- security
Group StringId - vpc
Id String
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
databricks
Terraform Provider.