added sample datasets to s3 endpoint policy
JDBraun committed Nov 19, 2024
1 parent bcec4f9 commit 89a6fbe
Showing 1 changed file with 34 additions and 8 deletions.
42 changes: 34 additions & 8 deletions aws/tf/modules/sra/privatelink.tf
Expand Up @@ -131,11 +131,12 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
}

statement {
sid = "Grant access to Databricks Log Bucket"
sid = "Grant access to Databricks System Tables Bucket"
effect = "Allow"
actions = [
"s3:PutObject",
"s3:ListBucket",
"s3:GetObjectVersion",
"s3:GetObject",
"s3:GetBucketLocation"
]

Expand All @@ -145,8 +146,8 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
}

resources = [
"arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}/*",
"arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}"
"arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket/*",
"arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket"
]

condition {
Expand All @@ -157,7 +158,7 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
}

statement {
sid = "Grant access to Databricks System Tables Bucket"
sid = "Grant access to Databricks Sample Data Bucket"
effect = "Allow"
actions = [
"s3:ListBucket",
Expand All @@ -172,8 +173,8 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
}

resources = [
"arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket/*",
"arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket"
"arn:aws:s3:::databricks-datasets-${var.region_bucket_name}/*",
"arn:aws:s3:::databricks-datasets-${var.region_bucket_name}"
]

condition {
Expand All @@ -182,8 +183,33 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
values = ["414351767826"]
}
}
}

statement {
sid = "Grant access to Databricks Log Bucket"
effect = "Allow"
actions = [
"s3:PutObject",
"s3:ListBucket",
"s3:GetBucketLocation"
]

principals {
type = "AWS"
identifiers = ["*"]
}

resources = [
"arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}/*",
"arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}"
]

condition {
test = "StringEquals"
variable = "aws:PrincipalAccount"
values = ["414351767826"]
}
}
}

// Restrictive STS endpoint policy:
data "aws_iam_policy_document" "sts_vpc_endpoint_policy" {
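Review bot: The new "Grant access to Databricks Sample Data Bucket" statement (the `@@ -157,7 +158,7 @@` hunk) reuses the action list of the former System Tables statement, and that list runs past the hunk, so only `s3:ListBucket` is visible; sample datasets are read-only, so the statement should grant nothing beyond `s3:GetObject`, `s3:ListBucket` and `s3:GetBucketLocation` — worth confirming against the full statement that no `s3:PutObject` carried over from the copy. The account id `414351767826` in the `aws:PrincipalAccount` condition is repeated as a bare literal in every statement (it appears twice in this diff alone); declaring it once, e.g. `locals { databricks_aws_account_id = "414351767826" }`, and using `values = [local.databricks_aws_account_id]` would document what the condition pins to and keep the statements from drifting. The enclosing `s3_vpc_endpoint_policy` data block starts before the first hunk.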