I want to use Terraform to manage the cross-account IAM role required to run Databricks on AWS. I want to use the "Customer Managed VPC" option that is outlined here.
Currently, the Terraform provider does have an aws_crossaccount_role_policy for IAM, but it's the default deployment policy, not the customer managed VPC policy. This means it has additional permissions like:
"ec2:CreateVpc", "ec2:CreateVpcEndpoint"
which are not necessary for customer managed VPC deployments. Customer managed VPC deployments are quite popular on Databricks on AWS.
Attempted Solutions
You can work around this by defining the JSON policy yourself, copying it from the Databricks docs and then passing it in to the aws_iam_role_policy. But given how popular this deployment method is, it would be easier to have the policy predefined.
Another option is to use the policy and add overriding JSON elements that deny access to actions that are not needed. This is something that we have used for now.
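The second workaround in Terraform, as an added example that is not code from the issue author or the provider: the provider's default document is taken from the `databricks_aws_crossaccount_policy` data source (assumed to be the policy the issue refers to), and an explicit Deny for the two VPC-creation actions is layered on top. The role name, the two variables and the AWS provider 4.x `source_policy_documents` argument are assumptions.

```hcl
# Added example, not from the issue or the provider. Assumes: the
# databricks_aws_crossaccount_policy data source, AWS provider >= 4.x
# (source_policy_documents), and two caller-supplied input variables.

variable "databricks_aws_account_id" {
  description = "Databricks-side AWS account that assumes the role (assumed input)"
  type        = string
}

variable "databricks_external_id" {
  description = "External ID shown in the Databricks account console (assumed input)"
  type        = string
}

# Trust policy: only the Databricks account, and only with the expected external ID.
resource "aws_iam_role" "databricks_cross_account" {
  name = "databricks-cross-account"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${var.databricks_aws_account_id}:root" }
      Condition = { StringEquals = { "sts:ExternalId" = var.databricks_external_id } }
    }]
  })
}

# Default deployment policy shipped by the Databricks provider.
data "databricks_aws_crossaccount_policy" "default" {}

# Same document with an explicit Deny merged in. In IAM evaluation an explicit
# Deny overrides any Allow, so the role can no longer create VPCs or endpoints
# even though the source policy still grants those actions.
data "aws_iam_policy_document" "customer_managed_vpc" {
  source_policy_documents = [data.databricks_aws_crossaccount_policy.default.json]

  statement {
    sid       = "DenyVpcCreationForCustomerManagedVpc"
    effect    = "Deny"
    actions   = ["ec2:CreateVpc", "ec2:CreateVpcEndpoint"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "databricks_cross_account" {
  name   = "databricks-cross-account-customer-managed-vpc"
  role   = aws_iam_role.databricks_cross_account.id
  policy = data.aws_iam_policy_document.customer_managed_vpc.json
}
```

Running `terraform plan` shows the merged policy document, which is worth reviewing against the customer-managed VPC policy in the Databricks docs before applying.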