pulumi / pulumi-databricks

Apache License 2.0

GetAwsCrossAccountPolicy missing "iam:ListInstanceProfiles" permission #21

Open simonkarman opened 2 years ago

simonkarman commented 2 years ago

What happened?

GetAwsCrossAccountPolicy generates a policy you can use for the workspace; this policy is then used by the workspace to create clusters. However, when specifying PassRoles in the GetAwsCrossAccountPolicyArgs (indicating that you're using instance profiles), the generated policy is missing the "iam:ListInstanceProfiles" permission.

Steps to reproduce

workspaceCrossAccountPolicy, err := databricks.GetAwsCrossAccountPolicy(ctx, &databricks.GetAwsCrossAccountPolicyArgs{
    PassRoles: passRoles, // non-empty: instance profile role ARNs the workspace may pass
}, pulumi.Parent(dbricks), pulumi.Provider(mwsDatabricksProvider))
if err != nil {
    return err
}

where passRoles has type pulumi.StringArrayInput

Expected Behavior

I expect the resulting policy to contain the "iam:ListInstanceProfiles" permission when the PassRoles property is non-empty.

Actual Behavior

The resulting policy does NOT contain the "iam:ListInstanceProfiles" permission when the PassRoles property is non-empty.

Versions used

CLI
Version      3.37.2
Go Version   go1.17.12
Go Compiler  gc

Plugins
NAME        VERSION
aws         5.5.0
databricks  1.1.0
go          unknown
kubernetes  3.12.2
snowflake   0.12.0

Host
OS       darwin
Version  12.4
Arch     x86_64

Dependencies:
NAME                                        VERSION
github.com/oklog/run                        v1.1.0
github.com/pulumi/pulumi-aws/sdk/v5         v5.5.0
github.com/pulumi/pulumi-databricks/sdk     v1.1.0
github.com/pulumi/pulumi-kubernetes/sdk/v3  v3.12.2
github.com/pulumi/pulumi-snowflake/sdk      v0.12.0
github.com/pulumi/pulumi/sdk/v3             v3.36.0
github.com/spf13/cobra                      v1.4.0
github.com/stretchr/objx                    v0.4.0

Additional context

No response

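A way to catch this gap before the policy is deployed: an added Go check, not code from pulumi-databricks or the upstream provider, that parses the generated policy JSON and verifies the expectation stated in the report (non-empty PassRoles requires iam:ListInstanceProfiles). The policy document below is a constructed sample, and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"path"
	"strings"
)

// Constructed sample of the shape the issue describes: PassRole granted, ListInstanceProfiles absent.
const SampleMissingPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:PassRole"],"Resource":"*"}]}`

type policyDocument struct { // minimal IAM policy model, only the fields the check needs
	Statement []struct {
		Effect string      `json:"Effect"`
		Action interface{} `json:"Action"` // a single string or a list of strings
	} `json:"Statement"`
}

// PolicyAllows reports whether an Allow statement in policyJSON covers action.
// IAM action names are case-insensitive and may use "*" wildcards (e.g. "iam:List*").
func PolicyAllows(policyJSON, action string) (bool, error) {
	var doc policyDocument
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return false, err
	}
	for _, st := range doc.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		patterns, _ := st.Action.([]interface{})
		if s, ok := st.Action.(string); ok {
			patterns = []interface{}{s}
		}
		for _, p := range patterns {
			pat, _ := p.(string)
			if ok, _ := path.Match(strings.ToLower(pat), strings.ToLower(action)); ok {
				return true, nil
			}
		}
	}
	return false, nil
}

// CrossAccountPolicyOK applies the issue's expectation: with non-empty PassRoles
// (instance profiles in use) the policy must allow iam:ListInstanceProfiles.
func CrossAccountPolicyOK(policyJSON string, passRoles []string) (bool, error) {
	if len(passRoles) == 0 {
		return true, nil // no instance profiles, nothing extra required
	}
	return PolicyAllows(policyJSON, "iam:ListInstanceProfiles")
}
```

Run it against the JSON returned by GetAwsCrossAccountPolicy (for example in a unit test of the Pulumi program) so a regression is flagged before cluster creation fails at runtime.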

simonkarman commented 2 years ago

I understand that this probably needs to be fixed in the underlying terraform provider, and I'm happy to assist with this.

lblackstone commented 2 years ago

Thanks for the report @simonkarman! I didn't see any related open issues upstream, so this will need some further investigation to narrow down the problem.

nfx commented 1 year ago

https://github.com/databricks/terraform-provider-databricks/blob/master/aws/data_aws_crossaccount_policy.go perhaps a PR here? :)