Skip to content

[Fix] Add Sufficient Network Privileges to the Databricks Default Cross Account Policy#4027

Merged
tanmay-db merged 6 commits intodatabricks:mainfrom
caldempsey:caldempsey/should-have-sufficient-workspace-permissions
Oct 7, 2024
Merged

[Fix] Add Sufficient Network Privileges to the Databricks Default Cross Account Policy#4027
tanmay-db merged 6 commits intodatabricks:mainfrom
caldempsey:caldempsey/should-have-sufficient-workspace-permissions

Conversation

@caldempsey
Copy link
Copy Markdown
Contributor

@caldempsey caldempsey commented Sep 17, 2024
edited by alexott
Loading

Changes

Currently, the Databricks-provided Cross Account Policy IAM Role does not include all the necessary permissions to set up a workspace. Attempting to set up a workspace using this policy results in the following error (see Issue #4026):

MALFORMED_REQUEST: Failed credentials validation checks: Allocate Address

This makes it difficult for new engineers to onboard to Databricks without troubleshooting unexpected errors. This PR adds the missing network permissions to the Databricks Managed VPC policy types ("managed" and "customer"), ensuring that all required permissions are included for successful workspace deployment. These changes are not applied to the "restricted" policy type to avoid allowing Elastic IP allocations, which may not be desirable for some Databricks customers. See the bottom of the description for the full list.

Tests

This change has been tested locally and is running in our staging workspace using the same configuration. As this is a fix for 'managed' type Databricks deployment configurations, I have matched this with positive and negative unit tests to guard precise and expected roles. I have then added extra tests to confirm the expected policies across each branch, 'managed', 'customer', and 'restricted'. Feel free to remove these if overboard, as I recognise you could make a similar weaker assertion using 'len'.

  • make test run locally
  • Relevant acceptance tests are passing
  • Relevant change in docs/ folder (if necessary)
  • Covered with integration tests in internal/acceptance
  • Using Go SDK (N/A)

The full list of permissions which align with the Databricks documentation, now included in the "managed" policy type, are:

[
  "ec2:AllocateAddress",
  "ec2:AssignPrivateIpAddresses",
  "ec2:AssociateDhcpOptions",
  "ec2:AssociateIamInstanceProfile",
  "ec2:AssociateRouteTable",
  "ec2:AttachInternetGateway",
  "ec2:AttachVolume",
  "ec2:AuthorizeSecurityGroupEgress",
  "ec2:AuthorizeSecurityGroupIngress",
  "ec2:CancelSpotInstanceRequests",
  "ec2:CreateDhcpOptions",
  "ec2:CreateFleet",
  "ec2:CreateInternetGateway",
  "ec2:CreateLaunchTemplate",
  "ec2:CreateLaunchTemplateVersion",
  "ec2:CreateNatGateway",
  "ec2:CreateRoute",
  "ec2:CreateRouteTable",
  "ec2:CreateSecurityGroup",
  "ec2:CreateSubnet",
  "ec2:CreateTags",
  "ec2:CreateVolume",
  "ec2:CreateVpc",
  "ec2:CreateVpcEndpoint",
  "ec2:DeleteDhcpOptions",
  "ec2:DeleteFleets",
  "ec2:DeleteInternetGateway",
  "ec2:DeleteLaunchTemplate",
  "ec2:DeleteLaunchTemplateVersions",
  "ec2:DeleteNatGateway",
  "ec2:DeleteRoute",
  "ec2:DeleteRouteTable",
  "ec2:DeleteSecurityGroup",
  "ec2:DeleteSubnet",
  "ec2:DeleteTags",
  "ec2:DeleteVolume",
  "ec2:DeleteVpc",
  "ec2:DeleteVpcEndpoints",
  "ec2:DescribeAvailabilityZones",
  "ec2:DescribeFleetHistory",
  "ec2:DescribeFleetInstances",
  "ec2:DescribeFleets",
  "ec2:DescribeIamInstanceProfileAssociations",
  "ec2:DescribeInstanceStatus",
  "ec2:DescribeInstances",
  "ec2:DescribeInternetGateways",
  "ec2:DescribeLaunchTemplates",
  "ec2:DescribeLaunchTemplateVersions",
  "ec2:DescribeNatGateways",
  "ec2:DescribeNetworkAcls",
  "ec2:DescribePrefixLists",
  "ec2:DescribeReservedInstancesOfferings",
  "ec2:DescribeRouteTables",
  "ec2:DescribeSecurityGroups",
  "ec2:DescribeSpotInstanceRequests",
  "ec2:DescribeSpotPriceHistory",
  "ec2:DescribeSubnets",
  "ec2:DescribeVolumes",
  "ec2:DescribeVpcAttribute",
  "ec2:DescribeVpcs",
  "ec2:DetachInternetGateway",
  "ec2:DisassociateIamInstanceProfile",
  "ec2:DisassociateRouteTable",
  "ec2:GetLaunchTemplateData",
  "ec2:GetSpotPlacementScores",
  "ec2:ModifyFleet",
  "ec2:ModifyLaunchTemplate",
  "ec2:ModifyVpcAttribute",
  "ec2:ReleaseAddress",
  "ec2:ReplaceIamInstanceProfileAssociation",
  "ec2:RequestSpotInstances",
  "ec2:RevokeSecurityGroupEgress",
  "ec2:RevokeSecurityGroupIngress",
  "ec2:RunInstances",
  "ec2:TerminateInstances"
]

Resolves #4026

@caldempsey caldempsey requested review from a team as code owners September 17, 2024 21:00
@caldempsey caldempsey requested review from hectorcast-db and removed request for a team September 17, 2024 21:00
@caldempsey caldempsey changed the title Add Sufficient Network Privileges to the Databricks Default Cross Account Policy [Fix] Add Sufficient Network Privileges to the Databricks Default Cross Account Policy Sep 17, 2024
alexott
alexott approved these changes Sep 18, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@alexott alexott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good...

@caldempsey
Copy link
Copy Markdown
Contributor Author

caldempsey commented Sep 19, 2024

Thanks!

@alexott alexott mentioned this pull request Oct 7, 2024
Merged
@tanmay-db tanmay-db added this pull request to the merge queue Oct 7, 2024
Merged via the queue into databricks:main with commit c56bc90 Oct 7, 2024
github-merge-queue bot pushed a commit that referenced this pull request Oct 7, 2024
@parthban-db
[Release] Release v1.53.0 (#4076)
2557380 
### New Features and Improvements

* Add `databricks_budget` resource
([#3955](#3955)).
* Add `databricks_mlflow_models` data source
([#3874](#3874)).
* Add computed attribute `table_serving_url` to
`databricks_online_table`
([#4048](#4048)).
* Add support for Identity Column in `databricks_sql_table`
([#4035](#4035)).


### Bug Fixes

* Add Sufficient Network Privileges to the Databricks Default Cross
Account Policy
([#4027](#4027))
* Ignore presence or absence of `/Workspace` prefix for dashboard
resource
([#4061](#4061)).
* Refactor `databricks_permissions` and allow the current user to set
their own permissions
([#3956](#3956)).
* Set ID for online table resource if creation succeeds but it isn't
available yet
([#4072](#4072)).


### Documentation

* Update CONTRIBUTING guide for plugin framework resources
([#4078](#4078))
* Add guide for OIDC authentication
([#4016](#4016)).
* Correctly use native markdown callouts supported by TF Registry
([#4073](#4073)).
* Fixing links to `databricks_service_principal` in TF guides
([#4020](#4020)).


### Internal Changes

* Fix Permissions Dashboard Test
([#4071](#4071)).
* Bump Go SDK to latest and generate TF structs
([#4062](#4062)).
* Skip Budget tests on GCP
([#4070](#4070)).
* Update to latest OpenAPI spec and bump Go SDK
([#4069](#4069)).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexott alexott alexott approved these changes

@tanmay-db tanmay-db tanmay-db approved these changes

@hectorcast-db hectorcast-db Awaiting requested review from hectorcast-db hectorcast-db is a code owner automatically assigned from databricks/eng-plat-auto-exp-reviewers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ISSUE] The data databricks_aws_crossaccount_policy resource never outputs the correct list of resources.

3 participants

@caldempsey @alexott @tanmay-db