pulumi-databricks 1.77.0a1760375482__py3-none-any.whl → 1.79.0a1762839813__py3-none-any.whl

pulumi_databricks/mws_customer_managed_keys.py

@@ -254,56 +254,6 @@ class MwsCustomerManagedKeys(pulumi.CustomResource):
 
         You must configure this during workspace creation
 
-        ### For AWS
-
-        ```python
-        import pulumi
-        import pulumi_aws as aws
-        import pulumi_databricks as databricks
-
-        config = pulumi.Config()
-        # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
-        databricks_account_id = config.require_object("databricksAccountId")
-        current = aws.get_caller_identity()
-        databricks_managed_services_cmk = aws.iam.get_policy_document(version="2012-10-17",
-            statements=[
-                {
-                    "sid": "Enable IAM User Permissions",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": [current.account_id],
-                    }],
-                    "actions": ["kms:*"],
-                    "resources": ["*"],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for control plane managed services",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": ["arn:aws:iam::414351767826:root"],
-                    }],
-                    "actions": [
-                        "kms:Encrypt",
-                        "kms:Decrypt",
-                    ],
-                    "resources": ["*"],
-                },
-            ])
-        managed_services_customer_managed_key = aws.kms.Key("managed_services_customer_managed_key", policy=databricks_managed_services_cmk.json)
-        managed_services_customer_managed_key_alias = aws.kms.Alias("managed_services_customer_managed_key_alias",
-            name="alias/managed-services-customer-managed-key-alias",
-            target_key_id=managed_services_customer_managed_key.key_id)
-        managed_services = databricks.MwsCustomerManagedKeys("managed_services",
-            account_id=databricks_account_id,
-            aws_key_info={
-                "key_arn": managed_services_customer_managed_key.arn,
-                "key_alias": managed_services_customer_managed_key_alias.name,
-            },
-            use_cases=["MANAGED_SERVICES"])
-        ```
-
         ### For GCP
 
         ```python
@@ -325,100 +275,6 @@ class MwsCustomerManagedKeys(pulumi.CustomResource):
 
         ### Customer-managed key for workspace storage
 
-        ### For AWS
-
-        ```python
-        import pulumi
-        import pulumi_aws as aws
-        import pulumi_databricks as databricks
-
-        config = pulumi.Config()
-        # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
-        databricks_account_id = config.require_object("databricksAccountId")
-        # AWS ARN for the Databricks cross account role
-        databricks_cross_account_role = config.require_object("databricksCrossAccountRole")
-        current = aws.get_caller_identity()
-        databricks_storage_cmk = aws.iam.get_policy_document(version="2012-10-17",
-            statements=[
-                {
-                    "sid": "Enable IAM User Permissions",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": [current.account_id],
-                    }],
-                    "actions": ["kms:*"],
-                    "resources": ["*"],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for DBFS",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": ["arn:aws:iam::414351767826:root"],
-                    }],
-                    "actions": [
-                        "kms:Encrypt",
-                        "kms:Decrypt",
-                        "kms:ReEncrypt*",
-                        "kms:GenerateDataKey*",
-                        "kms:DescribeKey",
-                    ],
-                    "resources": ["*"],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for DBFS (Grants)",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": ["arn:aws:iam::414351767826:root"],
-                    }],
-                    "actions": [
-                        "kms:CreateGrant",
-                        "kms:ListGrants",
-                        "kms:RevokeGrant",
-                    ],
-                    "resources": ["*"],
-                    "conditions": [{
-                        "test": "Bool",
-                        "variable": "kms:GrantIsForAWSResource",
-                        "values": ["true"],
-                    }],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for EBS",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": [databricks_cross_account_role],
-                    }],
-                    "actions": [
-                        "kms:Decrypt",
-                        "kms:GenerateDataKey*",
-                        "kms:CreateGrant",
-                        "kms:DescribeKey",
-                    ],
-                    "resources": ["*"],
-                    "conditions": [{
-                        "test": "ForAnyValue:StringLike",
-                        "variable": "kms:ViaService",
-                        "values": ["ec2.*.amazonaws.com"],
-                    }],
-                },
-            ])
-        storage_customer_managed_key = aws.kms.Key("storage_customer_managed_key", policy=databricks_storage_cmk.json)
-        storage_customer_managed_key_alias = aws.kms.Alias("storage_customer_managed_key_alias",
-            name="alias/storage-customer-managed-key-alias",
-            target_key_id=storage_customer_managed_key.key_id)
-        storage = databricks.MwsCustomerManagedKeys("storage",
-            account_id=databricks_account_id,
-            aws_key_info={
-                "key_arn": storage_customer_managed_key.arn,
-                "key_alias": storage_customer_managed_key_alias.name,
-            },
-            use_cases=["STORAGE"])
-        ```
-
         ### For GCP
 
         ```python
@@ -501,56 +357,6 @@ class MwsCustomerManagedKeys(pulumi.CustomResource):
 
         You must configure this during workspace creation
 
-        ### For AWS
-
-        ```python
-        import pulumi
-        import pulumi_aws as aws
-        import pulumi_databricks as databricks
-
-        config = pulumi.Config()
-        # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
-        databricks_account_id = config.require_object("databricksAccountId")
-        current = aws.get_caller_identity()
-        databricks_managed_services_cmk = aws.iam.get_policy_document(version="2012-10-17",
-            statements=[
-                {
-                    "sid": "Enable IAM User Permissions",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": [current.account_id],
-                    }],
-                    "actions": ["kms:*"],
-                    "resources": ["*"],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for control plane managed services",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": ["arn:aws:iam::414351767826:root"],
-                    }],
-                    "actions": [
-                        "kms:Encrypt",
-                        "kms:Decrypt",
-                    ],
-                    "resources": ["*"],
-                },
-            ])
-        managed_services_customer_managed_key = aws.kms.Key("managed_services_customer_managed_key", policy=databricks_managed_services_cmk.json)
-        managed_services_customer_managed_key_alias = aws.kms.Alias("managed_services_customer_managed_key_alias",
-            name="alias/managed-services-customer-managed-key-alias",
-            target_key_id=managed_services_customer_managed_key.key_id)
-        managed_services = databricks.MwsCustomerManagedKeys("managed_services",
-            account_id=databricks_account_id,
-            aws_key_info={
-                "key_arn": managed_services_customer_managed_key.arn,
-                "key_alias": managed_services_customer_managed_key_alias.name,
-            },
-            use_cases=["MANAGED_SERVICES"])
-        ```
-
         ### For GCP
 
         ```python
@@ -572,100 +378,6 @@ class MwsCustomerManagedKeys(pulumi.CustomResource):
 
         ### Customer-managed key for workspace storage
 
-        ### For AWS
-
-        ```python
-        import pulumi
-        import pulumi_aws as aws
-        import pulumi_databricks as databricks
-
-        config = pulumi.Config()
-        # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
-        databricks_account_id = config.require_object("databricksAccountId")
-        # AWS ARN for the Databricks cross account role
-        databricks_cross_account_role = config.require_object("databricksCrossAccountRole")
-        current = aws.get_caller_identity()
-        databricks_storage_cmk = aws.iam.get_policy_document(version="2012-10-17",
-            statements=[
-                {
-                    "sid": "Enable IAM User Permissions",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": [current.account_id],
-                    }],
-                    "actions": ["kms:*"],
-                    "resources": ["*"],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for DBFS",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": ["arn:aws:iam::414351767826:root"],
-                    }],
-                    "actions": [
-                        "kms:Encrypt",
-                        "kms:Decrypt",
-                        "kms:ReEncrypt*",
-                        "kms:GenerateDataKey*",
-                        "kms:DescribeKey",
-                    ],
-                    "resources": ["*"],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for DBFS (Grants)",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": ["arn:aws:iam::414351767826:root"],
-                    }],
-                    "actions": [
-                        "kms:CreateGrant",
-                        "kms:ListGrants",
-                        "kms:RevokeGrant",
-                    ],
-                    "resources": ["*"],
-                    "conditions": [{
-                        "test": "Bool",
-                        "variable": "kms:GrantIsForAWSResource",
-                        "values": ["true"],
-                    }],
-                },
-                {
-                    "sid": "Allow Databricks to use KMS key for EBS",
-                    "effect": "Allow",
-                    "principals": [{
-                        "type": "AWS",
-                        "identifiers": [databricks_cross_account_role],
-                    }],
-                    "actions": [
-                        "kms:Decrypt",
-                        "kms:GenerateDataKey*",
-                        "kms:CreateGrant",
-                        "kms:DescribeKey",
-                    ],
-                    "resources": ["*"],
-                    "conditions": [{
-                        "test": "ForAnyValue:StringLike",
-                        "variable": "kms:ViaService",
-                        "values": ["ec2.*.amazonaws.com"],
-                    }],
-                },
-            ])
-        storage_customer_managed_key = aws.kms.Key("storage_customer_managed_key", policy=databricks_storage_cmk.json)
-        storage_customer_managed_key_alias = aws.kms.Alias("storage_customer_managed_key_alias",
-            name="alias/storage-customer-managed-key-alias",
-            target_key_id=storage_customer_managed_key.key_id)
-        storage = databricks.MwsCustomerManagedKeys("storage",
-            account_id=databricks_account_id,
-            aws_key_info={
-                "key_arn": storage_customer_managed_key.arn,
-                "key_alias": storage_customer_managed_key_alias.name,
-            },
-            use_cases=["STORAGE"])
-        ```
-
         ### For GCP
 
         ```python

pulumi_databricks/mws_log_delivery.py

@@ -404,6 +404,79 @@ class MwsLogDelivery(pulumi.CustomResource):
 
         You cannot delete a log delivery configuration, but you can disable it when you no longer need it. This fact is important because there is a limit to the number of enabled log delivery configurations that you can create for an account. You can create a maximum of two enabled configurations that use the account level (no workspace filter) and two enabled configurations for every specific workspace (a workspaceId can occur in the workspace filter for two configurations). You can re-enable a disabled configuration, but the request fails if it violates the limits previously described.
 
+        ## Example Usage
+
+        End-to-end example of usage and audit log delivery:
+
+        ```python
+        import pulumi
+        import pulumi_aws as aws
+        import pulumi_databricks as databricks
+        import pulumi_std as std
+        import pulumiverse_time as time
+
+        config = pulumi.Config()
+        # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
+        databricks_account_id = config.require_object("databricksAccountId")
+        logdelivery_s3_bucket = aws.index.S3Bucket("logdelivery",
+            bucket=f{prefix}-logdelivery,
+            acl=private,
+            force_destroy=True,
+            tags=std.merge(input=[
+                tags,
+                {
+                    name: f{prefix}-logdelivery,
+                },
+            ]).result)
+        logdelivery_s3_bucket_public_access_block = aws.index.S3BucketPublicAccessBlock("logdelivery",
+            bucket=logdelivery_s3_bucket.id,
+            ignore_public_acls=True)
+        logdelivery = databricks.get_aws_assume_role_policy(external_id=databricks_account_id,
+            for_log_delivery=True)
+        logdelivery_versioning = aws.index.S3BucketVersioning("logdelivery_versioning",
+            bucket=logdelivery_s3_bucket.id,
+            versioning_configuration=[{
+                status: Disabled,
+            }])
+        logdelivery_iam_role = aws.index.IamRole("logdelivery",
+            name=f{prefix}-logdelivery,
+            description=f({prefix}) UsageDelivery role,
+            assume_role_policy=logdelivery.json,
+            tags=tags)
+        logdelivery_get_aws_bucket_policy = databricks.get_aws_bucket_policy(full_access_role=logdelivery_iam_role["arn"],
+            bucket=logdelivery_s3_bucket["bucket"])
+        logdelivery_s3_bucket_policy = aws.index.S3BucketPolicy("logdelivery",
+            bucket=logdelivery_s3_bucket.id,
+            policy=logdelivery_get_aws_bucket_policy.json)
+        wait = time.Sleep("wait", create_duration="10s",
+        opts = pulumi.ResourceOptions(depends_on=[logdelivery_iam_role]))
+        log_writer = databricks.MwsCredentials("log_writer",
+            account_id=databricks_account_id,
+            credentials_name="Usage Delivery",
+            role_arn=logdelivery_iam_role["arn"],
+            opts = pulumi.ResourceOptions(depends_on=[wait]))
+        log_bucket = databricks.MwsStorageConfigurations("log_bucket",
+            account_id=databricks_account_id,
+            storage_configuration_name="Usage Logs",
+            bucket_name=logdelivery_s3_bucket["bucket"])
+        usage_logs = databricks.MwsLogDelivery("usage_logs",
+            account_id=databricks_account_id,
+            credentials_id=log_writer.credentials_id,
+            storage_configuration_id=log_bucket.storage_configuration_id,
+            delivery_path_prefix="billable-usage",
+            config_name="Usage Logs",
+            log_type="BILLABLE_USAGE",
+            output_format="CSV")
+        audit_logs = databricks.MwsLogDelivery("audit_logs",
+            account_id=databricks_account_id,
+            credentials_id=log_writer.credentials_id,
+            storage_configuration_id=log_bucket.storage_configuration_id,
+            delivery_path_prefix="audit-logs",
+            config_name="Audit Logs",
+            log_type="AUDIT_LOGS",
+            output_format="JSON")
+        ```
+
         ## Billable Usage
 
         CSV files are delivered to `<delivery_path_prefix>/billable-usage/csv/` and are named `workspaceId=<workspace-id>-usageMonth=<month>.csv`, which are delivered daily by overwriting the month's CSV file for each workspace. Format of CSV file, as well as some usage examples, can be found [here](https://docs.databricks.com/administration-guide/account-settings/usage.html#download-usage-as-a-csv-file).
@@ -484,6 +557,79 @@ class MwsLogDelivery(pulumi.CustomResource):
 
         You cannot delete a log delivery configuration, but you can disable it when you no longer need it. This fact is important because there is a limit to the number of enabled log delivery configurations that you can create for an account. You can create a maximum of two enabled configurations that use the account level (no workspace filter) and two enabled configurations for every specific workspace (a workspaceId can occur in the workspace filter for two configurations). You can re-enable a disabled configuration, but the request fails if it violates the limits previously described.
 
+        ## Example Usage
+
+        End-to-end example of usage and audit log delivery:
+
+        ```python
+        import pulumi
+        import pulumi_aws as aws
+        import pulumi_databricks as databricks
+        import pulumi_std as std
+        import pulumiverse_time as time
+
+        config = pulumi.Config()
+        # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
+        databricks_account_id = config.require_object("databricksAccountId")
+        logdelivery_s3_bucket = aws.index.S3Bucket("logdelivery",
+            bucket=f{prefix}-logdelivery,
+            acl=private,
+            force_destroy=True,
+            tags=std.merge(input=[
+                tags,
+                {
+                    name: f{prefix}-logdelivery,
+                },
+            ]).result)
+        logdelivery_s3_bucket_public_access_block = aws.index.S3BucketPublicAccessBlock("logdelivery",
+            bucket=logdelivery_s3_bucket.id,
+            ignore_public_acls=True)
+        logdelivery = databricks.get_aws_assume_role_policy(external_id=databricks_account_id,
+            for_log_delivery=True)
+        logdelivery_versioning = aws.index.S3BucketVersioning("logdelivery_versioning",
+            bucket=logdelivery_s3_bucket.id,
+            versioning_configuration=[{
+                status: Disabled,
+            }])
+        logdelivery_iam_role = aws.index.IamRole("logdelivery",
+            name=f{prefix}-logdelivery,
+            description=f({prefix}) UsageDelivery role,
+            assume_role_policy=logdelivery.json,
+            tags=tags)
+        logdelivery_get_aws_bucket_policy = databricks.get_aws_bucket_policy(full_access_role=logdelivery_iam_role["arn"],
+            bucket=logdelivery_s3_bucket["bucket"])
+        logdelivery_s3_bucket_policy = aws.index.S3BucketPolicy("logdelivery",
+            bucket=logdelivery_s3_bucket.id,
+            policy=logdelivery_get_aws_bucket_policy.json)
+        wait = time.Sleep("wait", create_duration="10s",
+        opts = pulumi.ResourceOptions(depends_on=[logdelivery_iam_role]))
+        log_writer = databricks.MwsCredentials("log_writer",
+            account_id=databricks_account_id,
+            credentials_name="Usage Delivery",
+            role_arn=logdelivery_iam_role["arn"],
+            opts = pulumi.ResourceOptions(depends_on=[wait]))
+        log_bucket = databricks.MwsStorageConfigurations("log_bucket",
+            account_id=databricks_account_id,
+            storage_configuration_name="Usage Logs",
+            bucket_name=logdelivery_s3_bucket["bucket"])
+        usage_logs = databricks.MwsLogDelivery("usage_logs",
+            account_id=databricks_account_id,
+            credentials_id=log_writer.credentials_id,
+            storage_configuration_id=log_bucket.storage_configuration_id,
+            delivery_path_prefix="billable-usage",
+            config_name="Usage Logs",
+            log_type="BILLABLE_USAGE",
+            output_format="CSV")
+        audit_logs = databricks.MwsLogDelivery("audit_logs",
+            account_id=databricks_account_id,
+            credentials_id=log_writer.credentials_id,
+            storage_configuration_id=log_bucket.storage_configuration_id,
+            delivery_path_prefix="audit-logs",
+            config_name="Audit Logs",
+            log_type="AUDIT_LOGS",
+            output_format="JSON")
+        ```
+
         ## Billable Usage
 
         CSV files are delivered to `<delivery_path_prefix>/billable-usage/csv/` and are named `workspaceId=<workspace-id>-usageMonth=<month>.csv`, which are delivered daily by overwriting the month's CSV file for each workspace. Format of CSV file, as well as some usage examples, can be found [here](https://docs.databricks.com/administration-guide/account-settings/usage.html#download-usage-as-a-csv-file).

pulumi_databricks/mws_storage_configurations.py

@@ -174,18 +174,18 @@ class MwsStorageConfigurations(pulumi.CustomResource):
         config = pulumi.Config()
         # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
         databricks_account_id = config.require_object("databricksAccountId")
-        root_storage_bucket = aws.s3.BucketV2("root_storage_bucket",
-            bucket=f"{prefix}-rootbucket",
-            acl="private")
-        root_versioning = aws.s3.BucketVersioningV2("root_versioning",
+        root_storage_bucket = aws.index.S3Bucket("root_storage_bucket",
+            bucket=f{prefix}-rootbucket,
+            acl=private)
+        root_versioning = aws.index.S3BucketVersioning("root_versioning",
             bucket=root_storage_bucket.id,
-            versioning_configuration={
-                "status": "Disabled",
-            })
+            versioning_configuration=[{
+                status: Disabled,
+            }])
         this = databricks.MwsStorageConfigurations("this",
             account_id=databricks_account_id,
             storage_configuration_name=f"{prefix}-storage",
-            bucket_name=root_storage_bucket.bucket)
+            bucket_name=root_storage_bucket["bucket"])
         ```
 
         ## Related Resources
@@ -251,18 +251,18 @@ class MwsStorageConfigurations(pulumi.CustomResource):
         config = pulumi.Config()
         # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
         databricks_account_id = config.require_object("databricksAccountId")
-        root_storage_bucket = aws.s3.BucketV2("root_storage_bucket",
-            bucket=f"{prefix}-rootbucket",
-            acl="private")
-        root_versioning = aws.s3.BucketVersioningV2("root_versioning",
+        root_storage_bucket = aws.index.S3Bucket("root_storage_bucket",
+            bucket=f{prefix}-rootbucket,
+            acl=private)
+        root_versioning = aws.index.S3BucketVersioning("root_versioning",
             bucket=root_storage_bucket.id,
-            versioning_configuration={
-                "status": "Disabled",
-            })
+            versioning_configuration=[{
+                status: Disabled,
+            }])
         this = databricks.MwsStorageConfigurations("this",
             account_id=databricks_account_id,
             storage_configuration_name=f"{prefix}-storage",
-            bucket_name=root_storage_bucket.bucket)
+            bucket_name=root_storage_bucket["bucket"])
         ```
 
         ## Related Resources