GetAwsCrossAccountPolicy missing "iam:ListInstanceProfiles" permission #21

Open
simonkarman opened this issue Aug 11, 2022 · 3 comments
Labels
kind/bug Some behavior is incorrect or out of spec

simonkarman commented Aug 11, 2022

What happened?

GetAwsCrossAccountPolicy generates a policy you can use for the workspace. This policy is then used by the workspace to create clusters. However, when specifying PassRoles in the GetAwsCrossAccountPolicyArgs (indicating that you're using instance profiles), the outputted policy is missing the "iam:ListInstanceProfiles" permission.

Steps to reproduce

workspaceCrossAccountPolicy, err := databricks.GetAwsCrossAccountPolicy(ctx, &databricks.GetAwsCrossAccountPolicyArgs{
    PassRoles: passRoles,
}, pulumi.Parent(dbricks), pulumi.Provider(mwsDatabricksProvider))

where passRoles has type pulumi.StringArrayInput

Expected Behavior

I expect the resulting policy to contain the "iam:ListInstanceProfiles" permission when the PassRoles property is non-empty.

Actual Behavior

The resulting policy does NOT contain the "iam:ListInstanceProfiles" permission when the PassRoles property is non-empty.

Versions used

CLI
Version      3.37.2
Go Version   go1.17.12
Go Compiler  gc

Plugins
NAME        VERSION
aws         5.5.0
databricks  1.1.0
go          unknown
kubernetes  3.12.2
snowflake   0.12.0

Host
OS       darwin
Version  12.4
Arch     x86_64

Dependencies:
NAME                                        VERSION
github.com/oklog/run                        v1.1.0
github.com/pulumi/pulumi-aws/sdk/v5         v5.5.0
github.com/pulumi/pulumi-databricks/sdk     v1.1.0
github.com/pulumi/pulumi-kubernetes/sdk/v3  v3.12.2
github.com/pulumi/pulumi-snowflake/sdk      v0.12.0
github.com/pulumi/pulumi/sdk/v3             v3.36.0
github.com/spf13/cobra                      v1.4.0
github.com/stretchr/objx                    v0.4.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
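
A way to check a generated policy document for the gap reported above, as an added example that is not part of the original issue or of the provider's code. The function name, the sample policy and the choice of `iam:PassRole` as a second required action are assumptions; `iam:ListInstanceProfiles` is the permission named in the issue, and `Statement` is assumed to be an array.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// samplePolicy is constructed for this example (placeholder account ID and role); requiring iam:PassRole is an assumption.
const samplePolicy = `{"Statement":[{"Effect":"Allow","Action":["ec2:RunInstances"],"Resource":"*"},
 {"Effect":"Allow","Action":"iam:PassRole","Resource":"arn:aws:iam::111111111111:role/example"}]}`

// MissingActions returns the required actions that no Allow statement grants (IAM patterns: case-insensitive, * and ?).
func MissingActions(policyJSON string, required []string) ([]string, error) {
	var p struct {
		Statement []struct{ Effect string; Action interface{} } // Action: one string or a list
	}
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var allowed []string // lower-cased action patterns from Allow statements
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		acts, isList := s.Action.([]interface{})
		if !isList {
			acts = []interface{}{s.Action}
		}
		for _, a := range acts {
			allowed = append(allowed, strings.ToLower(fmt.Sprint(a)))
		}
	}
	var missing []string
	for _, want := range required {
		granted := false
		for _, pat := range allowed {
			ok, _ := path.Match(pat, strings.ToLower(want))
			granted = granted || ok
		}
		if !granted {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

func main() { fmt.Println(MissingActions(samplePolicy, []string{"iam:PassRole", "iam:ListInstanceProfiles"})) }
```

Run against the JSON emitted by the policy lookup, this flags the missing action before the workspace fails at cluster creation; it only inspects `Action` in Allow statements and does not evaluate `Resource`, `Condition` or explicit denies.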

@simonkarman simonkarman added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Aug 11, 2022
@simonkarman
Author

I understand that this probably needs to be fixed in the underlying terraform provider, and I'm happy to assist with this.

@lblackstone lblackstone removed the needs-triage Needs attention from the triage team label Aug 15, 2022
@lblackstone
Member

Thanks for the report @simonkarman! I didn't see any related open issues upstream, so this will need some further investigation to narrow down the problem.

nfx commented Sep 30, 2022

https://github.com/databricks/terraform-provider-databricks/blob/master/aws/data_aws_crossaccount_policy.go perhaps a PR here? :)
