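--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -0,0 +1,17 @@
+{
+"permissions": {
+"allow": [
+"Bash(cargo build:*)",
+"Bash(cargo check:*)",
+"Bash(where clang:*)",
+"Read(//c/Program Files/LLVM/bin/**)",
+"Bash(echo \"LIBCLANG_PATH=$LIBCLANG_PATH\")",
+"Read(//c/Program Files/**)",
+"Bash(winget list:*)",
+"Bash(cargo tree:*)",
+"Bash(where llvm-config:*)",
+"Read(//c/msys64/mingw64/bin/**)",
+"Read(//c/msys64/clang64/bin/**)"
+]
+}
+}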
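Review bot: `.claude/settings.local.json` is a per-developer local settings file, and this one carries workstation-specific paths (`//c/Program Files/LLVM/bin/**`, `//c/msys64/mingw64/bin/**`) plus a pre-approved tool allow-list, so committing it hands the same allow-list to every cloner's assistant session and exposes the author's machine layout. Add `.claude/settings.local.json` to `.gitignore` and drop it from the tree; if any of these permissions are meant to be shared, put them in a reviewed `.claude/settings.json` with the machine-specific `Read(...)` entries removed.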
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -68,6 +68,8 @@ examples/databricks/serverless dev \
-e AWS_ACCOUNT_ID=${AWS_ACCOUNT_ID} \
-e DATABRICKS_ACCOUNT_ID=${DATABRICKS_ACCOUNT_ID} \
-e DATABRICKS_AWS_ACCOUNT_ID=${DATABRICKS_AWS_ACCOUNT_ID} \
--show-queries \
--log-level debug \
--dry-run

pgrep -f "stackql srv"
@@ -0,0 +1,11 @@
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": [
"arn:aws:kms:<KMS-KEY>"
]
}
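Review bot: `arn:aws:kms:<KMS-KEY>` is an angle-bracket fill-in rather than a template expression, unlike the `{{ ... }}` references the sibling statements use, so the policy is rendered with that literal text and will most likely be rejected as a malformed ARN when the role policy is created. Replace it with the templated key ARN (for example `"{{ kms_key_arn }}"`, name chosen to match whatever the stack's manifest calls the key) or state in the README that this file is a manual fill-in. This statement and the `s3:GetObject` statement further down also omit `Sid`, which the three ManagedFileEvents statements carry; a `Sid` makes policy-validation errors and access-analyzer findings attributable to the statement.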
@@ -0,0 +1,13 @@
{
"Sid": "ManagedFileEventsListStatement",
"Effect": "Allow",
"Action": [
"sqs:ListQueues",
"sqs:ListQueueTags",
"sns:ListTopics"
],
"Resource": [
"arn:aws:sqs:*:*:csms-*",
"arn:aws:sns:*:*:csms-*"
]
}
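Review bot: `sqs:ListQueues` and `sns:ListTopics` are account-level list actions for which the AWS service authorization reference lists no resource type, so under `Resource: arn:aws:sqs:*:*:csms-*` / `arn:aws:sns:*:*:csms-*` they may be implicitly denied; confirm against a live call, and if so move those two into a separate statement with `"Resource": "*"` while keeping `sqs:ListQueueTags` scoped to the csms-* ARNs. Separately, the account field in both ARNs is `*` here and in the ManagedFileEventsSetupStatement and ManagedFileEventsTeardownStatement below; the stack already knows the deploying account (the README passes `AWS_ACCOUNT_ID`), so templating it into the ARNs would stop the role from acting on same-named queues and topics in any other account whose resource policy happens to trust it.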
@@ -0,0 +1,30 @@
{
"Sid": "ManagedFileEventsSetupStatement",
"Effect": "Allow",
"Action": [
"s3:GetBucketNotification",
"s3:PutBucketNotification",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:CreateTopic",
"sns:TagResource",
"sns:Publish",
"sns:Subscribe",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes",
"sqs:SetQueueAttributes",
"sqs:TagQueue",
"sqs:ChangeMessageVisibility",
"sqs:PurgeQueue"
],
"Resource": [
"{{ aws_s3_metastore_bucket.arn }}",
"arn:aws:sqs:*:*:csms-*",
"arn:aws:sns:*:*:csms-*"
]
}
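Review bot: `s3:PutBucketNotification` on `{{ aws_s3_metastore_bucket.arn }}` lets the role replace the bucket's entire notification configuration, not just add a subscription, so any other event integration on the metastore bucket can be silently dropped by the managed file events setup. That is inherent to the AWS API rather than a defect in the statement, but it is worth a line in the README next to the policy description, e.g. `-- managed file events setup overwrites the metastore bucket's notification configuration; do not share that bucket with other event consumers`.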
@@ -0,0 +1,13 @@
{
"Sid": "ManagedFileEventsTeardownStatement",
"Effect": "Allow",
"Action": [
"sns:Unsubscribe",
"sns:DeleteTopic",
"sqs:DeleteQueue"
],
"Resource": [
"arn:aws:sqs:*:*:csms-*",
"arn:aws:sns:*:*:csms-*"
]
}
@@ -0,0 +1,17 @@
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": [
"{{ aws_s3_metastore_bucket.arn }}/*",
"{{ aws_s3_metastore_bucket.arn }}"
]
}
@@ -0,0 +1,9 @@
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::{{ databricks_aws_account_id }}:role/{{ stack_name }}-{{ stack_env }}-metastore-role"
]
}
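Review bot: The `sts:AssumeRole` resource is `arn:aws:iam::{{ databricks_aws_account_id }}:role/{{ stack_name }}-{{ stack_env }}-metastore-role`, but a role named after this stack and environment would presumably be created in the deploying account, not in the Databricks-owned account that `DATABRICKS_AWS_ACCOUNT_ID` appears to denote in the README. If this statement is the metastore role's self-assume grant, the account id should probably be the one carried by `AWS_ACCOUNT_ID`; please confirm which account owns the role and, either way, add a one-line comment in the README explaining why the chosen account id is the right one, since the two variables are easy to confuse.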
@@ -0,0 +1,44 @@
/*+ exists */
SELECT count(*) as count
FROM awscc.s3.bucket_policies
WHERE region = '{{ region }}' AND
Identifier = '{{ bucket_name }}'
;

/*+ create */
INSERT INTO awscc.s3.bucket_policies (
Bucket,
PolicyDocument,
region
)
SELECT
'{{ bucket_name }}',
'{{ policy_document }}',
'{{ region }}';

/*+ update */
UPDATE awscc.s3.bucket_policies
SET PatchDocument = string('{{ {
"PolicyDocument": policy_document
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ bucket_name }}';

/*+ statecheck, retries=5, retry_delay=10 */
SELECT
count(*) as count
FROM (
SELECT
AWS_POLICY_EQUAL(policy_document, '{{ policy_document }}') as test_policy_document
FROM awscc.s3.bucket_policies
WHERE region = '{{ region }}'
AND Identifier = '{{ bucket_name }}'
)t
WHERE test_policy_document = 1;

/*+ delete */
DELETE FROM awscc.s3.bucket_policies
WHERE
Identifier = '{{ bucket_name }}' AND
region = '{{ region }}';
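Review bot: `'{{ policy_document }}'` in the create block and in the statecheck is a whole JSON document interpolated into a single-quoted SQL literal with no visible escaping, so a single quote anywhere inside the policy (a condition value, for instance) breaks the statement; the same applies to `policy_document` inside the `generate_patch_document` expression in the update block, whose result is wrapped in `string('...')`. If the policy only ever comes from the stack's own manifest that is acceptable, but it should be stated at the top of the file, e.g. `-- policy_document is trusted manifest JSON and must not contain single quotes`, or the template should apply whatever quoting filter the engine provides before the value reaches the literal.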
47 changes: 24 additions & 23 deletions examples/databricks/serverless/resources/aws/s3/buckets.iql
@@ -1,7 +1,7 @@
/*+ exists */
SELECT count(*) as count
FROM awscc.s3.buckets
WHERE region = 'us-east-1' AND
WHERE region = '{{ region }}' AND
Identifier = '{{ bucket_name }}'
;

Expand Down Expand Up @@ -36,29 +36,30 @@ SET PatchDocument = string('{{ {
WHERE region = '{{ region }}'
AND Identifier = '{{ bucket_name }}';

/*+ statecheck, retries=3, retry_delay=2 */
SELECT count(*) as count
FROM awscc.s3.buckets
WHERE
region = 'us-east-1' AND
Identifier = '{{ bucket_name }}' AND
JSON_EQUAL(bucket_encryption, '{{ bucket_encryption }}') AND
JSON_EQUAL(ownership_controls, '{{ ownership_controls }}') AND
JSON_EQUAL(public_access_block_configuration, '{{ public_access_block_configuration }}') AND
JSON_EQUAL(tags, '{{ tags }}') AND
JSON_EQUAL(versioning_configuration, '{{ versioning_configuration }}')
;


/*+ exports */
SELECT
bucket_name,
arn
FROM awscc.s3.buckets
WHERE region = 'us-east-1' AND
Identifier = '{{ bucket_name }}';
/*+ exports, retries=3, retry_delay=5 */
SELECT
arn,
bucket_name
FROM (
SELECT
arn,
bucket_name,
JSON_EQUAL(ownership_controls, '{{ ownership_controls }}') as test_ownership_controls,
JSON_EQUAL(bucket_encryption, '{{ bucket_encryption }}') as test_bucket_encryption,
JSON_EQUAL(public_access_block_configuration, '{{ public_access_block_configuration }}') as test_public_access_block_configuration,
JSON_EQUAL(versioning_configuration, '{{ versioning_configuration }}') as test_versioning_configuration,
AWS_POLICY_EQUAL(tags, '{{ tags }}') as test_tags
FROM awscc.s3.buckets
WHERE region = '{{ region }}'
AND Identifier = '{{ bucket_name }}'
)t
WHERE test_ownership_controls = 1
AND test_bucket_encryption = 1
AND test_public_access_block_configuration = 1
AND test_versioning_configuration = 1
AND test_tags = 1;

/*+ delete */
DELETE FROM awscc.s3.buckets
WHERE Identifier = '{{ bucket_name }}'
AND region = 'us-east-1';
AND region = '{{ region }}';
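Review bot: In the new exports block the tags check uses `AWS_POLICY_EQUAL(tags, '{{ tags }}')` while the four sibling checks on the same rows use `JSON_EQUAL`, and the removed statecheck also compared tags with `JSON_EQUAL`; the switch reads like a typo unless it is deliberate. If it was chosen because the tag list should compare independently of element order (I am inferring that from the helper's name), a one-line comment `-- tags: order-insensitive comparison, hence AWS_POLICY_EQUAL rather than JSON_EQUAL` above that line would settle it for the next reader. Worth noting too that folding the statecheck into exports means the export now yields no rows until every attribute matches, which the `retries=3, retry_delay=5` hint covers only for roughly fifteen seconds, versus the `retries=5, retry_delay=10` used by bucket_policies.iql in the same change.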
@@ -0,0 +1,83 @@
/*+ exists */
SELECT count(*) as count
FROM databricks_account.iam.account_groups
WHERE account_id = '{{ account_id }}'
AND filter = 'displayName Eq "{{ displayName }}"'
;

/*+ create */
INSERT INTO databricks_account.iam.account_groups (
display_name,
external_id,
id,
members,
meta,
roles,
account_id
)
SELECT
'{{ display_name }}',
'{{ external_id }}',
'{{ id }}',
'{{ members }}',
'{{ meta }}',
'{{ roles }}',
'{{ account_id }}'
RETURNING
id,
account_id,
displayName,
externalId,
members,
meta,
roles
;

/*+ update */
UPDATE databricks_account.iam.account_groups
SET
operations = '{{ operations }}',
schemas = '{{ schemas }}'
WHERE
account_id = '{{ account_id }}' --required
AND id = '{{ id }}' --required;

/*+ statecheck, retries=5, retry_delay=10 */
SELECT count(*) as count
FROM databricks_account.iam.account_groups
WHERE
id = '{{ id }}' AND
members = '{{ members }}' AND
meta = '{{ meta }}' AND
roles = '{{ roles }}' AND
account_id = '{{ account_id }}' -- required
AND attributes = '{{ attributes }}'
AND count = '{{ count }}'
AND excluded_attributes = '{{ excluded_attributes }}'
AND filter = '{{ filter }}'
AND sort_by = '{{ sort_by }}'
AND sort_order = '{{ sort_order }}'
AND start_index = '{{ start_index }}'
;

/*+ exports */
SELECT id,
members,
meta,
roles
FROM databricks_account.iam.account_groups
WHERE account_id = '{{ account_id }}' -- required
AND attributes = '{{ attributes }}'
AND count = '{{ count }}'
AND excluded_attributes = '{{ excluded_attributes }}'
AND filter = '{{ filter }}'
AND sort_by = '{{ sort_by }}'
AND sort_order = '{{ sort_order }}'
AND start_index = '{{ start_index }}'
;

/*+ delete */
DELETE FROM databricks_account.iam.account_groups
WHERE account_id = '{{ account_id }}' --required
AND id = '{{ id }}' --required
;
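Review bot: In the update block the statement terminator is swallowed by the trailing line comment — `AND id = '{{ id }}' --required;` puts the `;` inside the comment, so the statement is unterminated; write `AND id = '{{ id }}'; -- required` instead. The exists check filters on `displayName Eq "{{ displayName }}"` while the create block inserts `'{{ display_name }}'`, so one of the two template variables will be undefined unless both are deliberately supplied; pick one name and use it in both places. The statecheck and exports blocks also compare `members`, `meta` and `roles` with plain `=` against rendered JSON, whereas buckets.iql and bucket_policies.iql use `JSON_EQUAL` / `AWS_POLICY_EQUAL` for the same kind of comparison; a string comparison is sensitive to key order and whitespace, so this will likely never match and should use the same helper.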
@@ -0,0 +1,30 @@
/*+ exists */
SELECT count(*) as count
FROM databricks_account.provisioning.storage
WHERE account_id = '{{ account_id }}'
AND storage_configuration_name = '{{ storage_configuration_name }}'
;

/*+ create */
INSERT INTO databricks_account.provisioning.storage (
storage_configuration_name,
root_bucket_info,
account_id
)
SELECT
'{{ storage_configuration_name }}',
'{{ root_bucket_info }}',
'{{ account_id }}';

/*+ exports, retries=5, retry_delay=10 */
SELECT storage_configuration_id
FROM databricks_account.provisioning.storage
WHERE account_id = '{{ account_id }}'
AND storage_configuration_name = '{{ storage_configuration_name }}'
AND JSON_EXTRACT(root_bucket_info, '$.bucket_name') = '{{ root_bucket_info | from_json | get(key="bucket_name") }}';

/*+ delete */
DELETE FROM databricks_account.provisioning.storage
WHERE account_id = '{{ account_id }}'
AND storage_configuration_id = '{{ storage_configuration_id }}'
;
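Review bot: This file has no `update` or `statecheck` block, unlike the sibling resource files in the same change; if that is because Databricks storage configurations cannot be modified after creation (the provisioning API appears to expose no update, but please confirm), say so with a comment above the `/*+ create */` block such as `-- storage configurations are immutable: a change to root_bucket_info requires delete and recreate`, otherwise a reader will assume the drift check was simply forgotten. The exports query's `JSON_EXTRACT(root_bucket_info, '$.bucket_name')` comparison only confirms the bucket at create time, so later drift in the underlying bucket still goes unreported.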