Add module for CML on AWS permissions (#94)

Signed-off-by: Jim Enright <jenright@cloudera.com>

README.md

@@ -16,7 +16,8 @@ This repository contains a number of Terraform modules for creation of the pre-r
 | [terraform-aws-fw-vpc](modules/terraform-aws-fw-vpc/README.md) | Module for creation of the VPC networking resources on AWS suitable for running a Firewall in a distributed architecture on AWS. Can be used to create a networking VPC which runs the AWS Network Firewall and connects to a Cloudera on cloud full-private deployment. |
 | [terraform-aws-tgw](modules/terraform-aws-tgw/README.md) | Module for creation of AWS Transity Gateway (TGW) and attaching a specified list of VPCs via the TGW. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a CDP VPC and Networking VPC are connected using the Transit Gateway. |
 | [terraform-aws-bastion](modules/terraform-aws-bastion/README.md) | Module to create a Bastion EC2 instance on AWS. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a secure environment, where the CDP Environment requires a Bastion host. |
-| [terraform-aws-proxy](modules/terraform-aws-proxy/README.md) | Module to create and configure and EC2 Auto-Scaling Group for a highly available Squid Proxy service with Network Load Balancer (NLB) to forward traffic to the proxy instances. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a the CDP Environments uses a proxy config via the NLB. |
+| [terraform-aws-cml-permissions](modules/terraform-aws-cml-permissions/README.md) | Module to create AWS IAM policies required for the Cloudera Machine Learning (CML) backup and restore. |
+| [terraform-aws-permissions](modules/terraform-aws-permissions/README.md) | Module for creation of the AWS IAM permissions required by the (CDP) Public Cloud environment and datalake deployment. Note that this module is called from the terraform-cdp-aws-prereqs module. |
 | [terraform-aws-firewall](modules/terraform-aws-firewall/README.md) | Module to create and configure to create and configure an AWS Network Firewall. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where the CDP Environment is connected to a Networking VPC running the Firewall. |
 | [terraform-azure-nfs](modules/terraform-azure-nfs/README.md) | Module for creation of Azure NFS File Share required for Cloudera Machine Learning (CML) Public Cloud. Also optionally creates a Virtual Machine which can be used to mount and set the required ownership for CML workspace's projects folder.|
 | [terraform-azure-cdw-permissions](modules/terraform-azure-cdw-permissions/README.md) | Module for creation of the Azure Kubernetes Service (AKS) managed identity required for the Cloudera Data Warehouse (CDW) service.|

modules/terraform-aws-cml-permissions/README.md

@@ -0,0 +1,61 @@
+<!-- BEGIN_TF_DOCS -->
+# Terraform Module for AWS IAM Permissions for CML
+
+This module contains resource files and example variable definition files for creation of the AWS IAM policies required for the Cloudera Machine Learning (CML) backup and restore functionality. This requirement is described [in this section](https://docs.cloudera.com/machine-learning/cloud/workspaces/topics/ml-backup-restore-prerequisites.html) of the CML documentation.
+
+## Usage
+
+The [examples](./examples) directory has an example AWS IAM policy creation on AWS:
+
+* `ex01-minimal-inputs` uses the minimum set of inputs for the module.
+
+An example `terraform.tfvars.sample` values file is included to show input variable values.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~>5.30 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~>5.30 |
+| <a name="provider_http"></a> [http](#provider\_http) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.cml_backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.cml_restore_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role_policy_attachment.cdp_xaccount_role_cml_backup_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.cdp_xaccount_role_cml_restore_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role.xaccount_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+| [http_http.cml_backup_policy_doc](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
+| [http_http.cml_restore_policy_doc](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cml_backup_policy_name"></a> [cml\_backup\_policy\_name](#input\_cml\_backup\_policy\_name) | CDP CML Backup Policy name | `string` | n/a | yes |
+| <a name="input_cml_restore_policy_name"></a> [cml\_restore\_policy\_name](#input\_cml\_restore\_policy\_name) | CDP CML Restore Policy name | `string` | n/a | yes |
+| <a name="input_xaccount_role_name"></a> [xaccount\_role\_name](#input\_xaccount\_role\_name) | Name of existing cross account Assume role Name. | `string` | n/a | yes |
+| <a name="input_cml_backup_policy_doc"></a> [cml\_backup\_policy\_doc](#input\_cml\_backup\_policy\_doc) | Contents of CDP CML Backup Policy Document. If not specified document is downloaded from Cloudera Document repository | `string` | `null` | no |
+| <a name="input_cml_restore_policy_doc"></a> [cml\_restore\_policy\_doc](#input\_cml\_restore\_policy\_doc) | Contents of CDP CML Restore Policy Document. If not specified document is downloaded from Cloudera Document repository | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags applied to provised resources | `map(any)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aws_cml_backup_policy_arn"></a> [aws\_cml\_backup\_policy\_arn](#output\_aws\_cml\_backup\_policy\_arn) | CML Backup IAM Policy ARN |
+| <a name="output_aws_cml_restore_policy_arn"></a> [aws\_cml\_restore\_policy\_arn](#output\_aws\_cml\_restore\_policy\_arn) | CML Restore IAM Policy ARN |
+<!-- END_TF_DOCS -->

modules/terraform-aws-cml-permissions/data.tf

@@ -0,0 +1,29 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "aws_iam_role" "xaccount_role" {
+
+  name = var.xaccount_role_name
+}
+
+# HTTP get request to download policy documents
+# ..CML Backup Policy
+data "http" "cml_backup_policy_doc" {
+  url = "https://docs.cloudera.com/machine-learning/cloud/cml-backup-policy.json"
+}
+
+# ..CML Restore Policy
+data "http" "cml_restore_policy_doc" {
+  url = "https://docs.cloudera.com/machine-learning/cloud/cml-restore-policy.json"
+}

modules/terraform-aws-cml-permissions/defaults.tf

@@ -0,0 +1,23 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+locals {
+
+  # CML Backup Policy document
+  cml_backup_policy_doc = coalesce(var.cml_backup_policy_doc, data.http.cml_backup_policy_doc.response_body)
+
+  # CML Backup Policy document
+  cml_restore_policy_doc = coalesce(var.cml_restore_policy_doc, data.http.cml_restore_policy_doc.response_body)
+
+}

modules/terraform-aws-cml-permissions/doc_fragments/header.md

@@ -0,0 +1,11 @@
+# Terraform Module for AWS IAM Permissions for CML
+
+This module contains resource files and example variable definition files for creation of the AWS IAM policies required for the Cloudera Machine Learning (CML) backup and restore functionality. This requirement is described [in this section](https://docs.cloudera.com/machine-learning/cloud/workspaces/topics/ml-backup-restore-prerequisites.html) of the CML documentation.
+
+## Usage
+
+The [examples](./examples) directory has an example AWS IAM policy creation on AWS:
+
+* `ex01-minimal-inputs` uses the minimum set of inputs for the module.
+
+An example `terraform.tfvars.sample` values file is included to show input variable values.

modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/main.tf

@@ -0,0 +1,72 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.5.7"
+  required_providers {
+    cdp = {
+      source  = "cloudera/cdp"
+      version = ">= 0.6.1"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~>5.30"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+module "xaccount_iam_role" {
+  source = "../../../terraform-aws-cred-permissions"
+
+  tags = var.tags
+
+  # Using CDP TF Provider cred pre-reqs data source for values of xaccount account_id and external_id
+  xaccount_account_id  = data.cdp_environments_aws_credential_prerequisites.cdp_prereqs.account_id
+  xaccount_external_id = data.cdp_environments_aws_credential_prerequisites.cdp_prereqs.external_id
+
+  xaccount_policy_name        = "${var.env_prefix}-xaccount-policy"
+  xaccount_account_policy_doc = base64decode(data.cdp_environments_aws_credential_prerequisites.cdp_prereqs.policy)
+
+  xaccount_role_name = "${var.env_prefix}-xaccount-role"
+
+  # Create assume role trust relationship required for CML backup and restore
+  create_cml_assume_role_policy = true
+}
+
+module "ex01_minimal_inputs" {
+  source = "../.."
+
+  tags = var.tags
+
+  cml_backup_policy_name  = "${var.env_prefix}-cml-backup-policy"
+  cml_restore_policy_name = "${var.env_prefix}-cml-restore-policy"
+
+  xaccount_role_name = module.xaccount_iam_role.aws_xaccount_role_name
+
+  depends_on = [module.xaccount_iam_role]
+}
+
+# Use the CDP Terraform Provider to find the xaccount account and external ids
+data "cdp_environments_aws_credential_prerequisites" "cdp_prereqs" {}
+
+# ------- Outputs -------
+output "xaccount_role_arn" {
+  value = module.xaccount_iam_role.aws_xaccount_role_arn
+
+  description = "The ARN of the created Cross Account Role"
+}

modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/terraform.tfvars.sample

@@ -0,0 +1,27 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------- Global settings -------
+env_prefix = "<ENTER_VALUE>" # Required name prefix for cloud and CDP resources, e.g. cldr1
+
+# ------- Cloud Settings -------
+aws_region = "<ENTER_VALUE>" # Change this to specify Cloud Provider region, e.g. eu-west-1
+
+# ------- Resource Tagging -------
+# **NOTE: An example of how to specify tags is below; uncomment & edit if required
+tags = {
+  owner   = "<ENTER_VALUE>"
+  project = "<ENTER_VALUE>"
+  enddate = "<ENTER_VALUE>"
+}

modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/variables.tf

@@ -0,0 +1,31 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------- Global settings -------
+variable "aws_region" {
+  type        = string
+  description = "Region which Cloud resources will be created"
+}
+
+variable "env_prefix" {
+  type        = string
+  description = "Shorthand name for the environment. Used in resource descriptions"
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Tags applied to provised resources"
+
+  default = null
+}

modules/terraform-aws-cml-permissions/main.tf

@@ -0,0 +1,44 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------- Cross Account Policy -------
+resource "aws_iam_policy" "cml_backup_policy" {
+  name        = var.cml_backup_policy_name
+  description = "CDP CML Workspace Backup policy"
+
+  tags = merge(var.tags, { Name = var.cml_backup_policy_name })
+
+  policy = local.cml_backup_policy_doc
+}
+
+resource "aws_iam_policy" "cml_restore_policy" {
+  name        = var.cml_restore_policy_name
+  description = "CDP CML Workspace Restore policy"
+
+  tags = merge(var.tags, { Name = var.cml_restore_policy_name })
+
+  policy = local.cml_restore_policy_doc
+}
+
+# Attach CML backup policy to the xaccount role 
+resource "aws_iam_role_policy_attachment" "cdp_xaccount_role_cml_backup_attach" {
+  role       = data.aws_iam_role.xaccount_role.name
+  policy_arn = aws_iam_policy.cml_backup_policy.arn
+}
+
+# Attach CML restore policy to the xaccount role 
+resource "aws_iam_role_policy_attachment" "cdp_xaccount_role_cml_restore_attach" {
+  role       = data.aws_iam_role.xaccount_role.name
+  policy_arn = aws_iam_policy.cml_restore_policy.arn
+}

modules/terraform-aws-cml-permissions/outputs.tf

@@ -0,0 +1,25 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "aws_cml_backup_policy_arn" {
+  value = aws_iam_policy.cml_backup_policy.arn
+
+  description = "CML Backup IAM Policy ARN"
+}
+
+output "aws_cml_restore_policy_arn" {
+  value = aws_iam_policy.cml_restore_policy.arn
+
+  description = "CML Restore IAM Policy ARN"
+}

modules/terraform-aws-cml-permissions/provider.tf

@@ -0,0 +1,28 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~>5.30"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = ">= 3.2.1"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}