From 712dbff6cf275ecee14b7e5b66c5d5522561d060 Mon Sep 17 00:00:00 2001
From: Mark Sliva
Date: Fri, 24 Mar 2023 12:09:56 -0700
Subject: [PATCH] Attach glue pass roles directly onto the glue_service_role

Summary: There is an issue with deployment where the iam:PassRole from the AWSGlueConsoleFullAccess policy isn't propagating into the glue_service_role. To resolve, attach the 3 required roles according to the Glue docs: https://docs.aws.amazon.com/glue/latest/dg/attach-policy-iam-user.html
Differential Revision: D44379301
fbshipit-source-id: b0830e42c4251033aab68bf24a279cfbd4cfedb7
---
 .../infra/cloud_bridge/data_ingestion/glue.tf | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/fbpcs/infra/cloud_bridge/data_ingestion/glue.tf b/fbpcs/infra/cloud_bridge/data_ingestion/glue.tf
index 9618b1a1e..d3e57e8ed 100644
--- a/fbpcs/infra/cloud_bridge/data_ingestion/glue.tf
+++ b/fbpcs/infra/cloud_bridge/data_ingestion/glue.tf
@@ -53,6 +53,62 @@ resource "aws_iam_role_policy" "s3_policy" {
 EOF
 }
+resource "aws_iam_role_policy" "pass_glue_service_role" {
+ name = "pass-glue-service-role${var.tag_postfix}"
+ role = aws_iam_role.glue_service_role.id
+ policy = <