import * as pulumi from "@pulumi/pulumi";
/**
 * This data source constructs necessary AWS STS assume role policy for you.
 *
 * ## Example Usage
 *
 * End-to-end example of provisioning Cross-account IAM role with databricks.MwsCredentials and aws_iam_role:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
 * const databricksAccountId = config.requireObject<any>("databricksAccountId");
 * const _this = databricks.getAwsCrossAccountPolicy({});
 * const crossAccountPolicy = new aws.iam.Policy("cross_account_policy", {
 *     name: `${prefix}-crossaccount-iam-policy`,
 *     policy: _this.then(_this => _this.json),
 * });
 * const thisGetAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
 *     externalId: databricksAccountId,
 * });
 * const crossAccount = new aws.iam.Role("cross_account", {
 *     name: `${prefix}-crossaccount-iam-role`,
 *     assumeRolePolicy: thisGetAwsAssumeRolePolicy.then(thisGetAwsAssumeRolePolicy => thisGetAwsAssumeRolePolicy.json),
 *     description: "Grants Databricks full access to VPC resources",
 * });
 * const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("cross_account", {
 *     policyArn: crossAccountPolicy.arn,
 *     role: crossAccount.name,
 * });
 * // required only in case of multi-workspace setup
 * const thisMwsCredentials = new databricks.MwsCredentials("this", {
 *     accountId: databricksAccountId,
 *     credentialsName: `${prefix}-creds`,
 *     roleArn: crossAccount.arn,
 * });
 * ```
 *
 * ## Related Resources
 *
 * The following resources are used in the same context:
 *
 * * Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
 * * databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
 * * databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on [official documentation](https://docs.databricks.com/administration-guide/account-api/iam-role.html#language-Your%C2%A0VPC,%C2%A0default).
 */
export declare function getAwsAssumeRolePolicy(args: GetAwsAssumeRolePolicyArgs, opts?: pulumi.InvokeOptions): Promise<GetAwsAssumeRolePolicyResult>;
/**
 * A collection of arguments for invoking getAwsAssumeRolePolicy.
 */
export interface GetAwsAssumeRolePolicyArgs {
    /**
     * AWS partition. The options are `aws`, `aws-us-gov`, or `aws-us-gov-dod`. Defaults to `aws`
     */
    awsPartition?: string;
    /**
     * @deprecated databricks_account_id will be will be removed in the next major release.
     */
    databricksAccountId?: string;
    /**
     * Account Id that could be found in the top right corner of [Accounts Console](https://accounts.cloud.databricks.com/).
     */
    externalId: string;
    /**
     * Either or not this assume role policy should be created for usage log delivery. Defaults to false.
     */
    forLogDelivery?: boolean;
}
/**
 * A collection of values returned by getAwsAssumeRolePolicy.
 */
export interface GetAwsAssumeRolePolicyResult {
    readonly awsPartition?: string;
    /**
     * @deprecated databricks_account_id will be will be removed in the next major release.
     */
    readonly databricksAccountId?: string;
    readonly externalId: string;
    readonly forLogDelivery?: boolean;
    /**
     * The provider-assigned unique ID for this managed resource.
     */
    readonly id: string;
    /**
     * AWS IAM Policy JSON document
     */
    readonly json: string;
}
/**
 * This data source constructs necessary AWS STS assume role policy for you.
 *
 * ## Example Usage
 *
 * End-to-end example of provisioning Cross-account IAM role with databricks.MwsCredentials and aws_iam_role:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as databricks from "@pulumi/databricks";
 *
 * const config = new pulumi.Config();
 * // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
 * const databricksAccountId = config.requireObject<any>("databricksAccountId");
 * const _this = databricks.getAwsCrossAccountPolicy({});
 * const crossAccountPolicy = new aws.iam.Policy("cross_account_policy", {
 *     name: `${prefix}-crossaccount-iam-policy`,
 *     policy: _this.then(_this => _this.json),
 * });
 * const thisGetAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
 *     externalId: databricksAccountId,
 * });
 * const crossAccount = new aws.iam.Role("cross_account", {
 *     name: `${prefix}-crossaccount-iam-role`,
 *     assumeRolePolicy: thisGetAwsAssumeRolePolicy.then(thisGetAwsAssumeRolePolicy => thisGetAwsAssumeRolePolicy.json),
 *     description: "Grants Databricks full access to VPC resources",
 * });
 * const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("cross_account", {
 *     policyArn: crossAccountPolicy.arn,
 *     role: crossAccount.name,
 * });
 * // required only in case of multi-workspace setup
 * const thisMwsCredentials = new databricks.MwsCredentials("this", {
 *     accountId: databricksAccountId,
 *     credentialsName: `${prefix}-creds`,
 *     roleArn: crossAccount.arn,
 * });
 * ```
 *
 * ## Related Resources
 *
 * The following resources are used in the same context:
 *
 * * Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
 * * databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
 * * databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on [official documentation](https://docs.databricks.com/administration-guide/account-api/iam-role.html#language-Your%C2%A0VPC,%C2%A0default).
 */
export declare function getAwsAssumeRolePolicyOutput(args: GetAwsAssumeRolePolicyOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetAwsAssumeRolePolicyResult>;
/**
 * A collection of arguments for invoking getAwsAssumeRolePolicy.
 */
export interface GetAwsAssumeRolePolicyOutputArgs {
    /**
     * AWS partition. The options are `aws`, `aws-us-gov`, or `aws-us-gov-dod`. Defaults to `aws`
     */
    awsPartition?: pulumi.Input<string>;
    /**
     * @deprecated databricks_account_id will be will be removed in the next major release.
     */
    databricksAccountId?: pulumi.Input<string>;
    /**
     * Account Id that could be found in the top right corner of [Accounts Console](https://accounts.cloud.databricks.com/).
     */
    externalId: pulumi.Input<string>;
    /**
     * Either or not this assume role policy should be created for usage log delivery. Defaults to false.
     */
    forLogDelivery?: pulumi.Input<boolean>;
}