
Commit 0d1eb30

authored
fix: Adding LF data_location_access (#333)
Added var `lf_catalog_data_location_access_producer_arns` that is used to give `DATA_LOCATION_ACCESS` permission in LakeFormation on s3 locations of all databases.
1 parent e6611a2 commit 0d1eb30


4 files changed

+31
-0
lines changed


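--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.12.5] - 2025-11-12
+### Added
+- Added var `lf_catalog_data_location_access_producer_arns` that is used to give `DATA_LOCATION_ACCESS` permission in LakeFormation on s3 locations of all databases.
+
 ## [7.12.4] - 2025-10-24
 ### Changed
 - Fixed `GlueStatsServiceRole` name to avoid name conflicts when there are multiple apiary instances in same account.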

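--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -34,6 +34,8 @@
 | lf\_readonly\_client\_arns | AWS IAM role ARNs granted describe and select permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
 | lf\_catalog\_client\_arns | AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
 | lf\_customer\_accounts | AWS account IDs granted describe permissions on all glue databases using LakeFormation. | `list(string)` | `[]` | no |
+| lf\_catalog\_producer\_arns | AWS IAM role ARNs granted ALL permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
+| lf\_catalog\_data\_location\_access\_producer\_arns | AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns` | `list(string)` | `[]` | no |
 | dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
 | db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
 | db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | `"7"` | yes |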

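--- a/lf.tf
+++ b/lf.tf
@@ -101,6 +101,19 @@ resource "aws_lakeformation_permissions" "hms_sys_loc_permissions" {
 }
 }
 
+resource "aws_lakeformation_permissions" "data_location_access_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? {
+for schema in local.catalog_data_location_access_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
+} : {}
+
+principal = each.value.producer_arn
+permissions = ["DATA_LOCATION_ACCESS"]
+
+data_location {
+arn = aws_lakeformation_resource.apiary_data_bucket[each.value.schema_name].arn
+}
+}
+
 locals {
 # Read clients
 catalog_client_schemas = [
@@ -129,6 +142,12 @@ locals {
 producer_arn = pair[1]
 }
 ]
+catalog_data_location_access_producer_schemas = [
+for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_data_location_access_producer_arns) : {
+schema_name = pair[0]
+producer_arn = pair[1]
+}
+]
 }
 
 resource "aws_lakeformation_permissions" "catalog_client_permissions" {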
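Review bot: The new `data_location_access_permissions` resource has no comment explaining why a location-level grant is needed next to the existing database/table grants, and the only place that states `lf_catalog_producer_arns` does not confer it is the VARIABLES.md row. I would add above the resource: `# DATA_LOCATION_ACCESS is a Lake Formation location-level grant that lets a principal create or alter catalog resources pointing at the registered S3 location; it is not part of the database/table grants given to lf_catalog_producer_arns, so those principals are listed separately in lf_catalog_data_location_access_producer_arns.` The `catalog_data_location_access_producer_schemas` local is the full cross product of every schema in `local.schemas_info` with every ARN in the list, so a principal cannot be limited to a single schema's location; if that is intended, the variable description should say so. The `aws_lakeformation_resource.apiary_data_bucket[each.value.schema_name]` lookup presumes that resource is keyed by schema name, which is defined outside this hunk.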

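--- a/variables.tf
+++ b/variables.tf
@@ -627,6 +627,12 @@ variable "lf_catalog_producer_arns" {
 default = []
 }
 
+variable lf_catalog_data_location_access_producer_arns {
+description = "AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns`"
+type = list(string)
+default = []
+}
+
 variable "lf_catalog_glue_sync_arn" {
 description = "AWS IAM role ARN for glue sync to update table metadata. If empty, aws_iam_role.apiary_hms_readwrite.arn will be used."
 type = string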
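Review bot: The new declaration `variable lf_catalog_data_location_access_producer_arns {` leaves the name unquoted, unlike the sibling `variable "lf_catalog_producer_arns" {` and `variable "lf_catalog_glue_sync_arn" {` visible in this hunk; `terraform fmt` would rewrite it to `variable "lf_catalog_data_location_access_producer_arns" {`. Since every entry in this list becomes a Lake Formation grantee on every schema's S3 location, a `validation` block that rejects values which are not IAM principal ARNs would surface a typo at plan time rather than at apply, provided the module's required Terraform version accepts `validation` blocks (the version constraint is outside this hunk). The pattern below is a constructed example and should be tightened to whatever principal types the module actually intends to accept.
```hcl
variable "lf_catalog_data_location_access_producer_arns" {
  // … unchanged: description, type, default …
  validation {
    condition     = alltrue([for a in var.lf_catalog_data_location_access_producer_arns : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:(role|user)/", a))])
    error_message = "lf_catalog_data_location_access_producer_arns must contain IAM role or user ARNs."
  }
}
```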
