
Commit cef57c3

committed
separated in own var
1 parent 030edbd commit cef57c3

3 files changed

+16
-2
lines changed


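--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -34,6 +34,8 @@
 | lf\_readonly\_client\_arns | AWS IAM role ARNs granted describe and select permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
 | lf\_catalog\_client\_arns | AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
 | lf\_customer\_accounts | AWS account IDs granted describe permissions on all glue databases using LakeFormation. | `list(string)` | `[]` | no |
+| lf\_catalog\_producer\_arns | AWS IAM role ARNs granted ALL permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
+| lf\_catalog\_data\_location\_access\_producer\_arns | AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns` | `list(string)` | `[]` | no |
 | dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
 | db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
 | db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | `"7"` | yes |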

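--- a/lf.tf
+++ b/lf.tf
@@ -101,9 +101,9 @@ resource "aws_lakeformation_permissions" "hms_sys_loc_permissions" {
 }
 }
 
-resource "aws_lakeformation_permissions" "producer_loc_permissions" {
+resource "aws_lakeformation_permissions" "data_location_access_permissions" {
 for_each = var.disable_glue_db_init && var.create_lf_resource ? {
-for schema in local.catalog_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
+for schema in local.catalog_data_location_access_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
 } : {}
 
 principal = each.value.producer_arn
@@ -142,6 +142,12 @@ locals {
 producer_arn = pair[1]
 }
 ]
+catalog_data_location_access_producer_schemas = [
+for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_data_location_access_producer_arns) : {
+schema_name = pair[0]
+producer_arn = pair[1]
+}
+]
 }
 
 resource "aws_lakeformation_permissions" "catalog_client_permissions" {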
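Review bot: The rename of producer_loc_permissions to data_location_access_permissions changes the resource address, so on the next apply Terraform revokes every existing DATA_LOCATION_ACCESS grant and re-creates it instead of keeping it in state, and because the new for_each is keyed off var.lf_catalog_data_location_access_producer_arns (default `[]`), any producer that was previously granted location access through lf_catalog_producer_arns loses it unless the caller also lists it in the new variable. The VARIABLES.md note shows this split is intentional, but it is a breaking upgrade step that the resource itself does not flag; a comment such as `# Renamed from producer_loc_permissions: DATA_LOCATION_ACCESS is granted only to var.lf_catalog_data_location_access_producer_arns, not to lf_catalog_producer_arns` would make that explicit. If the module targets Terraform 1.1 or later, a `moved` block with `from = aws_lakeformation_permissions.producer_loc_permissions` and `to = aws_lakeformation_permissions.data_location_access_permissions` would keep state for principals present in both lists and avoid the revoke/re-grant window. The resource body continues past the hunk, so the permissions and data_location arguments are not visible here.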

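--- a/variables.tf
+++ b/variables.tf
@@ -627,6 +627,12 @@ variable "lf_catalog_producer_arns" {
 default = []
 }
 
+variable lf_catalog_data_location_access_producer_arns {
+description = "AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns`"
+type = list(string)
+default = []
+}
+
 variable "lf_catalog_glue_sync_arn" {
 description = "AWS IAM role ARN for glue sync to update table metadata. If empty, aws_iam_role.apiary_hms_readwrite.arn will be used."
 type = string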
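Review bot: The new block label is unquoted (`variable lf_catalog_data_location_access_producer_arns {`) while the neighbouring `variable "lf_catalog_producer_arns"` and `variable "lf_catalog_glue_sync_arn"` use quoted labels; `terraform fmt` rewrites it to `variable "lf_catalog_data_location_access_producer_arns" {`, so keeping the quoted form matches the file and avoids a spurious formatting diff later. Since every entry in this list receives DATA_LOCATION_ACCESS on all database locations, a `validation` block that rejects anything other than an IAM role ARN would fail at plan time rather than after a partial grant; that requires Terraform 0.13 or later, which I cannot confirm from this hunk.
```hcl
variable "lf_catalog_data_location_access_producer_arns" {
  # … unchanged: description, type, default …
  validation {
    condition     = length([for arn in var.lf_catalog_data_location_access_producer_arns : arn if !can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", arn))]) == 0
    error_message = "Every entry must be an IAM role ARN (arn:<partition>:iam::<account-id>:role/<name>)."
  }
}
```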
