diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5a3298b..e3666ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [7.12.5] - 2025-11-12
+### Added
+- Added var `lf_catalog_data_location_access_producer_arns` that is used to give `DATA_LOCATION_ACCESS` permission in LakeFormation on s3 locations of all databases.
+
 ## [7.12.4] - 2025-10-24
 ### Changed
 - Fixed `GlueStatsServiceRole` name to avoid name conflicts when there are multiple apiary instances in same account.
diff --git a/VARIABLES.md b/VARIABLES.md
index 19d46ac..b78d092 100644
--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -34,6 +34,8 @@
 | lf\_readonly\_client\_arns | AWS IAM role ARNs granted describe and select permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
 | lf\_catalog\_client\_arns | AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
 | lf\_customer\_accounts | AWS account IDs granted describe permissions on all glue databases using LakeFormation. | `list(string)` | `[]` | no |
+| lf\_catalog\_producer\_arns | AWS IAM role ARNs granted ALL permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
+| lf\_catalog\_data\_location\_access\_producer\_arns | AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns` | `list(string)` | `[]` | no |
 | dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
 | db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
 | db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | `"7"` | yes |
diff --git a/lf.tf b/lf.tf
index 8dd97b1..a859986 100644
--- a/lf.tf
+++ b/lf.tf
@@ -101,6 +101,19 @@ resource "aws_lakeformation_permissions" "hms_sys_loc_permissions" {
 }
 }
+resource "aws_lakeformation_permissions" "data_location_access_permissions" {
+ for_each = var.disable_glue_db_init && var.create_lf_resource ? {
+ for schema in local.catalog_data_location_access_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
+ } : {}
+ principal = each.value.producer_arn
+ permissions = ["DATA_LOCATION_ACCESS"]
+ data_location {
+ arn = aws_lakeformation_resource.apiary_data_bucket[each.value.schema_name].arn
+ }
+}
+
 locals {
+
 # Read clients
+
 catalog_client_schemas = [
@@ -129,6 +142,12 @@ locals {
 producer_arn = pair[1]
 }
 ]
+ catalog_data_location_access_producer_schemas = [
+ for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_data_location_access_producer_arns) : {
+ schema_name = pair[0]
+ producer_arn = pair[1]
+ }
+ ]
 }
 resource "aws_lakeformation_permissions" "catalog_client_permissions" {
diff --git a/variables.tf b/variables.tf
index adc1dac..156a8df 100644
--- a/variables.tf
+++ b/variables.tf
@@ -627,6 +627,12 @@ variable "lf_catalog_producer_arns" {
 default = []
 }
+variable lf_catalog_data_location_access_producer_arns {
+ description = "AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns`"
+ type = list(string)
+ default = []
+}
+
 variable "lf_catalog_glue_sync_arn" {
 description = "AWS IAM role ARN for glue sync to update table metadata. If empty, aws_iam_role.apiary_hms_readwrite.arn will be used."
 type = string
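Review bot: The new `data_location_access_permissions` resource grants `DATA_LOCATION_ACCESS` on every schema's registered S3 location to every ARN in the list with no per-schema scoping — its `for_each` iterates `local.catalog_data_location_access_producer_schemas`, which the second hunk builds as a `setproduct` over all of `local.schemas_info`, so a single entry in the variable is a catalog-wide grant that lets that principal create catalog objects pointing at any Apiary data location. That should be stated on the resource itself, since a reader of `lf.tf` sees only one `data_location` block; I would add `# One grant per (schema, producer) pair: every listed ARN gets DATA_LOCATION_ACCESS on every schema's registered bucket, so it can create or alter catalog objects pointing at any Apiary data location.` above `for_each`. The lookup `aws_lakeformation_resource.apiary_data_bucket[each.value.schema_name]` also presumes that resource is keyed by schema name for every entry of `local.schemas_info`; if it is only created for a subset (that resource is outside the hunk), the plan would fail on the missing key, which is worth a short comment next to the `arn` line. The gate `var.disable_glue_db_init && var.create_lf_resource` presumably mirrors `hms_sys_loc_permissions` directly above, whose body starts before the hunk.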
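Review bot: The new `variable` block's label is unquoted, unlike `variable "lf_catalog_producer_arns"` immediately above it and `variable "lf_catalog_glue_sync_arn"` below; `terraform fmt` would rewrite it, so declare it as `variable "lf_catalog_data_location_access_producer_arns" {` to keep the file consistent. Because each entry is a catalog-wide `DATA_LOCATION_ACCESS` grant, it would also be worth adding a `validation` block (if the module's minimum Terraform version allows one) that checks every element looks like an IAM role ARN, which is the form the description promises, so a pasted account ID or user ARN is rejected at plan time rather than granted. The description's wording, "on all database s3 locations", matches the `setproduct` in `lf.tf`, so no change there.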