4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [7.12.5] - 2025-11-03
### Changed
- Fixed LakeFormation `DATA_LOCATION_ACCESS` to `lf_catalog_producer_arns`.

## [7.12.4] - 2025-10-24
### Changed
- Fixed `GlueStatsServiceRole` name to avoid name conflicts when there are multiple apiary instances in same account.
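Review bot: the 7.12.5 entry misdescribes the change. Nothing is "fixed to `lf_catalog_producer_arns`"; this PR adds a separate input, `lf_catalog_data_location_access_producer_arns`, precisely because `DATA_LOCATION_ACCESS` is not granted by `lf_catalog_producer_arns`. Suggest "Added `lf_catalog_data_location_access_producer_arns` to grant `DATA_LOCATION_ACCESS` on database S3 locations via LakeFormation." and, since this is a new variable rather than a behaviour change, file it under `### Added` as Keep a Changelog expects.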
2 changes: 2 additions & 0 deletions VARIABLES.md
Expand Up @@ -34,6 +34,8 @@
| lf\_readonly\_client\_arns | AWS IAM role ARNs granted describe and select permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
| lf\_catalog\_client\_arns | AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
| lf\_customer\_accounts | AWS account IDs granted describe permissions on all glue databases using LakeFormation. | `list(string)` | `[]` | no |
| lf\_catalog\_producer\_arns | AWS IAM role ARNs granted ALL permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
| lf\_catalog\_data\_location\_access\_producer\_arns | AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns` | `list(string)` | `[]` | no |
| dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
| db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
| db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | `"7"` | yes |
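Review bot: the new description row is missing terminating punctuation after the NOTE sentence and writes `s3` where the rest of the table uses proper nouns (`S3`); the same string is duplicated in `variables.tf`, so keep both in sync. It would also help operators to state the practical consequence explicitly: a producer role that must both manage catalog objects and register or write under the database locations has to be listed in both `lf_catalog_producer_arns` and this new variable, because the two grants are deliberately independent.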
19 changes: 19 additions & 0 deletions lf.tf
Expand Up @@ -101,6 +101,19 @@ resource "aws_lakeformation_permissions" "hms_sys_loc_permissions" {
}
}

resource "aws_lakeformation_permissions" "data_location_access_permissions" {
for_each = var.disable_glue_db_init && var.create_lf_resource ? {
for schema in local.catalog_data_location_access_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
} : {}

principal = each.value.producer_arn
permissions = ["DATA_LOCATION_ACCESS"]

data_location {
arn = aws_lakeformation_resource.apiary_data_bucket[each.value.schema_name].arn
}
}

locals {
# Read clients
catalog_client_schemas = [
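Review bot: the `data_location` block indexes `aws_lakeformation_resource.apiary_data_bucket[each.value.schema_name]`, so this resource only works if `apiary_data_bucket` is keyed by `schema_name` and is created for every entry in `local.schemas_info` under the same `var.disable_glue_db_init && var.create_lf_resource` gate; if that resource is conditional on something else, `terraform plan` will fail with a missing map key. Please confirm the gating matches `hms_sys_loc_permissions` above and add a one-line comment on the resource noting that `DATA_LOCATION_ACCESS` is intentionally a separate, narrower grant from the `ALL` given to `lf_catalog_producer_arns` (no `permissions_with_grant_option`, which is the right least-privilege default here).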
Expand Down Expand Up @@ -129,6 +142,12 @@ locals {
producer_arn = pair[1]
}
]
catalog_data_location_access_producer_schemas = [
for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_data_location_access_producer_arns) : {
schema_name = pair[0]
producer_arn = pair[1]
}
]
}

resource "aws_lakeformation_permissions" "catalog_client_permissions" {
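Review bot: `setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_data_location_access_producer_arns)` will emit duplicate pairs if the same ARN is listed twice in the variable, and the `for_each` map comprehension in `data_location_access_permissions` then fails at plan time with a duplicate-key error. Wrapping the variable as `toset(var.lf_catalog_data_location_access_producer_arns)` (or `distinct(...)`) in this local makes the grant idempotent against operator input; the existing `catalog_producer_schemas` local above has the same exposure, so it may be worth fixing both in one pass.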
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -627,6 +627,12 @@ variable "lf_catalog_producer_arns" {
default = []
}

variable lf_catalog_data_location_access_producer_arns {
description = "AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns`"
type = list(string)
default = []
}

variable "lf_catalog_glue_sync_arn" {
description = "AWS IAM role ARN for glue sync to update table metadata. If empty, aws_iam_role.apiary_hms_readwrite.arn will be used."
type = string
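Review bot: the block label is unquoted (`variable lf_catalog_data_location_access_producer_arns {`) while every neighbouring block uses `variable "name" {`; `terraform fmt` would rewrite it, so please quote it for consistency before merge. The description also repeats the unpunctuated NOTE sentence and lowercase `s3` from `VARIABLES.md`; fix both places together so the generated docs stay aligned.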