Add clients variable which have access to all tables (#308)

javsanbel2 · Raj Poluri · web-flow · commit 018ce5e1d0b8 · 2025-05-05T17:38:34.000+02:00
* add DB sg self permissions

* changelog

* cahnge

* space

* add db

* fix

* fix TF formatting

* remove all on dbs

---------

Co-authored-by: Raj Poluri &lt;rpoluri@expediagroup.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.10.6] - 2025-05-02
+### Added
+- Add catalog producer roles with access to ALL Glue databases.
+
 ## [7.10.5] - 2025-04-29
 ### Fixed
 - Include describe permission in hive metastore lakeformation policy to fix terraform reconcilation.
diff --git a/lf.tf b/lf.tf
@@ -98,18 +98,27 @@ resource "aws_lakeformation_permissions" "hms_sys_loc_permissions" {
 }
 
 locals {
+  # Read clients
   catalog_client_schemas = [
     for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_client_arns) : {
       schema_name = pair[0]
       client_arn  = pair[1]
     }
   ]
+  # Read accounts
   customer_account_schemas = [
     for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_customer_accounts) : {
       schema_name      = pair[0]
       customer_account = pair[1]
     }
   ]
+  # Write producers
+  catalog_producer_schemas = [
+    for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_producer_arns) : {
+      schema_name  = pair[0]
+      producer_arn = pair[1]
+    }
+  ]
 }
 
 resource "aws_lakeformation_permissions" "catalog_client_permissions" {
@@ -192,3 +201,57 @@ resource "aws_lakeformation_permissions" "all_principals_system_tbl_permissions"
     wildcard      = true
   }
 }
+
+# Catalog Producer permissions
+
+resource "aws_lakeformation_permissions" "catalog_producer_db_permissions" {
+  for_each = var.disable_glue_db_init && var.create_lf_resource ? tomap({
+    for schema in local.catalog_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
+  }) : {}
+
+  principal   = each.value.producer_arn
+  permissions = ["DESCRIBE", "CREATE_TABLE"]
+
+  database {
+    name = aws_glue_catalog_database.apiary_glue_database[each.value.schema_name].name
+  }
+}
+
+resource "aws_lakeformation_permissions" "catalog_producer_db_system_permissions" {
+  for_each = var.disable_glue_db_init && var.create_lf_resource ? tomap({
+    for schema in local.catalog_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
+  }) : {}
+
+  principal   = each.value.producer_arn
+  permissions = ["DESCRIBE", "CREATE_TABLE"]
+
+  database {
+    name = aws_glue_catalog_database.apiary_system_glue_database[0].name
+  }
+}
+
+resource "aws_lakeformation_permissions" "catalog_producer_permissions" {
+  for_each = var.disable_glue_db_init && var.create_lf_resource ? tomap({
+    for schema in local.catalog_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
+  }) : {}
+
+  principal   = each.value.producer_arn
+  permissions = ["ALL", "DESCRIBE"]
+
+  table {
+    database_name = aws_glue_catalog_database.apiary_glue_database[each.value.schema_name].name
+    wildcard      = true
+  }
+}
+
+resource "aws_lakeformation_permissions" "catalog_producer_system_permissions" {
+  for_each = var.disable_glue_db_init && var.create_lf_resource ? toset(var.lf_catalog_producer_arns) : []
+
+  principal   = each.key
+  permissions = ["ALL", "DESCRIBE"]
+
+  table {
+    database_name = aws_glue_catalog_database.apiary_system_glue_database[0].name
+    wildcard      = true
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -598,7 +598,13 @@ variable "lf_hybrid_access_enabled" {
 }
 
 variable "lf_catalog_client_arns" {
-  description = "AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation."
+  description = "AWS IAM role ARNs granted DESCRIBE permissions on all glue databases and tables using LakeFormation."
+  type        = list(string)
+  default     = []
+}
+
+variable "lf_catalog_producer_arns" {
+  description = "AWS IAM role ARNs granted ALL permissions on all glue databases and tables using LakeFormation."
   type        = list(string)
   default     = []
 }

Original file line number	Diff line number	Diff line change
`@@ -598,7 +598,13 @@ variable "lf_hybrid_access_enabled" {`
`598`	`598`	`}`
`599`	`599`
`600`	`600`	`variable "lf_catalog_client_arns" {`
`601`		`- description = "AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation."`
	`601`	`+ description = "AWS IAM role ARNs granted DESCRIBE permissions on all glue databases and tables using LakeFormation."`
	`602`	`+ type = list(string)`
	`603`	`+ default = []`
	`604`	`+}`
	`605`	`+`
	`606`	`+variable "lf_catalog_producer_arns" {`
	`607`	`+ description = "AWS IAM role ARNs granted ALL permissions on all glue databases and tables using LakeFormation."`
`602`	`608`	`type = list(string)`
`603`	`609`	`default = []`
`604`	`610`	`}`