
Commit 3e8a097

rpoluriRaj Poluri
andauthored
Variable to configure catalog clients (#304)
* table describe permissions for catalog client arns * fix * fix * catalog client system db permissions * fix * update variables.md and changelog.md * add metastore table permissions * update change log --------- Co-authored-by: Raj Poluri <rpoluri@expediagroup.com>
1 parent dc15ea7 commit 3e8a097


4 files changed

+73
-0
lines changed


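--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.10.2] - 2025-03-05
+### Added
+- Variable to configure catalog client ARNs.
+- Add table permissions for metastore IAM role to fix issues with few clients.
+
 ## [7.10.1] - 2025-03-04
 ### Added
 - Iceberg metadata files are now always accessible cross-account.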

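--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -30,6 +30,7 @@
 | disable\_glue\_db\_init | Glue databases are created programatically by default in hms-readwrite bootstrap init action. Setting this variable to true will disable the hms-readwrite bootstrap init action and create Glue databases via Terraform. | `bool` | `false` | no |
 | create\_lf\_resource | All available schemas will be registered in Lake Formation as resources if this is enabled. | `bool` | `false` | no |
 | lf\_hybrid\_access\_enabled | Lake Formation Hybrid access will be set to `true` in Lake formation resources. | `bool` | `false` | no |
+| lf\_catalog\_client\_arns | AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
 | dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
 | db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
 | db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | `"7"` | yes |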

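--- a/lf.tf
+++ b/lf.tf
@@ -35,6 +35,20 @@ resource "aws_lakeformation_permissions" "hms_db_permissions" {
 }
 }
 
+resource "aws_lakeformation_permissions" "hms_tbl_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? {
+for schema in local.schemas_info : "${schema["schema_name"]}" => schema
+} : {}
+
+principal = aws_iam_role.apiary_hms_readwrite.arn
+permissions = ["ALL"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_glue_database[each.key].name
+wildcard = true
+}
+}
+
 resource "aws_lakeformation_permissions" "hms_system_db_permissions" {
 count = var.disable_glue_db_init && var.create_lf_resource ? 1 : 0
 
@@ -45,3 +59,50 @@ resource "aws_lakeformation_permissions" "hms_system_db_permissions" {
 name = aws_glue_catalog_database.apiary_system_glue_database[0].name
 }
 }
+
+resource "aws_lakeformation_permissions" "hms_system_tbl_permissions" {
+count = var.disable_glue_db_init && var.create_lf_resource ? 1 : 0
+
+principal = aws_iam_role.apiary_hms_readwrite.arn
+permissions = ["ALL"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_system_glue_database[0].name
+wildcard = true
+}
+}
+
+locals {
+catalog_client_schemas = [
+for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_client_arns) : {
+schema_name = pair[0]
+client_arn = pair[1]
+}
+]
+}
+
+resource "aws_lakeformation_permissions" "catalog_client_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? tomap({
+for schema in local.catalog_client_schemas : "${schema["schema_name"]}-${schema["client_arn"]}" => schema
+}) : {}
+
+principal = each.value.client_arn
+permissions = ["DESCRIBE"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_glue_database[each.value.schema_name].name
+wildcard = true
+}
+}
+
+resource "aws_lakeformation_permissions" "catalog_client_system_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? toset(var.lf_catalog_client_arns) : []
+
+principal = each.key
+permissions = ["DESCRIBE"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_system_glue_database[0].name
+wildcard = true
+}
+}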
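Review bot: catalog_client_permissions (new lines 84-96) and catalog_client_system_permissions (new lines 98-108) grant DESCRIBE only through a `table { … wildcard = true }` block, while the variable they consume is described in this commit's variables.tf and VARIABLES.md hunks as granting describe on all glue databases and tables; no database-scoped grant for the client ARNs appears in this commit, so either add one per client (pairing with the table grant the way hms_db_permissions pairs with the new hms_tbl_permissions) or narrow the description to tables. If such a database grant already exists in a part of lf.tf not shown here, a one-line comment on each client resource would stop the next reader from asking the same question, e.g. `# Table-level DESCRIBE for catalog clients; the matching database-level grant is <resource name, placeholder>`. Neither client resource sets `permissions_with_grant_option`, so the clients cannot re-grant what they receive, which is the right scoping for a read-only consumer and worth keeping as is. As a point of style, hms_tbl_permissions builds its for_each with a bare `{ for … } : {}` while catalog_client_permissions wraps the same shape in `tomap(…)`; using one form for both keeps the empty-map fallback consistent. The hms_db_permissions and hms_system_db_permissions resources whose closing lines form the context of the two hunks start outside them.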

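--- a/variables.tf
+++ b/variables.tf
@@ -597,6 +597,12 @@ variable "lf_hybrid_access_enabled" {
 default = true
 }
 
+variable "lf_catalog_client_arns" {
+description = "AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation."
+type = list(string)
+default = []
+}
+
 variable "disable_glue_db_init" {
 description = "Glue databases are created programatically by default in hms-readwrite bootstrap init action. Setting this variable to true will disable the hms-readwrite bootstrap init action and create Glue databases via Terraform."
 type = bool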
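Review bot: lf_catalog_client_arns (new lines 600-604) is used directly as a Lake Formation principal in lf.tf, and the new variable carries no `validation` block, so a mistyped or non-role ARN is only rejected by the provider at apply time, after a plan has already promised the grant. A plan-time check that every entry looks like an IAM role ARN is cheap and keeps a bad value from ever reaching a grant: `validation { condition = alltrue([for a in var.lf_catalog_client_arns : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", a))]) error_message = "Each entry of lf_catalog_client_arns must be an IAM role ARN." }`. The `default = []` on line 603 correctly means no client grants are created unless the operator opts in, which is the right default for a permission-granting variable.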
