add data location permissions (#305)

* hive metastore data location access permissions

* fix

* fix

* update changelog

---------

Co-authored-by: Raj Poluri <rpoluri@expediagroup.com>

Author: rpoluri

CHANGELOG.md

@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.10.3] - 2025-03-07
+### Added
+- Add data location permissions for metastore IAM role.
+
 ## [7.10.2] - 2025-03-05
 ### Added
 - Variable to configure catalog client ARNs.

lf.tf

@@ -49,6 +49,20 @@ resource "aws_lakeformation_permissions" "hms_tbl_permissions" {
   }
 }
 
+resource "aws_lakeformation_permissions" "hms_loc_permissions" {
+  for_each = var.disable_glue_db_init && var.create_lf_resource ? {
+    for schema in local.schemas_info : "${schema["schema_name"]}" => schema
+  } : {}
+
+  principal   = aws_iam_role.apiary_hms_readwrite.arn
+  permissions = ["DATA_LOCATION_ACCESS"]
+
+  data_location {
+    arn = aws_lakeformation_resource.apiary_data_bucket[each.key].arn
+  }
+}
+
+
 resource "aws_lakeformation_permissions" "hms_system_db_permissions" {
   count = var.disable_glue_db_init && var.create_lf_resource ? 1 : 0
 
@@ -72,6 +86,17 @@ resource "aws_lakeformation_permissions" "hms_system_tbl_permissions" {
   }
 }
 
+resource "aws_lakeformation_permissions" "hms_sys_loc_permissions" {
+  count = var.disable_glue_db_init && var.create_lf_resource ? 1 : 0
+
+  principal   = aws_iam_role.apiary_hms_readwrite.arn
+  permissions = ["DATA_LOCATION_ACCESS"]
+
+  data_location {
+    arn = aws_lakeformation_resource.apiary_system_bucket[0].arn
+  }
+}
+
 locals {
   catalog_client_schemas = [
     for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_catalog_client_arns) : {