feat: add LakeFormation table permissions for Glue stats vendor role (#336)

Added var `create_glue_stats_vendor_role_tbl_permissions` and corresponding
`aws_lakeformation_permissions` resource granting DESCRIBE/INSERT/DELETE on
all schema tables to the Glue stats service role in EGDP.

Co-authored-by: javbeltran_expedia <javbeltran@expediagroup.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

CHANGELOG.md

@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.12.8] - 2026-04-15
+### Added
+- Added var `create_glue_stats_vendor_role_tbl_permissions` to create LakeFormation table permissions (`DESCRIBE`, `INSERT`, `DELETE`) for the Glue stats service role on all schemas.
+
 ## [7.12.7] - 2026-04-13
 ### Added
 - Added LakeFormation permissions for `glue_stats_service_role` on Glue databases and tables.

lf.tf

@@ -102,9 +102,9 @@ resource "aws_lakeformation_permissions" "hms_sys_loc_permissions" {
 }
 
 resource "aws_lakeformation_permissions" "data_location_access_permissions" {
-    for_each = var.disable_glue_db_init && var.create_lf_resource ? {
-      for schema in local.catalog_data_location_access_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}"  => schema
-    } : {}
+  for_each = var.disable_glue_db_init && var.create_lf_resource ? {
+    for schema in local.catalog_data_location_access_producer_schemas : "${schema["schema_name"]}-${schema["producer_arn"]}" => schema
+  } : {}
 
   principal   = each.value.producer_arn
   permissions = ["DATA_LOCATION_ACCESS"]
@@ -170,7 +170,7 @@ resource "aws_lakeformation_permissions" "readonly_client_permissions" {
   }) : {}
 
   principal   = each.value.client_arn
-  permissions = ["DESCRIBE","SELECT"]
+  permissions = ["DESCRIBE", "SELECT"]
 
   table {
     database_name = aws_glue_catalog_database.apiary_glue_database[each.value.schema_name].name
@@ -352,6 +352,18 @@ resource "aws_lakeformation_permissions" "glue_stats_service_role_tbl_permission
   }
 }
 
+resource "aws_lakeformation_permissions" "glue_stats_vendor_role_tbl_permissions" {
+  for_each = var.enable_glue_stats && var.create_lf_resource && var.create_glue_stats_vendor_role_tbl_permissions ? local.schemas_info_map : {}
+
+  principal   = aws_iam_role.lf_data_access[0].arn
+  permissions = ["DESCRIBE", "INSERT", "DELETE"]
+
+  table {
+    database_name = aws_glue_catalog_database.apiary_glue_database[each.key].name
+    wildcard      = true
+  }
+}
+
 resource "aws_iam_role" "lf_data_access" {
   count = var.create_lf_resource && var.create_lf_data_access_role ? 1 : 0
   name  = "${local.instance_alias}-lf-data-access-role-${var.aws_region}"

variables.tf

@@ -627,7 +627,7 @@ variable "lf_catalog_producer_arns" {
   default     = []
 }
 
-variable lf_catalog_data_location_access_producer_arns {
+variable "lf_catalog_data_location_access_producer_arns" {
   description = "AWS IAM role ARNs granted `DATA_LOCATION_ACCESS` permissions on all database s3 locations using LakeFormation. NOTE this permission is not granted by `lf_catalog_producer_arns`"
   type        = list(string)
   default     = []
@@ -1221,6 +1221,12 @@ variable "enable_glue_stats" {
   default     = false
 }
 
+variable "create_glue_stats_vendor_role_tbl_permissions" {
+  description = "Create LakeFormation table permissions (DESCRIBE, INSERT, DELETE) for the Glue stats service role on all schemas."
+  type        = bool
+  default     = false
+}
+
 variable "splunk_hec_token" {
   description = "The token used for authentication with the Splunk HTTP Event Collector (HEC). This is required for sending logs to Splunk. Compatible with both EC2 and FARGATE ECS task definitions."
   type        = string