
Commit cce6044

rpoluriRaj Poluri
andauthored
Add Lakeformation customer account default database permissions (#320)
Co-authored-by: Raj Poluri <rpoluri@expediagroup.com>
1 parent 1a9b75e commit cce6044


2 files changed

+24
-7
lines changed


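--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.10.18] - 2025-06-10
+### Changed
+- Add Lakeformation customer account default database permissions.
+
 ## [7.10.17] - 2025-05-30
 ### Changed
 - Optional variable to create lakeformation data access role.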

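--- a/lf.tf
+++ b/lf.tf
@@ -179,6 +179,19 @@ resource "aws_lakeformation_permissions" "customer_account_system_permissions" {
 }
 }
 
+resource "aws_lakeformation_permissions" "customer_account_default_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? toset(var.lf_customer_accounts) : []
+
+principal = each.key
+permissions = ["DESCRIBE"]
+permissions_with_grant_option = ["DESCRIBE"]
+
+table {
+database_name = "default" # required by most glue clients to browse cross account tables
+wildcard = true
+}
+}
+
 resource "aws_lakeformation_permissions" "all_principals_tbl_permissions" {
 for_each = var.disable_glue_db_init && var.create_lf_resource ? {
 for schema in local.schemas_info : "${schema["schema_name"]}" => schema
@@ -295,9 +308,9 @@ EOF
 }
 
 resource "aws_iam_role_policy" "lf_data_access_s3" {
-count = var.create_lf_resource && var.create_lf_data_access_role ? 1 : 0
-name = "s3_access"
-role = aws_iam_role.lf_data_access[0].id
+count = var.create_lf_resource && var.create_lf_data_access_role ? 1 : 0
+name = "s3_access"
+role = aws_iam_role.lf_data_access[0].id
 policy = <<EOF
 {
 "Version": "2012-10-17",
@@ -328,9 +341,9 @@ EOF
 }
 
 resource "aws_iam_role_policy" "lf_data_access_cloudwatch" {
-count = var.create_lf_resource && var.create_lf_data_access_role ? 1 : 0
-name = "cloudwatch_access"
-role = aws_iam_role.lf_data_access[0].id
+count = var.create_lf_resource && var.create_lf_data_access_role ? 1 : 0
+name = "cloudwatch_access"
+role = aws_iam_role.lf_data_access[0].id
 policy = <<EOF
 {
 "Version": "2012-10-17",
@@ -351,4 +364,4 @@ resource "aws_iam_role_policy" "lf_data_access_cloudwatch" {
 ]
 }
 EOF
-}
+}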
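Review bot: The new customer_account_default_permissions resource grants DESCRIBE on every table in the `default` database (wildcard = true, so tables created there later are included) to each account in var.lf_customer_accounts, and `permissions_with_grant_option = ["DESCRIBE"]` additionally lets the receiving account re-grant that visibility to principals of its own choosing; the inline comment explains only why DESCRIBE is needed, not why the grant option is. If the grant option is there so the customer account's Lake Formation admin can delegate to its own IAM principals (the usual reason in cross-account sharing), say so, e.g. `permissions_with_grant_option = ["DESCRIBE"] # lets the customer account's LF admin re-grant DESCRIBE to its own principals`; otherwise drop the line so the grant stays as narrow as the browsing use case. It is also worth a sentence in the module docs that enabling disable_glue_db_init together with create_lf_resource now exposes the `default` database catalog metadata to every listed customer account. Minor style point: the false branch `[]` is an empty tuple while the true branch is a set, so `toset([])` keeps both branches the same type. The remaining hunks in lf.tf (lf_data_access_s3, lf_data_access_cloudwatch and the closing brace) appear to be whitespace-only changes.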
