
Commit ec00abf

rpoluriRaj Poluri
andauthored
variable to configure lakeformation customer accounts (#306)
* apiary customer account lakeformation permissions * fix * fix * script to grant LF desc permissions * grant permissions using shell script * fix * lf_customer_accounts variable * permissions with grant option * cleanup * all principals permissions * update changelog and variables.md --------- Co-authored-by: Raj Poluri <rpoluri@expediagroup.com>
1 parent 64f7aa7 commit ec00abf


4 files changed

+72
-0
lines changed


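--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.10.4] - 2025-04-28
+### Added
+- Variable to configure Lakeformation customer accounts.
+
 ## [7.10.3] - 2025-03-07
 ### Added
 - Add data location permissions for metastore IAM role.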

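--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -31,6 +31,7 @@
 | create\_lf\_resource | All available schemas will be registered in Lake Formation as resources if this is enabled. | `bool` | `false` | no |
 | lf\_hybrid\_access\_enabled | Lake Formation Hybrid access will be set to `true` in Lake formation resources. | `bool` | `false` | no |
 | lf\_catalog\_client\_arns | AWS IAM role ARNs granted describe permissions on all glue databases and tables using LakeFormation. | `list(string)` | `[]` | no |
+| lf\_customer\_accounts | AWS account IDs granted describe permissions on all glue databases using LakeFormation. | `list(string)` | `[]` | no |
 | dashboard\_namespace | k8s namespace to deploy grafana dashboard. | `string` | `"monitoring"` | no |
 | db\_apply\_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `false` | no |
 | db\_backup\_retention | The number of days to retain backups for the RDS Metastore DB. | `string` | `"7"` | yes |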

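--- a/lf.tf
+++ b/lf.tf
@@ -104,6 +104,12 @@ locals {
 client_arn = pair[1]
 }
 ]
+customer_account_schemas = [
+for pair in setproduct(local.schemas_info[*]["schema_name"], var.lf_customer_accounts) : {
+schema_name = pair[0]
+customer_account = pair[1]
+}
+]
 }
 
 resource "aws_lakeformation_permissions" "catalog_client_permissions" {
@@ -131,3 +137,58 @@ resource "aws_lakeformation_permissions" "catalog_client_system_permissions" {
 wildcard = true
 }
 }
+
+resource "aws_lakeformation_permissions" "customer_account_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? tomap({
+for schema in local.customer_account_schemas : "${schema["schema_name"]}-${schema["customer_account"]}" => schema
+}) : {}
+
+principal = each.value.customer_account
+permissions = ["DESCRIBE"]
+permissions_with_grant_option = ["DESCRIBE"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_glue_database[each.value.schema_name].name
+wildcard = true
+}
+}
+
+resource "aws_lakeformation_permissions" "customer_account_system_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? toset(var.lf_customer_accounts) : []
+
+principal = each.key
+permissions = ["DESCRIBE"]
+permissions_with_grant_option = ["DESCRIBE"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_system_glue_database[0].name
+wildcard = true
+}
+}
+
+resource "aws_lakeformation_permissions" "all_principals_tbl_permissions" {
+for_each = var.disable_glue_db_init && var.create_lf_resource ? {
+for schema in local.schemas_info : "${schema["schema_name"]}" => schema
+} : {}
+
+principal = "${data.aws_caller_identity.current.account_id}:IAMPrincipals"
+permissions = ["DESCRIBE"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_glue_database[each.key].name
+wildcard = true
+}
+
+}
+
+resource "aws_lakeformation_permissions" "all_principals_system_tbl_permissions" {
+count = var.disable_glue_db_init && var.create_lf_resource ? 1 : 0
+
+principal = "${data.aws_caller_identity.current.account_id}:IAMPrincipals"
+permissions = ["DESCRIBE"]
+
+table {
+database_name = aws_glue_catalog_database.apiary_system_glue_database[0].name
+wildcard = true
+}
+}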
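Review bot: `all_principals_tbl_permissions` and `all_principals_system_tbl_permissions` grant DESCRIBE on every table in every schema to `<account_id>:IAMPrincipals`, i.e. to all IAM principals in the deploying account, and their only gate is `var.disable_glue_db_init && var.create_lf_resource`, so existing deployments with those flags set pick this up on the next apply even when `lf_customer_accounts` is empty; the changelog entry mentions only the new variable. Consider gating these two resources on their own variable, or at least a comment above `all_principals_tbl_permissions` stating why account-wide DESCRIBE is required and that it is intentionally independent of `lf_customer_accounts`. The cross-account `permissions_with_grant_option = ["DESCRIBE"]` in `customer_account_permissions` and `customer_account_system_permissions` lets each recipient account re-grant DESCRIBE to its own principals; a one-line comment such as `# grant option lets the customer account's LF admin share DESCRIBE with its local principals` would record that this delegation is deliberate. Minor style: `"${schema["schema_name"]}"` in the `for_each` of `all_principals_tbl_permissions` is an interpolation-only string and can be written as `schema["schema_name"]`.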

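--- a/variables.tf
+++ b/variables.tf
@@ -603,6 +603,12 @@ variable "lf_catalog_client_arns" {
 default = []
 }
 
+variable "lf_customer_accounts" {
+description = "AWS account IDs granted describe permissions on all glue databases using LakeFormation."
+type = list(string)
+default = []
+}
+
 variable "disable_glue_db_init" {
 description = "Glue databases are created programatically by default in hms-readwrite bootstrap init action. Setting this variable to true will disable the hms-readwrite bootstrap init action and create Glue databases via Terraform."
 type = bool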
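Review bot: `lf_customer_accounts` accepts arbitrary strings that lf.tf uses directly as the Lake Formation `principal`, and its description does not say that the grant carries `permissions_with_grant_option`, so a recipient account can re-grant DESCRIBE to its own principals. If the module's minimum Terraform version permits `validation` blocks, add one so a mistyped account ID fails at plan time instead of reaching the API, and widen the description (here and in the matching VARIABLES.md row) to `"AWS account IDs granted DESCRIBE, with grant option, on all tables in all Glue databases using LakeFormation."`. The regex below is a constructed example matching the 12-digit account ID format; adjust if other principal formats are expected.
```hcl
variable "lf_customer_accounts" {
  description = "AWS account IDs granted DESCRIBE, with grant option, on all tables in all Glue databases using LakeFormation."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for a in var.lf_customer_accounts : can(regex("^[0-9]{12}$", a))])
    error_message = "Every lf_customer_accounts entry must be a 12-digit AWS account ID."
  }
}
```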
