
Commit 5bf3443

Policy tag support for aws_lakeformation_permissions
1 parent ba62404 commit 5bf3443

7 files changed

+443
-6
lines changed

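--- a/aws/data_source_aws_lakeformation_permissions.go
+++ b/aws/data_source_aws_lakeformation_permissions.go
@@ -85,6 +85,45 @@ func dataSourceAwsLakeFormationPermissions() *schema.Resource {
 Type: schema.TypeString,
 },
 },
+"policy_tag": {
+Type: schema.TypeList,
+Optional: true,
+Computed: true,
+MaxItems: 1,
+ExactlyOneOf: []string{
+"catalog_resource",
+"data_location",
+"database",
+"table",
+"table_with_columns",
+"policy_tag",
+},
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"key": {
+Type: schema.TypeString,
+Required: true,
+ValidateFunc: validation.StringLenBetween(1, 128),
+},
+"values": {
+Type: schema.TypeSet,
+Required: true,
+MinItems: 1,
+MaxItems: 15,
+Elem: &schema.Schema{
+Type: schema.TypeString,
+ValidateFunc: validatePolicyTagValues(),
+},
+Set: schema.HashString,
+},
+"catalog_id": {
+Type: schema.TypeString,
+Optional: true,
+Computed: true,
+},
+},
+},
+},
 "principal": {
 Type: schema.TypeString,
 Required: true,
@@ -194,6 +233,10 @@ func dataSourceAwsLakeFormationPermissionsRead(d *schema.ResourceData, meta inte
 input.Resource.Database = expandLakeFormationDatabaseResource(v.([]interface{})[0].(map[string]interface{}))
 }
 
+if v, ok := d.GetOk("policy_tag"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+input.Resource.LFTag = expandLakeFormationLFTagKeyResource(v.([]interface{})[0].(map[string]interface{}))
+}
+
 tableType := ""
 
 if v, ok := d.GetOk("table"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
@@ -264,6 +307,10 @@ func dataSourceAwsLakeFormationPermissionsRead(d *schema.ResourceData, meta inte
 cleanPermissions = filterLakeFormationDatabasePermissions(allPermissions)
 }
 
+if input.Resource.LFTag != nil {
+cleanPermissions = filterLakeFormationLFTagPermissions(allPermissions)
+}
+
 if tableType == TableTypeTable {
 cleanPermissions = filterLakeFormationTablePermissions(
 aws.StringValue(input.Resource.Table.Name),
@@ -310,6 +357,14 @@ func dataSourceAwsLakeFormationPermissionsRead(d *schema.ResourceData, meta inte
 d.Set("database", nil)
 }
 
+if cleanPermissions[0].Resource.LFTag != nil {
+if err := d.Set("policy_tag", []interface{}{flattenLakeFormationLFTagKeyResource(cleanPermissions[0].Resource.LFTag)}); err != nil {
+return fmt.Errorf("error setting policy tag: %w", err)
+}
+} else {
+d.Set("policy_tag", nil)
+}
+
 tableSet := false
 
 if v, ok := d.GetOk("table"); ok && len(v.([]interface{})) > 0 {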
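Review bot: In the last hunk the `else` branch calls `d.Set("policy_tag", nil)` and discards its error, while the `if` branch directly above wraps the error of the same call; the new code should follow its own pattern, `if err := d.Set("policy_tag", nil); err != nil { return fmt.Errorf("error setting policy tag: %w", err) }`. That hunk also indexes `cleanPermissions[0]` with no visible length check; presumably an earlier guard in dataSourceAwsLakeFormationPermissionsRead (which starts and ends outside these hunks) covers the empty case, but the LFTag filter added in the third hunk is a new way for that slice to end up empty and is worth checking against that guard. In the first hunk the new block's ExactlyOneOf list names `policy_tag`, but the sibling lists on catalog_resource, data_location, database, table and table_with_columns are outside the hunk and would need the same entry for the mutual exclusion to stay symmetric. Because this data source is read as the authoritative view of what a principal has been granted, I would also confirm that filterLakeFormationLFTagPermissions matches on the requested tag key rather than only on LFTag being non-nil; its body is not in this section.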

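--- a/aws/data_source_aws_lakeformation_permissions_test.go
+++ b/aws/data_source_aws_lakeformation_permissions_test.go
@@ -87,6 +87,36 @@ func testAccAWSLakeFormationPermissionsDataSource_database(t *testing.T) {
 })
 }
 
+func testAccAWSLakeFormationPermissionsDataSource_policy_tag(t *testing.T) {
+rName := acctest.RandomWithPrefix("tf-acc-test")
+resourceName := "aws_lakeformation_permissions.test"
+dataSourceName := "data.aws_lakeformation_permissions.test"
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(lakeformation.EndpointsID, t) },
+ErrorCheck: testAccErrorCheck(t, lakeformation.EndpointsID),
+Providers: testAccProviders,
+CheckDestroy: testAccCheckAWSLakeFormationPermissionsDestroy,
+Steps: []resource.TestStep{
+{
+Config: testAccAWSLakeFormationPermissionsDataSourceConfig_policy_tag(rName),
+Check: resource.ComposeTestCheckFunc(
+resource.TestCheckResourceAttrPair(resourceName, "principal", dataSourceName, "principal"),
+resource.TestCheckResourceAttrPair(resourceName, "policy_tag.#", dataSourceName, "policy_tag.#"),
+resource.TestCheckResourceAttrPair(resourceName, "policy_tag.0.key", dataSourceName, "policy_tag.0.key"),
+resource.TestCheckResourceAttrPair(resourceName, "policy_tag.0.values", dataSourceName, "policy_tag.0.values"),
+resource.TestCheckResourceAttrPair(resourceName, "permissions.#", dataSourceName, "permissions.#"),
+resource.TestCheckResourceAttrPair(resourceName, "permissions.0", dataSourceName, "permissions.0"),
+resource.TestCheckResourceAttrPair(resourceName, "permissions.1", dataSourceName, "permissions.1"),
+resource.TestCheckResourceAttrPair(resourceName, "permissions_with_grant_option.#", dataSourceName, "permissions_with_grant_option.#"),
+resource.TestCheckResourceAttrPair(resourceName, "permissions_with_grant_option.0", dataSourceName, "permissions_with_grant_option.0"),
+resource.TestCheckResourceAttrPair(resourceName, "permissions_with_grant_option.1", dataSourceName, "permissions_with_grant_option.1"),
+),
+},
+},
+})
+}
+
 func testAccAWSLakeFormationPermissionsDataSource_table(t *testing.T) {
 rName := acctest.RandomWithPrefix("tf-acc-test")
 resourceName := "aws_lakeformation_permissions.test"
@@ -313,6 +343,70 @@ data "aws_lakeformation_permissions" "test" {
 `, rName)
 }
 
+func testAccAWSLakeFormationPermissionsDataSourceConfig_policy_tag(rName string) string {
+return fmt.Sprintf(`
+data "aws_partition" "current" {}
+
+resource "aws_iam_role" "test" {
+name = %[1]q
+path = "/"
+
+assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Principal": {
+"Service": "glue.${data.aws_partition.current.dns_suffix}"
+},
+"Effect": "Allow",
+"Sid": ""
+}
+]
+}
+EOF
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_lakeformation_data_lake_settings" "test" {
+admins = [data.aws_caller_identity.current.arn]
+}
+
+resource "aws_lakeformation_policy_tag" "test" {
+key = %[1]q
+values = ["value1", "value2"]
+
+# for consistency, ensure that admins are setup before testing
+depends_on = [aws_lakeformation_data_lake_settings.test]
+}
+
+resource "aws_lakeformation_permissions" "test" {
+permissions = ["ASSOCIATE", "DESCRIBE"]
+permissions_with_grant_option = ["ASSOCIATE", "DESCRIBE"]
+principal = aws_iam_role.test.arn
+
+policy_tag {
+key = aws_lakeformation_policy_tag.test.key
+values = aws_lakeformation_policy_tag.test.values
+}
+
+# for consistency, ensure that admins are setup before testing
+depends_on = [aws_lakeformation_data_lake_settings.test]
+}
+
+data "aws_lakeformation_permissions" "test" {
+principal = aws_lakeformation_permissions.test.principal
+
+policy_tag {
+key = aws_lakeformation_policy_tag.test.key
+values = aws_lakeformation_policy_tag.test.values
+}
+}
+`, rName)
+}
+
 func testAccAWSLakeFormationPermissionsDataSourceConfig_table(rName string) string {
 return fmt.Sprintf(`
 data "aws_partition" "current" {}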
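Review bot: The new `testAccAWSLakeFormationPermissionsDataSource_policy_tag` in the first hunk is lowercase and unexported like its `_database` and `_table` siblings, which suggests these cases are dispatched from a serial test map elsewhere in the package; unless the new function is also registered there (outside this section) `go test` never runs it. The `Check` list pins `permissions.0`/`permissions.1` and `permissions_with_grant_option.0`/`.1` to the two entries the config grants, and a short comment above those lines, `// config grants exactly ASSOCIATE and DESCRIBE, so both entries must round-trip`, would make the hard-coded indexes self-explanatory. Otherwise the config helper in the second hunk mirrors the existing `_table` helper and needs nothing further.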
