Merge pull request #34474 from pixie79/34471
r/lakeformation_data_lake_settings: add `allow_full_table_external_data_access` attribute
johnsonaj authored Jul 12, 2024
2 parents d7ab117 + d3aa824 commit e9f4926
Showing 7 changed files with 36 additions and 9 deletions.
7 changes: 7 additions & 0 deletions .changelog/34474.txt
@@ -0,0 +1,7 @@
```release-note:enhancement
resource/aws_lakeformation_data_lake_settings: Add `allow_full_table_external_data_access` attribute
```

```release-note:enhancement
data-source/aws_lakeformation_data_lake_settings: Add `allow_full_table_external_data_access` attribute
```
9 changes: 9 additions & 0 deletions internal/service/lakeformation/data_lake_settings.go
Expand Up @@ -61,6 +61,10 @@ func ResourceDataLakeSettings() *schema.Resource {
Type: schema.TypeBool,
Optional: true,
},
"allow_full_table_external_data_access": {
Type: schema.TypeBool,
Optional: true,
},
"authorized_session_tag_value_list": {
Type: schema.TypeList,
Computed: true,
Expand Down Expand Up @@ -188,6 +192,10 @@ func resourceDataLakeSettingsCreate(ctx context.Context, d *schema.ResourceData,
settings.TrustedResourceOwners = flex.ExpandStringValueList(v.([]interface{}))
}

if v, ok := d.GetOk("allow_full_table_external_data_access"); ok {
settings.AllowFullTableExternalDataAccess = aws.Bool(v.(bool))
}

input.DataLakeSettings = settings

var output *lakeformation.PutDataLakeSettingsOutput
Expand Down Expand Up @@ -261,6 +269,7 @@ func resourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData, m
d.Set("create_table_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateTableDefaultPermissions))
d.Set("external_data_filtering_allow_list", flattenDataLakeSettingsDataFilteringAllowList(settings.ExternalDataFilteringAllowList))
d.Set("trusted_resource_owners", flex.FlattenStringValueList(settings.TrustedResourceOwners))
d.Set("allow_full_table_external_data_access", settings.AllowFullTableExternalDataAccess)

return diags
}
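Review bot: In resourceDataLakeSettingsCreate the new field is read through `if v, ok := d.GetOk("allow_full_table_external_data_access"); ok {`, so an explicit `false` in configuration is indistinguishable from unset and the field is never placed in the PutDataLakeSettings request. The resource documentation in this same commit describes the flag as letting a third-party engine obtain data-access credentials without session tags, so turning it off should be deterministic rather than relying on the service treating a nil field as false; if this function also serves as the update path (not visible here), the same applies to clearing a previously enabled flag. Consider setting it unconditionally, `settings.AllowFullTableExternalDataAccess = aws.Bool(d.Get("allow_full_table_external_data_access").(bool))`, which also round-trips cleanly with the `d.Set` added in resourceDataLakeSettingsRead. Both functions begin and end outside the hunks shown.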
Expand Up @@ -41,6 +41,10 @@ func DataSourceDataLakeSettings() *schema.Resource {
Type: schema.TypeBool,
Computed: true,
},
"allow_full_table_external_data_access": {
Type: schema.TypeBool,
Computed: true,
},
"authorized_session_tag_value_list": {
Type: schema.TypeList,
Computed: true,
Expand Down Expand Up @@ -134,7 +138,8 @@ func dataSourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData,
d.Set("create_database_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateDatabaseDefaultPermissions))
d.Set("create_table_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateTableDefaultPermissions))
d.Set("external_data_filtering_allow_list", flattenDataLakeSettingsDataFilteringAllowList(settings.ExternalDataFilteringAllowList))
d.Set("trusted_resource_owners", flex.FlattenStringValueList(settings.TrustedResourceOwners))
d.Set("trusted_resource_owners", flex.FlattenStringyValueList(settings.TrustedResourceOwners))
d.Set("allow_full_table_external_data_access", settings.AllowFullTableExternalDataAccess)

return diags
}
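Review bot: The `trusted_resource_owners` line in dataSourceDataLakeSettingsRead now calls `flex.FlattenStringyValueList`, while the resource's read path in this same commit keeps `flex.FlattenStringValueList` for the identical `settings.TrustedResourceOwners` field; if the two printed lines are the old and new versions of that statement (the hunk grows by exactly one line, which suggests so), the helper switch is unrelated to the new attribute and leaves the two code paths inconsistent. Unless the generic variant is needed here, keep `d.Set("trusted_resource_owners", flex.FlattenStringValueList(settings.TrustedResourceOwners))` so both paths agree, or change both in one place. The enclosing function starts outside the hunk.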
Expand Up @@ -30,6 +30,7 @@ func testAccDataLakeSettingsDataSource_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "allow_external_data_filtering", acctest.CtFalse),
resource.TestCheckResourceAttr(resourceName, "external_data_filtering_allow_list.#", acctest.Ct0),
resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.#", acctest.Ct0),
resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", acctest.CtFalse),
),
},
},
12 changes: 7 additions & 5 deletions internal/service/lakeformation/data_lake_settings_test.go
Expand Up @@ -50,6 +50,7 @@ func testAccDataLakeSettings_basic(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "external_data_filtering_allow_list.0", "data.aws_caller_identity.current", names.AttrAccountID),
resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.#", acctest.Ct1),
resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.0", "engine1"),
resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", acctest.CtTrue),
),
},
},
Expand Down Expand Up @@ -205,11 +206,12 @@ resource "aws_lakeformation_data_lake_settings" "test" {
permissions = ["ALL"]
}
admins = [data.aws_iam_session_context.current.issuer_arn]
trusted_resource_owners = [data.aws_caller_identity.current.account_id]
allow_external_data_filtering = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id]
authorized_session_tag_value_list = ["engine1"]
admins = [data.aws_iam_session_context.current.issuer_arn]
trusted_resource_owners = [data.aws_caller_identity.current.account_id]
allow_external_data_filtering = true
allow_full_table_external_data_access = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id]
authorized_session_tag_value_list = ["engine1"]
}
`
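Review bot: The updated config in testAccDataLakeSettings_basic only ever sets `allow_full_table_external_data_access = true` and checks `acctest.CtTrue`; no step flips it back to `false` and verifies the service reports it cleared, so the case where an unset or false value must overwrite an enabled flag is untested. Because the resource reads the attribute with `d.GetOk`, a second `Step` using a config with the flag set to `false` (or omitted) and `resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", acctest.CtFalse)` would cover the revoke path. The test function and the config string both start outside the hunks shown.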

Expand Up @@ -36,6 +36,7 @@ This data source exports the following attributes in addition to the arguments a
* `allow_external_data_filtering` - Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
* `external_data_filtering_allow_list` - A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
* `authorized_session_tag_value_list` - Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
* `allow_full_table_external_data_access` - Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

### create_database_default_permissions

8 changes: 5 additions & 3 deletions website/docs/r/lakeformation_data_lake_settings.html.markdown
Expand Up @@ -56,9 +56,10 @@ resource "aws_lakeformation_data_lake_settings" "example" {
principal = aws_iam_role.test.arn
}
allow_external_data_filtering = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id, data.aws_caller_identity.third_party.account_id]
authorized_session_tag_value_list = ["Amazon EMR"]
allow_external_data_filtering = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id, data.aws_caller_identity.third_party.account_id]
authorized_session_tag_value_list = ["Amazon EMR"]
allow_full_table_external_data_access = true
}
```

Expand All @@ -75,6 +76,7 @@ The following arguments are optional:
* `allow_external_data_filtering` - (Optional) Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
* `external_data_filtering_allow_list` - (Optional) A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
* `authorized_session_tag_value_list` - (Optional) Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
* `allow_full_table_external_data_access` - (Optional) Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

~> **NOTE:** Although optional, not including `admins`, `create_database_default_permissions`, `create_table_default_permissions`, and/or `trusted_resource_owners` results in the setting being cleared.

