r/lakeformation_data_lake_settings: add allow_full_table_external_data_access attribute #34474

Merged
merged 11 commits into from
Jul 12, 2024
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,11 @@ BUG FIXES:
* resource/aws_appflow_flow: Fix `InvalidParameter: 2 validation error(s) found` error when `destination_flow_config` or `task` is updated ([#34456](https://github.com/hashicorp/terraform-provider-aws/issues/34456))
* resource/aws_appflow_flow: Fix `interface conversion: interface {} is nil, not map[string]interface {}` panic ([#34456](https://github.com/hashicorp/terraform-provider-aws/issues/34456))

ENHANCEMENTS:
* resource/aws_lakeformation_datalake_settings: Add `allow_full_table_external_data_access` ([34471](https://github.com/hashicorp/terraform-provider-aws/issues/34471))
* data-source/aws_lakeformation_datalake_settings: Add `allow_full_table_external_data_access` ([34471](https://github.com/hashicorp/terraform-provider-aws/issues/34471))


## 5.26.0 (November 16, 2023)

FEATURES:
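Review bot: both ENHANCEMENTS entries name the resource `aws_lakeformation_datalake_settings`, but the type this PR actually changes is `aws_lakeformation_data_lake_settings` (see the `resource "aws_lakeformation_data_lake_settings" "test"` block in the test configuration and the `resource "aws_lakeformation_data_lake_settings" "example"` block in the docs); please correct the name so the changelog points at a real resource type. The issue links also drop the leading `#` (`[34471](...)` here versus `[#34456](...)` in the BUG FIXES entries above), so they render inconsistently.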
9 changes: 9 additions & 0 deletions internal/service/lakeformation/data_lake_settings.go
Expand Up @@ -58,6 +58,10 @@ func ResourceDataLakeSettings() *schema.Resource {
Type: schema.TypeBool,
Optional: true,
},
"allow_full_table_external_data_access": {
Type: schema.TypeBool,
Optional: true,
},
"authorized_session_tag_value_list": {
Type: schema.TypeList,
Computed: true,
Expand Down Expand Up @@ -185,6 +189,10 @@ func resourceDataLakeSettingsCreate(ctx context.Context, d *schema.ResourceData,
settings.TrustedResourceOwners = flex.ExpandStringList(v.([]interface{}))
}

if v, ok := d.GetOk("allow_full_table_external_data_access"); ok {
settings.AllowFullTableExternalDataAccess = aws.Bool(v.(bool))
}

input.DataLakeSettings = settings

var output *lakeformation.PutDataLakeSettingsOutput
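Review bot: `d.GetOk` reports `ok == false` when a `TypeBool` holds its zero value, so an explicit `allow_full_table_external_data_access = false` in configuration leaves `settings.AllowFullTableExternalDataAccess` nil rather than sending `false`. That is only correct if the service treats an omitted field as `false` when the settings object is replaced, and if this function also backs Update, a true-to-false change depends entirely on that behaviour. Consider `settings.AllowFullTableExternalDataAccess = aws.Bool(d.Get("allow_full_table_external_data_access").(bool))` so the intended value is always sent; a flag that lets an external engine obtain data access credentials without session tags should not be left to an implicit server-side default.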
Expand Down Expand Up @@ -257,6 +265,7 @@ func resourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData, m
d.Set("create_table_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateTableDefaultPermissions))
d.Set("external_data_filtering_allow_list", flattenDataLakeSettingsDataFilteringAllowList(settings.ExternalDataFilteringAllowList))
d.Set("trusted_resource_owners", flex.FlattenStringList(settings.TrustedResourceOwners))
d.Set("allow_full_table_external_data_access", settings.AllowFullTableExternalDataAccess)

return diags
}
Expand Up @@ -39,6 +39,10 @@ func DataSourceDataLakeSettings() *schema.Resource {
Type: schema.TypeBool,
Computed: true,
},
"allow_full_table_external_data_access": {
Type: schema.TypeBool,
Computed: true,
},
"authorized_session_tag_value_list": {
Type: schema.TypeList,
Computed: true,
Expand Down Expand Up @@ -133,6 +137,7 @@ func dataSourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData,
d.Set("create_table_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateTableDefaultPermissions))
d.Set("external_data_filtering_allow_list", flattenDataLakeSettingsDataFilteringAllowList(settings.ExternalDataFilteringAllowList))
d.Set("trusted_resource_owners", flex.FlattenStringList(settings.TrustedResourceOwners))
d.Set("allow_full_table_external_data_access", settings.AllowFullTableExternalDataAccess)

return diags
}
Expand Up @@ -30,6 +30,7 @@ func testAccDataLakeSettingsDataSource_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "allow_external_data_filtering", "false"),
resource.TestCheckResourceAttr(resourceName, "external_data_filtering_allow_list.#", "0"),
resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.#", "0"),
resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", "false"),
),
},
},
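Review bot: the new `resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", "false")` only shows that the zero value reads back through the data source; nothing in this test exercises the `true` case. Add a configuration (or a second step) that enables the attribute on the settings resource and checks that the data source reports `"true"`, mirroring the `"true"` check in the resource test.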
12 changes: 7 additions & 5 deletions internal/service/lakeformation/data_lake_settings_test.go
Expand Up @@ -48,6 +48,7 @@ func testAccDataLakeSettings_basic(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "external_data_filtering_allow_list.0", "data.aws_caller_identity.current", "account_id"),
resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.#", "1"),
resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.0", "engine1"),
resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", "true"),
),
},
},
Expand Down Expand Up @@ -203,11 +204,12 @@ resource "aws_lakeformation_data_lake_settings" "test" {
permissions = ["ALL"]
}

admins = [data.aws_iam_session_context.current.issuer_arn]
trusted_resource_owners = [data.aws_caller_identity.current.account_id]
allow_external_data_filtering = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id]
authorized_session_tag_value_list = ["engine1"]
admins = [data.aws_iam_session_context.current.issuer_arn]
trusted_resource_owners = [data.aws_caller_identity.current.account_id]
allow_external_data_filtering = true
allow_full_table_external_data_access = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id]
authorized_session_tag_value_list = ["engine1"]
}
`

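Review bot: the only configuration in this file sets `allow_full_table_external_data_access = true`, so the single `"true"` assertion never exercises turning the setting back off. Add a second `TestStep` that applies the same configuration with `allow_full_table_external_data_access = false` (or with the argument omitted) and checks `"false"`; that is the path whose correctness depends on how the Create function treats the zero value of the bool.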
Expand Up @@ -49,6 +49,7 @@ This data source exports the following attributes in addition to the arguments a
* `allow_external_data_filtering` - Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
* `external_data_filtering_allow_list` - A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
* `authorized_session_tag_value_list` - Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
* `allow_full_table_external_data_access` - Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

### create_database_default_permissions

Expand Up @@ -82,6 +82,7 @@ class MyConvertedCode(TerraformStack):
admins=[test.arn, Token.as_string(aws_iam_role_test.arn)],
allow_external_data_filtering=True,
authorized_session_tag_value_list=["Amazon EMR"],
allow_full_table_external_data_access=True,
create_database_default_permissions=[LakeformationDataLakeSettingsCreateDatabaseDefaultPermissions(
permissions=["SELECT", "ALTER", "DROP"],
principal=test.arn
Expand Down Expand Up @@ -112,6 +113,7 @@ The following arguments are optional:
* `allow_external_data_filtering` - (Optional) Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
* `external_data_filtering_allow_list` - (Optional) A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
* `authorized_session_tag_value_list` - (Optional) Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
* `allow_full_table_external_data_access` - (Optional) Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

~> **NOTE:** Although optional, not including `admins`, `create_database_default_permissions`, `create_table_default_permissions`, and/or `trusted_resource_owners` results in the setting being cleared.

Expand Up @@ -36,6 +36,7 @@ This data source exports the following attributes in addition to the arguments a
* `allow_external_data_filtering` - Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
* `external_data_filtering_allow_list` - A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
* `authorized_session_tag_value_list` - Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
* `allow_full_table_external_data_access` - Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

### create_database_default_permissions

Expand Up @@ -56,9 +56,10 @@ resource "aws_lakeformation_data_lake_settings" "example" {
principal = aws_iam_role.test.arn
}
allow_external_data_filtering = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id, data.aws_caller_identity.third_party.account_id]
authorized_session_tag_value_list = ["Amazon EMR"]
allow_external_data_filtering = true
external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id, data.aws_caller_identity.third_party.account_id]
authorized_session_tag_value_list = ["Amazon EMR"]
allow_full_table_external_data_access = true
}
```

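Review bot: the example now enables `allow_full_table_external_data_access = true` alongside a third-party account in `external_data_filtering_allow_list`, which is the most permissive combination these arguments allow. A short comment on that line explaining why it is enabled (or showing it as `false` with a comment) would stop the sample from being copied as a default, since readers tend to paste the example configuration verbatim.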
Expand All @@ -75,6 +76,7 @@ The following arguments are optional:
* `allow_external_data_filtering` - (Optional) Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
* `external_data_filtering_allow_list` - (Optional) A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
* `authorized_session_tag_value_list` - (Optional) Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
* `allow_full_table_external_data_access` - (Optional) Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

~> **NOTE:** Although optional, not including `admins`, `create_database_default_permissions`, `create_table_default_permissions`, and/or `trusted_resource_owners` results in the setting being cleared.

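Review bot: the new argument description says the setting lets a third-party query engine obtain data access credentials without session tags, but it does not say what applies when the argument is omitted. The data source test in this PR asserts `"false"` for a settings resource that does not set it, so document the default (`false`) here, and note that enabling it relaxes the session-tag requirement that the `authorized_session_tag_value_list` bullet above describes, so operators can see the wider grant before they turn it on.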