elm-3096 Add Lake Formation admin permissions configuration (#8883)

* elm-3096 Add Lake Formation admin permissions configuration * Update Lake Formation resource for development environment configuration
ministryofjustice · Nov 29, 2024 · 4cdac22 · 4cdac22
1 parent 6d0cacc
commit 4cdac22
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/terraform/environments/electronic-monitoring-data/lake_formation.tf b/terraform/environments/electronic-monitoring-data/lake_formation.tf
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------------
+# Lake Formation - admin permissions
+# https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/adding-admin-data-lake-formation-permissions.html
+# ------------------------------------------------------------------------
+
+data "aws_iam_role" "github_actions_role" {
+  name = "github-actions"
+}
+
+data "aws_iam_roles" "modernisation_platform_sandbox_role" {
+  name_regex  = "AWSReservedSSO_modernisation-platform-sandbox_.*"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+resource "aws_lakeformation_data_lake_settings" "emds_development" {
+  count = local.is-development ? 1 : 0
+
+  admins = [
+    "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${data.aws_region.current.name}/${one(data.aws_iam_roles.modernisation_platform_sandbox_role.names)}",
+     data.aws_iam_role.github_actions_role.arn
+  ]
+}