Lake Formation Tag-Based Access Control related resources and data sources #19640

Closed
maiarareinaldo opened this issue Jun 3, 2021 · 8 comments · Fixed by #25565
Labels
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. service/lakeformation Issues and PRs that pertain to the lakeformation service.

maiarareinaldo commented Jun 3, 2021

Editor's Note

We are going to use this issue as a place to organize work and communicate about design issues. PRs:

Description

The AWS Lake Formation API recently started supporting Tag-Based Access Control. Support for this is not available in the AWS provider but could be added. The API allows:

  • The creation/deletion of policy tags
  • Adding/removing policy tags from Data Catalog resources
  • Granting/revoking policy tag permissions (ASSOCIATE and DESCRIBE)
  • Granting/revoking Data Catalog permissions based on tag policies.

New or Affected Resource(s)

Affected:

  • aws_lakeformation_permissions

New (suggestions):

  • aws_lakeformation_tag
  • aws_lakeformation_tag_resource

Potential Terraform Configuration

resource "aws_lakeformation_permissions" "permission_by_tag" {
  ...

  # For granting permissions on Data Catalog resources based on tag policies instead of 
  # resource names
  lf_tag_policy {
    catalog_id = "123456789"
    resource_type = "DATABASE | TABLE"
    expression = [
      {
        tag_key = "module"
        tag_values = ["*"]
      },
      {
        tag_key = "region"
        tag_values = ["west", "south"]
      }
    ]
  }

  # For granting permissions (DESCRIBE|ASSOCIATE) on tag policies
  lf_tag {
    catalog_id = "123456789"
    tag_key = "region"
    tag_values = ["west", "south"]
  }
}

resource "aws_lakeformation_tag" "region" {
  tag_key = "region"
  tag_values = ["west", "south"]
}

resource "aws_lakeformation_tag_resource" "" {
  catalog_id = "123456789"

  # A block to identify the Data Catalog Resource that the tag is being assigned to. Similar to aws_lakeformation_permissions
  database {
    #similar to aws_lakeformation_permissions
  }
  table {
    #similar to aws_lakeformation_permissions
  }
  table_with_columns {
    #similar to aws_lakeformation_permissions
  }

  # The tags that are being assigned
  lf_tags = [
    {
      catalog_id = "123456789"
      tag_key = "module"
      tag_values = ["A"]
    },
    {
      catalog_id = "123456789"
      tag_key = "region"
      tag_values = ["west"]
    }
  ]
}
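The configuration above is the proposal from the issue; the resources that later shipped in the provider use different names and a slightly different argument shape (aws_lakeformation_lf_tag, aws_lakeformation_resource_lf_tags, and lf_tag / lf_tag_policy blocks on aws_lakeformation_permissions). The following is an added example written for this page, not code from the issue author or from the provider repository. It walks through the four API capabilities listed in the description: defining LF-Tags, attaching them to a Data Catalog resource, granting permissions on the tag itself, and granting data permissions by tag expression. The database, table, IAM role name, tag keys and tag values are placeholders chosen for illustration.

```hcl
# Added example: Lake Formation tag-based access control with the resources
# that shipped in the provider. Names and values below are illustrative.

resource "aws_glue_catalog_database" "sales" {
  name = "sales"
}

resource "aws_glue_catalog_table" "orders" {
  name          = "orders"
  database_name = aws_glue_catalog_database.sales.name
}

# Principal that should read tagged tables (assumed to already exist).
data "aws_iam_role" "analyst" {
  name = "lf-analyst"
}

# 1. Define the LF-Tags (CreateLFTag). `values` is the closed set of
#    allowed values; a tag cannot be attached with a value outside it.
resource "aws_lakeformation_lf_tag" "module" {
  key    = "module"
  values = ["sales", "finance"]
}

resource "aws_lakeformation_lf_tag" "region" {
  key    = "region"
  values = ["west", "south"]
}

# 2. Attach tag values to a Data Catalog resource (AddLFTagsToResource).
#    Tags set on a database are inherited by its tables unless a table
#    overrides them.
resource "aws_lakeformation_resource_lf_tags" "sales_db" {
  database {
    name = aws_glue_catalog_database.sales.name
  }

  lf_tag {
    key   = aws_lakeformation_lf_tag.module.key
    value = "sales"
  }

  lf_tag {
    key   = aws_lakeformation_lf_tag.region.key
    value = "west"
  }
}

# 3a. Permissions on the tag itself. DESCRIBE lets the principal see the
#     tag and its values; ASSOCIATE would let it attach the tag to resources
#     and thereby pull more data into the scope of existing tag-based
#     grants, so ASSOCIATE is deliberately not granted here.
resource "aws_lakeformation_permissions" "analyst_tag_describe" {
  principal   = data.aws_iam_role.analyst.arn
  permissions = ["DESCRIBE"]

  lf_tag {
    key    = aws_lakeformation_lf_tag.region.key
    values = ["west", "south"]
  }
}

# 3b. Data permissions by tag expression instead of by resource name.
#     A table matches when every key in the expression matches (AND);
#     the values listed under one key are alternatives (OR).
resource "aws_lakeformation_permissions" "analyst_sales_west_tables" {
  principal   = data.aws_iam_role.analyst.arn
  permissions = ["SELECT", "DESCRIBE"]

  lf_tag_policy {
    resource_type = "TABLE"

    expression {
      key    = aws_lakeformation_lf_tag.module.key
      values = ["sales"]
    }

    expression {
      key    = aws_lakeformation_lf_tag.region.key
      values = ["west", "south"]
    }
  }
}
```

The point to keep in mind when reviewing a configuration like this is that the grant in 3b is evaluated against tags at access time: tagging a new table `module=sales`, `region=west` (or letting it inherit those tags from the database) extends the analyst's SELECT access without any change to the permissions resource. Treat ASSOCIATE on an LF-Tag and write access to aws_lakeformation_resource_lf_tags as grant-equivalent privileges.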

@maiarareinaldo maiarareinaldo added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 3, 2021
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/lakeformation Issues and PRs that pertain to the lakeformation service. labels Jun 3, 2021
@ewbankkit ewbankkit added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 3, 2021
danielcmessias commented Aug 5, 2021

stevenayers commented Apr 20, 2022

Added in:

Please give them a 👍 so they are reviewed.

@breathingdust
Member

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

@YakDriver YakDriver self-assigned this Jun 20, 2022
YakDriver commented Jun 23, 2022

@danielcmessias @stevenayers @maiarareinaldo Lake Formation Brain Trust

I'm working on the next resource but I have less context than you so let me know if you have opinions on these items:

  1. What about aws_lakeformation_resource_lf_tags for the name? The get operation in the API is GetResourceLFTags.
  2. The add operation returns Failures in a data structure instead of as errors. That seems odd to me so I'm converting those failures to errors. Is there some reason you wouldn't want an error and rather get information on failures without an error?

I should have something to look at soon and would appreciate any feedback.

danielcmessias commented Jun 24, 2022

> @danielcmessias @stevenayers @maiarareinaldo Lake Formation Brain Trust
>
> I'm working on the next resource but I have less context than you so let me know if you have opinions on these items:
>
>   1. What about aws_lakeformation_resource_lf_tags for the name? The get operation in the API is GetResourceLFTags.
>   2. The add operation returns Failures in a data structure instead of as errors. That seems odd to me so I'm converting those failures to errors. Is there some reason you wouldn't want an error and rather get information on failures without an error?
>
> I should have something to look at soon and would appreciate any feedback.

@YakDriver

  1. Name works for me 👍
  2. My guess is that LF applies as many LF-Tags successfully as it can and returns the list of any failed attempts. So you could have a partially-successful API call with 99 tags applied and 1 failed? I see no reason why these can't be converted to errors so long as the terraform state is updated for any successes though, especially given that failures is an array of LFTagError anyway

github-actions bot commented Jul 1, 2022

This functionality has been released in v4.21.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 31, 2022