Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws_lakeformation_permissions support AllIAMPrincipals special principal #38600

Conversation

nickdelnano
Copy link
Contributor

@nickdelnano nickdelnano commented Jul 30, 2024

Closes #29767

Lake Formation supports two special principal values that are defined by the Lake Formation service:

  • IAMAllowedPrincipals (already supported by aws_lakeformation_permissions resource since its creation)
  • AllIAMPrincipals (Added in this PR)

The implementation and test cases for AllIAMPrincipals closely follows that of IAMAllowedPrincipals.

Principal is an IAM group - ALLIAMPrincipals
When you grant permissions to ALLIAMPrincipals group on a Data Catalog resource, every principal in the account gets
access to the Data Catalog resource using Lake Formation permissions and IAM permissions.
Example:

--principal DataLakePrincipalIdentifier=123456789012:IAMPrincipals

https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html

Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/lakeformation Issues and PRs that pertain to the lakeformation service. needs-triage Waiting for first response or review from a maintainer. labels Jul 30, 2024
@nickdelnano nickdelnano force-pushed the b-aws_lakeformation_permissions-iamprincipals branch from 32819ff to 063a75c Compare July 30, 2024 17:27
@github-actions github-actions bot added the documentation Introduces or discusses updates to documentation. label Jul 30, 2024
Comment on lines +90 to +104
## `ALLIAMPrincipals` group

AllIAMPrincipals is a pseudo-entity group that acts like a Lake Formation principal. The group includes all IAMs in the account that is defined.

resource "aws_lakeformation_permissions" "example" {
permissions = ["SELECT"]
principal = "123456789012:IAMPrincipals"

table_with_columns {
database_name = aws_glue_catalog_table.example.database_name
name = aws_glue_catalog_table.example.name
column_names = ["event"]
}
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nickdelnano nickdelnano marked this pull request as ready for review July 30, 2024 17:28
@nickdelnano nickdelnano requested a review from a team as a code owner July 30, 2024 17:28
"1234567890125", //not an account id
"1234567890125", //not an account id
"IAMPrincipals", // incorrect representation
"1234567890125:IAMPrincipals", // incorrect representation, account id invalid length
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

best viewed with "hide whitespace" enabled

@@ -54,6 +55,7 @@ func TestAccLakeFormation_serial(t *testing.T) {
"PermissionsTable": {
acctest.CtBasic: testAccPermissions_tableBasic,
"iamAllowed": testAccPermissions_tableIAMAllowed,
"iamPrincipals": testAccPermissions_tableIAMPrincipals,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

best viewed with "hide whitespace" enabled

@nickdelnano nickdelnano changed the title aws_lakeformation_permissions support IAMPrincipals special principal aws_lakeformation_permissions support AllIAMPrincipals special principal Jul 30, 2024
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 31, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
@nickdelnano
Copy link
Contributor Author

Hi @justinretzolk , do you know when this change could be reviewed and hopefully merged? Its a small change but meaningfully adds support for a missing primitive in AWS Lake Formation permissions.

Thank you for your time! I know there is a considerable workload in reviewing PRs.

@nickdelnano
Copy link
Contributor Author

@johnsonaj (pinging you since I saw you review some similar PRs recently) - could this one please get a review? Its a small change but meaningfully adds support for a missing primitive in AWS Lake Formation permissions.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Copy link
Contributor

@johnsonaj johnsonaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

% go test -count=1 -v ./internal/service/lakeformation/... -run='TestValidPrincipal’

2024/12/18 09:34:51 Initializing Terraform AWS Provider...
=== RUN   TestValidPrincipal
=== PAUSE TestValidPrincipal
=== CONT  TestValidPrincipal
--- PASS: TestValidPrincipal (0.00s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/lakeformation	10.935s
% make testacc TESTARGS="-run=TestAccLakeFormation_serial" PKG=lakeformation

make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.23.2 test ./internal/service/lakeformation/... -v -count 1 -parallel 20  -run=TestAccLakeFormation_serial -timeout 360m
2024/12/17 14:02:46 Initializing Terraform AWS Provider...
--- PASS: TestAccLakeFormation_serial (1408.45s)
    --- PASS: TestAccLakeFormation_serial/PermissionsTableWithColumns (149.30s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTableWithColumns/wildcardSelectPlus (25.40s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTableWithColumns/basic (55.89s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTableWithColumns/implicit (22.18s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTableWithColumns/wildcardExcludedColumns (22.93s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTableWithColumns/wildcardSelectOnly (22.90s)
    --- PASS: TestAccLakeFormation_serial/LFTags (100.30s)
        --- PASS: TestAccLakeFormation_serial/LFTags/basic (15.53s)
        --- PASS: TestAccLakeFormation_serial/LFTags/disappears (12.73s)
        --- PASS: TestAccLakeFormation_serial/LFTags/tagKeyComplex (12.02s)
        --- PASS: TestAccLakeFormation_serial/LFTags/values (25.72s)
        --- PASS: TestAccLakeFormation_serial/LFTags/valuesOverFifty (34.30s)
    --- PASS: TestAccLakeFormation_serial/ResourceLFTag (59.45s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTag/basic (14.02s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTag/disappears (15.21s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTag/table (15.34s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTag/tableWithColumns (14.89s)
    --- PASS: TestAccLakeFormation_serial/DataCellsFilter (74.82s)
        --- PASS: TestAccLakeFormation_serial/DataCellsFilter/basic (18.35s)
        --- PASS: TestAccLakeFormation_serial/DataCellsFilter/columnWildcard (14.99s)
        --- PASS: TestAccLakeFormation_serial/DataCellsFilter/disappears (16.02s)
        --- PASS: TestAccLakeFormation_serial/DataCellsFilter/rowFilter (25.45s)
    --- PASS: TestAccLakeFormation_serial/PermissionsBasic (317.72s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/basic (21.50s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/database (22.18s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/databaseIAMAllowed (43.58s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/databaseIAMPrincipals (13.93s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/dataLocation (20.17s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/disappears (82.23s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/lfTag (22.50s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/lfTagPolicyMultiple (22.07s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/databaseMultiple (22.51s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/dataCellsFilter (24.52s)
        --- PASS: TestAccLakeFormation_serial/PermissionsBasic/lfTagPolicy (22.53s)
    --- PASS: TestAccLakeFormation_serial/PermissionsTable (248.17s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/wildcardNoSelect (22.15s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/wildcardSelectPlus (23.46s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/iamAllowed (45.09s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/iamPrincipals (15.21s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/implicit (23.59s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/multipleRoles (24.12s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/basic (23.58s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/selectOnly (23.71s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/selectPlus (23.62s)
        --- PASS: TestAccLakeFormation_serial/PermissionsTable/wildcardSelectOnly (23.64s)
    --- PASS: TestAccLakeFormation_serial/ResourceLFTags (163.59s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTags/disappears (14.55s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTags/hierarchy (30.53s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTags/table (26.80s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTags/tableWithColumns (27.02s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTags/basic (14.52s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTags/database (25.50s)
        --- PASS: TestAccLakeFormation_serial/ResourceLFTags/databaseMultipleTags (24.67s)
    --- PASS: TestAccLakeFormation_serial/DataLakeSettings (85.26s)
        --- PASS: TestAccLakeFormation_serial/DataLakeSettings/basic (12.12s)
        --- PASS: TestAccLakeFormation_serial/DataLakeSettings/disappears (13.20s)
        --- PASS: TestAccLakeFormation_serial/DataLakeSettings/withoutCatalogId (12.52s)
        --- PASS: TestAccLakeFormation_serial/DataLakeSettings/readOnlyAdmins (12.02s)
        --- PASS: TestAccLakeFormation_serial/DataLakeSettings/parameters (35.39s)
    --- PASS: TestAccLakeFormation_serial/DataLakeSettingsDataSource (25.53s)
        --- PASS: TestAccLakeFormation_serial/DataLakeSettingsDataSource/readOnlyAdmins (12.95s)
        --- PASS: TestAccLakeFormation_serial/DataLakeSettingsDataSource/basic (12.58s)
    --- PASS: TestAccLakeFormation_serial/PermissionsDataSource (184.32s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/basic (22.18s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/dataCellsFilter (24.78s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/database (23.18s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/dataLocation (21.77s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/lfTag (22.71s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/lfTagPolicy (23.04s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/table (22.40s)
        --- PASS: TestAccLakeFormation_serial/PermissionsDataSource/tableWithColumns (24.26s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/lakeformation	1414.830s

@johnsonaj
Copy link
Contributor

@nickdelnano thank you for the contribution! 🎉

@johnsonaj johnsonaj merged commit 3d299e2 into hashicorp:main Dec 18, 2024
42 checks passed
@github-actions github-actions bot added this to the v5.82.0 milestone Dec 18, 2024
Copy link

This functionality has been released in v5.82.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Addresses a defect in current functionality. documentation Introduces or discusses updates to documentation. service/lakeformation Issues and PRs that pertain to the lakeformation service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: aws_lakeformation_permissions does not support IAMPrincipals
4 participants