Add support for LakeFormation ReadOnlyAdmins #33189

Merged
7 changes: 7 additions & 0 deletions .changelog/33189.txt
@@ -0,0 +1,7 @@
```release-note:enhancement
resource/aws_lakeformation_data_lake_settings: Add `read_only_admins` argument
```

```release-note:enhancement
data-source/aws_lakeformation_data_lake_settings: Add `read_only_admins` attribute
```
15 changes: 15 additions & 0 deletions internal/service/lakeformation/data_lake_settings.go
Expand Up @@ -45,6 +45,15 @@ func ResourceDataLakeSettings() *schema.Resource {
ValidateFunc: verify.ValidARN,
},
},
"read_only_admins": {
Type: schema.TypeSet,
Computed: true,
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: verify.ValidARN,
},
},
"allow_external_data_filtering": {
Type: schema.TypeBool,
Optional: true,
Expand Down Expand Up @@ -148,6 +157,10 @@ func resourceDataLakeSettingsCreate(ctx context.Context, d *schema.ResourceData,
settings.DataLakeAdmins = expandDataLakeSettingsAdmins(v.(*schema.Set))
}

if v, ok := d.GetOk("read_only_admins"); ok {
settings.ReadOnlyAdmins = expandDataLakeSettingsAdmins(v.(*schema.Set))
}

if v, ok := d.GetOk("allow_external_data_filtering"); ok {
settings.AllowExternalDataFiltering = aws.Bool(v.(bool))
}
Expand Down Expand Up @@ -237,6 +250,7 @@ func resourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData, m
settings := output.DataLakeSettings

d.Set("admins", flattenDataLakeSettingsAdmins(settings.DataLakeAdmins))
d.Set("read_only_admins", flattenDataLakeSettingsAdmins(settings.ReadOnlyAdmins))
d.Set("allow_external_data_filtering", settings.AllowExternalDataFiltering)
d.Set("authorized_session_tag_value_list", flex.FlattenStringList(settings.AuthorizedSessionTagValueList))
d.Set("create_database_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateDatabaseDefaultPermissions))
Expand All @@ -256,6 +270,7 @@ func resourceDataLakeSettingsDelete(ctx context.Context, d *schema.ResourceData,
CreateDatabaseDefaultPermissions: make([]*lakeformation.PrincipalPermissions, 0),
CreateTableDefaultPermissions: make([]*lakeformation.PrincipalPermissions, 0),
DataLakeAdmins: make([]*lakeformation.DataLakePrincipal, 0),
ReadOnlyAdmins: make([]*lakeformation.DataLakePrincipal, 0),
TrustedResourceOwners: make([]*string, 0),
},
}
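Review bot: Because `read_only_admins` is declared both `Optional` and `Computed` in the schema hunk (the one headed `@@ -45,6 +45,15 @@`), removing the argument from a configuration should produce no plan diff as I read the SDK's Optional+Computed handling, so principals already granted read-only admin rights stay in place and the `d.GetOk("read_only_admins")` branch in resourceDataLakeSettingsCreate resends the prior value rather than clearing it. This mirrors how `admins` already behaves, so it is presumably intended, but since the attribute grants view access across the data lake the revocation path deserves a line in the resource documentation, e.g. `Removing this argument does not revoke access; set read_only_admins = [] to clear the read-only admins.` A short schema comment such as `// Optional+Computed: absence in config preserves the current read-only admins` would help the next maintainer as well. Both ResourceDataLakeSettings and resourceDataLakeSettingsCreate start and end outside the hunks shown.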
Expand Up @@ -30,6 +30,11 @@ func DataSourceDataLakeSettings() *schema.Resource {
Computed: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"read_only_admins": {
Type: schema.TypeSet,
Computed: true,
Elem: &schema.Schema{Type: schema.TypeString},
},
"allow_external_data_filtering": {
Type: schema.TypeBool,
Computed: true,
Expand Down Expand Up @@ -121,6 +126,7 @@ func dataSourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData,
settings := output.DataLakeSettings

d.Set("admins", flattenDataLakeSettingsAdmins(settings.DataLakeAdmins))
d.Set("read_only_admins", flattenDataLakeSettingsAdmins(settings.ReadOnlyAdmins))
d.Set("allow_external_data_filtering", settings.AllowExternalDataFiltering)
d.Set("authorized_session_tag_value_list", flex.FlattenStringList(settings.AuthorizedSessionTagValueList))
d.Set("create_database_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateDatabaseDefaultPermissions))
Expand Up @@ -36,6 +36,28 @@ func testAccDataLakeSettingsDataSource_basic(t *testing.T) {
})
}

func testAccDataLakeSettingsDataSource_readOnlyAdmins(t *testing.T) {
ctx := acctest.Context(t)
resourceName := "data.aws_lakeformation_data_lake_settings.test"

resource.Test(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckPartitionHasService(t, lakeformation.EndpointsID) },
ErrorCheck: acctest.ErrorCheck(t, lakeformation.EndpointsID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckDataLakeSettingsDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccDataLakeSettingsDataSourceConfig_readOnlyAdmins,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrPair(resourceName, "catalog_id", "data.aws_caller_identity.current", "account_id"),
resource.TestCheckResourceAttr(resourceName, "read_only_admins.#", "1"),
resource.TestCheckResourceAttrPair(resourceName, "read_only_admins.0", "data.aws_iam_session_context.current", "issuer_arn"),
),
},
},
})
}

const testAccDataLakeSettingsDataSourceConfig_basic = `
data "aws_caller_identity" "current" {}

Expand All @@ -52,3 +74,20 @@ data "aws_lakeformation_data_lake_settings" "test" {
catalog_id = aws_lakeformation_data_lake_settings.test.catalog_id
}
`

const testAccDataLakeSettingsDataSourceConfig_readOnlyAdmins = `
data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
catalog_id = data.aws_caller_identity.current.account_id
read_only_admins = [data.aws_iam_session_context.current.issuer_arn]
}

data "aws_lakeformation_data_lake_settings" "test" {
catalog_id = aws_lakeformation_data_lake_settings.test.catalog_id
}
`
40 changes: 40 additions & 0 deletions internal/service/lakeformation/data_lake_settings_test.go
Expand Up @@ -98,6 +98,28 @@ func testAccDataLakeSettings_withoutCatalogID(t *testing.T) {
})
}

func testAccDataLakeSettings_readOnlyAdmins(t *testing.T) {
ctx := acctest.Context(t)
resourceName := "aws_lakeformation_data_lake_settings.test"

resource.Test(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, lakeformation.EndpointsID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckDataLakeSettingsDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccDataLakeSettingsConfig_readOnlyAdmins,
Check: resource.ComposeTestCheckFunc(
testAccCheckDataLakeSettingsExists(ctx, resourceName),
resource.TestCheckResourceAttr(resourceName, "read_only_admins.#", "1"),
resource.TestCheckResourceAttrPair(resourceName, "read_only_admins.0", "data.aws_iam_session_context.current", "issuer_arn"),
),
},
},
})
}

func testAccCheckDataLakeSettingsDestroy(ctx context.Context) resource.TestCheckFunc {
return func(s *terraform.State) error {
conn := acctest.Provider.Meta().(*conns.AWSClient).LakeFormationConn(ctx)
Expand Down Expand Up @@ -126,6 +148,10 @@ func testAccCheckDataLakeSettingsDestroy(ctx context.Context) resource.TestCheck
if output != nil && output.DataLakeSettings != nil && len(output.DataLakeSettings.DataLakeAdmins) > 0 {
return fmt.Errorf("Lake Formation data lake admin(s) (%s) still exist", rs.Primary.ID)
}

if output != nil && output.DataLakeSettings != nil && len(output.DataLakeSettings.ReadOnlyAdmins) > 0 {
return fmt.Errorf("Lake Formation data lake read only admin(s) (%s) still exist", rs.Primary.ID)
}
}

return nil
Expand Down Expand Up @@ -196,3 +222,17 @@ resource "aws_lakeformation_data_lake_settings" "test" {
admins = [data.aws_iam_session_context.current.issuer_arn]
}
`

const testAccDataLakeSettingsConfig_readOnlyAdmins = `
data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
catalog_id = data.aws_caller_identity.current.account_id

read_only_admins = [data.aws_iam_session_context.current.issuer_arn]
}
`
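Review bot: The PreCheck of testAccDataLakeSettings_readOnlyAdmins calls only `acctest.PreCheck(ctx, t)`, while its data-source counterpart testAccDataLakeSettingsDataSource_readOnlyAdmins in this PR also guards with `acctest.PreCheckPartitionHasService(t, lakeformation.EndpointsID)`; unless the existing basic resource test deliberately omits that guard, the new test will fail at apply instead of skipping in a partition without Lake Formation. Suggest `PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckPartitionHasService(t, lakeformation.EndpointsID) },`. As a point of style, the new check added to testAccCheckDataLakeSettingsDestroy repeats the `output != nil && output.DataLakeSettings != nil` guard of the admins check directly above it; hoisting that guard into one enclosing `if` would keep the two leftover-principal checks together. testAccCheckDataLakeSettingsDestroy starts and ends outside the hunk.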
6 changes: 5 additions & 1 deletion internal/service/lakeformation/lakeformation_test.go
Expand Up @@ -15,9 +15,13 @@ func TestAccLakeFormation_serial(t *testing.T) {
testCases := map[string]map[string]func(t *testing.T){
"DataLakeSettings": {
"basic": testAccDataLakeSettings_basic,
"dataSource": testAccDataLakeSettingsDataSource_basic,
"disappears": testAccDataLakeSettings_disappears,
"withoutCatalogId": testAccDataLakeSettings_withoutCatalogID,
"readOnlyAdmins": testAccDataLakeSettings_readOnlyAdmins,
},
"DataLakeSettingsDataSource": {
"basic": testAccDataLakeSettingsDataSource_basic,
"readOnlyAdmins": testAccDataLakeSettingsDataSource_readOnlyAdmins,
},
"PermissionsBasic": {
"basic": testAccPermissions_basic,
Expand Up @@ -29,6 +29,7 @@ The following arguments are optional:
This data source exports the following attributes in addition to the arguments above:

* `admins` – List of ARNs of AWS Lake Formation principals (IAM users or roles).
* `read_only_admins` – List of ARNs of AWS Lake Formation principals (IAM users or roles) with only view access to the resources.
* `create_database_default_permissions` - Up to three configuration blocks of principal permissions for default create database permissions. Detailed below.
* `create_table_default_permissions` - Up to three configuration blocks of principal permissions for default create table permissions. Detailed below.
* `trusted_resource_owners` – List of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs).
Expand Up @@ -67,6 +67,7 @@ resource "aws_lakeformation_data_lake_settings" "example" {
The following arguments are optional:

* `admins` – (Optional) Set of ARNs of AWS Lake Formation principals (IAM users or roles).
* `read_only_admins` – (Optional) Set of ARNs of AWS Lake Formation principals (IAM users or roles) with only view access to the resources.
* `catalog_id` – (Optional) Identifier for the Data Catalog. By default, the account ID.
* `create_database_default_permissions` - (Optional) Up to three configuration blocks of principal permissions for default create database permissions. Detailed below.
* `create_table_default_permissions` - (Optional) Up to three configuration blocks of principal permissions for default create table permissions. Detailed below.