Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_lakeformation_permissions support AllIAMPrincipals special principal #38600

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

aws_lakeformation_permissions support AllIAMPrincipals special principal #38600

wants to merge 3 commits into from

Conversation

nickdelnano
Copy link

@nickdelnano nickdelnano commented Jul 30, 2024
edited
Loading

Issue: #29767

Lake Formation supports two special principal values that are defined by the Lake Formation service:

  • IAMAllowedPrincipals (already supported by aws_lakeformation_permissions resource since its creation)
  • AllIAMPrincipals (Added in this PR)

The implementation and test cases for AllIAMPrincipals closely follows that of IAMAllowedPrincipals.

Principal is an IAM group - ALLIAMPrincipals
When you grant permissions to ALLIAMPrincipals group on a Data Catalog resource, every principal in the account gets
access to the Data Catalog resource using Lake Formation permissions and IAM permissions.
Example:

--principal DataLakePrincipalIdentifier=123456789012:IAMPrincipals

https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html

@github-actions GitHub Actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/lakeformation Issues and PRs that pertain to the lakeformation service. needs-triage Waiting for first response or review from a maintainer. labels Jul 30, 2024
@nickdelnano nickdelnano force-pushed the b-aws_lakeformation_permissions-iamprincipals branch from 32819ff to 063a75c Compare July 30, 2024 17:27
@github-actions github-actions bot added the documentation Introduces or discusses updates to documentation. label Jul 30, 2024
nickdelnano
nickdelnano commented Jul 30, 2024
View reviewed changes
website/docs/r/lakeformation_permissions.html.markdown
Comment on lines +90 to +104
## `ALLIAMPrincipals` group

AllIAMPrincipals is a pseudo-entity group that acts like a Lake Formation principal. The group includes all IAMs in the account that is defined.

resource "aws_lakeformation_permissions" "example" {
permissions = ["SELECT"]
principal = "123456789012:IAMPrincipals"

table_with_columns {
database_name = aws_glue_catalog_table.example.database_name
name = aws_glue_catalog_table.example.name
column_names = ["event"]
}
}

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html

@nickdelnano nickdelnano marked this pull request as ready for review July 30, 2024 17:28
@nickdelnano nickdelnano requested a review from a team as a code owner July 30, 2024 17:28
nickdelnano
nickdelnano commented Jul 30, 2024
View reviewed changes
internal/service/lakeformation/validate_test.go
"1234567890125", //not an account id
"1234567890125", //not an account id
"IAMPrincipals", // incorrect representation
"1234567890125:IAMPrincipals", // incorrect representation, account id invalid length
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

best viewed with "hide whitespace" enabled

nickdelnano
nickdelnano commented Jul 30, 2024
View reviewed changes
internal/service/lakeformation/lakeformation_test.go
@@ -54,6 +55,7 @@ func TestAccLakeFormation_serial(t *testing.T) {
"PermissionsTable": {
acctest.CtBasic: testAccPermissions_tableBasic,
"iamAllowed": testAccPermissions_tableIAMAllowed,
"iamPrincipals": testAccPermissions_tableIAMPrincipals,
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

best viewed with "hide whitespace" enabled

@nickdelnano nickdelnano mentioned this pull request Jul 30, 2024
Open
@nickdelnano nickdelnano changed the title aws_lakeformation_permissions support IAMPrincipals special principal aws_lakeformation_permissions support AllIAMPrincipals special principal Jul 30, 2024
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. documentation Introduces or discusses updates to documentation. service/lakeformation Issues and PRs that pertain to the lakeformation service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nickdelnano @justinretzolk