aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::LakeFormation::DataLakeSettings Full Support #1399

Closed jliu0812 closed 1 year ago

jliu0812 commented 1 year ago

Name of the resource

AWS::LakeFormation::DataLakeSettings

Resource name

No response

Description

I would like LakeFormation DataLakeSettings to be able to fully support what was declared with the API.

Currently, the API supports the following fields:

{
  "CatalogId": "string",
  "DataLakeSettings": {
    "DataLakeAdmins": [
      {
        "DataLakePrincipalIdentifier": "string"
      }
    ],
    "CreateDatabaseDefaultPermissions": [
      {
        "Principal": {
          "DataLakePrincipalIdentifier": "string"
        },
        "Permissions": [
          "ALL"
        ]
      }
    ],
    "CreateTableDefaultPermissions": [
      {
        "Principal": {
          "DataLakePrincipalIdentifier": "string"
        },
        "Permissions": [
          "ALL"
        ]
      }
    ],
    "Parameters": {
      "string": "string"
    },
    "TrustedResourceOwners": [
      "string"
    ],
    "AllowExternalDataFiltering": true,
    "ExternalDataFilteringAllowList": [
      {
        "DataLakePrincipalIdentifier": "string"
      }
    ],
    "AuthorizedSessionTagValueList": [
      "string"
    ]
  }
}

However, the CloudFormation equivalent of this resource only supports the following fields:

{
  "Type" : "AWS::LakeFormation::DataLakeSettings",
  "Properties" : {
      "Admins" : Admins,
      "TrustedResourceOwners" : [ String, ... ]
    }
}

Namely, CloudFormation does not support the CreateDatabaseDefaultPermissions, CreateTableDefaultPermissions, Parameters, TrustedResourceOwners, AllowExternalDataFiltering, ExternalDataFilteringAllowList, AuthorizedSessionTagValueList fields.

Expected Behavior

I would expect CloudFormation to be able to spin up the LakeFormation DataLakeSettings similarly to the API.

Other Details

Link to PutDataLakeSettings API: https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_PutDataLakeSettings.html
Link to CloudFormation equivalent resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lakeformation-datalakesettings.html

aws-kaushal-partani commented 1 year ago

Hi,

We will look into this issue, although we are not currently tracking it with an ECD.

In the meantime, if it's absolutely needed, a workaround can be created via CFN custom resources: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html

Closing this ticket, since we are aware of the issue and internally tracking it now.

jliu0812 commented 1 year ago

Hello, any update on this? This would be a great feature to have.

aws-kaushal-partani commented 1 year ago

Hi, the new fields are now supported. We will continue adding to our public docs, but as of now, the new fields are supported: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lakeformation-datalakesettings.html

acourtois commented 1 year ago

Hi! It seems that the following does not remove IAM "CreateTableDefaultPermissions" and "CreateDatabaseDefaultPermissions".

LakeFormationSettings:
    Type: AWS::LakeFormation::DataLakeSettings
    Properties:
      Admins:
        - DataLakePrincipalIdentifier: "arn:aws:iam::*****:*****"
      CreateDatabaseDefaultPermissions: []
      CreateTableDefaultPermissions: []

But it does well with the API put-data-lake-settings with this JSON input:

{
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {
                "DataLakePrincipalIdentifier": "arn:aws:iam::*****:*****"
            }
        ],
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": []
    }
}

jliu0812 commented 1 year ago

Can confirm. I am facing the exact same scenario. Please reopen the ticket.
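Because the CloudFormation template with empty lists leaves the default grants in place while the put-data-lake-settings call clears them, the practical defence is to audit the effective settings rather than trust the template. The following is an added example, not code from this thread or from AWS: it inspects a dict in the GetDataLakeSettings/PutDataLakeSettings shape shown above for remaining CreateDatabaseDefaultPermissions/CreateTableDefaultPermissions grants and builds the emptied payload; the sample settings, account id and role name are constructed, and the live helper assumes boto3 is installed with credentials allowed to call GetDataLakeSettings.

```python
"""Audit Lake Formation DataLakeSettings for lingering default (IAM-compatibility) grants."""
import json

# Fields whose entries auto-grant permissions on every newly created database/table.
DEFAULT_PERMISSION_KEYS = ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions")
# Lake Formation's virtual group that defers to IAM-only access control; a default
# grant of ALL to it means new tables bypass fine-grained Lake Formation permissions.
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"


def find_default_permission_grants(settings):
    """Return one finding string per default grant still present (empty list == clean)."""
    findings = []
    for key in DEFAULT_PERMISSION_KEYS:
        for grant in settings.get(key, []):
            principal = grant.get("Principal", {}).get("DataLakePrincipalIdentifier", "<missing>")
            perms = ",".join(grant.get("Permissions", []))
            findings.append(f"{key}: {principal} -> {perms}")
    return findings


def build_hardened_settings(settings):
    """Deep copy of settings with both default lists emptied, mirroring the
    put-data-lake-settings input from the thread; usable as the PutDataLakeSettings body."""
    hardened = json.loads(json.dumps(settings))
    for key in DEFAULT_PERMISSION_KEYS:
        hardened[key] = []
    return hardened


def check_account(catalog_id=""):
    """Live audit of the caller's account (assumption: boto3 + GetDataLakeSettings allowed)."""
    import boto3  # imported here so the pure functions above run without boto3 installed
    client = boto3.client("lakeformation")
    kwargs = {"CatalogId": catalog_id} if catalog_id else {}
    return find_default_permission_grants(client.get_data_lake_settings(**kwargs)["DataLakeSettings"])


# Constructed sample: the state a fresh account (or the template in the thread) is left in.
SAMPLE_SETTINGS = {
    "DataLakeAdmins": [{"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/LakeAdmin"}],
    "CreateDatabaseDefaultPermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS}, "Permissions": ["ALL"]}],
    "CreateTableDefaultPermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS}, "Permissions": ["ALL"]}],
}

if __name__ == "__main__":
    for finding in find_default_permission_grants(SAMPLE_SETTINGS):
        print("FINDING:", finding)
    print(json.dumps(build_hardened_settings(SAMPLE_SETTINGS), indent=2))
```

Run the audit again after the stack update; if it still reports findings, apply the hardened payload through the API (or a custom resource) rather than relying on the empty lists in the template.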