hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Lake Formation Tag-Based Access Control related resources and data sources #19640

Closed maiarareinaldo closed 2 years ago

maiarareinaldo commented 3 years ago

Editor's Note

We are going to use this issue as a place to organize work and communicate about design issues. PRs:

Description

The AWS Lake Formation API recently started supporting Tag-Based Access Control. Support for this is not available in the AWS provider but could be added. The API allows:

New or Affected Resource(s)

Affected:

New (suggestions):

Potential Terraform Configuration

resource "aws_lakeformation_permissions" "permission_by_tag" {
  ...

  # For granting permissions on Data Catalog resources based on tag policies instead of 
  # resource names
  lf_tag_policy {
    catalog_id = "123456789"
    resource_type = "DATABASE | TABLE"
    expression = [
      {
        tag_key = "module"
        tag_values = ["*"]
      },
      {
        tag_key = "region"
        tag_values = ["west", "south"]
      }
    ]
  }

  # For granting permissions (DESCRIBE|ASSOCIATE) on tag policies
  lf_tag {
    catalog_id = "123456789"
    tag_key = "region"
    tag_values = ["west", "south"]
  }
}

resource "aws_lakeformation_tag" "region" {
  tag_key = "region"
  tag_values = ["west", "south"]
}

resource "aws_lakeformation_tag_resource" "" {
  catalog_id = "123456789"

  # A block to identify the Data Catalog resource that the tag is being assigned to. Similar to aws_lakeformation_permissions
  database {
    #similar to aws_lakeformation_permissions
  }
  table {
    #similar to aws_lakeformation_permissions
  }
  table_with_columns {
    #similar to aws_lakeformation_permissions
  }

  # The tags that are being assigned
  lf_tags = [
    {
      catalog_id = "123456789"
      tag_key    = "module"
      tag_values = ["A"]
    },
    {
      catalog_id = "123456789"
      tag_key    = "region"
      tag_values = ["west"]
    }
  ]
}

References

ewbankkit commented 3 years ago

Related:

danielcmessias commented 3 years ago

Also related:

stevenayers commented 2 years ago

Added in:

Please give them a 👍 so they are reviewed.

breathingdust commented 2 years ago

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!

YakDriver commented 2 years ago

@danielcmessias @stevenayers @maiarareinaldo Lake Formation Brain Trust

I'm working on the next resource but I have less context than you so let me know if you have opinions on these items:

  1. What about aws_lakeformation_resource_lf_tags for the name? The get operation in the API is GetResourceLFTags.
  2. The add operation returns Failures in a data structure instead of as errors. That seems odd to me so I'm converting those failures to errors. Is there some reason you wouldn't want an error and rather get information on failures without an error?

I should have something to look at soon and would appreciate any feedback.

danielcmessias commented 2 years ago

@YakDriver

  1. Name works for me 👍
  2. My guess is that LF applies as many LF-Tags successfully as it can and returns the list of any failed attempts. So you could have a partially-successful API call with 99 tags applied and 1 failed? I see no reason why these can't be converted to errors so long as the terraform state is updated for any successes though, especially given that failures is an array of LFTagError anyway

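A sketch in Go of the partial-success handling discussed in the two comments above, added here as an illustration and not code from the provider. The types are simplified stand-ins that only mirror the shape of the AddLFTagsToResource response (a Failures list of LFTagError entries); the function name appliedAndError and the sample data are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the API shapes referred to in the thread (assumed, defined
// inline so the example runs offline without the AWS SDK).
type LFTagPair struct {
	CatalogID string
	TagKey    string
	TagValues []string
}

type LFTagError struct {
	LFTag        LFTagPair
	ErrorCode    string
	ErrorMessage string
}

// AddLFTagsToResourceOutput reports per-tag failures in Failures rather than
// failing the whole call, so some of the requested tags may already be applied.
type AddLFTagsToResourceOutput struct {
	Failures []LFTagError
}

// appliedAndError splits a partially successful response into the tags that
// were actually applied (the part worth writing to state) and one error that
// aggregates every failed tag. A resource holds a single value per tag key,
// so catalog + key identifies a requested tag.
func appliedAndError(requested []LFTagPair, out *AddLFTagsToResourceOutput) ([]LFTagPair, error) {
	failed := make(map[string]LFTagError, len(out.Failures))
	for _, f := range out.Failures {
		failed[f.LFTag.CatalogID+"/"+f.LFTag.TagKey] = f
	}
	applied := make([]LFTagPair, 0, len(requested))
	var msgs []string
	for _, t := range requested {
		if f, ok := failed[t.CatalogID+"/"+t.TagKey]; ok {
			msgs = append(msgs, fmt.Sprintf("%s (catalog %s): %s: %s", t.TagKey, t.CatalogID, f.ErrorCode, f.ErrorMessage))
			continue
		}
		applied = append(applied, t)
	}
	if len(msgs) == 0 {
		return applied, nil
	}
	return applied, fmt.Errorf("%d of %d LF-Tags failed to apply: %s", len(msgs), len(requested), strings.Join(msgs, "; "))
}
```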
github-actions[bot] commented 2 years ago

This functionality has been released in v4.21.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.