hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

AWS LakeFormation Tag-Based Access Control (TBAC) #20996

Closed simonB2020 closed 2 years ago

simonB2020 commented 2 years ago

Community Note

Relates #19640 (duplicate?)

Description

Requesting addition of functionality to support Tag-Based Control. https://docs.aws.amazon.com/lake-formation/latest/dg/TBAC-overview.html

New or Affected Resource(s)

(1) New resources for the following APIs: aws.lakeformation

- create-lf-tag / update-lf-tag / delete-lf-tag
- add-lf-tags-to-resource / remove-lf-tags-from-resource

(2) Modify aws_lakeformation_permissions to include the following resource types:

- LFTag
- LFTagPolicy

Potential Terraform Configuration

References

https://docs.aws.amazon.com/lake-formation/latest/dg/TBAC-overview.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lakeformation/index.html#cli-aws-lakeformation
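As an added example (not from the issue, the issue author, or the provider's own documentation) of how the requested TBAC pieces fit together as Terraform resources: a tag definition, the tag attached to a database, and a single tag-expression grant that replaces one aws_lakeformation_permissions per table. Resource and argument names follow the provider's LF-Tag resources; the database name and role ARNs are constructed placeholders.

```hcl
# Added example, not from the issue. Database name and ARNs are constructed.

# 1. Define the tag and its allowed values (create-lf-tag / update-lf-tag).
resource "aws_lakeformation_lf_tag" "classification" {
  key    = "classification"
  values = ["public", "confidential"]
}

# 2. Attach a tag value to a database (add-lf-tags-to-resource).
resource "aws_lakeformation_resource_lf_tags" "sales" {
  database {
    name = "sales_db" # constructed example database
  }

  lf_tag {
    key   = aws_lakeformation_lf_tag.classification.key
    value = "confidential"
  }
}

# 3. Grant data access by tag expression (LFTagPolicy resource type) instead of
#    one aws_lakeformation_permissions per table. Every table tagged
#    classification=confidential, now or in future, is covered by this one grant.
resource "aws_lakeformation_permissions" "analysts_confidential" {
  principal   = "arn:aws:iam::123456789012:role/analysts" # placeholder ARN
  permissions = ["SELECT", "DESCRIBE"]

  lf_tag_policy {
    resource_type = "TABLE"
    expression {
      key    = aws_lakeformation_lf_tag.classification.key
      values = ["confidential"]
    }
  }
}

# 4. Grant the right to associate the tag with resources (LFTag resource type),
#    kept separate from data access so tag administration stays least-privilege.
resource "aws_lakeformation_permissions" "stewards_tag_admin" {
  principal   = "arn:aws:iam::123456789012:role/data-stewards" # placeholder ARN
  permissions = ["ASSOCIATE"]

  lf_tag {
    key    = aws_lakeformation_lf_tag.classification.key
    values = ["public", "confidential"]
  }
}
```

Because the grant is evaluated against tags rather than enumerated tables, a newly created table only needs the correct tag value to be covered, and a mis-tagged table is the thing to detect in review rather than a missing per-table grant.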

distributedlock commented 2 years ago

The addition of this feature would be very helpful in reducing the overall number of resources that terraform has to manage when dealing with a very large number of lake formation permissions.

We are seeing significant degradation in execution time during the state refresh part of the terraform plan phase at work as we manage ~1500 LF permissions via terraform and it has become completely unmanageable. The execution time with around ~1500 LF permissions managed via aws_lakeformation_permissions has gone to around ~2h. We are very large users of Lake Formation and the addition of LF-Tags to be managed via the AWS provider would be of great help.

We are now thinking about dropping the usage of aws_lakeformation_permissions and moving to local-exec provisioner to use AWS CLI to manage LF tags in an adhoc manner until the LF-Tag support is added into the AWS provider.

simonB2020 commented 2 years ago

Ranadeep, We are trying to keep LF permissions done in TF to a minimum. Implementing only permissions for core roles & services.

The majority of 'end user' permissions are being maintained outside of TF. It's a pain developing the external tools to do that, but like you've found - TF is not practical for managing any volume of permissions.

sbrandtb commented 2 years ago

Is this pretty much covered by #19640?

stevenayers commented 2 years ago

Added in:

Please give them a 👍 so they are reviewed.

github-actions[bot] commented 2 years ago

This functionality has been released in v4.21.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.