[Enhancement]: support for aws_lakeformation_permissions hybrid mode opt-in

[mlnrt]

Description

In order to use Lake Formation hybrid mode, either

• permissions must be opted in for hybrid mode when being granted
• or be granted separately as Hybrid access mode permissions. This seems to be done using the CreateLakeFormationOptIn [1], [2]

Terraform provides hybrid_mode parameter for the aws_lakeformation_resource resource, but there is no such option to create the optin for the permissions, nor there is a resource to create such optin

Affected Resource(s) and/or Data Source(s)

aws_lakeformation_permissions

Potential Terraform Configuration

resource "aws_lakeformation_permissions" "example" {
  principal             = aws_iam_role.workflow_role.arn
  permissions           = ["CREATE_TABLE", "ALTER", "DROP"]
  hybrid_access_enabled = true

  database {
    name       = aws_glue_catalog_database.example.name
    catalog_id = "110376042874"
  }
}

##### OR a new resource

resource "aws_lakeformation_optin" "example" {
  principal   = aws_iam_role.workflow_role.arn

  database {
    name       = aws_glue_catalog_database.example.name
    catalog_id = "110376042874"
  }
}

References

API References: [1] https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_CreateLakeFormationOptIn.html [2] https://docs.aws.amazon.com/lake-formation/latest/dg/aws-lake-formation-api-hybrid-access-mode.html

Documentation: Setting up hybrid access mode - common scenarios [3] https://docs.aws.amazon.com/lake-formation/latest/dg/hybrid-access-setup.html

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[nickdelnano]

From the Naming Guide this should be its own resource. The schema for opt in is a near subset of aws_lakeformation_resource_lf_tag. Includes Database and Table and an addition of principal.