lakeformation: Fix various bugs including SELECT permission issues #20108

Merged
merged 24 commits into from
Jul 8, 2021
Merged
Changes from 19 commits
50c70f0
i/lakeformation: Add enum file
YakDriver Jul 8, 2021
fa51631
docs/r/lakeformation_permissions: Add docs on IAMAllowedPrincipals
YakDriver Jul 8, 2021
10970c4
tests/lakeformation: Add new tests, rename existing
YakDriver Jul 8, 2021
81b10a5
tests/r/lakeformation_permissions: Fix bugs
YakDriver Jul 8, 2021
1a73d2e
r/lakeformation_permissions: Fix bugs
YakDriver Jul 8, 2021
2199d55
tests/lakeformation_data_lake_setting: Rework for STS
YakDriver Jul 8, 2021
ab8c63f
i/lakeformation: Reduce permissions delete TO
YakDriver Jul 8, 2021
ddedf2e
i/lakeformation: Ensure same principal
YakDriver Jul 8, 2021
1a3c9fa
i/lakeformation: Filter out different principals
YakDriver Jul 8, 2021
db714c3
tests/d/lakeformation_data_lake_settings: Rework for STS
YakDriver Jul 8, 2021
259c816
tests/d/lakeformation_permissions: Rework for STS
YakDriver Jul 8, 2021
fe6da79
d/lakeformation_permissions: Fix bugs
YakDriver Jul 8, 2021
8abe9aa
r/lakeformation_permissions: Add changelog
YakDriver Jul 8, 2021
08bba8d
r/lakeformation_permissions: Linty McLintface
YakDriver Jul 8, 2021
0538764
r/lakeformation_permissions: Linty McLintface
YakDriver Jul 8, 2021
ede6a1a
r/lakeformation_permissions: Linty McLintface
YakDriver Jul 8, 2021
9c50c5c
docs/r/lakeformation_permissions: Curse you trailing whitespace
YakDriver Jul 8, 2021
b60dbff
docs/r/lakeformation_permissions: Clarify behavior
YakDriver Jul 8, 2021
b880067
docs/r/lakeformation_permissions: Heading
YakDriver Jul 8, 2021
306bd03
docs/r/lakeformation_permissions: Soften language
YakDriver Jul 8, 2021
ddab58c
docs/r/lakeformation_permissions: Clarify
YakDriver Jul 8, 2021
fb040dd
docs/r/lakeformation_permissions: Clean up language
YakDriver Jul 8, 2021
ad016d2
r/lakeformation_permissions: Errant newline
YakDriver Jul 8, 2021
8b7cb8e
docs/r/lakeformation_permissions: Remove errants ticks
YakDriver Jul 8, 2021
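--- a/.changelog/20108.txt
+++ b/.changelog/20108.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_lakeformation_permissions: Fix various problems with permissions including select-only
+```
+
+```release-note:bug
+data-source/aws_lakeformation_permissions: Fix various problems with permissions including select-only
+```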
11 changes: 7 additions & 4 deletions aws/data_source_aws_lakeformation_data_lake_settings_test.go
Expand Up @@ -8,7 +8,6 @@ import (
)

func testAccAWSLakeFormationDataLakeSettingsDataSource_basic(t *testing.T) {
callerIdentityName := "data.aws_caller_identity.current"
resourceName := "data.aws_lakeformation_data_lake_settings.test"

resource.Test(t, resource.TestCase{
Expand All @@ -20,9 +19,9 @@ func testAccAWSLakeFormationDataLakeSettingsDataSource_basic(t *testing.T) {
{
Config: testAccAWSLakeFormationDataLakeSettingsDataSourceConfig_basic,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrPair(resourceName, "catalog_id", callerIdentityName, "account_id"),
resource.TestCheckResourceAttrPair(resourceName, "catalog_id", "data.aws_caller_identity.current", "account_id"),
resource.TestCheckResourceAttr(resourceName, "admins.#", "1"),
resource.TestCheckResourceAttrPair(resourceName, "admins.0", callerIdentityName, "arn"),
resource.TestCheckResourceAttrPair(resourceName, "admins.0", "data.aws_iam_session_context.current", "issuer_arn"),
),
},
},
Expand All @@ -32,9 +31,13 @@ func testAccAWSLakeFormationDataLakeSettingsDataSource_basic(t *testing.T) {
const testAccAWSLakeFormationDataLakeSettingsDataSourceConfig_basic = `
data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
catalog_id = data.aws_caller_identity.current.account_id
admins = [data.aws_caller_identity.current.arn]
admins = [data.aws_iam_session_context.current.issuer_arn]
}

data "aws_lakeformation_data_lake_settings" "test" {
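Review bot: The `admins.0` check and the config's `admins` now resolve to `data.aws_iam_session_context.current.issuer_arn` instead of the caller ARN, and nothing in the config says why, so a later reader may "simplify" it back and break the test under assumed-role credentials. Propose a comment above the new `aws_iam_session_context` data block: `# Resolve assumed-role session credentials to the underlying role ARN; the data lake admin is presumably matched on the role, not the session` — the reason is inferred from the "Rework for STS" commit message, so confirm the wording. The same unexplained pattern recurs in every config of aws/data_source_aws_lakeformation_permissions_test.go in this PR. The enclosing test function and config constant both extend beyond the hunks shown.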
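--- a/aws/data_source_aws_lakeformation_permissions.go
+++ b/aws/data_source_aws_lakeformation_permissions.go
@@ -277,6 +277,18 @@ func dataSourceAwsLakeFormationPermissionsRead(d *schema.ResourceData, meta inte
 if v, ok := d.GetOk("table"); ok && len(v.([]interface{})) > 0 {
 // since perm list could include TableWithColumns, get the right one
 for _, perm := range cleanPermissions {
+if perm.Resource == nil {
+continue
+}
+
+if perm.Resource.TableWithColumns != nil && perm.Resource.TableWithColumns.ColumnWildcard != nil {
+if err := d.Set("table", []interface{}{flattenLakeFormationTableWithColumnsResourceAsTable(perm.Resource.TableWithColumns)}); err != nil {
+return fmt.Errorf("error setting table: %w", err)
+}
+tableSet = true
+break
+}
+
 if perm.Resource.Table != nil {
 if err := d.Set("table", []interface{}{flattenLakeFormationTableResource(perm.Resource.Table)}); err != nil {
 return fmt.Errorf("error setting table: %w", err)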
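Review bot: The new `TableWithColumns` branch matches only when `ColumnWildcard` is non-nil and then surfaces the grant as `table`, but the comment above the loop ("get the right one") does not say why a wildcard-column grant is treated as a table grant while one with explicit column names is skipped here. Propose extending it: `// A TableWithColumns grant whose columns are a wildcard is equivalent to a table-level grant (presumably how a table SELECT is returned), so expose it as table; explicit column lists are handled as table_with_columns` — the SELECT rationale is inferred from the PR title and changelog, so adjust if wrong. `tableSet` and the rest of the loop are outside the hunk, so I cannot confirm that the explicit-columns case is covered elsewhere; dataSourceAwsLakeFormationPermissionsRead continues beyond the hunk on both sides.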
168 changes: 82 additions & 86 deletions aws/data_source_aws_lakeformation_permissions_test.go
Expand Up @@ -148,28 +148,28 @@ data "aws_partition" "current" {}

resource "aws_iam_role" "test" {
name = %[1]q
path = "/"

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lakeformation.${data.aws_partition.current.dns_suffix}"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
assume_role_policy = jsonencode({
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "glue.${data.aws_partition.current.dns_suffix}"
}
}]
Version = "2012-10-17"
})
}

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
admins = [data.aws_caller_identity.current.arn]
admins = [data.aws_iam_session_context.current.issuer_arn]
}

resource "aws_lakeformation_permissions" "test" {
Expand All @@ -196,21 +196,16 @@ resource "aws_iam_role" "test" {
name = %[1]q
path = "/"

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "glue.${data.aws_partition.current.dns_suffix}"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
assume_role_policy = jsonencode({
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "glue.${data.aws_partition.current.dns_suffix}"
}
}]
Version = "2012-10-17"
})
}

resource "aws_s3_bucket" "test" {
Expand All @@ -225,8 +220,12 @@ resource "aws_lakeformation_resource" "test" {

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
admins = [data.aws_caller_identity.current.arn]
admins = [data.aws_iam_session_context.current.issuer_arn]
}

resource "aws_lakeformation_permissions" "test" {
Expand Down Expand Up @@ -259,25 +258,18 @@ resource "aws_iam_role" "test" {
name = %[1]q
path = "/"

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "glue.${data.aws_partition.current.dns_suffix}"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
assume_role_policy = jsonencode({
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "glue.${data.aws_partition.current.dns_suffix}"
}
}]
Version = "2012-10-17"
})
}

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "test" {
bucket = %[1]q
}
Expand All @@ -286,8 +278,14 @@ resource "aws_glue_catalog_database" "test" {
name = %[1]q
}

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
admins = [data.aws_caller_identity.current.arn]
admins = [data.aws_iam_session_context.current.issuer_arn]
}

resource "aws_lakeformation_permissions" "test" {
Expand Down Expand Up @@ -321,25 +319,18 @@ resource "aws_iam_role" "test" {
name = %[1]q
path = "/"

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "glue.${data.aws_partition.current.dns_suffix}"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
assume_role_policy = jsonencode({
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "glue.${data.aws_partition.current.dns_suffix}"
}
}]
Version = "2012-10-17"
})
}

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "test" {
bucket = %[1]q
}
Expand All @@ -353,8 +344,14 @@ resource "aws_glue_catalog_table" "test" {
database_name = aws_glue_catalog_database.test.name
}

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
admins = [data.aws_caller_identity.current.arn]
admins = [data.aws_iam_session_context.current.issuer_arn]
}

resource "aws_lakeformation_permissions" "test" {
Expand Down Expand Up @@ -389,25 +386,18 @@ resource "aws_iam_role" "test" {
name = %[1]q
path = "/"

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "glue.${data.aws_partition.current.dns_suffix}"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
assume_role_policy = jsonencode({
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "glue.${data.aws_partition.current.dns_suffix}"
}
}]
Version = "2012-10-17"
})
}

data "aws_caller_identity" "current" {}

resource "aws_glue_catalog_database" "test" {
name = %[1]q
}
Expand All @@ -432,8 +422,14 @@ resource "aws_glue_catalog_table" "test" {
}
}

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
admins = [data.aws_caller_identity.current.arn]
admins = [data.aws_iam_session_context.current.issuer_arn]
}

resource "aws_lakeformation_permissions" "test" {
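Review bot: In the first hunk the test role's trust policy changes its service principal from `lakeformation.${data.aws_partition.current.dns_suffix}` to `glue.${data.aws_partition.current.dns_suffix}` alongside the heredoc-to-jsonencode rewrite; that is the only semantic change to any trust policy in this file and is easy to miss inside a formatting diff. It appears to align this fixture with the other four, which already trusted Glue, but a one-line comment on that role (`# Trusted by Glue, matching the other fixtures in this file`) or a sentence in the commit message would make the intent explicit for the next reviewer. The five identical `assume_role_policy = jsonencode({...})` blocks and the repeated `aws_iam_session_context` / `aws_lakeformation_data_lake_settings` pair are now verbatim copies across configs; a shared Go const fragment concatenated into each config would keep them from drifting. Each config constant extends beyond the hunks shown.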
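--- a/aws/internal/service/lakeformation/enum.go
+++ b/aws/internal/service/lakeformation/enum.go
@@ -0,0 +1,8 @@
+package lakeformation
+
+const (
+TableNameAllTables = "ALL_TABLES"
+TableTypeTable = "Table"
+TableTypeTableWithColumns = "TableWithColumns"
+IAMAllowedPrincipals = "IAM_ALLOWED_PRINCIPALS"
+)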
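Review bot: The four exported constants carry no doc comments, which Go convention expects on every exported name, starting with the name. Proposed: `// TableNameAllTables is the table name Lake Formation reports for a grant that spans every table in a database.`, `// TableTypeTable and TableTypeTableWithColumns name the two table-scoped resource shapes a permission can carry.`, and `// IAMAllowedPrincipals is the pseudo-principal Lake Formation uses to represent IAM-only access control.` — the meanings are inferred from the values and from the PR's docs commit on IAMAllowedPrincipals, so confirm them against the Lake Formation API reference before committing. The rendered page also drops the `=` alignment, so make sure the file is gofmt-clean.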