generated from ministryofjustice/template-repository
EM: Lakeformation for Cloud platform roles #9186
Status: Open
matt-heery wants to merge 66 commits into main from test-lf-tf-perms
+287 −3
Commits (66, all by matt-heery):

a9b8f6f  add lake formation permissions to only see current changes
d7bf568  fix: add actual permissions and reference cols correctly
649ea2b  d
9583e50  no exclusions
9c2c550  remove hidden columns
55060bd  remove deleted
8628844  remove select *
69e59be  bad tf docs
592c42b  forgot to press save
cce7886  reference data filter
0ba3cd4  allow to assume role
ffa3331  update cloud platform policy
57ec8c6  attach policy to role
5547542  adding cadt bucket as the lakeformation resource
b52e900  remove ;
80ed84a  proper syntax
0fd3ede  escape quotes
6a7e7ba  TRUE
91095b9  escape keyword
f15575e  remove cols
6f2f8ea  no excluded cols
8082617  add a space
fe1e529  exclude all cols
1f6128d  remove list
17ce8c6  glue
9bfb9f5  database
67b254d  describe
5e8266d  add get table policy
af4ec65  add de role as super admin
1d22183  add starred databases
1053dd9  all databases
4e7fb1a  add modulisation of lake formation
1656e49  update to key
d7e7146  use single lf resource
940756e  change ref
51cf4fc  missing table
60e4ee3  add lf resource de permissions
39f53f0  add explicit table permissions
6e3fa16  update config for not dev
8086044  clean specials
509b0d6  remove count
f2c7a29  local.
16f445b  empty life
e86aced  parentheses
c338a74  allowing a specials role as well
b4a1921  add no filter
dcbf095  update module to allow for no data filter
332ddad  update filter with all rows wildcard
62f8e3f  adding ap access
4db5748  only for test for now
196cb1e  for each
8a53c31  remove needless secret
039c0c3  remove optional args
6803876  add module
4f66b8b  updated config
6a6c287  update to the correct env_
07e04d9  select only
8fd4712  sandbox
9f11b60  remove dash
0a5042d  add test assume role again
f4b3345  fixes and removal of other bits
08bfa50  random id
e0a695f  fix: remove non-existent bit of code
1a08673  terraform random provider
39d11ad  update names and add AM tables infra
1f3d493  update the specials set up
terraform/environments/electronic-monitoring-data/lake_formation_cloud_platform.tf (69 additions, 0 deletions)
@@ -0,0 +1,69 @@ | ||
locals { | ||
env_ = "${local.environment_shorthand}_" | ||
cap_dw_tables = local.is-production ? ["contact_history", "equipment_details", "event_history", "incident", "order_details", "services", "suspension_of_visits", "violations", "visit_details"] : [] | ||
am_tables = local.is-production ? ["am_contact_history", "am_equipment_details", "am_incident", "am_order_details", "am_services", "am_visit_details"] : [] | ||
} | ||
|
||
resource "aws_lakeformation_resource" "data_bucket" { | ||
arn = module.s3-create-a-derived-table-bucket.bucket.arn | ||
} | ||
|
||
module "share_current_version" { | ||
count = local.is-test ? 1 : 0 | ||
source = "./modules/lakeformation" | ||
table_filters = { | ||
"account" = "__current=true" | ||
} | ||
role_arn = module.cmt_front_end_assumable_role.iam_role_arn | ||
database_name = "staged_fms_${local.env_}dbt" | ||
data_engineer_role_arn = try(one(data.aws_iam_roles.data_engineering_roles.arns)) | ||
data_bucket_lf_resource = aws_lakeformation_resource.data_bucket.arn | ||
} | ||
|
||
module "cap_dw_excluding_specials" { | ||
for_each = toset(local.cap_dw_tables) | ||
source = "./modules/lakeformation" | ||
table_filters = { | ||
(each.key) = "specials_flag=0" | ||
} | ||
role_arn = module.cmt_front_end_assumable_role.iam_role_arn | ||
database_name = "historic_api_mart_historic_dev_dbt" | ||
data_engineer_role_arn = try(one(data.aws_iam_roles.data_engineering_roles.arns)) | ||
data_bucket_lf_resource = aws_lakeformation_resource.data_bucket.arn | ||
} | ||
|
||
module "cap_dw_including_specials" { | ||
for_each = toset(local.cap_dw_tables) | ||
source = "./modules/lakeformation" | ||
table_filters = { | ||
(each.key) = "" | ||
} | ||
role_arn = module.specials_cmt_front_end_assumable_role.iam_role_arn | ||
database_name = "historic_api_mart_historic_dev_dbt" | ||
data_engineer_role_arn = try(one(data.aws_iam_roles.data_engineering_roles.arns)) | ||
data_bucket_lf_resource = aws_lakeformation_resource.data_bucket.arn | ||
} | ||
|
||
module "am_for_non_specials_role" { | ||
for_each = toset(local.am_tables) | ||
source = "./modules/lakeformation" | ||
table_filters = { | ||
(each.key) = "" | ||
} | ||
role_arn = module.cmt_front_end_assumable_role.iam_role_arn | ||
database_name = "historic_api_mart_historic_dev_dbt" | ||
data_engineer_role_arn = try(one(data.aws_iam_roles.data_engineering_roles.arns)) | ||
data_bucket_lf_resource = aws_lakeformation_resource.data_bucket.arn | ||
} | ||
|
||
module "am_for_specials_role" { | ||
for_each = toset(local.am_tables) | ||
source = "./modules/lakeformation" | ||
table_filters = { | ||
(each.key) = "" | ||
} | ||
role_arn = module.specials_cmt_front_end_assumable_role.iam_role_arn | ||
database_name = "historic_api_mart_historic_dev_dbt" | ||
data_engineer_role_arn = try(one(data.aws_iam_roles.data_engineering_roles.arns)) | ||
data_bucket_lf_resource = aws_lakeformation_resource.data_bucket.arn | ||
} |
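Review bot: the four modules that point at `historic_api_mart_historic_dev_dbt` only receive tables when `local.is-production` is true (`cap_dw_tables` and `am_tables` are `[]` otherwise), yet their `database_name` is hardcoded with `_dev_`, unlike `share_current_version`, which derives `staged_fms_${local.env_}dbt` from `local.env_`. Either the production grants will target a dev-named database or the gate is inverted; derive the name from `local.env_` in the same way (for example `database_name = "historic_api_mart_historic_${local.env_}dbt"`, assuming that matches the catalog naming) and confirm the `is-production` gate is intended given that `share_current_version` is gated on `is-test` instead. Also, `try(one(data.aws_iam_roles.data_engineering_roles.arns))` with a single argument provides no fallback: `try` with one expression behaves exactly like that expression, so if the data source matches more than one role `one()` still fails the plan, and if it matches none the data engineer principal becomes null. Give it an explicit fallback, or better a `precondition` on the data source, so the failure mode is deliberate rather than incidental.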
terraform/environments/electronic-monitoring-data/modules/lakeformation/main.tf (82 additions, 0 deletions)
@@ -0,0 +1,82 @@ | ||
data "aws_caller_identity" "current" {} | ||
|
||
resource "aws_lakeformation_permissions" "data_engineering_permissions" { | ||
permissions = ["ALL"] | ||
principal = var.data_engineer_role_arn | ||
|
||
database { | ||
name = var.database_name | ||
} | ||
} | ||
|
||
resource "random_id" "suffix" { | ||
byte_length = 32 | ||
} | ||
|
||
resource "aws_lakeformation_permissions" "data_engineering_table_permissions" { | ||
for_each = var.table_filters | ||
permissions = ["ALL"] | ||
principal = var.data_engineer_role_arn | ||
|
||
table { | ||
database_name = var.database_name | ||
name = each.key | ||
} | ||
} | ||
|
||
resource "aws_lakeformation_permissions" "de_s3_bucket_permissions" { | ||
principal = var.data_engineer_role_arn | ||
|
||
permissions = ["DATA_LOCATION_ACCESS"] | ||
|
||
data_location { | ||
arn = var.data_bucket_lf_resource | ||
} | ||
} | ||
|
||
resource "aws_lakeformation_permissions" "s3_bucket_permissions" { | ||
principal = var.role_arn | ||
|
||
permissions = ["DATA_LOCATION_ACCESS"] | ||
|
||
data_location { | ||
arn = var.data_bucket_lf_resource | ||
} | ||
} | ||
|
||
resource "aws_lakeformation_data_cells_filter" "data_filter" { | ||
for_each = tomap(var.table_filters) | ||
table_data { | ||
database_name = var.database_name | ||
name = "filter-${each.key}-${random_id.suffix.hex}" | ||
table_catalog_id = data.aws_caller_identity.current.account_id | ||
table_name = each.key | ||
column_wildcard { | ||
excluded_column_names = [] | ||
} | ||
dynamic "row_filter" { | ||
for_each = each.value != "" ? [each.value] : [] | ||
content { | ||
filter_expression = each.value | ||
} | ||
} | ||
dynamic "row_filter" { | ||
for_each = each.value == "" ? [each.value] : [] | ||
content { | ||
all_rows_wildcard {} | ||
} | ||
} | ||
} | ||
} | ||
|
||
resource "aws_lakeformation_permissions" "share_filtered_data_with_role" { | ||
for_each = tomap(var.table_filters) | ||
principal = var.role_arn | ||
permissions = ["DESCRIBE", "SELECT"] | ||
data_cells_filter { | ||
database_name = var.database_name | ||
table_name = each.key | ||
table_catalog_id = data.aws_caller_identity.current.account_id | ||
name = aws_lakeformation_data_cells_filter.data_filter[each.key].table_data[0].name | ||
} | ||
} |
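Review bot: `s3_bucket_permissions` grants `DATA_LOCATION_ACCESS` on the whole registered bucket to `var.role_arn`, while the only other grant that principal receives here is `DESCRIBE`/`SELECT` through a data cells filter. `DATA_LOCATION_ACCESS` is what lets a principal create or alter catalog tables whose location is under that path; a consumer that only queries through the filter does not need it, and combined with `CREATE_TABLE` on any database it would let that role register its own table over the same S3 data and read it without the row filter this module exists to enforce. Drop the grant for `var.role_arn` (keep `de_s3_bucket_permissions` if the data engineer role manages tables) or make it opt-in via a variable. Separately, `data_engineering_permissions`, `de_s3_bucket_permissions` and `s3_bucket_permissions` are created by every instantiation of the module, and the calling file instantiates it once per table (twice per table for the `cap_dw` set), so the same `ALL`-on-database and `DATA_LOCATION_ACCESS` grants for the same principal end up managed by many `aws_lakeformation_permissions` resources at once. The provider revokes on destroy, so removing any one module instance revokes a grant the remaining instances still believe they hold. Move the database-level and data-location grants to a single resource in the root module and keep only the per-table grant and the cell filter in the module.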
terraform/environments/electronic-monitoring-data/modules/lakeformation/variables.tf (25 additions, 0 deletions)
@@ -0,0 +1,25 @@ | ||
variable "table_filters" { | ||
description = "Map of names of the tables and filters to apply" | ||
type = map(string) | ||
} | ||
|
||
variable "database_name" { | ||
description = "Name of the database the table belongs to" | ||
type = string | ||
|
||
} | ||
|
||
variable "data_engineer_role_arn" { | ||
description = "ARN of the DE role" | ||
type = string | ||
} | ||
|
||
variable "data_bucket_lf_resource" { | ||
description = "arn of the lake formation resource for the data bucket" | ||
type = string | ||
} | ||
|
||
variable "role_arn" { | ||
description = "Role to grant permissions to" | ||
type = string | ||
} |
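Review bot: the `table_filters` description does not say that an empty string value is a sentinel meaning "no row filter, all rows" (that is how `main.tf` chooses between `filter_expression` and `all_rows_wildcard`), so a caller who passes `""` by mistake silently grants the role every row of the table. Spell the sentinel out in the description and, better, make the all-rows case explicit: accept `null` for the wildcard and add a `validation` block that rejects empty strings, so an accidental blank fails the plan instead of widening access. Minor: stray blank line inside the `database_name` block.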
terraform/environments/electronic-monitoring-data/modules/lakeformation/versions.tf (13 additions, 0 deletions)
@@ -0,0 +1,13 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 5.0" | ||
} | ||
random = { | ||
source = "hashicorp/random" | ||
version = "~> 3.0" | ||
} | ||
} | ||
required_version = ">= 1.0.1" | ||
} |
Learn something new every day, I didn't realise flatten can work on singular variables too, always thought it had to be put as a list of lists!
what is a list of lists if not a list of items? ;)