Resource: awsLakeformationDataLakeSettings
Manages Lake Formation principals designated as data lake administrators and lists of principal permission entries for default create database and default create table permissions.
~> NOTE: Lake Formation introduces fine-grained access control for data in your data lake. Part of the changes include the iamAllowedPrincipals principal in order to make Lake Formation backwards compatible with existing IAM and Glue permissions. For more information, see Changing the Default Security Settings for Your Data Lake and Upgrading AWS Glue Data Permissions to the AWS Lake Formation Model.
Example Usage
Data Lake Admins
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.lakeformationDataLakeSettings.LakeformationDataLakeSettings(
  this,
  "example",
  {
    admins: ["${aws_iam_user.test.arn}", "${aws_iam_role.test.arn}"],
  }
);
Create Default Permissions
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.lakeformationDataLakeSettings.LakeformationDataLakeSettings(
  this,
  "example",
  {
    admins: ["${aws_iam_user.test.arn}", "${aws_iam_role.test.arn}"],
    createDatabaseDefaultPermissions: [
      {
        permissions: ["SELECT", "ALTER", "DROP"],
        principal: "${aws_iam_user.test.arn}",
      },
    ],
    createTableDefaultPermissions: [
      {
        permissions: ["ALL"],
        principal: "${aws_iam_role.test.arn}",
      },
    ],
  }
);
Argument Reference
The following arguments are optional:
admins - (Optional) Set of ARNs of AWS Lake Formation principals (IAM users or roles).
catalogId - (Optional) Identifier for the Data Catalog. By default, the account ID.
createDatabaseDefaultPermissions - (Optional) Up to three configuration blocks of principal permissions for default create database permissions. Detailed below.
createTableDefaultPermissions - (Optional) Up to three configuration blocks of principal permissions for default create table permissions. Detailed below.
trustedResourceOwners - (Optional) List of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs).
~> NOTE: Although optional, not including admins, createDatabaseDefaultPermissions, createTableDefaultPermissions, and/or trustedResourceOwners results in the setting being cleared.
createDatabaseDefaultPermissions
The following arguments are optional:
permissions - (Optional) List of permissions that are granted to the principal. Valid values may include all, select, alter, drop, delete, insert, describe, and CREATE_TABLE. For more details, see Lake Formation Permissions Reference.
principal - (Optional) Principal who is granted permissions. To enforce metadata and underlying data access control only by IAM on new databases and tables, set principal to IAM_ALLOWED_PRINCIPALS and permissions to ["all"].
createTableDefaultPermissions
The following arguments are optional:
permissions - (Optional) List of permissions that are granted to the principal. Valid values may include all, select, alter, drop, delete, insert, and describe. For more details, see Lake Formation Permissions Reference.
principal - (Optional) Principal who is granted permissions. To enforce metadata and underlying data access control only by IAM on new databases and tables, set principal to IAM_ALLOWED_PRINCIPALS and permissions to ["all"].
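The two postures described for createDatabaseDefaultPermissions and createTableDefaultPermissions above, as an added example that is not part of this provider's documentation: the backwards-compatible setting (default grants to IAM_ALLOWED_PRINCIPALS) beside the Lake Formation-only setting, with a small audit that reports which defaults fall back to IAM and which settings the resource will clear. The config interface mirrors the argument names on this page; the ARN, the account ID and the helper names are constructed for the example.

```typescript
// Added example: plain-object model of the LakeformationDataLakeSettings
// config so the audit runs without the generated ./.gen/providers/aws bindings.
interface PrincipalPermissions {
  permissions: string[];
  principal: string;
}

interface DataLakeSettingsConfig {
  admins?: string[];
  catalogId?: string;
  createDatabaseDefaultPermissions?: PrincipalPermissions[];
  createTableDefaultPermissions?: PrincipalPermissions[];
  trustedResourceOwners?: string[];
}

// Built-in Lake Formation group that hands access control back to IAM/Glue.
const IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS";
const ADMIN_ROLE = "arn:aws:iam::123456789012:role/lf-admin"; // constructed ARN

// Backwards-compatible posture: every new database and table gets ALL for
// IAM_ALLOWED_PRINCIPALS, so Lake Formation grants are not enforced on them.
const backwardsCompatible: DataLakeSettingsConfig = {
  admins: [ADMIN_ROLE],
  createDatabaseDefaultPermissions: [{ permissions: ["ALL"], principal: IAM_ALLOWED }],
  createTableDefaultPermissions: [{ permissions: ["ALL"], principal: IAM_ALLOWED }],
};

// Lake Formation-only posture: no default grant, so access to new objects must
// be granted explicitly through Lake Formation.
const lakeFormationOnly: DataLakeSettingsConfig = {
  admins: [ADMIN_ROLE],
};

type DefaultArg = "createDatabaseDefaultPermissions" | "createTableDefaultPermissions";
const DEFAULT_ARGS: DefaultArg[] = ["createDatabaseDefaultPermissions", "createTableDefaultPermissions"];

// One entry per default-permission grant to IAM_ALLOWED_PRINCIPALS; empty means
// new objects are governed by Lake Formation grants only.
function iamAllowedDefaults(cfg: DataLakeSettingsConfig): string[] {
  const hits: string[] = [];
  for (const arg of DEFAULT_ARGS) {
    for (const e of cfg[arg] || []) {
      if (e.principal === IAM_ALLOWED) hits.push(`${arg}: ${e.permissions.join(",")}`);
    }
  }
  return hits;
}

// Settings that this resource clears on apply because they are omitted or empty
// (the note above: optional, but leaving them out clears the setting).
function clearedSettings(cfg: DataLakeSettingsConfig): string[] {
  const listArgs: Array<"admins" | DefaultArg | "trustedResourceOwners"> =
    ["admins", ...DEFAULT_ARGS, "trustedResourceOwners"];
  return listArgs.filter((k) => (cfg[k] || []).length === 0);
}
```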
Attributes Reference
No additional attributes are exported.