diff --git a/.changelog/33298.txt b/.changelog/33298.txt
new file mode 100644
index 000000000000..490df7362eaa
--- /dev/null
+++ b/.changelog/33298.txt
@@ -0,0 +1,3 @@
+```release-notes:enhancement
+resource/aws_lakeformation_permissions: Allow `principal` to be an AWS federated-user arn
+```
diff --git a/internal/service/lakeformation/validate.go b/internal/service/lakeformation/validate.go
index 7f80be4868b2..43e183a90f93 100644
--- a/internal/service/lakeformation/validate.go
+++ b/internal/service/lakeformation/validate.go
@@ -29,9 +29,9 @@ func validPrincipal(v interface{}, k string) (ws []string, errors []error) {
 	ws = append(ws, wsARN...)
 	errors = append(errors, errorsARN...)
 
-	pattern := `:(role|user|group|ou|organization)/`
+	pattern := `:(role|user|federated-user|group|ou|organization)/`
 	if !regexache.MustCompile(pattern).MatchString(value) {
-		errors = append(errors, fmt.Errorf("%q does not look like a user, role, group, OU, or organization: %q", k, value))
+		errors = append(errors, fmt.Errorf("%q does not look like a user, federated-user, role, group, OU, or organization: %q", k, value))
 	}
 
 	if len(errors) > 0 {
diff --git a/internal/service/lakeformation/validate_test.go b/internal/service/lakeformation/validate_test.go
index a5b9f04b1ba4..d9f87b5341de 100644
--- a/internal/service/lakeformation/validate_test.go
+++ b/internal/service/lakeformation/validate_test.go
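Review bot: The new `federated-user` alternative is matched by an unanchored substring search on `value`, so the service segment of the ARN is not examined at all, yet the only accepted case added in validate_test.go is `arn:aws:iam::123456789012:federated-user/David`; as far as I know STS-issued federated-user ARNs are emitted under the `sts` service (`arn:aws:sts::<account>:federated-user/<name>`), so that form should appear in the accepted list too, and a near-miss such as `arn:aws:iam::123456789012:federated-userX/David` in the rejected list would pin the trailing `/` requirement. `regexache.MustCompile(pattern)` runs on every validation call; if that package caches compilations this is fine, otherwise a package-level `var principalPattern = regexache.MustCompile(...)` would avoid recompiling a constant pattern. The body of `validPrincipal` starts and continues outside this hunk (the `len(errors) > 0` branch is cut off).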
@@ -24,6 +24,7 @@ func TestValidPrincipal(t *testing.T) {
 		"111122223333", // lintignore:AWSAT005 // Example Account ID (Valid looking but not real)
 		"arn:aws-us-gov:iam::357342307427:role/tf-acc-test-3217321001347236965", // lintignore:AWSAT005 // IAM Role
 		"arn:aws:iam::123456789012:user/David", // lintignore:AWSAT005 // IAM User
+		"arn:aws:iam::123456789012:federated-user/David", // lintignore:AWSAT005 // IAM Federated User
 		"arn:aws-us-gov:iam:us-west-2:357342307427:role/tf-acc-test-3217321001347236965", // lintignore:AWSAT003,AWSAT005 // Non-global IAM Role?
 		"arn:aws:iam:us-east-1:123456789012:user/David", // lintignore:AWSAT003,AWSAT005 // Non-global IAM User?
 		"arn:aws:iam::111122223333:saml-provider/idp1:group/data-scientists", // lintignore:AWSAT005 // SAML group
diff --git a/website/docs/r/lakeformation_permissions.html.markdown b/website/docs/r/lakeformation_permissions.html.markdown
index 48fe50e51f03..c6770a42966b 100644
--- a/website/docs/r/lakeformation_permissions.html.markdown
+++ b/website/docs/r/lakeformation_permissions.html.markdown
@@ -152,7 +152,7 @@ resource "aws_lakeformation_permissions" "test" {
 The following arguments are required:
 * `permissions` – (Required) List of permissions granted to the principal. Valid values may include `ALL`, `ALTER`, `ASSOCIATE`, `CREATE_DATABASE`, `CREATE_TABLE`, `DATA_LOCATION_ACCESS`, `DELETE`, `DESCRIBE`, `DROP`, `INSERT`, and `SELECT`. For details on each permission, see [Lake Formation Permissions Reference](https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html).
-* `principal` – (Required) Principal to be granted the permissions on the resource. Supported principals include `IAM_ALLOWED_PRINCIPALS` (see [Default Behavior and `IAMAllowedPrincipals`](#default-behavior-and-iamallowedprincipals) above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see [Lake Formation Permissions Reference](https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html).
+* `principal` – (Required) Principal to be granted the permissions on the resource. Supported principals include `IAM_ALLOWED_PRINCIPALS` (see [Default Behavior and `IAMAllowedPrincipals`](#default-behavior-and-iamallowedprincipals) above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see [Lake Formation Permissions Reference](https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html).
 ~> **NOTE:** We highly recommend that the `principal` _NOT_ be a Lake Formation administrator (granted using `aws_lakeformation_data_lake_settings`). The entity (e.g., IAM role) running Terraform will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.