Merge pull request #34474 from pixie79/34471

r/lakeformation_data_lake_settings: add `allow_full_table_external_data_access` attribute

.changelog/34474.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_lakeformation_data_lake_settings: Add `allow_full_table_external_data_access` attribute
+```
+
+```release-note:enhancement
+data-source/aws_lakeformation_data_lake_settings: Add `allow_full_table_external_data_access` attribute
+```

internal/service/lakeformation/data_lake_settings.go

@@ -61,6 +61,10 @@ func ResourceDataLakeSettings() *schema.Resource {
 				Type:     schema.TypeBool,
 				Optional: true,
 			},
+			"allow_full_table_external_data_access": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
 			"authorized_session_tag_value_list": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -188,6 +192,10 @@ func resourceDataLakeSettingsCreate(ctx context.Context, d *schema.ResourceData,
 		settings.TrustedResourceOwners = flex.ExpandStringValueList(v.([]interface{}))
 	}
 
+	if v, ok := d.GetOk("allow_full_table_external_data_access"); ok {
+		settings.AllowFullTableExternalDataAccess = aws.Bool(v.(bool))
+	}
+
 	input.DataLakeSettings = settings
 
 	var output *lakeformation.PutDataLakeSettingsOutput
@@ -261,6 +269,7 @@ func resourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData, m
 	d.Set("create_table_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateTableDefaultPermissions))
 	d.Set("external_data_filtering_allow_list", flattenDataLakeSettingsDataFilteringAllowList(settings.ExternalDataFilteringAllowList))
 	d.Set("trusted_resource_owners", flex.FlattenStringValueList(settings.TrustedResourceOwners))
+	d.Set("allow_full_table_external_data_access", settings.AllowFullTableExternalDataAccess)
 
 	return diags
 }

internal/service/lakeformation/data_lake_settings_data_source.go

@@ -41,6 +41,10 @@ func DataSourceDataLakeSettings() *schema.Resource {
 				Type:     schema.TypeBool,
 				Computed: true,
 			},
+			"allow_full_table_external_data_access": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
 			"authorized_session_tag_value_list": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -134,7 +138,8 @@ func dataSourceDataLakeSettingsRead(ctx context.Context, d *schema.ResourceData,
 	d.Set("create_database_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateDatabaseDefaultPermissions))
 	d.Set("create_table_default_permissions", flattenDataLakeSettingsCreateDefaultPermissions(settings.CreateTableDefaultPermissions))
 	d.Set("external_data_filtering_allow_list", flattenDataLakeSettingsDataFilteringAllowList(settings.ExternalDataFilteringAllowList))
-	d.Set("trusted_resource_owners", flex.FlattenStringValueList(settings.TrustedResourceOwners))
+	d.Set("trusted_resource_owners", flex.FlattenStringyValueList(settings.TrustedResourceOwners))
+	d.Set("allow_full_table_external_data_access", settings.AllowFullTableExternalDataAccess)
 
 	return diags
 }

internal/service/lakeformation/data_lake_settings_data_source_test.go

@@ -30,6 +30,7 @@ func testAccDataLakeSettingsDataSource_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "allow_external_data_filtering", acctest.CtFalse),
 					resource.TestCheckResourceAttr(resourceName, "external_data_filtering_allow_list.#", acctest.Ct0),
 					resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.#", acctest.Ct0),
+					resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", acctest.CtFalse),
 				),
 			},
 		},

internal/service/lakeformation/data_lake_settings_test.go

@@ -50,6 +50,7 @@ func testAccDataLakeSettings_basic(t *testing.T) {
 					resource.TestCheckResourceAttrPair(resourceName, "external_data_filtering_allow_list.0", "data.aws_caller_identity.current", names.AttrAccountID),
 					resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.#", acctest.Ct1),
 					resource.TestCheckResourceAttr(resourceName, "authorized_session_tag_value_list.0", "engine1"),
+					resource.TestCheckResourceAttr(resourceName, "allow_full_table_external_data_access", acctest.CtTrue),
 				),
 			},
 		},
@@ -205,11 +206,12 @@ resource "aws_lakeformation_data_lake_settings" "test" {
     permissions = ["ALL"]
   }
 
-  admins                             = [data.aws_iam_session_context.current.issuer_arn]
-  trusted_resource_owners            = [data.aws_caller_identity.current.account_id]
-  allow_external_data_filtering      = true
-  external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id]
-  authorized_session_tag_value_list  = ["engine1"]
+  admins                                = [data.aws_iam_session_context.current.issuer_arn]
+  trusted_resource_owners               = [data.aws_caller_identity.current.account_id]
+  allow_external_data_filtering         = true
+  allow_full_table_external_data_access = true
+  external_data_filtering_allow_list    = [data.aws_caller_identity.current.account_id]
+  authorized_session_tag_value_list     = ["engine1"]
 }
 `
 

website/docs/d/lakeformation_data_lake_settings.html.markdown

@@ -36,6 +36,7 @@ This data source exports the following attributes in addition to the arguments a
 * `allow_external_data_filtering` - Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
 * `external_data_filtering_allow_list` - A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
 * `authorized_session_tag_value_list` - Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
+* `allow_full_table_external_data_access` - Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.
 
 ### create_database_default_permissions
 

website/docs/r/lakeformation_data_lake_settings.html.markdown

@@ -56,9 +56,10 @@ resource "aws_lakeformation_data_lake_settings" "example" {
     principal   = aws_iam_role.test.arn
   }
 
-  allow_external_data_filtering      = true
-  external_data_filtering_allow_list = [data.aws_caller_identity.current.account_id, data.aws_caller_identity.third_party.account_id]
-  authorized_session_tag_value_list  = ["Amazon EMR"]
+  allow_external_data_filtering         = true
+  external_data_filtering_allow_list    = [data.aws_caller_identity.current.account_id, data.aws_caller_identity.third_party.account_id]
+  authorized_session_tag_value_list     = ["Amazon EMR"]
+  allow_full_table_external_data_access = true
 }
 ```
 
@@ -75,6 +76,7 @@ The following arguments are optional:
 * `allow_external_data_filtering` - (Optional) Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
 * `external_data_filtering_allow_list` - (Optional) A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
 * `authorized_session_tag_value_list` - (Optional) Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
+* `allow_full_table_external_data_access` - (Optional) Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.
 
 ~> **NOTE:** Although optional, not including `admins`, `create_database_default_permissions`, `create_table_default_permissions`, and/or `trusted_resource_owners` results in the setting being cleared.