Adding grantDataLocation() capability.

Author: paulu-aws

lib/constructs/data-lake-enrollment.ts

@@ -13,13 +13,13 @@ import { DataSetEnrollmentProps, DataSetEnrollment } from './data-set-enrollment
 
 export class DataLakeEnrollment extends cdk.Construct {
 
-  public DataEnrollment: DataSetEnrollment;
-  public DataSetName: string;
-  private CoarseAthenaAccessPolicy: iam.ManagedPolicy;
-  private CoarseResourceAccessPolicy: iam.ManagedPolicy;
-  private CoarseIamPolciesApplied: boolean;
+    public DataEnrollment: DataSetEnrollment;
+    public DataSetName: string;
+    private CoarseAthenaAccessPolicy: iam.ManagedPolicy;
+    private CoarseResourceAccessPolicy: iam.ManagedPolicy;
+    private CoarseIamPolciesApplied: boolean;
 
-  constructor(scope: cdk.Construct, id: string, props: DataLakeEnrollment.DataLakeEnrollmentProps) {
+    constructor(scope: cdk.Construct, id: string, props: DataLakeEnrollment.DataLakeEnrollmentProps) {
         super(scope, id);
 
 
@@ -28,6 +28,19 @@ export class DataLakeEnrollment extends cdk.Construct {
 
     }
 
+    protected grantGlueRoleLakeFormationPermissions(DataSetGlueRole: iam.Role, DataSetName: string) {
+
+        this.grantDataLocationPermissions(this.DataEnrollment.DataSetGlueRole, {
+            Grantable: true,
+            GrantResourcePrefix: `${DataSetName}locationGrant`
+        });
+        this.grantDatabasePermission(this.DataEnrollment.DataSetGlueRole,  {		     
+		     DatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantResourcePrefix: `${DataSetName}RoleGrant`
+		}, true);
+    }
+
 
     public createCoarseIamPolicy(){
 
@@ -226,6 +239,45 @@ export class DataLakeEnrollment extends cdk.Construct {
 
     }
 
+    public grantDataLocationPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.DataLocationGrant){
+        
+        var grantIdPrefix = ""
+        var dataLakePrincipal : lakeformation.CfnPermissions.DataLakePrincipalProperty = {
+            dataLakePrincipalIdentifier: ""
+        };
+
+        var dataLocationProperty : lakeformation.CfnPermissions.ResourceProperty = {
+            dataLocationResource: {
+                s3Resource: `arn:aws:s3:::${this.DataEnrollment.DataLakeBucketName}${this.DataEnrollment.DataLakePrefix}`            
+            }            
+        };
+        const resolvedPrincipalType = this.determinePrincipalType(principal);
+
+        if(resolvedPrincipalType === iam.Role) {
+            const resolvedPrincipal = principal as  iam.Role;
+
+            if(permissionGrant.GrantResourcePrefix){
+                grantIdPrefix = `${permissionGrant.GrantResourcePrefix}-${this.DataSetName}`
+            }else{
+                grantIdPrefix = `${resolvedPrincipal.roleName}-${this.DataSetName}`
+            }            
+            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.roleArn };
+		}
+
+	    if(resolvedPrincipalType === iam.User){
+            const resolvedPrincipal = principal as  iam.User;
+            grantIdPrefix = `${resolvedPrincipal.userName}-${this.DataSetName}`
+            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.userArn };
+		}
+
+        if(permissionGrant.Grantable){
+            this.createLakeFormationPermission(`${grantIdPrefix}-locationGrant`,dataLakePrincipal , dataLocationProperty, ['DATA_LOCATION_ACCESS'], ['DATA_LOCATION_ACCESS']);
+        }else {
+            this.createLakeFormationPermission(`${grantIdPrefix}-locationGrant`,dataLakePrincipal , dataLocationProperty, ['DATA_LOCATION_ACCESS'], ['']);
+        }                
+
+
+    }
 
     public grantTableWithColumnPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TableWithColumnPermissionGrant){
 
@@ -285,8 +337,7 @@ export class DataLakeEnrollment extends cdk.Construct {
         var dataLakePrincipal : lakeformation.CfnPermissions.DataLakePrincipalProperty = {
             dataLakePrincipalIdentifier: ""
         };
-        var databaseResourceProperty : lakeformation.CfnPermissions.ResourceProperty = {
-            //dataLocationResource: {resourceArn: this.DataEnrollment.DataLakeBucketName},
+        var databaseResourceProperty : lakeformation.CfnPermissions.ResourceProperty = {            
             databaseResource: {name: this.DataEnrollment.Dataset_Datalake.databaseName}
         };
 
@@ -327,7 +378,7 @@ export class DataLakeEnrollment extends cdk.Construct {
 
 
     public grantTablePermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TablePermissionGrant){
-
+        
         const coreGrant = this.setupIamAndLakeFormationDatabasePermissionForPrincipal(principal, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions);
 
         permissionGrant.tables.forEach(table => {
@@ -483,6 +534,10 @@ export namespace DataLakeEnrollment
         GrantResourcePrefix?: string;
     }
 
+    export interface DataLocationGrant{
+        Grantable: boolean;
+        GrantResourcePrefix?: string;
+    }
 
     export interface TablePermissionGrant {
         tables: Array<string>;

lib/constructs/rds-data-set-enrollment.ts

@@ -64,12 +64,7 @@ export class RDSPostgresDataSetEnrollment extends DataLakeEnrollment {
 
 
 		this.createCoarseIamPolicy();
-
-        this.grantDatabasePermission(this.DataEnrollment.DataSetGlueRole,  {		     
-			DatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
-			GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
-			GrantResourcePrefix: `${props.DataSetName}RoleGrant`
-	   }, true);
+		this.grantGlueRoleLakeFormationPermissions(this.DataEnrollment.DataSetGlueRole, props.DataSetName); 
 
 	}
 }

lib/constructs/s3-data-set-enrollment.ts

@@ -16,6 +16,22 @@ export interface S3dataSetEnrollmentProps extends DataLakeEnrollment.DataLakeEnr
 
 
 export class S3dataSetEnrollment extends DataLakeEnrollment{
+
+
+
+    grantGlueRoleLakeFormationPermissions(DataSetGlueRole: iam.Role, DataSetName: string) {
+
+        this.grantDataLocationPermissions(this.DataEnrollment.DataSetGlueRole, {
+            Grantable: true,
+            GrantResourcePrefix: `${DataSetName}locationGrant`
+        });
+        this.grantDatabasePermission(this.DataEnrollment.DataSetGlueRole,  {		     
+		     DatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantResourcePrefix: `${DataSetName}RoleGrant`
+		}, true);
+    }
+
 	constructor(scope: cdk.Construct, id: string, props: S3dataSetEnrollmentProps) {
 		super(scope, id, props);
 
@@ -59,13 +75,10 @@ export class S3dataSetEnrollment extends DataLakeEnrollment{
 		});
 
         this.createCoarseIamPolicy();
-        
 
-        this.grantDatabasePermission(this.DataEnrollment.DataSetGlueRole,  {		     
-		     DatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
-             GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
-             GrantResourcePrefix: `${props.DataSetName}RoleGrant`
-		}, true);
+        this.grantGlueRoleLakeFormationPermissions(this.DataEnrollment.DataSetGlueRole, props.DataSetName); 
+        
+        
 
 
 	}