@@ -226,9 +226,7 @@ export class DataLakeEnrollment extends cdk.Construct {
226226
227227 private createLakeFormationPermission ( resourceId : string , dataLakePrincipal : lakeformation . CfnPermissions . DataLakePrincipalProperty ,
228228 resource : lakeformation . CfnPermissions . ResourceProperty , permissions : string [ ] , grantablePremissions : string [ ] ) {
229-
230- console . log ( "CREATING lakeformation permission" ) ;
231-
229+
232230 new lakeformation . CfnPermissions ( this , resourceId , {
233231 dataLakePrincipal : dataLakePrincipal ,
234232 resource : resource ,
@@ -238,8 +236,7 @@ export class DataLakeEnrollment extends cdk.Construct {
238236 }
239237
240238 public grantLakeFormationPermissions ( principal : iam . IPrincipal , permissionGrant : DataLakeEnrollment . LakeFormationPermissionGrant ) {
241-
242- console . log ( "Granting lakeformation permission" ) ;
239+
243240
244241 this . grantCoarseIamRead ( principal ) ;
245242
@@ -252,34 +249,18 @@ export class DataLakeEnrollment extends cdk.Construct {
252249 databaseResource : { name : this . DataEnrollment . Dataset_Datalake . databaseName }
253250 } ;
254251
255- if ( principal instanceof iam . Role ) {
256- grantIdPrefix = `${ principal . roleName } -${ this . DataSetName } `
257- dataLakePrincipal = { dataLakePrincipalIdentifier : principal . roleArn } ;
258- }
252+ const resolvedPrincipalType = this . determinePrincipalType ( principal ) ;
259253
260- if ( principal instanceof iam . User ) {
261- grantIdPrefix = `${ principal . userName } -${ this . DataSetName } `
262- dataLakePrincipal = { dataLakePrincipalIdentifier : principal . userName } ;
254+ if ( resolvedPrincipalType === iam . Role ) {
255+ const resolvedPrincipal = principal as iam . Role ;
256+ grantIdPrefix = `${ resolvedPrincipal . roleArn } -${ this . DataSetName } `
257+ dataLakePrincipal = { dataLakePrincipalIdentifier : resolvedPrincipal . roleArn } ;
263258 }
264259
265- if ( principal instanceof cdk . Resource ) {
266-
267- try {
268- const user = principal as iam . User ;
269- grantIdPrefix = `${ user . userName } -${ this . DataSetName } `
270- dataLakePrincipal = { dataLakePrincipalIdentifier : user . userName } ;
271- return ;
272- } catch ( exception ) {
273- console . log ( exception ) ;
274- }
275- try {
276- const role = principal as iam . Role ;
277- grantIdPrefix = `${ role . roleName } -${ this . DataSetName } `
278- dataLakePrincipal = { dataLakePrincipalIdentifier : role . roleArn } ;
279- return ;
280- } catch ( exception ) {
281- console . log ( exception ) ;
282- }
260+ if ( resolvedPrincipalType === iam . User ) {
261+ const resolvedPrincipal = principal as iam . User ;
262+ grantIdPrefix = `${ resolvedPrincipal . userName } -${ this . DataSetName } `
263+ dataLakePrincipal = { dataLakePrincipalIdentifier : resolvedPrincipal . userName } ;
283264 }
284265
285266 this . createLakeFormationPermission ( `${ grantIdPrefix } -databaseGrant` , dataLakePrincipal , databaseResourceProperty , permissionGrant . DatabasePermissions , permissionGrant . GrantableDatabasePermissions )
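Review bot: The Role branch now builds the construct ID from `resolvedPrincipal.roleArn` (the `grantIdPrefix = ...roleArn...` line) rather than `roleName`; for a Role defined in the same CDK app the ARN is an unresolved token, and CDK rejects tokens in construct IDs, so `createLakeFormationPermission` below would throw at synth for exactly the in-stack roles this method is meant to serve. Keep the name for the ID and the ARN for the principal, e.g. `grantIdPrefix = \`${resolvedPrincipal.roleName}-${this.DataSetName}\``. Because `determinePrincipalType` (lower in this diff) classifies any `cdk.Resource` that is not a concrete `Role` or `User` as a User, an imported role would reach the User branch here with `userName` undefined and a `dataLakePrincipalIdentifier` of `undefined` — worth rejecting explicitly before any grant is created. Separately, and not introduced by this commit, Lake Formation expects an IAM ARN as the principal identifier, so `userName` (a bare name) should be checked against what actually deploys. The method's body continues past the end of this hunk.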
@@ -291,47 +272,60 @@ export class DataLakeEnrollment extends cdk.Construct {
291272 databaseName : this . DataEnrollment . Dataset_Datalake . databaseName
292273 }
293274 } ;
294- this . createLakeFormationPermission ( `${ grantIdPrefix } -databaseTableGrant` , dataLakePrincipal , tableResourceProperty , permissionGrant . TablePermissions , permissionGrant . TablePermissions )
275+ this . createLakeFormationPermission ( `${ grantIdPrefix } -${ table } - databaseTableGrant` , dataLakePrincipal , tableResourceProperty , permissionGrant . TablePermissions , permissionGrant . TablePermissions )
295276 } ) ;
296277
297278 }
298279
299- public grantCoarseIamRead ( principal : iam . IPrincipal ) {
280+ private determinePrincipalType ( principal : iam . IPrincipal ) {
300281
301- if ( principal instanceof iam . Role ) {
302- this . CoarseAthenaAccessPolicy . attachToRole ( principal ) ;
303- this . CoarseResourceAccessPolicy . attachToRole ( principal ) ;
304- return ;
282+ if ( principal instanceof iam . Role ) {
283+ //return principal as iam.Role;
284+ return iam . Role ;
305285 }
306286
307287 if ( principal instanceof iam . User ) {
308- this . CoarseAthenaAccessPolicy . attachToUser ( principal ) ;
309- this . CoarseResourceAccessPolicy . attachToUser ( principal ) ;
310- return ;
288+ //return principal as iam.User;
289+ return iam . User ;
311290 }
312291
313292 if ( principal instanceof cdk . Resource ) {
314-
293+
315294 try {
316- const user = principal as iam . User ;
317- this . CoarseAthenaAccessPolicy . attachToUser ( user ) ;
318- this . CoarseResourceAccessPolicy . attachToUser ( user ) ;
319- return ;
295+ const user = principal as iam . User ;
296+ return iam . User ;
320297 } catch ( exception ) {
321298 console . log ( exception ) ;
322299 }
323300 try {
324301 const role = principal as iam . Role ;
325- this . CoarseAthenaAccessPolicy . attachToRole ( role ) ;
326- this . CoarseResourceAccessPolicy . attachToRole ( role ) ;
327- return ;
302+ return iam . Role ;
328303 } catch ( exception ) {
329304 console . log ( exception ) ;
330305 }
306+ }
307+
308+ throw ( "Unable to deterimine principal type..." ) ;
331309
310+ }
311+
312+
313+ public grantCoarseIamRead ( principal : iam . IPrincipal ) {
314+
315+ const resolvedPrincipalType = this . determinePrincipalType ( principal ) ;
332316
317+ if ( resolvedPrincipalType === iam . Role ) {
318+ this . CoarseAthenaAccessPolicy . attachToRole ( principal as iam . Role ) ;
319+ this . CoarseResourceAccessPolicy . attachToRole ( principal as iam . Role ) ;
320+ return ;
333321 }
334322
323+ if ( resolvedPrincipalType === iam . User ) {
324+ this . CoarseAthenaAccessPolicy . attachToUser ( principal as iam . User ) ;
325+ this . CoarseResourceAccessPolicy . attachToUser ( principal as iam . User ) ;
326+ return ;
327+ }
328+
335329 throw ( "Unable to attach policy. Principal is not a user or role." ) ;
336330
337331 }
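Review bot: In `determinePrincipalType` the `cdk.Resource` branch relies on `principal as iam.User` throwing, but a TypeScript `as` cast is compile-time only and never throws, so every `cdk.Resource` that is not a concrete `Role`/`User` (e.g. an imported role from `Role.fromRoleArn`) is reported as `iam.User`, the second `try` and the final `throw` are unreachable for resources, and `grantCoarseIamRead` then calls `attachToUser` on a role-like object. The type should be probed at runtime by shape instead, and the thrown value should be an `Error` rather than a bare string so callers and CDK report it properly (the `"Unable to attach policy..."` throw at the bottom is also unreachable now, since the helper throws first). On the table grant line, `permissionGrant.TablePermissions` is passed as both the permissions and the grantable permissions, so every principal receives grant option on all of its table permissions, unlike the database grant which uses the separate `GrantableDatabasePermissions`; if the grant type has a `GrantableTablePermissions` field, pass that, otherwise pass `[]` to keep least privilege.
```typescript
private determinePrincipalType(principal: iam.IPrincipal) {
    if (principal instanceof iam.Role) { return iam.Role; }
    if (principal instanceof iam.User) { return iam.User; }
    // `as` casts never throw at runtime, so probe the shape of imported/L2 resources instead.
    if ((principal as any).roleArn !== undefined) { return iam.Role; }
    if ((principal as any).userName !== undefined) { return iam.User; }
    throw new Error("Unable to determine principal type...");
}
// … unchanged: grantCoarseIamRead …
```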