Merge pull request #19648 from danielcmessias/f-aws_lakeformation_per…

…missions-tag-support

LF-Tag support for aws_lakeformation_permissions

.changelog/19648.txt

@@ -0,0 +1,7 @@
+```release-note:note:enhancement
+resource/aws_lakeformation_permissions: Add LF-tag support
+```
+
+```release-note:note:enhancement
+datasource/aws_lakeformation_permissions: Add LF-tag support
+```

.github/scripts/semgrep.sh

@@ -1,11 +1,11 @@
 #!/bin/bash
 
-idx=$1
+cfile=$1
 
-results=$( semgrep -c .semgrep-"${idx}".yml 2>&1 )
+results=$( semgrep -c "${cfile}" 2>&1 )
 while [[ "${results}" == *Invalid_argument* ]] && [[ "${results}" == *" 0 findings"* ]]; do
   echo "${results}"
-  results=$( semgrep -c .semgrep-"${idx}".yml 2>&1 )
+  results=$( semgrep -c "${cfile}" 2>&1 )
 done
 if [[ ! "${results}" == *" 0 findings"* ]]; then
   echo "${results}" >&2

.github/workflows/semgrep-ci.yml

@@ -22,7 +22,7 @@ jobs:
     - uses: actions/checkout@v3
       with:
        fetch-depth: 0
-    - run: semgrep --config .semgrep.yml
+    - run: .github/scripts/semgrep.sh .semgrep.yml
   naming_cac:
     name: Semgrep Naming Scan Caps/AWS/EC2
     runs-on: ubuntu-latest
@@ -31,7 +31,7 @@ jobs:
     if: (github.action != 'dependabot[bot]')
     steps:
     - uses: actions/checkout@v3
-    - run: .github/scripts/semgrep.sh caps-aws-ec2
+    - run: .github/scripts/semgrep.sh .semgrep-caps-aws-ec2.yml
   naming_tests:
     name: Semgrep Test Configs Scan
     runs-on: ubuntu-latest
@@ -40,7 +40,7 @@ jobs:
     if: (github.action != 'dependabot[bot]')
     steps:
     - uses: actions/checkout@v3
-    - run: .github/scripts/semgrep.sh configs
+    - run: .github/scripts/semgrep.sh .semgrep-configs.yml
   naming_semgrep0:
     name: Semgrep Service Name Scan A-C
     runs-on: ubuntu-latest
@@ -49,7 +49,7 @@ jobs:
     if: (github.action != 'dependabot[bot]')
     steps:
     - uses: actions/checkout@v3
-    - run: .github/scripts/semgrep.sh service-name0
+    - run: .github/scripts/semgrep.sh .semgrep-service-name0.yml
   naming_semgrep1:
     name: Semgrep Service Name Scan C-I
     runs-on: ubuntu-latest
@@ -58,7 +58,7 @@ jobs:
     if: (github.action != 'dependabot[bot]')
     steps:
     - uses: actions/checkout@v3
-    - run: .github/scripts/semgrep.sh service-name1
+    - run: .github/scripts/semgrep.sh .semgrep-service-name1.yml
   naming_semgrep2:
     name: Semgrep Service Name Scan I-Q
     runs-on: ubuntu-latest
@@ -67,7 +67,7 @@ jobs:
     if: (github.action != 'dependabot[bot]')
     steps:
     - uses: actions/checkout@v3
-    - run: .github/scripts/semgrep.sh service-name2
+    - run: .github/scripts/semgrep.sh .semgrep-service-name2.yml
   naming_semgrep3:
     name: Semgrep Service Name Scan Q-Z
     runs-on: ubuntu-latest
@@ -76,4 +76,4 @@ jobs:
     if: (github.action != 'dependabot[bot]')
     steps:
     - uses: actions/checkout@v3
-    - run: .github/scripts/semgrep.sh service-name3
+    - run: .github/scripts/semgrep.sh .semgrep-service-name3.yml

GNUmakefile

@@ -199,6 +199,8 @@ semgrep:
 semall:
 	@echo "==> Running Semgrep checks locally (must have semgrep installed)..."
 	@semgrep -c .semgrep.yml
+	@semgrep -c .semgrep-caps-aws-ec2.yml
+	@semgrep -c .semgrep-configs.yml
 	@semgrep -c .semgrep-service-name0.yml
 	@semgrep -c .semgrep-service-name1.yml
 	@semgrep -c .semgrep-service-name2.yml

internal/service/lakeformation/filter.go

@@ -31,6 +31,14 @@ func FilterPermissions(input *lakeformation.ListPermissionsInput, tableType stri
 		return FilterDatabasePermissions(input.Principal.DataLakePrincipalIdentifier, allPermissions)
 	}
 
+	if input.Resource.LFTag != nil {
+		return FilterLFTagPermissions(input.Principal.DataLakePrincipalIdentifier, allPermissions)
+	}
+
+	if input.Resource.LFTagPolicy != nil {
+		return FilterLFTagPolicyPermissions(input.Principal.DataLakePrincipalIdentifier, allPermissions)
+	}
+
 	if tableType == TableTypeTableWithColumns {
 		return FilterTableWithColumnsPermissions(input.Principal.DataLakePrincipalIdentifier, input.Resource.Table, columnNames, excludedColumnNames, columnWildcard, allPermissions)
 	}
@@ -176,3 +184,35 @@ func FilterDatabasePermissions(principal *string, allPermissions []*lakeformatio
 
 	return cleanPermissions
 }
+
+func FilterLFTagPermissions(principal *string, allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+	var cleanPermissions []*lakeformation.PrincipalResourcePermissions
+
+	for _, perm := range allPermissions {
+		if aws.StringValue(principal) != aws.StringValue(perm.Principal.DataLakePrincipalIdentifier) {
+			continue
+		}
+
+		if perm.Resource.LFTag != nil {
+			cleanPermissions = append(cleanPermissions, perm)
+		}
+	}
+
+	return cleanPermissions
+}
+
+func FilterLFTagPolicyPermissions(principal *string, allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+	var cleanPermissions []*lakeformation.PrincipalResourcePermissions
+
+	for _, perm := range allPermissions {
+		if aws.StringValue(principal) != aws.StringValue(perm.Principal.DataLakePrincipalIdentifier) {
+			continue
+		}
+
+		if perm.Resource.LFTagPolicy != nil {
+			cleanPermissions = append(cleanPermissions, perm)
+		}
+	}
+
+	return cleanPermissions
+}

internal/service/lakeformation/lakeformation_test.go

@@ -19,11 +19,15 @@ func TestAccLakeFormation_serial(t *testing.T) {
 			"databaseMultiple":   testAccPermissions_databaseMultiple,
 			"dataLocation":       testAccPermissions_dataLocation,
 			"disappears":         testAccPermissions_disappears,
+			"lfTag":              testAccPermissions_lfTag,
+			"lfTagPolicy":        testAccPermissions_lfTagPolicy,
 		},
 		"PermissionsDataSource": {
 			"basic":            testAccPermissionsDataSource_basic,
 			"database":         testAccPermissionsDataSource_database,
 			"dataLocation":     testAccPermissionsDataSource_dataLocation,
+			"lfTag":            testAccPermissionsDataSource_lfTag,
+			"lfTagPolicy":      testAccPermissionsDataSource_lfTagPolicy,
 			"table":            testAccPermissionsDataSource_table,
 			"tableWithColumns": testAccPermissionsDataSource_tableWithColumns,
 		},

internal/service/lakeformation/lf_tag.go

@@ -74,7 +74,7 @@ func resourceLFTagCreate(d *schema.ResourceData, meta interface{}) error {
 
 	_, err := conn.CreateLFTag(input)
 	if err != nil {
-		return fmt.Errorf("Error creating Lake Formation LF-Tag: %w", err)
+		return fmt.Errorf("error creating Lake Formation LF-Tag: %w", err)
 	}
 
 	d.SetId(fmt.Sprintf("%s:%s", catalogID, tagKey))
@@ -96,14 +96,16 @@ func resourceLFTagRead(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	output, err := conn.GetLFTag(input)
-	if err != nil {
+	if !d.IsNewResource() {
 		if tfawserr.ErrCodeEquals(err, lakeformation.ErrCodeEntityNotFoundException) {
 			log.Printf("[WARN] Lake Formation LF-Tag (%s) not found, removing from state", d.Id())
 			d.SetId("")
 			return nil
 		}
+	}
 
-		return fmt.Errorf("Error reading Lake Formation LF-Tag: %s", err.Error())
+	if err != nil {
+		return fmt.Errorf("error reading Lake Formation LF-Tag: %s", err.Error())
 	}
 
 	d.Set("key", output.TagKey)
@@ -142,7 +144,7 @@ func resourceLFTagUpdate(d *schema.ResourceData, meta interface{}) error {
 
 	_, err = conn.UpdateLFTag(input)
 	if err != nil {
-		return fmt.Errorf("Error updating Lake Formation LF-Tag (%s): %w", d.Id(), err)
+		return fmt.Errorf("error updating Lake Formation LF-Tag (%s): %w", d.Id(), err)
 	}
 
 	return resourceLFTagRead(d, meta)
@@ -163,7 +165,7 @@ func resourceLFTagDelete(d *schema.ResourceData, meta interface{}) error {
 
 	_, err = conn.DeleteLFTag(input)
 	if err != nil {
-		return fmt.Errorf("Error deleting Lake Formation LF-Tag (%s): %w", d.Id(), err)
+		return fmt.Errorf("error deleting Lake Formation LF-Tag (%s): %w", d.Id(), err)
 	}
 
 	return nil
@@ -172,7 +174,7 @@ func resourceLFTagDelete(d *schema.ResourceData, meta interface{}) error {
 func ReadLFTagID(id string) (catalogID string, tagKey string, err error) {
 	idParts := strings.Split(id, ":")
 	if len(idParts) != 2 {
-		return "", "", fmt.Errorf("Unexpected format of ID (%q), expected CATALOG-ID:TAG-KEY", id)
+		return "", "", fmt.Errorf("unexpected format of ID (%q), expected CATALOG-ID:TAG-KEY", id)
 	}
 	return idParts[0], idParts[1], nil
 }

internal/service/lakeformation/lf_tag_test.go

@@ -22,10 +22,10 @@ func testAccLFTag_basic(t *testing.T) {
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(lakeformation.EndpointsID, t) },
-		ErrorCheck:   acctest.ErrorCheck(t, lakeformation.EndpointsID),
-		Providers:    acctest.Providers,
-		CheckDestroy: testAccCheckLFTagsDestroy,
+		PreCheck:          func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(lakeformation.EndpointsID, t) },
+		ErrorCheck:        acctest.ErrorCheck(t, lakeformation.EndpointsID),
+		ProviderFactories: acctest.ProviderFactories,
+		CheckDestroy:      testAccCheckLFTagsDestroy,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccLFTagConfig_basic(rName),
@@ -50,10 +50,10 @@ func testAccLFTag_disappears(t *testing.T) {
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(lakeformation.EndpointsID, t) },
-		ErrorCheck:   acctest.ErrorCheck(t, lakeformation.EndpointsID),
-		Providers:    acctest.Providers,
-		CheckDestroy: testAccCheckLFTagsDestroy,
+		PreCheck:          func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(lakeformation.EndpointsID, t) },
+		ErrorCheck:        acctest.ErrorCheck(t, lakeformation.EndpointsID),
+		ProviderFactories: acctest.ProviderFactories,
+		CheckDestroy:      testAccCheckLFTagsDestroy,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccLFTagConfig_basic(rName),
@@ -72,10 +72,10 @@ func testAccLFTag_values(t *testing.T) {
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(lakeformation.EndpointsID, t) },
-		ErrorCheck:   acctest.ErrorCheck(t, lakeformation.EndpointsID),
-		Providers:    acctest.Providers,
-		CheckDestroy: testAccCheckLFTagsDestroy,
+		PreCheck:          func() { acctest.PreCheck(t); acctest.PreCheckPartitionHasService(lakeformation.EndpointsID, t) },
+		ErrorCheck:        acctest.ErrorCheck(t, lakeformation.EndpointsID),
+		ProviderFactories: acctest.ProviderFactories,
+		CheckDestroy:      testAccCheckLFTagsDestroy,
 		Steps: []resource.TestStep{
 			{
 				Config:  testAccLFTagConfig_values(rName, []string{"value1", "value2"}),
@@ -149,7 +149,7 @@ func testAccCheckLFTagExists(name string) resource.TestCheckFunc {
 		}
 
 		if rs.Primary.ID == "" {
-			return fmt.Errorf("No ID is set")
+			return fmt.Errorf("no ID is set")
 		}
 
 		catalogID, tagKey, err := tflakeformation.ReadLFTagID(rs.Primary.ID)