in packages/constructs/L3/dataops/dataops-project-l3-construct/lib/dataops-project-l3-construct.ts [959:1107]
private createDatabaseLakeFormationConstruct(
databaseName: string,
dbResourceName: string,
database: CfnDatabase,
databaseLakeFormationProps: DatabaseLakeFormationProps,
createDatazoneDatasource: boolean,
datazoneManageAccessRole?: IRole,
locationArn?: string,
) {
// Provide Project Execution Roles (principal) data location permissions to create data catalog
// tables that point to specified data-locations
if (databaseLakeFormationProps.createReadWriteGrantsForProjectExecutionRoles && locationArn) {
this.projectExecutionRoles.forEach(role => {
const grantId = LakeFormationAccessControlL3Construct.generateIdentifier(databaseName, role.refId());
const grant = new CfnPrincipalPermissions(this, `lf-data-location-grant-${grantId}`, {
principal: {
dataLakePrincipalIdentifier: role.arn(),
},
resource: {
dataLocation: {
catalogId: this.account,
resourceArn: locationArn,
},
},
permissions: ['DATA_LOCATION_ACCESS'],
permissionsWithGrantOption: [],
});
grant.addDependency(database);
});
}
const projectRoleGrantProps: { [key: string]: GrantProps } = {};
if (databaseLakeFormationProps.createSuperGrantsForDataAdminRoles) {
projectRoleGrantProps[`data-admins-${databaseName}`] = {
database: dbResourceName,
databasePermissions: LakeFormationAccessControlL3Construct.DATABASE_SUPER_PERMISSIONS,
principals: Object.fromEntries(
this.dataAdminRoles.map(x => {
return [
x.refId(),
{
role: x,
},
];
}),
),
tablePermissions: LakeFormationAccessControlL3Construct.TABLE_SUPER_PERMISSIONS,
};
}
if (databaseLakeFormationProps.createReadGrantsForDataEngineerRoles) {
projectRoleGrantProps[`data-engineers-${databaseName}`] = {
database: dbResourceName,
databasePermissions: LakeFormationAccessControlL3Construct.DATABASE_READ_PERMISSIONS,
principals: Object.fromEntries(
this.dataEngineerRoles.map(x => {
return [
x.refId(),
{
role: x,
},
];
}),
),
tablePermissions: LakeFormationAccessControlL3Construct.TABLE_READ_PERMISSIONS,
};
}
if (databaseLakeFormationProps.createReadWriteGrantsForProjectExecutionRoles) {
projectRoleGrantProps[`execution-roles-${databaseName}`] = {
database: dbResourceName,
databasePermissions: LakeFormationAccessControlL3Construct.DATABASE_READ_WRITE_PERMISSIONS,
principals: Object.fromEntries(
this.projectExecutionRoles.map(x => {
return [
x.refId(),
{
role: x,
},
];
}),
),
tablePermissions: LakeFormationAccessControlL3Construct.TABLE_READ_WRITE_PERMISSIONS,
};
}
if (createDatazoneDatasource && datazoneManageAccessRole) {
projectRoleGrantProps[`datazone-roles-${databaseName}`] = {
database: dbResourceName,
databasePermissions: LakeFormationAccessControlL3Construct.DATABASE_READ_WRITE_PERMISSIONS,
databaseGrantablePermissions: LakeFormationAccessControlL3Construct.DATABASE_READ_WRITE_PERMISSIONS,
principals: {
datazone: {
role: {
refId: 'datazone',
arn: datazoneManageAccessRole?.roleArn,
},
},
},
tablePermissions: LakeFormationAccessControlL3Construct.TABLE_READ_WRITE_PERMISSIONS,
tableGrantablePermissions: LakeFormationAccessControlL3Construct.TABLE_READ_WRITE_PERMISSIONS,
};
}
const lfGrantProps: NamedGrantProps =
Object.fromEntries(
Object.entries(databaseLakeFormationProps?.grants || {}).map(entry => {
const dbGrantName = entry[0];
const dbGrantProps = entry[1];
const lakeFormationGrantProps = this.createLakeFormationGrantProps(dbResourceName, dbGrantProps);
return [`${databaseName}-${dbGrantName}`, lakeFormationGrantProps];
}),
) || {};
const resourceLinkName = databaseLakeFormationProps.createCrossAccountResourceLinkName || dbResourceName;
const resourceLinkProps: NamedResourceLinkProps = Object.fromEntries(
databaseLakeFormationProps?.createCrossAccountResourceLinkAccounts?.map(account => {
const accountPrincipalEntries = Object.entries(lfGrantProps)
.map(lfGrantEntry => {
const lfGrantProps = lfGrantEntry[1];
return Object.entries(lfGrantProps.principals).filter(principalEntry => {
const principalName = principalEntry[0];
const principalProps = principalEntry[1];
const principalAccount = this.determinePrincipalAccount(principalName, principalProps);
return principalAccount == account;
});
})
.flat();
const namedAccountPrincipals: NamedPrincipalProps = Object.fromEntries(accountPrincipalEntries);
const props: ResourceLinkProps = {
targetDatabase: dbResourceName,
targetAccount: this.account,
fromAccount: account,
grantPrincipals: namedAccountPrincipals,
};
return [resourceLinkName, props];
}) || [],
);
const lakeFormationProps: LakeFormationAccessControlL3ConstructProps = {
grants: { ...projectRoleGrantProps, ...lfGrantProps },
resourceLinks: resourceLinkProps,
externalDatabaseDependency: database,
...(this.props as MdaaL3ConstructProps),
};
//Use the LF Account Control construct to create all database grants and resource links
const lf = new LakeFormationAccessControlL3Construct(this, `lf-grants-${databaseName}`, lakeFormationProps);
lf.node.addDependency(database);
}