Support s3 table

streamnative · Feb 7, 2025 · 776b629 · 776b629
1 parent cc5d04f
commit 776b629
Show file tree

Hide file tree

Showing 5 changed files with 106 additions and 0 deletions.
diff --git a/examples/volume-and-s3-table-access/main.tf b/examples/volume-and-s3-table-access/main.tf
@@ -0,0 +1,18 @@
+module "sn_managed_cloud_access_bucket" {
+  source = "../../modules/aws/volume-access"
+
+  external_id = "max"
+  role        = "sn-ursa-accoss-account"
+  buckets = [
+  ]
+
+  account_ids = [
+  ]
+}
+
+module "sn_managed_cloud_access_s3_table" {
+  source     = "../../modules/aws/s3-table-access"
+  role       = module.sn_managed_cloud_access_bucket.role
+  s3_tables  = []
+  depends_on = [module.sn_managed_cloud_access_bucket]
+}
diff --git a/modules/aws/s3-table-access/main.tf b/modules/aws/s3-table-access/main.tf
@@ -0,0 +1,51 @@
+data "aws_caller_identity" "current" {}
+locals {
+  s3_tables_resource = distinct([for item in var.s3_tables : endswith(item, "/*") ? "${item}" : "${item}/*"])
+  tag_set            = merge({ Vendor = "StreamNative", Module = "StreamNative Volume", SNVersion = var.sn_policy_version }, var.tags)
+}
+
+######
+#-- Create the IAM role inline policy for the the StreamNative Cloud access to s3 table
+######
+resource "aws_iam_role_policy" "s3_access_policy" {
+  name = var.role
+  role = var.role
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "LakeFormationPermissionsForS3ListTableBucket",
+        "Effect" : "Allow",
+        "Action" : [
+          "s3tables:ListTableBuckets"
+        ],
+        "Resource" : [
+          "*"
+        ]
+      },
+      {
+        "Sid" : "LakeFormationDataAccessPermissionsForS3TableBucket",
+        "Effect" : "Allow",
+        "Action" : [
+          "s3tables:CreateTableBucket",
+          "s3tables:GetTableBucket",
+          "s3tables:CreateNamespace",
+          "s3tables:GetNamespace",
+          "s3tables:ListNamespaces",
+          "s3tables:DeleteNamespace",
+          "s3tables:DeleteTableBucket",
+          "s3tables:CreateTable",
+          "s3tables:DeleteTable",
+          "s3tables:GetTable",
+          "s3tables:ListTables",
+          "s3tables:RenameTable",
+          "s3tables:UpdateTableMetadataLocation",
+          "s3tables:GetTableMetadataLocation",
+          "s3tables:GetTableData",
+          "s3tables:PutTableData"
+        ],
+        "Resource" : local.s3_tables_resource
+      }
+    ]
+  })
+}
diff --git a/modules/aws/s3-table-access/variables.tf b/modules/aws/s3-table-access/variables.tf
@@ -0,0 +1,22 @@
+variable "sn_policy_version" {
+  description = "The value of SNVersion tag"
+  default     = "3.16.1" # {{ x-release-please-version }}
+  type        = string
+}
+
+variable "tags" {
+  default     = {}
+  description = "Extra tags to apply to the resources created by this module."
+  type        = map(string)
+}
+
+variable "s3_tables" {
+  default     = []
+  description = "User s3 tables and path name"
+  type        = list(string)
+}
+
+variable "role" {
+  description = "Your aws iam role for access s3 bucket"
+  type        = string
+}
diff --git a/modules/aws/s3-table-access/versions.tf b/modules/aws/s3-table-access/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.30"
+    }
+  }
+}
diff --git a/modules/aws/volume-access/main.tf b/modules/aws/volume-access/main.tf
@@ -76,4 +76,9 @@ resource "aws_iam_role" "access_bucket_role" {
   path                 = "/StreamNative/"
   tags                 = local.tag_set
   max_session_duration = 43200
+}
+
+output "role" {
+  value       = var.role
+  description = "role name"
 }