From f4b25e04dbe2653bb593050be9b31dbc2657d3ee Mon Sep 17 00:00:00 2001
From: javbeltran_expedia
Date: Wed, 15 Apr 2026 19:03:15 +0200
Subject: [PATCH 1/3] feat: default enable_glue_stats, create_lf_data_access_role and create_glue_stats_vendor_role_tbl_permissions to true

Co-authored-by: Claude Sonnet 4.6
---
 CHANGELOG.md | 4 ++++
 variables.tf | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8db265a..c5e6eb2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [7.12.9] - 2026-04-15
+### Changed
+- Changed default values of `enable_glue_stats`, `create_lf_data_access_role`, and `create_glue_stats_vendor_role_tbl_permissions` to `true`.
+
 ## [7.12.8] - 2026-04-15
 ### Added
 - Added var `create_glue_stats_vendor_role_tbl_permissions` to create LakeFormation table permissions (`DESCRIBE`, `INSERT`, `DELETE`) for the Glue stats service role on all schemas.
diff --git a/variables.tf b/variables.tf
index 3c557a7..bfa6462 100644
--- a/variables.tf
+++ b/variables.tf
@@ -600,7 +600,7 @@ variable "create_lf_resource" {
 variable "create_lf_data_access_role" {
   description = "Create LakeFormation data access role."
   type = bool
-  default = false
+  default = true
 }

 variable "lf_hybrid_access_enabled" {
@@ -1218,13 +1218,13 @@ variable "enable_splunk_logging" {
 variable "enable_glue_stats" {
   description = "Enable automatic Glue column statistics collection."
   type = bool
-  default = false
+  default = true
 }

 variable "create_glue_stats_vendor_role_tbl_permissions" {
   description = "Create LakeFormation table permissions (DESCRIBE, INSERT, DELETE) for the Glue stats service role on all schemas."
   type = bool
-  default = false
+  default = true
 }

 variable "splunk_hec_token" {
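Review bot: Flipping `create_lf_data_access_role` and `create_glue_stats_vendor_role_tbl_permissions` from `false` to `true` in the `@@ -600` and `@@ -1218` hunks makes every existing consumer of the module create an additional IAM role and grant `DESCRIBE`/`INSERT`/`DELETE` on all schemas on its next apply, without any opt-in. A permissive-by-default change of that kind is a behavioural change for callers and does not fit a patch-level bump to 7.12.9 under the Semantic Versioning claim the same commit leaves in CHANGELOG.md; it belongs in a minor or major release with a "Changed (behavioural)" note. Patch 2/3 of this series reverts the commit, so the net effect of the series keeps the defaults at `false`; if the change is re-proposed, keep `default = false` for the two permission-granting variables and let consumers enable them explicitly.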
From b4eebfb4e4eb03e6940fc6444321bb1b3f006626 Mon Sep 17 00:00:00 2001
From: javbeltran_expedia
Date: Wed, 15 Apr 2026 19:07:49 +0200
Subject: [PATCH 2/3] Revert "feat: default enable_glue_stats, create_lf_data_access_role and create_glue_stats_vendor_role_tbl_permissions to true"

This reverts commit f4b25e04dbe2653bb593050be9b31dbc2657d3ee.
---
 CHANGELOG.md | 4 ----
 variables.tf | 6 +++---
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c5e6eb2..8db265a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,10 +3,6 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
-## [7.12.9] - 2026-04-15
-### Changed
-- Changed default values of `enable_glue_stats`, `create_lf_data_access_role`, and `create_glue_stats_vendor_role_tbl_permissions` to `true`.
-
 ## [7.12.8] - 2026-04-15
 ### Added
 - Added var `create_glue_stats_vendor_role_tbl_permissions` to create LakeFormation table permissions (`DESCRIBE`, `INSERT`, `DELETE`) for the Glue stats service role on all schemas.
diff --git a/variables.tf b/variables.tf
index bfa6462..3c557a7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -600,7 +600,7 @@ variable "create_lf_resource" {
 variable "create_lf_data_access_role" {
   description = "Create LakeFormation data access role."
   type = bool
-  default = true
+  default = false
 }

 variable "lf_hybrid_access_enabled" {
@@ -1218,13 +1218,13 @@ variable "enable_splunk_logging" {
 variable "enable_glue_stats" {
   description = "Enable automatic Glue column statistics collection."
   type = bool
-  default = true
+  default = false
 }

 variable "create_glue_stats_vendor_role_tbl_permissions" {
   description = "Create LakeFormation table permissions (DESCRIBE, INSERT, DELETE) for the Glue stats service role on all schemas."
   type = bool
-  default = true
+  default = false
 }

 variable "splunk_hec_token" {

From 86424d7de70c57be61fd0e0847611f71db8228aa Mon Sep 17 00:00:00 2001
From: javbeltran_expedia
Date: Thu, 16 Apr 2026 11:31:03 +0200
Subject: [PATCH 3/3] fix: add lakeformation:GetDataAccess and iam:PassRole to lf_data_access role to fix Glue stats

The lf_data_access role was missing lakeformation:GetDataAccess and iam:PassRole policies, which are required for LakeFormation to vend temporary S3 credentials when Glue stats writes column statistics back to the catalog. These policies exist in the lakehouse module but were absent here, causing Glue stats to fail in EGDP.

Co-authored-by: Claude Sonnet 4.6
---
 CHANGELOG.md | 4 ++++
 lf.tf | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8db265a..af38c35 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [7.12.9] - 2026-04-16
+### Fixed
+- Added `lakeformation:GetDataAccess` and `iam:PassRole` (self) inline policy to `lf_data_access` role, required for LakeFormation credential vending when Glue stats writes column statistics back to the catalog.
+
 ## [7.12.8] - 2026-04-15
 ### Added
 - Added var `create_glue_stats_vendor_role_tbl_permissions` to create LakeFormation table permissions (`DESCRIBE`, `INSERT`, `DELETE`) for the Glue stats service role on all schemas.
diff --git a/lf.tf b/lf.tf
index 2b112a7..038572a 100644
--- a/lf.tf
+++ b/lf.tf
@@ -444,3 +444,26 @@ resource "aws_iam_role_policy" "lf_data_access_cloudwatch" {
 }
 EOF
 }
+
+resource "aws_iam_role_policy" "lf_data_access_pass_role" {
+  count = var.create_lf_resource && var.create_lf_data_access_role ? 1 : 0
+  name = "pass_role_and_lf_data_access"
+  role = aws_iam_role.lf_data_access[0].id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid = "LakeFormationDataAccess"
+        Effect = "Allow"
+        Action = "lakeformation:GetDataAccess"
+        Resource = ["*"]
+      },
+      {
+        Sid = "PassRole"
+        Effect = "Allow"
+        Action = "iam:PassRole"
+        Resource = [aws_iam_role.lf_data_access[0].arn]
+      }
+    ]
+  })
+}
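Review bot: The `PassRole` statement in the lf.tf hunk lets `lf_data_access` pass itself to any AWS service because it carries no condition; least privilege is to pin the consumer with `Condition = { StringEquals = { "iam:PassedToService" = "<SERVICE_PRINCIPAL_THAT_RECEIVES_THE_ROLE>" } }` on that statement — the commit message points at Glue, so presumably `glue.amazonaws.com`, but confirm against the actual caller before pinning. `Resource = ["*"]` on `lakeformation:GetDataAccess` is correct, since that action has no resource-level permissions, and deserves a comment such as `# GetDataAccess supports no resource-level permissions; "*" is required` so the wildcard is not "tightened" or flagged by a later policy scan. The `count` creates this policy whenever the role exists, not only when `var.enable_glue_stats` is set; if the two grants are specific to the stats path, gating the count on `var.enable_glue_stats` as well keeps the role minimal in deployments that never enable it (the message says the lakehouse module grants them unconditionally, so this may be intentional — worth a line in the CHANGELOG entry either way). Credential vending plus PassRole-to-self also widens what any principal able to assume `lf_data_access` can reach, so the role's trust policy, which lies outside this hunk, should be re-read alongside this change.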