diff --git a/VARIABLES.md b/VARIABLES.md
index 00b2aa1..c0bc7d5 100644
--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -53,6 +53,12 @@ This document provides comprehensive documentation for all variables available i
 | `search_volume_throughput` | `number` | `null` | EBS throughput (MiB/s, for some gp3 volumes) | 125-1000 |
 | `search_auto_tune_desired_state` | `string` | `"DISABLED"` | ElasticSearch Auto-Tune state | `"ENABLED"`, `"DISABLED"` |
 
+### Lake Formation Variables
+
+| Variable | Type | Default | Description |
+|---------------------|--------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `enable_lf_grants` | `bool` | `false` | Enable per-role Lake Formation TableWildcard grants. Requires the CloudFormation execution role to be a Lake Formation administrator. Leave `false` unless LF enforcement is active and the deploying role is on the LF admin list. |
+
 ### CloudFormation Stack Variables
 
 | Variable | Type | Default | Description |
diff --git a/modules/quilt/main.tf b/modules/quilt/main.tf
index e420d85..96e1eaf 100644
--- a/modules/quilt/main.tf
+++ b/modules/quilt/main.tf
@@ -101,6 +101,8 @@ resource "aws_cloudformation_stack" "stack" {
 parameters = merge(
 var.parameters,
 {
+ EnableLakeFormationGrants = var.enable_lf_grants ? "Enabled" : null
+
 VPC = module.vpc.vpc_id
 Subnets = join(",", module.vpc.private_subnets)
 PublicSubnets = var.internal ? null : join(",", module.vpc.public_subnets)
diff --git a/modules/quilt/variables.tf b/modules/quilt/variables.tf
index c2d6768..d9344d3 100644
--- a/modules/quilt/variables.tf
+++ b/modules/quilt/variables.tf
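Review bot: `EnableLakeFormationGrants` is placed in the literal map that merge() applies after var.parameters, so a caller who already sets that key in var.parameters has it silently replaced — with null when enable_lf_grants is false. If the module-owned value is meant to win, say so where the key is introduced, e.g. `# Module-owned keys below override any same-named entry in var.parameters.`; otherwise derive it as `EnableLakeFormationGrants = var.enable_lf_grants ? "Enabled" : lookup(var.parameters, "EnableLakeFormationGrants", null)`. Mapping the false case to null rather than an explicit value means the stack falls back to whatever default the template declares for that parameter, which is not visible here, so a short comment naming that intent would help. Since the variable's description states that the deploying role must be a Lake Formation administrator for the grants to succeed, a one-line comment next to this key pointing at that precondition would spare the next reader a trip to variables.tf. The enclosing aws_cloudformation_stack resource starts and ends outside the hunk.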
@@ -138,6 +138,13 @@ variable "search_volume_type" {
 description = "Type of EBS volumes attached to data nodes in the ElasticSearch cluster"
 }
 
+variable "enable_lf_grants" {
+ type = bool
+ nullable = false
+ default = false
+ description = "Enable per-role Lake Formation TableWildcard grants. Requires the CloudFormation execution role to be a Lake Formation administrator. Leave false unless LF enforcement is active and the deploying role is on the LF admin list."
+}
+
 variable "template_file" {
 type = string
 nullable = true