From ae652a550a5a8620657e153f1ddf4424a82e36c0 Mon Sep 17 00:00:00 2001
From: "Dr. Ernie Prabhakar"
Date: Sat, 11 Apr 2026 22:07:02 -0700
Subject: [PATCH 1/2] Add enable_lf_grants variable for opt-in Lake Formation TableWildcard grants

Accounts with Lake Formation enforcement active need per-role TableWildcard grants, but these require the deploying role to be an LF admin. Default to false so installs don't break on accounts without LF admin setup.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 VARIABLES.md | 6 ++++++
 modules/quilt/main.tf | 2 ++
 modules/quilt/variables.tf | 7 +++++++
 3 files changed, 15 insertions(+)

diff --git a/VARIABLES.md b/VARIABLES.md
index 00b2aa1..c0bc7d5 100644
--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -53,6 +53,12 @@ This document provides comprehensive documentation for all variables available i
 | `search_volume_throughput` | `number` | `null` | EBS throughput (MiB/s, for some gp3 volumes) | 125-1000 |
 | `search_auto_tune_desired_state` | `string` | `"DISABLED"` | ElasticSearch Auto-Tune state | `"ENABLED"`, `"DISABLED"` |
 
+### Lake Formation Variables
+
+| Variable | Type | Default | Description |
+|---------------------|--------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `enable_lf_grants` | `bool` | `false` | Enable per-role Lake Formation TableWildcard grants. Requires the CloudFormation execution role to be a Lake Formation administrator. Leave `false` unless LF enforcement is active and the deploying role is on the LF admin list. |
+
 ### CloudFormation Stack Variables
 
 | Variable | Type | Default | Description |
diff --git a/modules/quilt/main.tf b/modules/quilt/main.tf
index e420d85..dba511b 100644
--- a/modules/quilt/main.tf
+++ b/modules/quilt/main.tf
@@ -101,6 +101,8 @@ resource "aws_cloudformation_stack" "stack" {
 parameters = merge(
 var.parameters,
 {
+ EnableLakeFormationGrants = var.enable_lf_grants ? "Enabled" : "Disabled"
+
 VPC = module.vpc.vpc_id
 Subnets = join(",", module.vpc.private_subnets)
 PublicSubnets = var.internal ? null : join(",", module.vpc.public_subnets)
diff --git a/modules/quilt/variables.tf b/modules/quilt/variables.tf
index c2d6768..d9344d3 100644
--- a/modules/quilt/variables.tf
+++ b/modules/quilt/variables.tf
@@ -138,6 +138,13 @@ variable "search_volume_type" {
 description = "Type of EBS volumes attached to data nodes in the ElasticSearch cluster"
 }
 
+variable "enable_lf_grants" {
+ type = bool
+ nullable = false
+ default = false
+ description = "Enable per-role Lake Formation TableWildcard grants. Requires the CloudFormation execution role to be a Lake Formation administrator. Leave false unless LF enforcement is active and the deploying role is on the LF admin list."
+}
+
 variable "template_file" {
 type = string
 nullable = true
From 0c00b6eaf9de20c35b81e07710f7127a61ddd64f Mon Sep 17 00:00:00 2001
From: "Dr. Ernie Prabhakar"
Date: Sat, 11 Apr 2026 23:19:37 -0700
Subject: [PATCH 2/2] fix: use null to omit EnableLakeFormationGrants when disabled

Passing "Disabled" breaks existing deployments whose CFT templates don't yet define this parameter. Using null omits the key from the merge() map, matching the pattern for PublicSubnets and UserSubnets.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 modules/quilt/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/quilt/main.tf b/modules/quilt/main.tf
index dba511b..96e1eaf 100644
--- a/modules/quilt/main.tf
+++ b/modules/quilt/main.tf
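Review bot: The description of the new `enable_lf_grants` variable in the modules/quilt/variables.tf hunk does not say which CloudFormation parameter it drives, so someone reading variables.tf alone cannot tell what the flag changes in the stack; the same patch wires it to `EnableLakeFormationGrants` in modules/quilt/main.tf. I would extend the description with a sentence such as `Maps to the EnableLakeFormationGrants CloudFormation parameter ("Enabled" when true).`. The `nullable = false` plus `default = false` pairing is the right shape for an opt-in privilege feature, since an unset value cannot resolve to anything but off. The variable block is complete within the hunk.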
@@ -101,7 +101,7 @@ resource "aws_cloudformation_stack" "stack" {
 parameters = merge(
 var.parameters,
 {
- EnableLakeFormationGrants = var.enable_lf_grants ? "Enabled" : "Disabled"
+ EnableLakeFormationGrants = var.enable_lf_grants ? "Enabled" : null
 
 VPC = module.vpc.vpc_id
 Subnets = join(",", module.vpc.private_subnets)
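Review bot: With `null` on the `+` line, `enable_lf_grants = false` no longer means "Disabled" but "leave the parameter out", so on a template that does define `EnableLakeFormationGrants` the stack takes whatever default the template declares; should that default ever not be "Disabled", the Terraform variable would silently stop being an effective off switch. The commit message records the intent (compatibility with templates that lack the parameter) but the code does not, so I would put it on the line: `# null omits the key (templates without this parameter still deploy); false then defers to the template default rather than forcing "Disabled"`. The template's default is not visible here, so that part is an assumption to confirm against the CFT. The enclosing `aws_cloudformation_stack` resource starts before the hunk and ends after it.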