Merge pull request #35799 from hashicorp/f-glue-federated-database

r/aws_glue_catalog_database: add `federated_database` argument

Author: jar-b

.changelog/35799.txt

@@ -0,0 +1,6 @@
+```release-note:bug
+resource/aws_lakeformation_resource: Properly handle configured `false` values for `use_service_linked_role`
+```
+```release-note:enhancement
+resource/aws_glue_catalog_database: Add `federated_database` argument
+```

internal/service/glue/catalog_database.go

@@ -95,6 +95,23 @@ func ResourceCatalogDatabase() *schema.Resource {
 				Optional:     true,
 				ValidateFunc: validation.StringLenBetween(0, 2048),
 			},
+			"federated_database": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"connection_name": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+						"identifier": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+					},
+				},
+			},
 			"location_uri": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -155,6 +172,10 @@ func resourceCatalogDatabaseCreate(ctx context.Context, d *schema.ResourceData,
 		dbInput.Parameters = flex.ExpandStringMap(v.(map[string]interface{}))
 	}
 
+	if v, ok := d.GetOk("federated_database"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+		dbInput.FederatedDatabase = expandDatabaseFederatedDatabase(v.([]interface{})[0].(map[string]interface{}))
+	}
+
 	if v, ok := d.GetOk("target_database"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
 		dbInput.TargetDatabase = expandDatabaseTargetDatabase(v.([]interface{})[0].(map[string]interface{}))
 	}
@@ -210,6 +231,10 @@ func resourceCatalogDatabaseUpdate(ctx context.Context, d *schema.ResourceData,
 			dbInput.Parameters = flex.ExpandStringMap(v.(map[string]interface{}))
 		}
 
+		if v, ok := d.GetOk("federated_database"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
+			dbInput.FederatedDatabase = expandDatabaseFederatedDatabase(v.([]interface{})[0].(map[string]interface{}))
+		}
+
 		if v, ok := d.GetOk("create_table_default_permission"); ok && len(v.([]interface{})) > 0 {
 			dbInput.CreateTableDefaultPermissions = expandDatabasePrincipalPermissions(v.([]interface{}))
 		}
@@ -259,6 +284,14 @@ func resourceCatalogDatabaseRead(ctx context.Context, d *schema.ResourceData, me
 	d.Set("location_uri", database.LocationUri)
 	d.Set("parameters", aws.StringValueMap(database.Parameters))
 
+	if database.FederatedDatabase != nil {
+		if err := d.Set("federated_database", []interface{}{flattenDatabaseFederatedDatabase(database.FederatedDatabase)}); err != nil {
+			return sdkdiag.AppendErrorf(diags, "setting federated_database: %s", err)
+		}
+	} else {
+		d.Set("federated_database", nil)
+	}
+
 	if database.TargetDatabase != nil {
 		if err := d.Set("target_database", []interface{}{flattenDatabaseTargetDatabase(database.TargetDatabase)}); err != nil {
 			return sdkdiag.AppendErrorf(diags, "setting target_database: %s", err)
@@ -310,6 +343,24 @@ func createCatalogID(d *schema.ResourceData, accountid string) (catalogID string
 	return
 }
 
+func expandDatabaseFederatedDatabase(tfMap map[string]interface{}) *glue.FederatedDatabase {
+	if tfMap == nil {
+		return nil
+	}
+
+	apiObject := &glue.FederatedDatabase{}
+
+	if v, ok := tfMap["connection_name"].(string); ok && v != "" {
+		apiObject.ConnectionName = aws.String(v)
+	}
+
+	if v, ok := tfMap["identifier"].(string); ok && v != "" {
+		apiObject.Identifier = aws.String(v)
+	}
+
+	return apiObject
+}
+
 func expandDatabaseTargetDatabase(tfMap map[string]interface{}) *glue.DatabaseIdentifier {
 	if tfMap == nil {
 		return nil
@@ -332,6 +383,24 @@ func expandDatabaseTargetDatabase(tfMap map[string]interface{}) *glue.DatabaseId
 	return apiObject
 }
 
+func flattenDatabaseFederatedDatabase(apiObject *glue.FederatedDatabase) map[string]interface{} {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]interface{}{}
+
+	if v := apiObject.ConnectionName; v != nil {
+		tfMap["connection_name"] = aws.StringValue(v)
+	}
+
+	if v := apiObject.Identifier; v != nil {
+		tfMap["identifier"] = aws.StringValue(v)
+	}
+
+	return tfMap
+}
+
 func flattenDatabaseTargetDatabase(apiObject *glue.DatabaseIdentifier) map[string]interface{} {
 	if apiObject == nil {
 		return nil

internal/service/glue/catalog_database_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go/service/glue"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
@@ -194,6 +195,38 @@ func TestAccGlueCatalogDatabase_targetDatabaseWithRegion(t *testing.T) {
 	})
 }
 
+func TestAccGlueCatalogDatabase_federatedDatabase(t *testing.T) {
+	ctx := acctest.Context(t)
+	resourceName := "aws_glue_catalog_database.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, glue.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDatabaseDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config:  testAccCatalogDatabaseConfig_federatedDatabase(rName),
+				Destroy: false,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckCatalogDatabaseExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", rName),
+					acctest.CheckResourceAttrRegionalARN(resourceName, "arn", "glue", fmt.Sprintf("database/%s", rName)),
+					resource.TestCheckResourceAttr(resourceName, "federated_database.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "federated_database.0.connection_name", "aws:redshift"),
+					acctest.MatchResourceAttrRegionalARN(resourceName, "federated_database.0.identifier", "redshift", regexache.MustCompile(`datashare:+.`)),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccGlueCatalogDatabase_tags(t *testing.T) {
 	ctx := acctest.Context(t)
 	resourceName := "aws_glue_catalog_database.test"
@@ -320,6 +353,90 @@ resource "aws_glue_catalog_database" "test" {
 `, rName, desc)
 }
 
+func testAccCatalogDatabaseConfig_federatedDatabase(rName string) string {
+	return acctest.ConfigCompose(
+		fmt.Sprintf(`
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
+resource "aws_redshiftserverless_namespace" "test" {
+  namespace_name = %[1]q
+  db_name        = "test"
+}
+
+resource "aws_redshiftserverless_workgroup" "test" {
+  namespace_name = aws_redshiftserverless_namespace.test.namespace_name
+  workgroup_name = %[1]q
+}
+
+resource "aws_redshiftdata_statement" "test_create" {
+  workgroup_name = aws_redshiftserverless_workgroup.test.workgroup_name
+  database       = aws_redshiftserverless_namespace.test.db_name
+  sql            = "CREATE DATASHARE tfacctest;"
+}
+`, rName),
+		// Split this resource into a string literal so the terraform `format` function
+		// interpolates properly
+		`
+resource "aws_redshiftdata_statement" "test_grant_usage" {
+  depends_on     = [aws_redshiftdata_statement.test_create]
+  workgroup_name = aws_redshiftserverless_workgroup.test.workgroup_name
+  database       = aws_redshiftserverless_namespace.test.db_name
+  sql            = format("GRANT USAGE ON DATASHARE tfacctest TO ACCOUNT '%s' VIA DATA CATALOG;", data.aws_caller_identity.current.account_id)
+}
+
+locals {
+  # Data share ARN is not returned from the GRANT USAGE statement, so must be
+  # composed manually.
+  # Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html#amazonredshift-resources-for-iam-policies
+  data_share_arn = format("arn:%s:redshift:%s:%s:datashare:%s/%s",
+    data.aws_partition.current.id,
+    data.aws_region.current.name,
+    data.aws_caller_identity.current.account_id,
+    aws_redshiftserverless_namespace.test.namespace_id,
+    "tfacctest",
+  )
+}
+
+resource "aws_redshift_data_share_authorization" "test" {
+  depends_on = [aws_redshiftdata_statement.test_grant_usage]
+
+  data_share_arn      = local.data_share_arn
+  consumer_identifier = format("DataCatalog/%s", data.aws_caller_identity.current.account_id)
+}
+
+resource "aws_redshift_data_share_consumer_association" "test" {
+  depends_on = [aws_redshift_data_share_authorization.test]
+
+  data_share_arn = local.data_share_arn
+  consumer_arn = format("arn:%s:glue:%s:%s:catalog",
+    data.aws_partition.current.id,
+    data.aws_region.current.name,
+    data.aws_caller_identity.current.account_id,
+  )
+}
+
+resource "aws_lakeformation_resource" "test" {
+  depends_on = [aws_redshift_data_share_consumer_association.test]
+
+  arn                     = local.data_share_arn
+  use_service_linked_role = false
+}
+`,
+		fmt.Sprintf(`
+resource "aws_glue_catalog_database" "test" {
+  depends_on = [aws_lakeformation_resource.test]
+
+  name = %[1]q
+  federated_database {
+    connection_name = "aws:redshift"
+    identifier      = local.data_share_arn
+  }
+}
+`, rName))
+}
+
 func testAccCatalogDatabaseConfig_target(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_glue_catalog_database" "test" {

internal/service/lakeformation/resource.go

@@ -85,7 +85,7 @@ func resourceResourceCreate(ctx context.Context, d *schema.ResourceData, meta in
 		input.UseServiceLinkedRole = aws.Bool(true)
 	}
 
-	if v, ok := d.GetOk("use_service_linked_role"); ok {
+	if v, ok := d.GetOkExists("use_service_linked_role"); ok {
 		input.UseServiceLinkedRole = aws.Bool(v.(bool))
 	}
 

website/docs/r/glue_catalog_database.html.markdown

@@ -13,15 +13,15 @@ Provides a Glue Catalog Database Resource. You can refer to the [Glue Developer
 ## Example Usage
 
 ```terraform
-resource "aws_glue_catalog_database" "aws_glue_catalog_database" {
+resource "aws_glue_catalog_database" "example" {
   name = "MyCatalogDatabase"
 }
 ```
 
 ### Create Table Default Permissions
 
 ```terraform
-resource "aws_glue_catalog_database" "aws_glue_catalog_database" {
+resource "aws_glue_catalog_database" "example" {
   name = "MyCatalogDatabase"
 
   create_table_default_permission {
@@ -41,12 +41,18 @@ This resource supports the following arguments:
 * `catalog_id` - (Optional) ID of the Glue Catalog to create the database in. If omitted, this defaults to the AWS Account ID.
 * `create_table_default_permission` - (Optional) Creates a set of default permissions on the table for principals. See [`create_table_default_permission`](#create_table_default_permission) below.
 * `description` - (Optional) Description of the database.
+* `federated_database` - (Optional) Configuration block that references an entity outside the AWS Glue Data Catalog. See [`federated_database`](#federated_database) below.
 * `location_uri` - (Optional) Location of the database (for example, an HDFS path).
 * `name` - (Required) Name of the database. The acceptable characters are lowercase letters, numbers, and the underscore character.
 * `parameters` - (Optional) List of key-value pairs that define parameters and properties of the database.
 * `tags` - (Optional) Key-value map of resource tags. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 * `target_database` - (Optional) Configuration block for a target database for resource linking. See [`target_database`](#target_database) below.
 
+### federated_database
+
+* `connection_name` - (Optional) Name of the connection to the external metastore.
+* `identifier` - (Optional) Unique identifier for the federated database.
+
 ### target_database
 
 * `catalog_id` - (Required) ID of the Data Catalog in which the database resides.