Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix athena db reader #19765

Merged
merged 2 commits into from
Aug 30, 2021
Merged

Fix athena db reader #19765

merged 2 commits into from
Aug 30, 2021

Conversation

harsimranmaan
Copy link
Contributor

Closes #19085

The current athena database implements a query on read. This means that the terraform plan needs
the permission to execute queries against athena as well as permission to write to the
s3 bucket where the execution results are stored. This makes it hard to run plan in an
environment where we don't want it to modify any aws resources. The StartQueryExecution
also does not have a way to restrict the queries. This means that it is possible to use
the permissions set up for a terraform plan to run any queries against athena.

The fix here is to read the database name from the AwsDataCatalog. In the future, this can
be extended to include other catalogs as the support for creating athena catalogs is added to
the provider

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

@harsimranmaan harsimranmaan requested a review from a team as a code owner June 11, 2021 03:26
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/athena Issues and PRs that pertain to the athena service. size/S Managed by automation to categorize the size of a PR. labels Jun 11, 2021
@ewbankkit ewbankkit mentioned this pull request Aug 28, 2021
Closed
@ewbankkit ewbankkit added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 30, 2021
harsimranmaan and others added 2 commits August 30, 2021 09:23
@harsimranmaan @ewbankkit
Fix athena db reader
29658c4 
The current athena database implements a query on read. This means that the terraform plan needs
the permission to execute queries against athena as well as permission to write to the
s3 bucket where the execution results are stored. This makes it hard to run plan in an
environment where we don't want it to modify any aws resources. The StartQueryExecution
also does not have a way to restrict the queries. This means that it is possible to use
the permissions set up for a terraform plan to run any queries against athena.

The fix here is to read the database name from the AwsDataCatalog. In the future, this can
be extended to include other catalogs as the support for creating athena catalogs is added to
the provider
@ewbankkit
Add CHANGELOG entry.
ec02f6f
ewbankkit
ewbankkit approved these changes Aug 30, 2021
View reviewed changes
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccAWSAthenaDatabase_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAthenaDatabase_ -timeout 180m
=== RUN   TestAccAWSAthenaDatabase_basic
=== PAUSE TestAccAWSAthenaDatabase_basic
=== RUN   TestAccAWSAthenaDatabase_encryption
=== PAUSE TestAccAWSAthenaDatabase_encryption
=== RUN   TestAccAWSAthenaDatabase_nameStartsWithUnderscore
=== PAUSE TestAccAWSAthenaDatabase_nameStartsWithUnderscore
=== RUN   TestAccAWSAthenaDatabase_nameCantHaveUppercase
=== PAUSE TestAccAWSAthenaDatabase_nameCantHaveUppercase
=== RUN   TestAccAWSAthenaDatabase_destroyFailsIfTablesExist
=== PAUSE TestAccAWSAthenaDatabase_destroyFailsIfTablesExist
=== RUN   TestAccAWSAthenaDatabase_forceDestroyAlwaysSucceeds
=== PAUSE TestAccAWSAthenaDatabase_forceDestroyAlwaysSucceeds
=== CONT  TestAccAWSAthenaDatabase_basic
=== CONT  TestAccAWSAthenaDatabase_destroyFailsIfTablesExist
=== CONT  TestAccAWSAthenaDatabase_nameStartsWithUnderscore
=== CONT  TestAccAWSAthenaDatabase_encryption
=== CONT  TestAccAWSAthenaDatabase_nameCantHaveUppercase
=== CONT  TestAccAWSAthenaDatabase_forceDestroyAlwaysSucceeds
--- PASS: TestAccAWSAthenaDatabase_nameCantHaveUppercase (2.48s)
--- PASS: TestAccAWSAthenaDatabase_nameStartsWithUnderscore (41.30s)
--- PASS: TestAccAWSAthenaDatabase_basic (42.55s)
--- PASS: TestAccAWSAthenaDatabase_encryption (46.01s)
--- PASS: TestAccAWSAthenaDatabase_forceDestroyAlwaysSucceeds (46.73s)
--- PASS: TestAccAWSAthenaDatabase_destroyFailsIfTablesExist (54.44s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	57.941s

@ewbankkit
Copy link
Contributor

@harsimranmaan Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 36fa311 into hashicorp:main Aug 30, 2021
@github-actions github-actions bot added this to the v3.57.0 milestone Aug 30, 2021
@harsimranmaan harsimranmaan deleted the b-athena-read-security-fix branch August 30, 2021 21:09
@github-actions
Copy link

github-actions bot commented Sep 2, 2021

This functionality has been released in v3.57.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ewbankkit ewbankkit ewbankkit approved these changes

Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/athena Issues and PRs that pertain to the athena service. size/S Managed by automation to categorize the size of a PR.
Projects
None yet
Milestone
v3.57.0
Development

Successfully merging this pull request may close these issues.

Athena Read Permissions
2 participants
@harsimranmaan @ewbankkit