import aws_cdk as cdk

from aws_cdk import (
  Stack,
  aws_lakeformation
)
from constructs import Construct

class DataLakePermissionsStack(Stack):

  def __init__(self, scope: Construct, construct_id: str, glue_job_role, **kwargs) -> None:
    super().__init__(scope, construct_id, **kwargs)

    glue_job_input_arguments = self.node.try_get_context('glue_kinesis_table')
    database_name = glue_job_input_arguments["database_name"]

    #XXXX: The role assumed by cdk is not a data lake administrator.
    # So, deploying PrincipalPermissions meets the error such as:
    # "Resource does not exist or requester is not authorized to access requested permissions."
    # In order to solve the error, it is necessary to promote the cdk execution role to the data lake administrator.
    # For example, https://github.com/aws-samples/data-lake-as-code/blob/mainline/lib/stacks/datalake-stack.ts#L68
    cfn_data_lake_settings = aws_lakeformation.CfnDataLakeSettings(self, "CfnDataLakeSettings",
      admins=[aws_lakeformation.CfnDataLakeSettings.DataLakePrincipalProperty(
        data_lake_principal_identifier=cdk.Fn.sub(self.synthesizer.cloud_formation_execution_role_arn)
      )]
    )

    cfn_principal_permissions = aws_lakeformation.CfnPrincipalPermissions(self, "CfnPrincipalPermissions",
      permissions=["SELECT", "INSERT", "DELETE", "DESCRIBE", "ALTER"],
      permissions_with_grant_option=[],
      principal=aws_lakeformation.CfnPrincipalPermissions.DataLakePrincipalProperty(
        data_lake_principal_identifier=glue_job_role.role_arn
      ),
      resource=aws_lakeformation.CfnPrincipalPermissions.ResourceProperty(
        #XXX: Can't specify a TableWithColumns resource and a Table resource
        table=aws_lakeformation.CfnPrincipalPermissions.TableResourceProperty(
          catalog_id=cdk.Aws.ACCOUNT_ID,
          database_name=database_name,
          # name="ALL_TABLES",
          table_wildcard={}
        )
      )
    )
    cfn_principal_permissions.apply_removal_policy(cdk.RemovalPolicy.DESTROY)

    #XXX: In order to keep resource destruction order,
    # set dependency between CfnDataLakeSettings and CfnPrincipalPermissions
    cfn_principal_permissions.add_dependency(cfn_data_lake_settings)

    cdk.CfnOutput(self, f'{self.stack_name}_Principal',
      value=cfn_principal_permissions.attr_principal_identifier)