AWS native refarch cannot be deployed in AWS accounts with Lake Formation enabled

[vgkowski]

Deploying the AWS native refarch in an account with Lake Formation enabled fails because the CloudFormation execution role is not granted to create Glue resources in Lake Formation. In this setup, IAM permissions are not used anymore by Glue.

The workaround is to grant Lake Formation permissions to the IAM role used by CDK. By default the IAM role used by CDK is common to all CDK applications deployed in an AWS account and is created when bootstrapping an account with cdk bootstrap. This role can be found in the default CDKToolkit stack in CloudFormation console (cdk-xxxxxxx-cfn-exec-role-<ACCOUNT_ID>-). We should document this workaround in the getting started guide.

The long term solution is to use a custom bootstrap with:

• A custom qualifier to scope the custom bootstrap to AWS Analytics Reference Architecture. To ensure the qualifier is passed to all the stacks, we should probably create a new Stack type (AraStack)
• A custom bootstrap CloudFormation template granting Lake Formation permissions to the CDK execution via an AWS::LakeFormation::PrincipalPermissions