https://github.com/dod-iac/terraform-aws-data-pipeline-iam-policy

athena aws glue iam s3 terraform

## Usage

Creates an AWS IAM policy (an `aws_iam_policy` resource) that grants a data pipeline access to the S3 buckets, Athena workgroups, Glue tables, KMS keys, ECR repositories and CodeCommit repositories named by its inputs. Every input defaults to `[]`, so the policy grants nothing for a service unless you list the ARNs (or tables) it needs; `["*"]` is accepted where noted in the Inputs table, but it grants access to every resource of that kind in the account.

```hcl
module "data_pipeline_iam_policy" {
  source = "dod-iac/data-pipeline-iam-policy/aws"

  name             = format("app-%s-data-pipeline-%s", var.application, var.environment)
  s3_buckets_read  = [module.s3_bucket_source.arn]
  s3_buckets_write = [module.s3_bucket_destination.arn]
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```
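A fuller configuration, as an added example that is not part of the module's README: it pins the module version as the Terraform Version section asks, exercises the Athena, Glue and KMS inputs listed under Inputs with explicit ARNs rather than `["*"]`, and attaches the resulting policy to the IAM role that a Glue job in the pipeline assumes. The `aws_s3_bucket`, `aws_athena_workgroup` and `aws_kms_key` references, the `sales` Glue database and its tables, the `local.tags` map and the `aws_iam_role` / `aws_iam_role_policy_attachment` resources are assumptions made for this example; the module's own inputs and the `arn` output are as documented on this page.

```hcl
# Added example, not the module's own code. Resources referenced here
# (aws_s3_bucket.raw, aws_s3_bucket.curated, aws_s3_bucket.athena_results,
# aws_athena_workgroup.pipeline, aws_kms_key.data, the "sales" Glue database)
# are assumed to be defined elsewhere in the same root module.

locals {
  name = format("app-%s-data-pipeline-%s", var.application, var.environment)
  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

module "data_pipeline_iam_policy" {
  source  = "dod-iac/data-pipeline-iam-policy/aws"
  version = "~> 1.0.0" # pin, as recommended under Terraform Version

  name        = local.name
  description = format("Data pipeline policy for %s (%s).", var.application, var.environment)

  # S3: read the raw landing bucket, write only the curated bucket.
  # Each grant is a concrete bucket ARN; no ["*"] anywhere in this policy.
  s3_buckets_read  = [aws_s3_bucket.raw.arn]
  s3_buckets_write = [aws_s3_bucket.curated.arn]

  # Athena: the single workgroup the pipeline may execute, the bucket it
  # queries, and the bucket that receives query results.
  athena_workgroups_exec = [aws_athena_workgroup.pipeline.arn]
  athena_buckets_source  = [aws_s3_bucket.raw.arn]
  athena_buckets_results = [aws_s3_bucket.athena_results.arn]

  # Glue tables Athena may read while executing queries (database + table).
  athena_tables_exec = [
    { database = "sales", table = "orders" },
    { database = "sales", table = "customers" },
  ]

  # Glue tables the pipeline may add partitions to after each load.
  glue_tables_add = [
    { database = "sales", table = "orders" },
  ]

  # KMS: one customer managed key protects both buckets, so the same key
  # is granted for decrypt (reads) and encrypt (writes).
  kms_keys_decrypt = [aws_kms_key.data.arn]
  kms_keys_encrypt = [aws_kms_key.data.arn]

  tags = local.tags
}

# The execution role assumed by the Glue job that runs the pipeline.
# Only the Glue service principal may assume it.
resource "aws_iam_role" "data_pipeline" {
  name = local.name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "glue.amazonaws.com" }
    }]
  })
  tags = local.tags
}

# Attach the module's policy (its `arn` output) to that role.
resource "aws_iam_role_policy_attachment" "data_pipeline" {
  role       = aws_iam_role.data_pipeline.name
  policy_arn = module.data_pipeline_iam_policy.arn
}
```

Keeping the module call and the role in the same root module means a reviewer can see, in one `terraform plan`, both who can assume the role and exactly which buckets, tables and keys the role can touch.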

## Testing

Run all terratest tests using the `terratest` script. If using `aws-vault`, you can run `aws-vault exec $AWS_PROFILE -- terratest`. The `AWS_DEFAULT_REGION` environment variable is required by the tests. The tests create real resources in the AWS account your credentials resolve to, so run them against a sandbox account. The following environment variables control a run:

- `TT_SKIP_DESTROY=1` leaves the infrastructure created during the tests in place instead of destroying it.
- `TT_VERBOSE=1` logs each test as it runs.
- `TT_TIMEOUT` sets the timeout for the tests, as a Go duration string, e.g. `15m`.
- `TT_TEST_NAME` runs a single test by name.

## Terraform Version

This module targets Terraform 0.13 (see Requirements: `>= 0.13`). Pin the module version to `~> 1.0.0`. Submit pull requests against the `main` branch.

Terraform 0.11 and 0.12 are not supported.

## License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it is therefore licensed under the MIT License. See the LICENSE file for more information.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.13 |
| [aws](#requirement\_aws) | >= 3.0, < 5.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.0, < 5.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_iam_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [athena\_buckets\_results](#input\_athena\_buckets\_results) | The ARNs of the AWS S3 buckets that store the results of Athena queries. Use `["*"]` to allow all buckets. | `list(string)` | `[]` | no |
| [athena\_buckets\_source](#input\_athena\_buckets\_source) | The ARNs of the AWS S3 buckets that store the data being queried through Athena. Use `["*"]` to allow all buckets. | `list(string)` | `[]` | no |
| [athena\_tables\_exec](#input\_athena\_tables\_exec) | A list of the Glue tables that can be read from during execution of Athena queries. Use `["*"]` to allow all tables. | `list(object({ database = string, table = string }))` | `[]` | no |
| [athena\_workgroups\_exec](#input\_athena\_workgroups\_exec) | The ARNs of the AWS Athena workgroups that can be executed. Use `["*"]` to allow all workgroups. | `list(string)` | `[]` | no |
| [codecommit\_repos\_pull](#input\_codecommit\_repos\_pull) | The ARNs of the AWS CodeCommit repos that can be pulled from. Use `["*"]` to allow all repos. | `list(string)` | `[]` | no |
| [codecommit\_repos\_push](#input\_codecommit\_repos\_push) | The ARNs of the AWS CodeCommit repos that can be pushed to. Use `["*"]` to allow all repos. | `list(string)` | `[]` | no |
| [description](#input\_description) | The description of the AWS IAM policy. Defaults to "The policy for [NAME]." | `string` | `""` | no |
| [ecr\_repos\_read](#input\_ecr\_repos\_read) | The ARNs of the AWS ECR repos that can be read from. Use `["*"]` to allow all repos. | `list(string)` | `[]` | no |
| [ecr\_repos\_write](#input\_ecr\_repos\_write) | The ARNs of the AWS ECR repos that can be written to. Use `["*"]` to allow all repos. | `list(string)` | `[]` | no |
| [glue\_tables\_add](#input\_glue\_tables\_add) | List of Glue tables that partitions can be added to. | `list(object({ database = string, table = string }))` | `[]` | no |
| [kms\_keys\_decrypt](#input\_kms\_keys\_decrypt) | The ARNs of the AWS KMS keys that can be used to decrypt data. Use `["*"]` to allow all keys. | `list(string)` | `[]` | no |
| [kms\_keys\_encrypt](#input\_kms\_keys\_encrypt) | The ARNs of the AWS KMS keys that can be used to encrypt data. Use `["*"]` to allow all keys. | `list(string)` | `[]` | no |
| [name](#input\_name) | The name of the AWS IAM policy. | `string` | n/a | yes |
| [s3\_buckets\_read](#input\_s3\_buckets\_read) | The ARNs of the AWS S3 buckets that can be read from. Use `["*"]` to allow all buckets. | `list(string)` | `[]` | no |
| [s3\_buckets\_write](#input\_s3\_buckets\_write) | The ARNs of the AWS S3 buckets that can be written to. Use `["*"]` to allow all buckets. | `list(string)` | `[]` | no |

## Outputs

| Name | Description |
|------|-------------|
| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the AWS IAM policy. |
| [id](#output\_id) | The id of the AWS IAM policy. |
| [name](#output\_name) | The name of the AWS IAM policy. |