
Commit e7cc7f5

restrict default permissions to department and undrestricted databases
1 parent 37fe0ea commit e7cc7f5


1 file changed

+20
-2
lines changed


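--- a/terraform/modules/department/50-aws-iam-policies.tf
+++ b/terraform/modules/department/50-aws-iam-policies.tf
@@ -195,7 +195,16 @@ data "aws_iam_policy_document" "read_only_glue_access" {
 "glue:SearchTables",
 "glue:Query*",
 ]
-resources = ["*"]
+resources = [
+aws_glue_catalog_database.raw_zone_catalog_database.arn,
+aws_glue_catalog_database.refined_zone_catalog_database.arn,
+aws_glue_catalog_database.trusted_zone_catalog_database.arn,
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/${aws_glue_catalog_database.raw_zone_catalog_database.name}/*",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/${aws_glue_catalog_database.refined_zone_catalog_database.name}/*",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/${aws_glue_catalog_database.trusted_zone_catalog_database.name}/*",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:database/unrestricted-*-zone",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/unrestricted-*-zone/*",
+]
 }
 
 dynamic "statement" {
@@ -543,7 +552,16 @@ data "aws_iam_policy_document" "glue_access" {
 "glue:GetDatabases",
 "glue:Query*",
 ]
-resources = ["*"]
+resources = [
+aws_glue_catalog_database.raw_zone_catalog_database.arn,
+aws_glue_catalog_database.refined_zone_catalog_database.arn,
+aws_glue_catalog_database.trusted_zone_catalog_database.arn,
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/${aws_glue_catalog_database.raw_zone_catalog_database.name}/*",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/${aws_glue_catalog_database.refined_zone_catalog_database.name}/*",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/${aws_glue_catalog_database.trusted_zone_catalog_database.name}/*",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:database/unrestricted-*-zone",
+"arn:aws:glue:${data.data.aws_region.current.name}:${data.data.aws_region.current.account_id}:table/unrestricted-*-zone/*",
+]
 }
 
 dynamic "statement" {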
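Review bot: The new ARN strings in both hunks reference `data.data.aws_region.current.name` and `data.data.aws_region.current.account_id`, which will not evaluate: the `data.` prefix is doubled, and the `aws_region` data source exposes no `account_id` attribute, so `terraform plan` fails before the tightened policy ever reaches AWS. The region half should read `${data.aws_region.current.name}` and the account half `${data.aws_caller_identity.current.account_id}` (assuming a `data "aws_caller_identity" "current"` exists in this module — add one if not). Since the same prefix is repeated ten times across the two statements, a local such as `glue_arn_prefix = "arn:${data.aws_partition.current.partition}:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"` would keep the ARNs consistent and drop the hard-coded `aws` partition. Separately, AWS documents that Glue database and table APIs such as GetDatabases, SearchTables and GetTables also require the account's catalog ARN in the resource list, so after this scope-down consider adding `"${local.glue_arn_prefix}:catalog"` to each `resources` list and verify that the read-only and full-access principals can still enumerate their databases. The enclosing `data "aws_iam_policy_document"` blocks start and end outside the hunks.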
