Fix glue database visibility (#2498)

timburke-hackit · web-flow · commit e84e303e7b1c · 2025-10-10T16:04:51.000+01:00
* add unrestricted database access

* add liberator access to parking dept

* update db names from etl state

* formatting

* add identifier_prefix

* add address api db

* fixup
diff --git a/terraform/core/05-departments.tf b/terraform/core/05-departments.tf
@@ -73,6 +73,24 @@ module "department_parking" {
   departmental_airflow_user       = true
   mwaa_etl_scripts_bucket_arn     = aws_s3_bucket.mwaa_etl_scripts_bucket.arn
   mwaa_key_arn                    = aws_kms_key.mwaa_key.arn
+  additional_glue_database_access = [
+    {
+      database_name = "${local.identifier_prefix}-liberator-raw-zone"
+      actions       = ["glue:GetTable", "glue:GetTables"]
+    },
+    {
+      database_name = "${local.identifier_prefix}-liberator-refined-zone"
+      actions       = ["glue:GetTable", "glue:GetTables"]
+    },
+    {
+      database_name = "${local.identifier_prefix}-liberator-trusted-zone"
+      actions       = ["glue:GetTable", "glue:GetTables"]
+    },
+    {
+      database_name = "${local.identifier_prefix}-raw-zone-unrestricted-address-api"
+      actions       = ["glue:GetTable", "glue:GetTables"]
+    },
+  ]
 }
 
 module "department_finance" {
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -202,6 +202,10 @@ data "aws_iam_policy_document" "read_only_glue_access" {
       "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.raw_zone_catalog_database.name}/*",
       "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.refined_zone_catalog_database.name}/*",
       "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.trusted_zone_catalog_database.name}/*",
+      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-raw-zone/*",
+      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-refined-zone/*",
+      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-trusted-zone/*",
+
     ]
   }
 
@@ -585,6 +589,9 @@ data "aws_iam_policy_document" "glue_access" {
       "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.raw_zone_catalog_database.name}/*",
       "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.refined_zone_catalog_database.name}/*",
       "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.trusted_zone_catalog_database.name}/*",
+      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-raw-zone/*",
+      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-refined-zone/*",
+      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-trusted-zone/*",
     ]
   }
 

Original file line number	Diff line number	Diff line change
`@@ -202,6 +202,10 @@ data "aws_iam_policy_document" "read_only_glue_access" {`
`202`	`202`	`"arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.raw_zone_catalog_database.name}/*",`
`203`	`203`	`"arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.refined_zone_catalog_database.name}/*",`
`204`	`204`	`"arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.trusted_zone_catalog_database.name}/*",`
	`205`	`+ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-raw-zone/*",`
	`206`	`+ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-refined-zone/*",`
	`207`	`+ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-trusted-zone/*",`
	`208`	`+`
`205`	`209`	`]`
`206`	`210`	`}`
`207`	`211`
`@@ -585,6 +589,9 @@ data "aws_iam_policy_document" "glue_access" {`
`585`	`589`	`"arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.raw_zone_catalog_database.name}/*",`
`586`	`590`	`"arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.refined_zone_catalog_database.name}/*",`
`587`	`591`	`"arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${aws_glue_catalog_database.trusted_zone_catalog_database.name}/*",`
	`592`	`+ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-raw-zone/*",`
	`593`	`+ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-refined-zone/*",`
	`594`	`+ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/unrestricted-trusted-zone/*",`
`588`	`595`	`]`
`589`	`596`	`}`
`590`	`597`