Skip to content

Commit f049fd4

Browse files
timburke-hackittimburke-hackit
committed
add glue sso block
1 parent 04acc9a commit f049fd4

File tree

1 file changed

+102
-0
lines changed

1 file changed

+102
-0
lines changed

terraform/modules/department/50-aws-iam-policies.tf

Lines changed: 102 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -588,6 +588,108 @@ resource "aws_iam_policy" "glue_access" {
588588
policy = data.aws_iam_policy_document.glue_access.json
589589
}
590590

591+
data "aws_iam_policy_document" "glue_access_sso" {
592+
statement {
593+
effect = "Allow"
594+
actions = [
595+
"athena:*",
596+
"logs:DescribeLogGroups",
597+
"tag:GetResources",
598+
"iam:ListRoles",
599+
]
600+
resources = ["*"]
601+
}
602+
603+
statement {
604+
effect = "Allow"
605+
actions = [
606+
"logs:FilterLogEvents",
607+
"logs:DescribeLogStreams",
608+
"logs:GetLogEvents"
609+
]
610+
resources = [
611+
"arn:aws:logs:*:*:/aws-glue/*"
612+
]
613+
}
614+
615+
statement {
616+
sid = "RolePermissions"
617+
effect = "Allow"
618+
actions = [
619+
"iam:GetRole",
620+
]
621+
resources = [
622+
aws_iam_role.glue_agent.arn
623+
]
624+
}
625+
626+
// Glue Access
627+
statement {
628+
sid = "AwsGlue"
629+
actions = [
630+
"glue:Batch*",
631+
"glue:CheckSchemaVersionValidity",
632+
"glue:CreateDevEndpoint",
633+
"glue:CreateJob",
634+
"glue:CreateScript",
635+
"glue:CreateSession",
636+
"glue:CreatePartition",
637+
"glue:DeleteDevEndpoint",
638+
"glue:DeleteJob",
639+
"glue:DeleteTrigger",
640+
"glue:Get*",
641+
"glue:List*",
642+
"glue:ResetJobBookmark",
643+
"glue:SearchTables",
644+
"glue:StartCrawler",
645+
"glue:StartCrawlerSchedule",
646+
"glue:StartExportLabelsTaskRun",
647+
"glue:StartImportLabelsTaskRun",
648+
"glue:StartJobRun",
649+
"glue:StartWorkflowRun",
650+
"glue:StopCrawler",
651+
"glue:StopCrawlerSchedule",
652+
"glue:StopTrigger",
653+
"glue:StopWorkflowRun",
654+
"glue:TagResource",
655+
"glue:UpdateDevEndpoint",
656+
"glue:UpdateJob",
657+
"glue:UpdateTable",
658+
"glue:CreateTable",
659+
"glue:DeleteTable",
660+
"glue:GetTableVersions",
661+
"glue:GetTable",
662+
"glue:GetTables",
663+
"glue:GetDatabase",
664+
"glue:GetDatabases",
665+
"glue:Query*",
666+
]
667+
resources = flatten([
668+
["arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"],
669+
[for db in local.common_department_databases : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${db}"],
670+
[for db in local.common_department_databases : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${db}/*"]
671+
])
672+
}
673+
674+
dynamic "statement" {
675+
for_each = {
676+
read_only = var.additional_glue_database_access.read_only
677+
read_write = var.additional_glue_database_access.read_write
678+
}
679+
iterator = access_level
680+
content {
681+
sid = "AdditionalGlueDatabaseFullAccess${title(replace(access_level.key, "_", ""))}"
682+
effect = "Allow"
683+
actions = local.glue_access_presets[access_level.key]
684+
resources = length(access_level.value) > 0 ? flatten([
685+
["arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"],
686+
[for db in access_level.value : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${db}"],
687+
[for db in access_level.value : "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${db}/*"]
688+
]) : []
689+
}
690+
}
691+
}
692+
591693
// Read only Secrets policy
592694
data "aws_iam_policy_document" "secrets_manager_read_only" {
593695
statement {

0 commit comments

Comments
 (0)