NRL-1188 use default role policy for glue

jackleary · jackleary · commit 3b35af9e617e · 2024-12-13T16:51:50.000Z
diff --git a/terraform/account-wide-infrastructure/modules/glue/iam.tf b/terraform/account-wide-infrastructure/modules/glue/iam.tf
@@ -15,42 +15,7 @@ resource "aws_iam_role" "glue_service_role" {
   })
 }
 
-resource "aws_iam_role_policy" "glue_service_role_policy" {
-  name = "${var.name_prefix}-glue_service_role_policy"
-  role = aws_iam_role.glue_service_role.name
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : ["s3:CreateBucket"],
-        "Resource" : ["arn:aws:s3:::aws-glue-*"]
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
-        "Resource" : [
-          "arn:aws:s3:::*/*",
-          "arn:aws:s3:::*/*aws-glue-*/*"
-        ]
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : ["s3:GetObject"],
-        "Resource" : [
-          "arn:aws:s3:::crawler-public*",
-          "arn:aws:s3:::aws-glue-*"
-        ]
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "logs:CreateLogGroup",
-          "logs:CreateLogStream",
-          "logs:PutLogEvents"
-        ],
-        "Resource" : ["arn:aws:logs:*:*:*:/aws-glue/*"]
-      }
-    ]
-  })
+resource "aws_iam_role_policy_attachment" "glue_service" {
+  role       = aws_iam_role.glue_service_role.id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
 }
