dod-iac/terraform-aws-data-pipeline-iam-policy-document

Usage

Creates an IAM policy document for use in a data pipeline.

module "data_pipeline_iam_policy_document" {
  source = "dod-iac/data-pipeline-iam-policy-document/aws"

  s3_buckets_read  = [module.s3_bucket_source.arn]
  s3_buckets_write = [module.s3_bucket_destination.arn]
}
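A fuller wiring of the module into a role, scoping every grant to specific ARNs rather than the ["*"] escape hatch, as an added example that is not part of the module's own documentation. The bucket, KMS key, Athena workgroup, Glue, log group and role resources it references (aws_s3_bucket.source, aws_iam_role.data_pipeline, and so on) are hypothetical names assumed to be defined elsewhere in the configuration.

```hcl
# Added example; assumes the referenced resources exist under these
# hypothetical names elsewhere in the configuration.
module "data_pipeline_iam_policy_document" {
  source  = "dod-iac/data-pipeline-iam-policy-document/aws"
  version = "~> 1.0.0"

  # Each input accepts ["*"], but that widens the grant to every resource
  # of that type in the account; pass concrete ARNs instead.
  s3_buckets_read  = [aws_s3_bucket.source.arn]
  s3_buckets_write = [aws_s3_bucket.destination.arn]

  kms_keys_decrypt = [aws_kms_key.source.arn]
  kms_keys_encrypt = [aws_kms_key.destination.arn]

  athena_workgroups_exec = [aws_athena_workgroup.pipeline.arn]
  athena_buckets_source  = [aws_s3_bucket.source.arn]
  athena_buckets_results = [aws_s3_bucket.athena_results.arn]
  athena_tables_exec = [{
    database = aws_glue_catalog_database.pipeline.name
    table    = aws_glue_catalog_table.events.name
  }]

  # Only the table the pipeline loads may receive new partitions.
  glue_tables_add = [{
    database = aws_glue_catalog_database.pipeline.name
    table    = aws_glue_catalog_table.events.name
  }]

  cloudwatch_log_groups_write = [aws_cloudwatch_log_group.pipeline.arn]
}

# The module only renders the document; it is attached here as a managed
# policy on the pipeline's execution role.
resource "aws_iam_policy" "data_pipeline" {
  name   = "data-pipeline"
  policy = module.data_pipeline_iam_policy_document.json
}

resource "aws_iam_role_policy_attachment" "data_pipeline" {
  role       = aws_iam_role.data_pipeline.name
  policy_arn = aws_iam_policy.data_pipeline.arn
}
```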

Testing

Run all terratest tests using the terratest script. If using aws-vault, you could use aws-vault exec $AWS_PROFILE -- terratest. The AWS_DEFAULT_REGION environment variable is required by the tests. Use TT_SKIP_DESTROY=1 to not destroy the infrastructure created during the tests. Use TT_VERBOSE=1 to log all tests as they are run. Use TT_TIMEOUT to set the timeout for the tests, with the value being in the Go format, e.g., 15m. Use TT_TEST_NAME to run a specific test by name.

Terraform Version

Terraform 0.13. Pin the module version to ~> 1.0.0. Submit pull requests to the main branch.

Terraform 0.11 and 0.12 are not supported.

License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 3.0, < 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.0, < 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_caller_identity.current | data source |
| aws_iam_policy_document.main | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| athena_buckets_results | The ARNs of the AWS S3 buckets that store the results of Athena queries. Use ["*"] to allow all buckets. | list(string) | [] | no |
| athena_buckets_source | The ARNs of the AWS S3 buckets that store the data being queried through Athena. Use ["*"] to allow all buckets. | list(string) | [] | no |
| athena_tables_exec | A list of the Glue tables that can be read from during execution of Athena queries. Use ["*"] to allow all tables. | list(object({ database = string, table = string })) | [] | no |
| athena_workgroups_exec | The ARNs of the AWS Athena workgroups that can be executed. Use ["*"] to allow all workgroups. | list(string) | [] | no |
| cloudwatch_log_groups_write | The ARNs of the AWS CloudWatch log groups that events can be written into. Use ["*"] to allow all log groups. | list(string) | [] | no |
| codecommit_repos_pull | The ARNs of the AWS CodeCommit repos that can be pulled. Use ["*"] to allow all repos. | list(string) | [] | no |
| codecommit_repos_push | The ARNs of the AWS CodeCommit repos that can be pushed. Use ["*"] to allow all repos. | list(string) | [] | no |
| ec2_networkinterfaces_manage | Allows creating, deleting, and attaching network interfaces. | bool | false | no |
| ecr_repos_read | The ARNs of the AWS ECR repos that can be read from. Use ["*"] to allow all repos. | list(string) | [] | no |
| ecr_repos_write | The ARNs of the AWS ECR repos that can be written to. Use ["*"] to allow all repos. | list(string) | [] | no |
| ecs_tasks_run | The list of ARNs for ECS task definitions and the ECS clusters where they can be run. Either clusters or task_definitions can be set to ["*"] to allow all. | list(object({ clusters = list(string), task_definitions = list(string) })) | [] | no |
| glue_tables_add | List of Glue tables that partitions can be added to. | list(object({ database = string, table = string })) | [] | no |
| iam_roles_pass | The ARNs of the IAM roles that can be passed. Use ["*"] to allow all roles to be passed. | list(string) | [] | no |
| kms_keys_decrypt | The ARNs of the AWS KMS keys that can be used to decrypt data. Use ["*"] to allow all keys. | list(string) | [] | no |
| kms_keys_encrypt | The ARNs of the AWS KMS keys that can be used to encrypt data. Use ["*"] to allow all keys. | list(string) | [] | no |
| s3_buckets_read | The ARNs of the AWS S3 buckets that can be read from. Use ["*"] to allow all buckets. | list(string) | [] | no |
| s3_buckets_write | The ARNs of the AWS S3 buckets that can be written to. Use ["*"] to allow all buckets. | list(string) | [] | no |
| sqs_queues_receive | The ARNs of the AWS SQS queues that messages can be received from. Also grants the permission to delete messages. Use ["*"] to allow all queues. | list(string) | [] | no |
| sqs_queues_send | The ARNs of the AWS SQS queues that messages can be sent to. Use ["*"] to allow all queues. | list(string) | [] | no |

Outputs

| Name | Description |
|------|-------------|
| json | The rendered JSON of the policy document. |