Creates an IAM policy that allows use of AWS Athena.

Usage:

```hcl
module "athena_iam_policy" {
  source         = "dod-iac/athena-iam-policy/aws"
  databases      = [aws_glue_catalog_database.main.arn]
  name           = format("%s-athena-user-%s", var.application, var.environment)
  result_buckets = [aws_s3_bucket.results.arn]
  require_mfa    = true
  source_buckets = [aws_s3_bucket.source.arn]
  source_keys    = ["*"]
  workgroups     = [aws_athena_workgroup.main.arn]
}
```
Requires Terraform 0.13. Pin the module version to `~> 1.0.0`. Submit pull requests to the master branch.

Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
Requirements:

Name | Version |
---|---|
terraform | >= 0.12 |
aws | >= 2.55.0 |
Providers:

Name | Version |
---|---|
aws | >= 2.55.0 |
No modules.
Resources:

Name | Type |
---|---|
aws_iam_policy.main | resource |
aws_caller_identity.current | data source |
aws_iam_account_alias.current | data source |
aws_iam_policy_document.main | data source |
aws_partition.current | data source |
aws_region.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
allow_delete_named_query | If true, allows the deletion of named queries. | bool | false | no |
databases | The ARNs of the databases that can be used. Use `["*"]` to allow all databases. | list(string) | n/a | yes |
description | The description of the AWS IAM policy. Defaults to "The policy for [NAME]." | string | "" | no |
name | The name of the AWS IAM policy. | string | n/a | yes |
require_mfa | If true, actions require multi-factor authentication. | string | n/a | yes |
result_buckets | The ARNs of the AWS S3 buckets that store the results of the Athena queries. Use `["*"]` to allow all buckets. | list(string) | n/a | yes |
source_buckets | The ARNs of the AWS S3 buckets that store the source data. Use `["*"]` to allow all buckets. | list(string) | n/a | yes |
source_keys | The ARNs of the AWS KMS keys that can be used to decrypt source data files. Use `["*"]` to allow all keys. | list(string) | [] | no |
workgroups | The ARNs of the AWS Athena workgroups that can be used. Use `["*"]` to allow all workgroups. | list(string) | n/a | yes |
Outputs:

Name | Description |
---|---|
arn | The Amazon Resource Name (ARN) of the AWS IAM policy. |
id | The id of the AWS IAM policy. |
name | The name of the AWS IAM policy. |
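The usage snippet above references resources it does not define and never consumes the module's outputs. The following complete root configuration is an added example, not code from the dod-iac project: it creates the Glue database, source and result buckets, a KMS key and a workgroup, passes them to the module with no `["*"]` wildcards (the KMS key is scoped to one key rather than `["*"]`, and `require_mfa` stays on), and attaches the policy to an IAM group through the documented `arn` output. The region, bucket names, variable defaults and the `athena_users` group are assumptions chosen for illustration.

```hcl
terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 2.55.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region; adjust for your deployment
}

# Assumed values; in a real deployment these come from tfvars or a wrapper module.
variable "application" {
  type    = string
  default = "example-app"
}

variable "environment" {
  type    = string
  default = "dev"
}

# Source data, query results, and the Glue database the queries run against.
resource "aws_s3_bucket" "source" {
  bucket = format("%s-%s-athena-source", var.application, var.environment)
}

resource "aws_s3_bucket" "results" {
  bucket = format("%s-%s-athena-results", var.application, var.environment)
}

# A dedicated key for source data so the policy can name it instead of using ["*"].
resource "aws_kms_key" "source" {
  description = "Encrypts Athena source data"
}

resource "aws_glue_catalog_database" "main" {
  name = format("%s_%s", var.application, var.environment)
}

# Enforcing the workgroup configuration keeps results in the results bucket
# regardless of what an individual query requests.
resource "aws_athena_workgroup" "main" {
  name = format("%s-%s", var.application, var.environment)
  configuration {
    enforce_workgroup_configuration = true
    result_configuration {
      output_location = format("s3://%s/", aws_s3_bucket.results.bucket)
    }
  }
}

module "athena_iam_policy" {
  source  = "dod-iac/athena-iam-policy/aws"
  version = "~> 1.0.0"

  name                     = format("%s-athena-user-%s", var.application, var.environment)
  databases                = [aws_glue_catalog_database.main.arn]
  workgroups               = [aws_athena_workgroup.main.arn]
  source_buckets           = [aws_s3_bucket.source.arn]
  source_keys              = [aws_kms_key.source.arn] # one named key, not ["*"]
  result_buckets           = [aws_s3_bucket.results.arn]
  require_mfa              = true
  allow_delete_named_query = false
}

# Assumed group: attach the policy to a group so analysts inherit it,
# consuming the module's documented `arn` output.
resource "aws_iam_group" "athena_users" {
  name = format("%s-athena-users-%s", var.application, var.environment)
}

resource "aws_iam_group_policy_attachment" "athena_users" {
  group      = aws_iam_group.athena_users.name
  policy_arn = module.athena_iam_policy.arn
}

output "athena_policy_name" {
  value = module.athena_iam_policy.name
}
```

Running `terraform init` then `terraform plan` in a directory containing this file shows the six resources plus the module's `aws_iam_policy.main`; reviewing the planned policy document is the point at which to confirm that every `Resource` entry names a specific ARN from this configuration rather than `*`.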