Creates an IAM policy for use in a data pipeline.
module "data_pipeline_iam_policy" {
source = "dod-iac/data-pipeline-iam-policy/aws"
name = format("app-%s-data-pipeline-%s", var.application, var.environment)
s3_buckets_read = [module.s3_bucket_source.arn]
s3_buckets_write = [module.s3_bucket_destination.arn]
tags = {
Application = var.application
Environment = var.environment
Automation = "Terraform"
}
}Run all terratest tests using the terratest script. If using aws-vault, you could use aws-vault exec $AWS_PROFILE -- terratest. The AWS_DEFAULT_REGION environment variable is required by the tests. Use TT_SKIP_DESTROY=1 to not destroy the infrastructure created during the tests. Use TT_VERBOSE=1 to log all tests as they are run. Use TT_TIMEOUT to set the timeout for the tests, with the value being in the Go format, e.g., 15m. Use TT_TEST_NAME to run a specific test by name.
Terraform 0.13. Pin module version to ~> 1.0.0 . Submit pull-requests to main branch.
Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 3.0, < 5.0 |
| Name | Version |
|---|---|
| aws | >= 3.0, < 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_policy.main | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.main | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| athena_buckets_results | The ARNs of the AWS S3 buckets that store the results of Athena queries. Use ["*"] to allow all buckets. | list(string) |
[] |
no |
| athena_buckets_source | The ARNs of the AWS S3 buckets that store the data being queried through Athena. Use ["*"] to allow all buckets. | list(string) |
[] |
no |
| athena_tables_exec | A list of the Glue tables that can be read from during execution of Athena queries. Use ["*"] to allow all tables. | list(object({ |
[] |
no |
| athena_workgroups_exec | The ARNs of the AWS Athena workgroups that can be executed. Use ["*"] to allow all workgroups. | list(string) |
[] |
no |
| codecommit_repos_pull | The ARNs of the AWS CodeCommit repos that can be pulled. Use ["*"] to allow all repos. | list(string) |
[] |
no |
| codecommit_repos_push | The ARNs of the AWS CodeCommit repos that can be pushed. Use ["*"] to allow all repos. | list(string) |
[] |
no |
| description | The description of the AWS IAM policy. Defaults to "The policy for [NAME]." | string |
"" |
no |
| ecr_repos_read | The ARNs of the AWS ECR repos that can be read from. Use ["*"] to allow all repos. | list(string) |
[] |
no |
| ecr_repos_write | The ARNs of the AWS ECR repos that can be written to. Use ["*"] to allow all repos. | list(string) |
[] |
no |
| glue_tables_add | List of Glue tables that partitions can be added to. | list(object({ |
[] |
no |
| kms_keys_decrypt | The ARNs of the AWS KMS keys that can be used to decrypt data. Use ["*"] to allow all keys. | list(string) |
[] |
no |
| kms_keys_encrypt | The ARNs of the AWS KMS keys that can be used to encrypt data. Use ["*"] to allow all keys. | list(string) |
[] |
no |
| name | The name of the AWS IAM policy. | string |
n/a | yes |
| s3_buckets_read | The ARNs of the AWS S3 buckets that can be read from. Use ["*"] to allow all buckets. | list(string) |
[] |
no |
| s3_buckets_write | The ARNs of the AWS S3 buckets that can be written to. Use ["*"] to allow all buckets. | list(string) |
[] |
no |
| Name | Description |
|---|---|
| arn | The Amazon Resource Name (ARN) of the AWS IAM policy. |
| id | The id of the AWS IAM policy. |
| name | The name of the AWS IAM policy. |