Add account-wide encryption to the Glue Catalog
Resources:
module "glue_kms_key" {
source = "dod-iac/glue-kms-key/aws"
name = format("alias/app-%s-glue-%s", var.application, var.environment)
tags = {
Application = var.application
Environment = var.environment
Automation = "Terraform"
}
}
module "glue_data_catalog_encryption" {
source = "dod-iac/glue-data_catalog-encryption/aws"
aws_kms_key_arn = module.glue_kms_key.aws_kms_key_arn
}Now when you define a crawler or a job, The IAM role that you provide in the definition must have these AWS KMS permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "ARN-of-key-used-to-encrypt-data-catalog"
}
]
}Terraform 0.13. Pin module version to ~> 1.0.0 . Submit pull-requests to master branch.
Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
Install dependencies (macOS)
brew install pre-commit terraform terraform-docs
pre-commit install --install-hooks| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | ~> 3.0 |
| Name | Version |
|---|---|
| aws | ~> 3.0 |
No modules.
| Name | Type |
|---|---|
| aws_glue_data_catalog_encryption_settings.main | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_kms_key_arn | The Amazon Resource Name (ARN) of the key | string |
n/a | yes |
| Name | Description |
|---|---|
| glue_catalog_id | The AWS Glue Catalog ID. |