From 56dd5f913b0ba4f836077c550f590b849cdd18aa Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Tue, 12 Nov 2024 19:17:33 +0000
Subject: [PATCH] fix: Glue ETL role permissions

Update the Glue ETL IAM role to allow it to associate a KMS key with the Glue CloudWatch log group.
---
 terragrunt/aws/glue/iam.tf | 3 ++-
 terragrunt/aws/glue/locals.tf | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/terragrunt/aws/glue/iam.tf b/terragrunt/aws/glue/iam.tf
index 48741b5..781b879 100644
--- a/terragrunt/aws/glue/iam.tf
+++ b/terragrunt/aws/glue/iam.tf
@@ -121,7 +121,8 @@ data "aws_iam_policy_document" "glue_kms" {
 "logs:AssociateKmsKey"
 ]
 resources = [
- "arn:aws:logs:${var.region}:${var.account_id}:log-group:${local.glue_crawler_log_group_name}:*"
+ "arn:aws:logs:${var.region}:${var.account_id}:log-group:${local.glue_crawler_log_group_name}:*",
+ "arn:aws:logs:${var.region}:${var.account_id}:log-group:${local.glue_etl_log_group_name}"
 ]
 }
 }
diff --git a/terragrunt/aws/glue/locals.tf b/terragrunt/aws/glue/locals.tf
index 5e5663b..f1e3bef 100644
--- a/terragrunt/aws/glue/locals.tf
+++ b/terragrunt/aws/glue/locals.tf
@@ -1,3 +1,4 @@
 locals {
 glue_crawler_log_group_name = "/aws-glue/crawlers-role${aws_iam_role.glue_crawler.path}${aws_iam_role.glue_crawler.name}-${aws_glue_security_configuration.encryption_at_rest.name}"
+ glue_etl_log_group_name = "/aws-glue/sessions/*"
 }
\ No newline at end of file
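Review bot: The new resource line in the `glue_kms` statement grants `logs:AssociateKmsKey` on every log group under the `/aws-glue/sessions/` prefix in the account, because `local.glue_etl_log_group_name` (added in the locals.tf hunk) is the wildcard `"/aws-glue/sessions/*"`, whereas the crawler entry beside it is pinned to a single log group derived from the role path, role name and security configuration. If the log groups this role writes are equally predictable, scope the ETL entry the same way; if they are created per session and cannot be known before apply, say so on the new line, e.g. `# session log groups are created per session, so only the prefix is known up front — TODO confirm`, so the next reader can judge the blast radius of the wildcard. The commit title says "ETL role" but the prefix is the sessions one; if this role runs Glue jobs rather than interactive sessions their log groups may sit under a different prefix (`/aws-glue/jobs/`, for example), so confirm the prefix against the log groups actually being created. The two ARNs are also written inconsistently — the crawler one ends in `:*` and the new one does not — which reads as an oversight even though the `*` inside the name already matches any suffix; either add the `:*` for symmetry or note why it is omitted. The `glue_kms` policy document starts before this hunk, so any other actions it combines with these resources are not visible here.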
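Review bot: The new local is named `glue_etl_log_group_name` but its value is a `/aws-glue/sessions/*` prefix, so the name promises a single ETL log group while the value is a wildcard over session log groups; either rename it to something like `glue_session_log_group_prefix` or add a one-line comment above it stating that it is deliberately a prefix pattern consumed as an IAM resource wildcard. The file still ends without a trailing newline (`\ No newline at end of file` on the closing `}`), which `terraform fmt` would fix along with aligning the `=` of the two locals, if the collapsed rendering here is hiding a misalignment. Running `terraform fmt` on this file before merging would settle both.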