fix: Glue ETL role permissions

Update the Glue ETL IAM role to allow it to associate a KMS key with the Glue CloudWatch log group.
cds-snc · Nov 12, 2024 · c3eb768 · c3eb768
1 parent c18f773
commit c3eb768
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/terragrunt/aws/glue/iam.tf b/terragrunt/aws/glue/iam.tf
@@ -121,7 +121,9 @@ data "aws_iam_policy_document" "glue_kms" {
       "logs:AssociateKmsKey"
     ]
     resources = [
-      "arn:aws:logs:${var.region}:${var.account_id}:log-group:${local.glue_crawler_log_group_name}:*"
+      "arn:aws:logs:${var.region}:${var.account_id}:log-group:${local.glue_crawler_log_group_name}*",
+      "arn:aws:logs:${var.region}:${var.account_id}:log-group:${local.glue_etl_log_group_name}*",
+      "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws-glue/sessions/*",
     ]
   }
 }

diff --git a/terragrunt/aws/glue/locals.tf b/terragrunt/aws/glue/locals.tf
@@ -1,3 +1,4 @@
 locals {
   glue_crawler_log_group_name = "/aws-glue/crawlers-role${aws_iam_role.glue_crawler.path}${aws_iam_role.glue_crawler.name}-${aws_glue_security_configuration.encryption_at_rest.name}"
+  glue_etl_log_group_name     = "/aws-glue/jobs/${aws_glue_security_configuration.encryption_at_rest.name}-role${aws_iam_role.glue_crawler.path}${aws_iam_role.glue_etl.name}"
 }