diff --git a/examples/volume-and-s3-table-access/main.tf b/examples/volume-and-s3-table-access/main.tf
new file mode 100644
index 0000000..ca55caa
--- /dev/null
+++ b/examples/volume-and-s3-table-access/main.tf
@@ -0,0 +1,18 @@
+module "sn_managed_cloud_access_bucket" {
+ source = "../../modules/aws/volume-access"
+
+ external_id = "max"
+ role = "sn-ursa-accoss-account"
+ buckets = [
+ ]
+
+ account_ids = [
+ ]
+}
+
+module "sn_managed_cloud_access_s3_table" {
+ source = "../../modules/aws/s3-table-access"
+ role = module.sn_managed_cloud_access_bucket.role
+ s3_tables = []
+ depends_on = [module.sn_managed_cloud_access_bucket]
+}
\ No newline at end of file
diff --git a/modules/aws/s3-table-access/main.tf b/modules/aws/s3-table-access/main.tf
new file mode 100644
index 0000000..f4b5f75
--- /dev/null
+++ b/modules/aws/s3-table-access/main.tf
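Review bot: `external_id = "max"` in the `sn_managed_cloud_access_bucket` block is a trivially guessable value for what, judging by the module name and the `account_ids` input, is the ExternalId of a cross-account trust relationship; examples get copied verbatim, so it should be an obvious placeholder with a comment that the real value must be unique and unguessable, e.g. `external_id = "<replace-with-a-random-external-id>" # confused-deputy guard, do not reuse across customers`. The role name `sn-ursa-accoss-account` looks like a typo for `sn-ursa-access-account`. I cannot see the volume-access module's trust policy from here, so whether an empty `account_ids` list still yields a usable (and not overly permissive) trust policy is worth confirming before this ships as the reference example. The `depends_on` on the second module is only needed because the upstream `role` output echoes `var.role` instead of the created role resource; if that output were changed to reference the resource, this line could go.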
@@ -0,0 +1,51 @@
+data "aws_caller_identity" "current" {}
+locals {
+ s3_tables_resource = distinct([for item in var.s3_tables : endswith(item, "/*") ? "${item}" : "${item}/*"])
+ tag_set = merge({ Vendor = "StreamNative", Module = "StreamNative Volume", SNVersion = var.sn_policy_version }, var.tags)
+}
+
+######
+#-- Create the IAM role inline policy for the the StreamNative Cloud access to s3 table
+######
+resource "aws_iam_role_policy" "s3_access_policy" {
+ name = var.role
+ role = var.role
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Sid" : "LakeFormationPermissionsForS3ListTableBucket",
+ "Effect" : "Allow",
+ "Action" : [
+ "s3tables:ListTableBuckets"
+ ],
+ "Resource" : [
+ "*"
+ ]
+ },
+ {
+ "Sid" : "LakeFormationDataAccessPermissionsForS3TableBucket",
+ "Effect" : "Allow",
+ "Action" : [
+ "s3tables:CreateTableBucket",
+ "s3tables:GetTableBucket",
+ "s3tables:CreateNamespace",
+ "s3tables:GetNamespace",
+ "s3tables:ListNamespaces",
+ "s3tables:DeleteNamespace",
+ "s3tables:DeleteTableBucket",
+ "s3tables:CreateTable",
+ "s3tables:DeleteTable",
+ "s3tables:GetTable",
+ "s3tables:ListTables",
+ "s3tables:RenameTable",
+ "s3tables:UpdateTableMetadataLocation",
+ "s3tables:GetTableMetadataLocation",
+ "s3tables:GetTableData",
+ "s3tables:PutTableData"
+ ],
+ "Resource" : local.s3_tables_resource
+ }
+ ]
+ })
+}
\ No newline at end of file
diff --git a/modules/aws/s3-table-access/variables.tf b/modules/aws/s3-table-access/variables.tf
new file mode 100644
index 0000000..87f9894
--- /dev/null
+++ b/modules/aws/s3-table-access/variables.tf
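Review bot: `local.s3_tables_resource` unconditionally appends `/*` to every entry, so a table-bucket ARN supplied as `arn:aws:s3tables:REGION:ACCOUNT:bucket/NAME` becomes `.../bucket/NAME/*`, which (as far as I can tell from the s3tables ARN scheme, where the bucket itself is `bucket/NAME` and tables live under `bucket/NAME/table/…`) matches the tables but not the bucket resource, leaving the bucket-level actions in the second statement (`GetTableBucket`, `DeleteTableBucket`, `CreateNamespace`, `ListTables`, …) without a matching resource; emitting both the bare ARN and the `/*` form, as below, covers both levels, and the same rewrite also stops a bare `*` entry from silently becoming the wildcard `*/*`. With the variable's default `s3_tables = []` the statement is rendered with an empty `Resource` list, which IAM rejects at apply time, so either a `validation` block on `var.s3_tables` or a `count = length(var.s3_tables) > 0 ? 1 : 0` on the policy is needed to fail early with a clear message. From a least-privilege standpoint the second statement bundles destructive actions (`DeleteTableBucket`, `DeleteNamespace`, `DeleteTable`) with read/write data access; splitting them into a separate Sid gated by a boolean variable would let operators grant data access without delete rights. `data "aws_caller_identity" "current"` is declared but never referenced, and the header comment has a doubled word: `#-- Create the IAM role inline policy for the StreamNative Cloud access to S3 Tables`.
```hcl
locals {
  # Accept either a bare table-bucket ARN or one already suffixed with "/*",
  # and grant on both the bucket itself and everything beneath it.
  s3_tables_resource = distinct(flatten([
    for item in var.s3_tables : [
      trimsuffix(item, "/*"),
      "${trimsuffix(item, "/*")}/*",
    ]
  ]))
  # … unchanged: tag_set …
}
```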
@@ -0,0 +1,22 @@
+variable "sn_policy_version" {
+ description = "The value of SNVersion tag"
+ default = "3.16.1" # {{ x-release-please-version }}
+ type = string
+}
+
+variable "tags" {
+ default = {}
+ description = "Extra tags to apply to the resources created by this module."
+ type = map(string)
+}
+
+variable "s3_tables" {
+ default = []
+ description = "User s3 tables and path name"
+ type = list(string)
+}
+
+variable "role" {
+ description = "Your aws iam role for access s3 bucket"
+ type = string
+}
diff --git a/modules/aws/s3-table-access/versions.tf b/modules/aws/s3-table-access/versions.tf
new file mode 100644
index 0000000..720774c
--- /dev/null
+++ b/modules/aws/s3-table-access/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.30"
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/aws/volume-access/main.tf b/modules/aws/volume-access/main.tf
index 17785d8..666ce9c 100644
--- a/modules/aws/volume-access/main.tf
+++ b/modules/aws/volume-access/main.tf
@@ -76,4 +76,9 @@ resource "aws_iam_role" "access_bucket_role" {
 path = "/StreamNative/"
 tags = local.tag_set
 max_session_duration = 43200
+}
+
+output "role" {
+ value = var.role
+ description = "role name"
 }
\ No newline at end of file
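Review bot: The `s3_tables` description `User s3 tables and path name` does not tell the caller what shape of value lands in the IAM policy, and the `role` description `Your aws iam role for access s3 bucket` is copied from the bucket module; suggest `description = "List of S3 Tables table-bucket ARNs (arn:aws:s3tables:REGION:ACCOUNT:bucket/NAME) this role may access; each entry is used as a prefix and receives a /* suffix in the generated policy."` and `description = "Name of the existing IAM role to attach the S3 Tables inline policy to."`. Because every entry becomes an IAM `Resource`, a `validation` block with `condition = alltrue([for t in var.s3_tables : startswith(t, "arn:")])` would reject plain names and a stray `*` (which would otherwise broaden the data-access statement to a wildcard) before apply. The `[]` default cannot produce a valid policy on its own, so either drop the default to make the input required or state in the description that at least one ARN must be supplied.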
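Review bot: The new `output "role"` returns `var.role` rather than the created resource, so a caller wiring `module.x.role` into another module gets no dependency on the role actually existing and has to add a manual `depends_on` (as the new example does); `value = aws_iam_role.access_bucket_role.name` fixes the ordering and, presumably `var.role` is what feeds the resource's `name` (that line is outside the hunk), also reflects the real name should they ever diverge. An `arn` output (`value = aws_iam_role.access_bucket_role.arn`) alongside it would let callers reference the role in trust or resource policies without reconstructing the ARN by hand. The description `role name` could say `"Name of the IAM role created by this module; use it to attach additional inline policies."`. The enclosing `aws_iam_role.access_bucket_role` resource starts before this hunk.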