fix: update Superset access to Glue catalog (#27)

Update the data catalog's resource policy to limit Superset to only accessing specific databases and tables.
cds-snc · Nov 15, 2024 · f966912 · f966912
1 parent 5d3c297
commit f966912
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/terragrunt/aws/glue/iam.tf b/terragrunt/aws/glue/iam.tf
@@ -25,7 +25,11 @@ data "aws_iam_policy_document" "cross_account_access" {
       "glue:GetTableVersion",
       "glue:GetTableVersions"
     ]
-    resources = ["arn:aws:glue:${var.region}:${var.account_id}:*"]
+    resources = [
+      "arn:aws:glue:${var.region}:${var.account_id}:catalog",
+      "arn:aws:glue:${var.region}:${var.account_id}:database/${aws_glue_catalog_database.operations_aws_production.name}",
+      "arn:aws:glue:${var.region}:${var.account_id}:table/${aws_glue_catalog_database.operations_aws_production.name}/*"
+    ]
   }
 }