So I have an I am policy and i want to be able to reference my athena workgroup arn as part of the principals section in my policy.
Am not sure what the correct approach is for this. So far I have the following in my outputs.tf
output "workgroup_arn" {
description = "arn of newly created Athena workgroup."
value = aws_athena_workgroup.athena_workgroup.arn
}
My IAM policy as as follows :
statement {
sid = ""
effect = "Allow"
resources = ["*"]
actions = [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*",
]
principals {
type = "AWS"
identifiers = [ARN OF WORKGROUP]
}
}
Essentially for aws_athena_workgroup I am setting up encryption_configuration using KMS. I realised an IAM policy is needed so am assuming the identifiers here will be the arn of the athena workgroup.
>Solution :
If all the elements (i.e., the IAM policy and the Athena workgroup) are in the same directory, there is no need to reference outputs, rather the attributes exported by the resource can be used (aws_athena_workgroup):
resource "aws_athena_workgroup" "athena_workgroup" {
.
.
.
}
Then, in the policy, you would just reference the ARN attribute like this:
statement {
sid = ""
effect = "Allow"
resources = ["*"]
actions = [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*",
]
principals {
type = "AWS"
identifiers = [aws_athena_workgroup.athena_workgroup.arn]
}
}