# Data Catalog Module

This module simplifies the creation of Data Catalog Policy Tags. Policy Tags can be used to configure BigQuery column-level access.

Note: Data Catalog is still in beta, hence this module currently uses the beta provider.
## Examples

### Simple Taxonomy with policy tags

```hcl
module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low = null, medium = null, high = null
  }
}
# tftest modules=1 resources=4
```
### Taxonomy with IAM binding

```hcl
module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low    = null
    medium = null
    high   = { "roles/datacatalog.categoryFineGrainedReader" = ["group:GROUP_NAME@example.com"] }
  }
  iam = {
    "roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"]
  }
}
# tftest modules=1 resources=6
```
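The two examples above show the module call but not what it creates or how a policy tag actually restricts a column. The following added example (not part of this module or its README) writes the equivalent resources directly against the `google-beta` provider, then attaches the `high` tag to a BigQuery column so the fine-grained reader binding is enforced at query time. The taxonomy, tag names and IAM members mirror the "Taxonomy with IAM binding" example; the provider block, the `hr_dataset` dataset, the `employees` table and its columns are assumptions made for illustration.

```hcl
# Added example: the beta-provider resources the module wraps, plus a BigQuery
# table that applies the "high" policy tag to a sensitive column.
# Assumed values: project "my-project", region "eu", dataset "hr_dataset",
# table "employees", group "GROUP_NAME@example.com".
terraform {
  required_providers {
    google-beta = {
      source = "hashicorp/google-beta"
    }
  }
}

provider "google-beta" {
  project = "my-project"
  region  = "eu"
}

# Taxonomy with fine-grained access control enabled (the module's default
# for activated_policy_types).
resource "google_data_catalog_taxonomy" "tax" {
  provider               = google-beta
  display_name           = "my-datacatalog-policy-tags"
  description            = "Taxonomy - Terraform managed"
  region                 = "eu"
  activated_policy_types = ["FINE_GRAINED_ACCESS_CONTROL"]
}

# One policy tag per sensitivity level, mirroring tags = { low, medium, high }.
resource "google_data_catalog_policy_tag" "level" {
  for_each     = toset(["low", "medium", "high"])
  provider     = google-beta
  taxonomy     = google_data_catalog_taxonomy.tax.id
  display_name = each.key
}

# Tag-level binding: only members of this group may read columns tagged "high".
resource "google_data_catalog_policy_tag_iam_member" "high_reader" {
  provider   = google-beta
  policy_tag = google_data_catalog_policy_tag.level["high"].name
  role       = "roles/datacatalog.categoryFineGrainedReader"
  member     = "group:GROUP_NAME@example.com"
}

# Taxonomy-level binding, equivalent to the module's iam variable.
resource "google_data_catalog_taxonomy_iam_member" "admin" {
  provider = google-beta
  taxonomy = google_data_catalog_taxonomy.tax.name
  role     = "roles/datacatalog.categoryAdmin"
  member   = "group:GROUP_NAME@example.com"
}

resource "google_bigquery_dataset" "hr" {
  provider   = google-beta
  dataset_id = "hr_dataset"
  location   = "EU"
}

# The salary column carries the "high" policy tag. BigQuery enforces the tag:
# a principal without categoryFineGrainedReader on that tag can still query the
# untagged columns, but any query that selects "salary" is rejected with a
# permission error (dataset/table access alone is not enough).
resource "google_bigquery_table" "employees" {
  provider   = google-beta
  dataset_id = google_bigquery_dataset.hr.dataset_id
  table_id   = "employees"
  schema = jsonencode([
    { name = "employee_id", type = "STRING", mode = "REQUIRED" },
    { name = "department", type = "STRING", mode = "NULLABLE" },
    {
      name       = "salary"
      type       = "NUMERIC"
      mode       = "NULLABLE"
      policyTags = { names = [google_data_catalog_policy_tag.level["high"].name] }
    }
  ])
}
```

The `policyTags.names` entry in the column schema must be the tag's full resource name (`projects/.../locations/.../taxonomies/.../policyTags/...`), which is what the `name` attribute of `google_data_catalog_policy_tag` returns. When using the module instead of the raw resources, the same value has to come from the module's outputs; those are not documented on this page, so the example references the resource attribute directly.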
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| name | Name of this taxonomy. | string | ✓ | |
| project_id | GCP project id. | | ✓ | |
| activated_policy_types | A list of policy types that are activated for this taxonomy. | list(string) | | ["FINE_GRAINED_ACCESS_CONTROL"] |
| description | Description of this taxonomy. | string | | "Taxonomy - Terraform managed" |
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. | map(list(string)) | | {} |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive | IAM additive bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} |
| location | Data Catalog Taxonomy location. | string | | "eu" |
| prefix | Optional prefix used to generate project id and name. | string | | null |
| tags | List of Data Catalog Policy tags to be created with optional IAM binding configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
## Outputs

## TODO

- Support IAM at tag level.
- Support child policy tags.