# Data Catalog Module

This module simplifies the creation of Data Catalog Policy Tags. Policy Tags can be used to configure BigQuery column-level access.

Note: Data Catalog is still in beta, hence this module currently uses the beta provider.
## Examples

### Simple Taxonomy with policy tags

```hcl
module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low    = {}
    medium = {}
    high   = {}
  }
}
# tftest modules=1 resources=4
```
### Taxonomy with IAM binding

```hcl
module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  tags = {
    low    = {}
    medium = {}
    high = {
      iam = {
        "roles/datacatalog.categoryFineGrainedReader" = [
          "group:GROUP_NAME@example.com"
        ]
      }
    }
  }
  iam = {
    "roles/datacatalog.categoryAdmin" = ["group:GROUP_NAME@example.com"]
  }
  iam_members = {
    am1-admin = {
      member = "user:am1@example.com"
      role   = "roles/datacatalog.categoryAdmin"
    }
  }
}
# tftest modules=1 resources=7
```
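The two examples above create the taxonomy and grant `categoryFineGrainedReader` on the `high` tag, but the tag only enforces anything once it is attached to a BigQuery column. The following is an added example, not part of the module's README or test fixtures, that closes that loop: it reuses the module call and attaches the `high` tag to one column of a table, so only members of the fine-grained reader group can select that column. It assumes that the module's `tags` output is a map keyed by tag name whose values expose an `id` attribute (the full policy tag resource name); the dataset and table names and the `pii-readers@example.com` group are placeholders.

```hcl
# Added example: wire a policy tag produced by the module into a BigQuery
# column schema for column-level access control.
# Assumption: module.cmn-dc.tags["high"].id is the policy tag resource name.

module "cmn-dc" {
  source     = "./fabric/modules/data-catalog-policy-tag"
  name       = "my-datacatalog-policy-tags"
  project_id = "my-project"
  location   = "eu" # must match the region of the datasets that use the tags
  tags = {
    low    = {}
    medium = {}
    high = {
      iam = {
        # Only this group can read columns tagged "high"; other principals
        # with table access get an access-denied error on those columns.
        "roles/datacatalog.categoryFineGrainedReader" = [
          "group:pii-readers@example.com"
        ]
      }
    }
  }
}

resource "google_bigquery_dataset" "customers" {
  project    = "my-project"
  dataset_id = "customers"
  location   = "EU"
}

resource "google_bigquery_table" "profiles" {
  project    = "my-project"
  dataset_id = google_bigquery_dataset.customers.dataset_id
  table_id   = "profiles"

  # Column-level security: the "ssn" column carries the "high" policy tag,
  # the other columns are untagged and follow dataset/table IAM as usual.
  schema = jsonencode([
    { name = "customer_id", type = "STRING", mode = "REQUIRED" },
    { name = "email", type = "STRING", mode = "NULLABLE" },
    {
      name = "ssn"
      type = "STRING"
      mode = "NULLABLE"
      policyTags = {
        names = [module.cmn-dc.tags["high"].id]
      }
    }
  ])
}
```

Keep the taxonomy `location` and the dataset `location` in the same region: a policy tag cannot be attached to a column of a dataset in a different region. Tagging the column does not by itself restrict who can query the table; the table's own IAM still decides that, and the tag only hides the tagged column from principals that lack the fine-grained reader role on it, so both layers need to be reviewed together.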
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| name | Name of this taxonomy. | string | ✓ | |
| project_id | GCP project id. | string | ✓ | |
| activated_policy_types | A list of policy types that are activated for this taxonomy. | list(string) | | ["FINE_GRAINED_ACCESS_CONTROL"] |
| description | Description of this taxonomy. | string | | "Taxonomy - Terraform managed" |
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. | map(list(string)) | | {} |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive | IAM additive bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} |
| iam_members | Individual additive IAM bindings, use this when iam_additive does not work due to dynamic resources. Keys are arbitrary and only used for the internal loop. | map(object({…})) | | {} |
| location | Data Catalog Taxonomy location. | string | | "eu" |
| prefix | Optional prefix used to generate project id and name. | string | | null |
| tags | List of Data Catalog Policy tags to be created with optional IAM binding configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {} |
## Outputs

| name | description | sensitive |
|---|---|:---:|
| id | Fully qualified taxonomy id. | |
| tags | Policy Tags. | |
## TODO

- Support IAM at tag level.
- Support child policy tags.