Resource: awsGlueDataCatalogEncryptionSettings

Provides a Glue Data Catalog Encryption Settings resource.

Example Usage

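/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

class ExampleStack extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    // aws_kms_key.test refers to a KMS key resource assumed to be defined elsewhere in the stack.
    new aws.glueDataCatalogEncryptionSettings.GlueDataCatalogEncryptionSettings(
      this,
      "example",
      {
        dataCatalogEncryptionSettings: {
          // Keep connection passwords encrypted in GetConnection/GetConnections responses.
          connectionPasswordEncryption: {
            awsKmsKeyId: "${aws_kms_key.test.arn}",
            returnConnectionPasswordEncrypted: true,
          },
          // Encrypt Data Catalog data at rest with the same KMS key.
          encryptionAtRest: {
            catalogEncryptionMode: "SSE-KMS",
            sseAwsKmsKeyId: "${aws_kms_key.test.arn}",
          },
        },
      }
    );
  }
}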

Argument Reference

The following arguments are supported:

  • dataCatalogEncryptionSettings - (Required) The security configuration to set. See Data Catalog Encryption Settings.
  • catalogId - (Optional) The ID of the Data Catalog to set the security configuration for. If none is provided, the AWS account ID is used by default.

dataCatalogEncryptionSettings

  • connectionPasswordEncryption - (Required) When connection password protection is enabled, the Data Catalog uses a customer-provided key to encrypt the password as part of CreateConnection or UpdateConnection and store it in the ENCRYPTED_PASSWORD field in the connection properties. You can enable catalog encryption or only password encryption. See Connection Password Encryption.
  • encryptionAtRest - (Required) Specifies the encryption-at-rest configuration for the Data Catalog. See Encryption At Rest.

connectionPasswordEncryption

  • returnConnectionPasswordEncrypted - (Required) When set to true, passwords remain encrypted in the responses of GetConnection and GetConnections. This encryption takes effect independently of the catalog encryption.
  • awsKmsKeyId - (Optional) A KMS key ARN that is used to encrypt the connection password. If connection password protection is enabled, the caller of CreateConnection and UpdateConnection needs at least kms:Encrypt permission on the specified AWS KMS key, to encrypt passwords before storing them in the Data Catalog.

encryptionAtRest

  • catalogEncryptionMode - (Required) The encryption-at-rest mode for encrypting Data Catalog data. Valid values are DISABLED and SSE-KMS.
  • sseAwsKmsKeyId - (Optional) The ARN of the AWS KMS key to use for encryption at rest.
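
A pre-deployment check over the arguments documented above, as an added example that is not part of the provider documentation. `auditGlueCatalogEncryption` and its finding strings are hypothetical names, the check assumes `DISABLED` and `SSE-KMS` are the only accepted modes, and the weak sample is constructed.

```typescript
// Added example: field names mirror the arguments documented above.
// auditGlueCatalogEncryption is a hypothetical helper, not a provider API.
interface GlueCatalogEncryptionSettings {
  connectionPasswordEncryption: {
    returnConnectionPasswordEncrypted: boolean;
    awsKmsKeyId?: string;
  };
  encryptionAtRest: { catalogEncryptionMode: string; sseAwsKmsKeyId?: string };
}

// Accept a KMS key ARN or an unresolved Terraform reference like "${aws_kms_key.test.arn}".
const isKeyRef = (v?: string): boolean =>
  v !== undefined &&
  (/^\$\{.+\}$/.test(v) || /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/.+$/.test(v));

function auditGlueCatalogEncryption(s: GlueCatalogEncryptionSettings): string[] {
  const findings: string[] = [];
  const pw = s.connectionPasswordEncryption;
  const rest = s.encryptionAtRest;

  if (!pw.returnConnectionPasswordEncrypted) {
    findings.push("password: not kept encrypted in GetConnection/GetConnections responses");
  } else if (!isKeyRef(pw.awsKmsKeyId)) {
    findings.push("password: protection enabled but awsKmsKeyId is not a KMS key ARN");
  }

  if (rest.catalogEncryptionMode === "DISABLED") {
    findings.push("at-rest: catalog encryption is disabled");
  } else if (rest.catalogEncryptionMode !== "SSE-KMS") {
    // Assumption: only the two modes listed on this page are accepted.
    findings.push(`at-rest: unrecognised mode "${rest.catalogEncryptionMode}"`);
  } else if (!isKeyRef(rest.sseAwsKmsKeyId)) {
    findings.push("at-rest: SSE-KMS without a pinned sseAwsKmsKeyId ARN");
  }
  return findings;
}

// Constructed sample: every protection off.
const weakSettings: GlueCatalogEncryptionSettings = {
  connectionPasswordEncryption: { returnConnectionPasswordEncrypted: false },
  encryptionAtRest: { catalogEncryptionMode: "DISABLED" },
};
const weakFindings = auditGlueCatalogEncryption(weakSettings); // two findings
```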

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the Data Catalog to set the security configuration for.

Import

Glue Data Catalog Encryption Settings can be imported using catalogId (AWS account ID if not custom), e.g.,

$ terraform import aws_glue_data_catalog_encryption_settings.example 123456789012