Inputs
General
Controls if resources should be created (affects nearly all resources).
Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration.
A map of tags to add to all resources.
Studio
A descriptive name for the Amazon EMR Studio.
A detailed description of the Amazon EMR Studio.
Specifies whether the Studio authenticates users using IAM or Amazon Web Services SSO. Valid values are SSO or IAM.
The Amazon S3 location to back up Amazon EMR Studio Workspaces and notebook files.
The AWS KMS key identifier (ARN) used to encrypt Amazon EMR Studio workspace and notebook files when backed up to Amazon S3.
The ID of the Amazon Virtual Private Cloud (Amazon VPC) to associate with the Studio.
A list of subnet IDs to associate with the Amazon EMR Studio. A Studio can have a maximum of 5 subnets. The subnets must belong to the VPC specified by vpc_id.
The authentication endpoint of your identity provider (IdP). Specify this value when you use IAM authentication and want to let federated users log in to a Studio with the Studio URL and credentials from your IdP.
The name that your identity provider (IdP) uses for its RelayState parameter. For example, RelayState or TargetSource.
A map of session mapping definitions to apply to the Studio. Each entry accepts: identity_type (string, required), identity_id (optional string), identity_name (optional string), session_policy_arn (optional string).
Service IAM role
Determines whether the service IAM role should be created.
The ARN of an existing IAM role to use for the service.
Name to use on the IAM role created.
Determines whether the IAM role name is used as a prefix.
Description of the role.
IAM role path.
ARN of the policy that is used to set the permissions boundary for the IAM role.
Map of IAM policies to attach to the service role.
A map of additional tags to add to the IAM role created.
Service IAM role policy
Determines whether the service IAM role policy should be created.
A list of Amazon Web Services Secrets Manager secret ARNs to allow use of Git credentials stored in AWS Secrets Manager to link Git repositories to a Workspace.
A list of Amazon S3 bucket ARNs to allow permission to read/write from the Amazon EMR Studio.
A map of IAM policy statements for custom permission usage. Each entry accepts sid, actions, not_actions, effect, resources, not_resources, principals, not_principals, and condition.
User IAM role
Determines whether the user IAM role should be created.
The ARN of an existing IAM role to use for the user.
Name to use on the IAM role created.
Determines whether the IAM role name is used as a prefix.
Description of the role.
IAM role path.
ARN of the policy that is used to set the permissions boundary for the IAM role.
Map of IAM policies to attach to the user role.
A map of additional tags to add to the IAM role created.
User IAM role policy
Determines whether the user IAM role policy should be created.
A list of Amazon S3 bucket ARNs to allow permission to read/write from the Amazon EMR Studio user role.
A map of IAM policy statements for custom permission usage. Each entry accepts sid, actions, not_actions, effect, resources, not_resources, principals, not_principals, and condition.
Security groups
Determines whether security groups for the EMR Studio engine and workspace are created.
Name to use on security group created. Note: -engine and -workspace will be appended to this name to distinguish.
Determines whether the security group name (security_group_name) is used as a prefix.
A map of additional tags to add to the security groups created.
Engine security group
The ID of the Amazon EMR Studio Engine security group. The Engine security group allows inbound network traffic from the Workspace security group, and it must be in the same VPC specified by vpc_id.
Description of the engine security group created.
Security group ingress rules to add to the engine security group. Each rule accepts cidr_ipv4, cidr_ipv6, description, from_port, to_port, ip_protocol, prefix_list_id, referenced_security_group_id, referenced_workspace_security_group_id, name, and tags.
Security group egress rules to add to the engine security group. Each rule accepts the same fields as ingress rules.
Workspace security group
The ID of the Amazon EMR Studio Workspace security group. The Workspace security group allows outbound network traffic to resources in the Engine security group, and it must be in the same VPC specified by vpc_id.
Description of the workspace security group created.
Security group ingress rules to add to the workspace security group. Each rule accepts cidr_ipv4, cidr_ipv6, description, from_port, to_port, ip_protocol, prefix_list_id, referenced_security_group_id, referenced_engine_security_group_id, name, and tags.
Security group egress rules to add to the workspace security group. Each rule accepts the same fields as ingress rules.
Outputs
Studio
ARN of the studio.
The unique access URL of the Amazon EMR Studio.
Service IAM role
Service IAM role name.
Service IAM role ARN.
Stable and unique string identifying the service IAM role.
Service IAM role policy
Service IAM role policy ARN.
Service IAM role policy ID.
The name of the service role policy.
User IAM role
User IAM role name.
User IAM role ARN.
Stable and unique string identifying the user IAM role.
User IAM role policy
User IAM role policy ARN.
User IAM role policy ID.
The name of the user role policy.
Engine security group
Amazon Resource Name (ARN) of the engine security group.
ID of the engine security group.
Workspace security group
Amazon Resource Name (ARN) of the workspace security group.
ID of the workspace security group.