aws_athena_workgroup

account_id

Type: STRING

configuration

Type: STRUCT
Provider name: Configuration
Description: The configuration of the workgroup, which includes the location in Amazon S3 where query and calculation results are stored, the encryption configuration, if any, used for query and calculation results; whether the Amazon CloudWatch Metrics are enabled for the workgroup; whether workgroup settings override client-side settings; and the data usage limits for the amount of data scanned per query or per workgroup. The workgroup settings override is specified in EnforceWorkGroupConfiguration (true/false) in the WorkGroupConfiguration. See WorkGroupConfiguration$EnforceWorkGroupConfiguration.

  • additional_configuration
    Type: STRING
    Provider name: AdditionalConfiguration
    Description: Specifies a user defined JSON string that is passed to the notebook engine.
  • bytes_scanned_cutoff_per_query
    Type: INT64
    Provider name: BytesScannedCutoffPerQuery
    Description: The upper data usage limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan.
  • customer_content_encryption_configuration
    Type: STRUCT
    Provider name: CustomerContentEncryptionConfiguration
    Description: Specifies the KMS key that is used to encrypt the user’s data stores in Athena. This setting does not apply to Athena SQL workgroups.
    • kms_key
      Type: STRING
      Provider name: KmsKey
      Description: The customer managed KMS key that is used to encrypt the user’s data stores in Athena.
  • enable_minimum_encryption_configuration
    Type: BOOLEAN
    Provider name: EnableMinimumEncryptionConfiguration
    Description: Enforces a minimal level of encryption for the workgroup for query and calculation results that are written to Amazon S3. When enabled, workgroup users can set encryption only to the minimum level set by the administrator or higher when they submit queries. The EnforceWorkGroupConfiguration setting takes precedence over the EnableMinimumEncryptionConfiguration flag. This means that if EnforceWorkGroupConfiguration is true, the EnableMinimumEncryptionConfiguration flag is ignored, and the workgroup configuration for encryption is used.
  • enforce_work_group_configuration
    Type: BOOLEAN
    Provider name: EnforceWorkGroupConfiguration
    Description: If set to “true”, the settings for the workgroup override client-side settings. If set to “false”, client-side settings are used. For more information, see Workgroup Settings Override Client-Side Settings.
  • engine_version
    Type: STRUCT
    Provider name: EngineVersion
    Description: The engine version that all queries running on the workgroup use. Queries on the AmazonAthenaPreviewFunctionality workgroup run on the preview engine regardless of this setting.
    • effective_engine_version
      Type: STRING
      Provider name: EffectiveEngineVersion
      Description: Read only. The engine version on which the query runs. If the user requests a valid engine version other than Auto, the effective engine version is the same as the engine version that the user requested. If the user requests Auto, the effective engine version is chosen by Athena. When a request to update the engine version is made by a CreateWorkGroup or UpdateWorkGroup operation, the EffectiveEngineVersion field is ignored.
    • selected_engine_version
      Type: STRING
      Provider name: SelectedEngineVersion
      Description: The engine version requested by the user. Possible values are determined by the output of ListEngineVersions, including AUTO. The default is AUTO.
  • execution_role
    Type: STRING
    Provider name: ExecutionRole
    Description: The ARN of the execution role used to access user resources for Spark sessions and IAM Identity Center enabled workgroups. This property applies only to Spark enabled workgroups and IAM Identity Center enabled workgroups. The property is required for IAM Identity Center enabled workgroups.
  • identity_center_configuration
    Type: STRUCT
    Provider name: IdentityCenterConfiguration
    Description: Specifies whether the workgroup is IAM Identity Center supported.
    • enable_identity_center
      Type: BOOLEAN
      Provider name: EnableIdentityCenter
      Description: Specifies whether the workgroup is IAM Identity Center supported.
    • identity_center_instance_arn
      Type: STRING
      Provider name: IdentityCenterInstanceArn
      Description: The IAM Identity Center instance ARN that the workgroup associates to.
  • publish_cloud_watch_metrics_enabled
    Type: BOOLEAN
    Provider name: PublishCloudWatchMetricsEnabled
    Description: Indicates that the Amazon CloudWatch metrics are enabled for the workgroup.
  • query_results_s3_access_grants_configuration
    Type: STRUCT
    Provider name: QueryResultsS3AccessGrantsConfiguration
    Description: Specifies whether Amazon S3 access grants are enabled for query results.
    • authentication_type
      Type: STRING
      Provider name: AuthenticationType
      Description: The authentication type used for Amazon S3 access grants. Currently, only DIRECTORY_IDENTITY is supported.
    • create_user_level_prefix
      Type: BOOLEAN
      Provider name: CreateUserLevelPrefix
      Description: When enabled, appends the user ID as an Amazon S3 path prefix to the query result output location.
    • enable_s3_access_grants
      Type: BOOLEAN
      Provider name: EnableS3AccessGrants
      Description: Specifies whether Amazon S3 access grants are enabled for query results.
  • requester_pays_enabled
    Type: BOOLEAN
    Provider name: RequesterPaysEnabled
    Description: If set to true, allows members assigned to a workgroup to reference Amazon S3 Requester Pays buckets in queries. If set to false, workgroup members cannot query data from Requester Pays buckets, and queries that retrieve data from Requester Pays buckets cause an error. The default is false. For more information about Requester Pays buckets, see Requester Pays Buckets in the Amazon Simple Storage Service Developer Guide.
  • result_configuration
    Type: STRUCT
    Provider name: ResultConfiguration
    Description: The configuration for the workgroup, which includes the location in Amazon S3 where query and calculation results are stored and the encryption option, if any, used for query and calculation results. To run the query, you must specify the query results location using one of the ways: either in the workgroup using this setting, or for individual queries (client-side), using ResultConfiguration$OutputLocation. If none of them is set, Athena issues an error that no output location is provided.
    • acl_configuration
      Type: STRUCT
      Provider name: AclConfiguration
      Description: Indicates that an Amazon S3 canned ACL should be set to control ownership of stored query results. Currently the only supported canned ACL is BUCKET_OWNER_FULL_CONTROL. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the ACL configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. For more information, see WorkGroupConfiguration$EnforceWorkGroupConfiguration and Workgroup Settings Override Client-Side Settings.
      • s3_acl_option
        Type: STRING
        Provider name: S3AclOption
        Description: The Amazon S3 canned ACL that Athena should specify when storing query results. Currently the only supported canned ACL is BUCKET_OWNER_FULL_CONTROL. If a query runs in a workgroup and the workgroup overrides client-side settings, then the Amazon S3 canned ACL specified in the workgroup’s settings is used for all queries that run in the workgroup. For more information about Amazon S3 canned ACLs, see Canned ACL in the Amazon S3 User Guide.
    • encryption_configuration
      Type: STRUCT
      Provider name: EncryptionConfiguration
      Description: If query and calculation results are encrypted in Amazon S3, indicates the encryption option used (for example, SSE_KMS or CSE_KMS) and key information. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the encryption configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration and Workgroup Settings Override Client-Side Settings.
      • encryption_option
        Type: STRING
        Provider name: EncryptionOption
        Description: Indicates whether Amazon S3 server-side encryption with Amazon S3-managed keys (SSE_S3), server-side encryption with KMS-managed keys (SSE_KMS), or client-side encryption with KMS-managed keys (CSE_KMS) is used. If a query runs in a workgroup and the workgroup overrides client-side settings, then the workgroup’s setting for encryption is used. It specifies whether query results must be encrypted, for all queries that run in this workgroup.
      • kms_key
        Type: STRING
        Provider name: KmsKey
        Description: For SSE_KMS and CSE_KMS, this is the KMS key ARN or ID.
    • expected_bucket_owner
      Type: STRING
      Provider name: ExpectedBucketOwner
      Description: The Amazon Web Services account ID that you expect to be the owner of the Amazon S3 bucket specified by ResultConfiguration$OutputLocation. If set, Athena uses the value for ExpectedBucketOwner when it makes Amazon S3 calls to your specified output location. If the ExpectedBucketOwner Amazon Web Services account ID does not match the actual owner of the Amazon S3 bucket, the call fails with a permissions error. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the ExpectedBucketOwner setting that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration and Workgroup Settings Override Client-Side Settings.
    • output_location
      Type: STRING
      Provider name: OutputLocation
      Description: The location in Amazon S3 where your query and calculation results are stored, such as s3://path/to/query/bucket/. To run the query, you must specify the query results location using one of the ways: either for individual queries using either this setting (client-side), or in the workgroup, using WorkGroupConfiguration. If none of them is set, Athena issues an error that no output location is provided. If workgroup settings override client-side settings, then the query uses the settings specified for the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration.

creation_time

Type: TIMESTAMP
Provider name: CreationTime
Description: The date and time the workgroup was created.

description

Type: STRING
Provider name: Description
Description: The workgroup description.

identity_center_application_arn

Type: STRING
Provider name: IdentityCenterApplicationArn
Description: The ARN of the IAM Identity Center enabled application associated with the workgroup.

name

Type: STRING
Provider name: Name
Description: The workgroup name.

state

Type: STRING
Provider name: State
Description: The state of the workgroup: ENABLED or DISABLED.

tags

Type: UNORDERED_LIST_STRING

workgroup_arn

Type: STRING