in packages/constructs/L3/governance/glue-catalog-l3-construct/lib/glue-catalog-l3-construct.ts [297:474]
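/**
 * Returns the Custom Resource Provider that manages the Glue Data Catalog resource policy,
 * creating it on first use and memoising it on `this.catalogResourcePolicyProvider`.
 *
 * The handler Lambda's execution role is restricted to `glue:PutResourcePolicy` /
 * `glue:DeleteResourcePolicy` on this account's catalog ARN and read-only
 * `ram:ListResources` on this account's resource shares; no other service permissions
 * are granted here (the provider framework role receives its own inline policy from CDK).
 *
 * @returns the shared `Provider` for catalog resource policy custom resources.
 */
private getGlueCatalogResourcePolicyCrProvider(): Provider {
  if (this.catalogResourcePolicyProvider) {
    return this.catalogResourcePolicyProvider;
  }

  // Execution role for the handler Lambda; its log group name mirrors the function name.
  const catalogCrFunctionRole = new MdaaLambdaRole(this.scope, 'catalog-function-role', {
    description: 'CR Role',
    roleName: 'catalog-cr',
    naming: this.props.naming,
    logGroupNames: [this.props.naming.resourceName('catalog-cr')],
    createParams: false,
    createOutputs: false,
  });

  // Permissions for managing the Glue catalog resource policy, scoped to this account's catalog only.
  const manageCatalogStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [`arn:${this.partition}:glue:${this.region}:${this.account}:catalog`],
    actions: ['glue:PutResourcePolicy', 'glue:DeleteResourcePolicy'],
  });
  catalogCrFunctionRole.addToPolicy(manageCatalogStatement);

  // Read-only permission to list this account's RAM resource shares (no share create/modify rights).
  const queryRamStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [`arn:${this.partition}:ram:${this.region}:${this.account}:resource-share/*`],
    actions: ['ram:ListResources'],
  });
  catalogCrFunctionRole.addToPolicy(queryRamStatement);

  MdaaNagSuppressions.addCodeResourceSuppressions(
    catalogCrFunctionRole,
    [
      {
        id: 'NIST.800.53.R5-IAMNoInlinePolicy',
        reason: 'Role is for Custom Resource. Inline policy specific to custom resource.',
      },
    ],
    true,
  );

  // The handler and the provider framework function are both deployment-time custom resource
  // Lambdas, so the same DLQ / VPC / reserved-concurrency findings are suppressed on both.
  // The VPC justification names Glue and RAM because those are the only services the role above
  // is permitted to call; the function does not touch S3.
  const dlqReason = 'Function is for custom resource and error handling will be handled by CloudFormation.';
  const vpcReason = 'Function is for custom resource and will interact only with the Glue and RAM service endpoints.';
  const concurrencyReason =
    'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.';
  const customResourceLambdaSuppressions = [
    { id: 'NIST.800.53.R5-LambdaDLQ', reason: dlqReason },
    { id: 'NIST.800.53.R5-LambdaInsideVPC', reason: vpcReason },
    { id: 'NIST.800.53.R5-LambdaConcurrency', reason: concurrencyReason },
    { id: 'HIPAA.Security-LambdaDLQ', reason: dlqReason },
    { id: 'PCI.DSS.321-LambdaDLQ', reason: dlqReason },
    { id: 'HIPAA.Security-LambdaInsideVPC', reason: vpcReason },
    { id: 'PCI.DSS.321-LambdaInsideVPC', reason: vpcReason },
    { id: 'HIPAA.Security-LambdaConcurrency', reason: concurrencyReason },
    { id: 'PCI.DSS.321-LambdaConcurrency', reason: concurrencyReason },
  ];

  const sourceDir = `${__dirname}/../src/python/glue_catalog_resource_policy`;
  // Handler Lambda backing the custom resource that puts/deletes the Glue catalog resource policy.
  const catalogResourcePolicyLambda = new MdaaLambdaFunction(this.scope, 'catalog-cr-function', {
    functionName: 'catalog-cr',
    code: Code.fromAsset(sourceDir),
    handler: 'glue_catalog_resource_policy.lambda_handler',
    runtime: Runtime.PYTHON_3_13,
    timeout: Duration.seconds(120),
    role: catalogCrFunctionRole,
    naming: this.props.naming,
    createParams: false,
    createOutputs: false,
    environment: {
      LOG_LEVEL: 'INFO',
    },
  });
  MdaaNagSuppressions.addCodeResourceSuppressions(catalogResourcePolicyLambda, customResourceLambdaSuppressions, true);

  // Provider framework function name is capped at 64 characters (Lambda function-name limit).
  const catalogCrProviderFunctionName = this.props.naming.resourceName('catalog-cr-prov', 64);
  const catalogCrProviderRole = new MdaaLambdaRole(this.scope, 'catalog-provider-role', {
    description: 'CR Role',
    roleName: 'catalog-provider-role',
    naming: this.props.naming,
    logGroupNames: [catalogCrProviderFunctionName],
    createParams: false,
    createOutputs: false,
  });
  const catalogResourcePolicyProvider = new Provider(this.scope, 'datalake-catalog-cr-provider', {
    providerFunctionName: catalogCrProviderFunctionName,
    onEventHandler: catalogResourcePolicyLambda,
    role: catalogCrProviderRole,
  });
  MdaaNagSuppressions.addCodeResourceSuppressions(
    catalogCrProviderRole,
    [
      {
        id: 'NIST.800.53.R5-IAMNoInlinePolicy',
        reason: 'Role is for Custom Resource Provider. Inline policy automatically added.',
      },
    ],
    true,
  );
  MdaaNagSuppressions.addCodeResourceSuppressions(
    catalogResourcePolicyProvider,
    [
      // The provider framework function's runtime is chosen by CDK, not by this construct.
      { id: 'AwsSolutions-L1', reason: 'Lambda function Runtime set by CDK Provider Framework' },
      ...customResourceLambdaSuppressions,
    ],
    true,
  );

  this.catalogResourcePolicyProvider = catalogResourcePolicyProvider;
  return catalogResourcePolicyProvider;
}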