constructor()

in packages/constructs/L3/governance/glue-catalog-l3-construct/lib/glue-catalog-l3-construct.ts [73:163]


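  /**
   * Builds the Glue catalog resources for this account.
   *
   * In order:
   * 1. Copies the consumer, KMS-key-consumer and producer account maps from props,
   *    dropping any entry whose account id is this stack's own account (a grant to
   *    the local account is redundant in a cross-account resource policy).
   * 2. Builds the catalog resource policy from `props.accessPolicies`; every named
   *    access policy contributes statements for its resources and read/write
   *    principals, and each remaining consumer account gets read access to every
   *    catalog resource (`'*'`) through an extra `'accounts'` policy.
   * 3. If the document has any statements, appends the Lake Formation hybrid-access
   *    "share resource" statement, applies the document through a custom resource and
   *    publishes the resulting policy hash to SSM.
   * 4. Registers one Athena data catalog per producer account.
   * 5. Creates the catalog KMS key for the accumulated read/write principals and the
   *    consumer account ids, and passes it to the catalog settings construct.
   *
   * @param scope - parent construct
   * @param id - construct id
   * @param props - catalog configuration, see {@link GlueCatalogL3ConstructProps}
   */
  constructor(scope: Construct, id: string, props: GlueCatalogL3ConstructProps) {
    super(scope, id, props);
    this.props = props;

    // Name -> account id maps with this stack's own account removed.
    const withoutOwnAccount = (accounts?: Record<string, string>): Record<string, string> =>
      Object.fromEntries(Object.entries(accounts ?? {}).filter(([, accountId]) => accountId !== this.account));

    this.consumerAccounts = withoutOwnAccount(this.props.consumerAccounts);
    this.kmsKeyConsumerAccounts = withoutOwnAccount(this.props.kmsKeyConsumerAccounts);
    this.producerAccounts = withoutOwnAccount(this.props.producerAccounts);

    // Principals collected across every access policy; they are granted on the
    // catalog KMS key below so the catalog data they may read/write stays usable.
    const allReadPrincipalArns: string[] = [];
    const allWritePrincipalArns: string[] = [];

    const resourcePolicyDocument = new PolicyDocument();
    // Previously each policy name and body was console.log'ed here at synth time;
    // that debug output (principal ARNs, resources) served no purpose and is gone.
    for (const [accessPolicyName, accessPolicy] of Object.entries(this.props.accessPolicies ?? {})) {
      allReadPrincipalArns.push(...(accessPolicy.readPrincipalArns ?? []));
      allWritePrincipalArns.push(...(accessPolicy.writePrincipalArns ?? []));
      resourcePolicyDocument.addStatements(
        ...this.createResourcePolicyStatements(
          accessPolicyName,
          accessPolicy.resources,
          accessPolicy.readPrincipalArns,
          accessPolicy.writePrincipalArns,
        ),
      );
    }

    // Consumer accounts are granted as their account-root principal, read-only,
    // on every resource ('*'); no write principals are passed for this policy.
    const consumerAccountIds = Object.values(this.consumerAccounts);
    if (consumerAccountIds.length > 0) {
      const readPrincipalArns = consumerAccountIds.map(accountId => `arn:${this.partition}:iam::${accountId}:root`);
      resourcePolicyDocument.addStatements(...this.createResourcePolicyStatements('accounts', ['*'], readPrincipalArns));
    }

    if (resourcePolicyDocument.statementCount > 0) {
      // Required as per https://docs.aws.amazon.com/lake-formation/latest/dg/hybrid-cross-account.html
      resourcePolicyDocument.addStatements(this.getShareResourcePolicyStatement());

      // Same SSM path is both handed to the custom resource and used for the parameter below.
      const policyHashParamName = this.props.naming.ssmPath('policyHash');
      const catalogCrProvider = this.getGlueCatalogResourcePolicyCrProvider();
      const catalogResourcePolicy = new CustomResource(this.scope, 'catalog-resource-policy', {
        serviceToken: catalogCrProvider.serviceToken,
        properties: {
          resourcePolicyJson: resourcePolicyDocument.toJSON(),
          account: this.account,
          policyHashParam: policyHashParamName,
        },
      });
      // The custom resource reports a 'PolicyHash' attribute that is published to SSM —
      // presumably so a later deployment can tell whether the applied policy changed;
      // confirm against the custom resource handler.
      new StringParameter(this.scope, 'catalog-resource-policy-hash-ssm', {
        parameterName: policyHashParamName,
        stringValue: catalogResourcePolicy.getAttString('PolicyHash'),
      });
    }

    // One Athena data catalog per producer account, pointing at that account's Glue catalog.
    for (const [acctName, acctId] of Object.entries(this.producerAccounts)) {
      new CfnDataCatalog(this.scope, `athena-catalog-${acctName}`, {
        name: acctName,
        type: 'GLUE',
        parameters: {
          'catalog-id': acctId,
        },
      });
    }

    // Account ids that must be able to use the catalog KMS key: the union, by account id,
    // of consumer and KMS-key-consumer accounts. Merging by id (rather than by name) keeps
    // an account that is listed under the same name in both maps, and drops repeats so
    // no id appears twice in the key policy.
    const catalogKmsKeyConsumerAccounts = Array.from(
      new Set([...Object.values(this.consumerAccounts), ...Object.values(this.kmsKeyConsumerAccounts)]),
    );
    const catalogKmsKey = this.createCatalogKmsKey(
      allReadPrincipalArns,
      allWritePrincipalArns,
      catalogKmsKeyConsumerAccounts,
    );

    new MdaaCatalogSettings(this.scope, 'glue-catalog-settings', {
      naming: this.props.naming,
      catalogId: this.account,
      catalogKmsKey: catalogKmsKey,
    });
  }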