in Gems/AWSMetrics/cdv1/aws_metrics/policy_statements_builder/admin_policy_statements_builder.py [0:0]
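def add_data_lake_integration_policy_statements(
        self,
        component: DataLakeIntegration) -> AdminPolicyStatementsBuilder:
    """
    Add the admin policy statements needed to operate the data lake integration.

    The statements grant read access to the analytics bucket, write access
    limited to the Athena query-result prefix, and read/update access to the
    events Glue database, table and crawler. Every resource ARN is scoped to
    the bucket, database, table and crawler names exposed by ``component``
    (interpolated through ``Fn::Sub``), so no statement uses an account-wide
    wildcard resource.

    :param component: Data lake integration component created by the metrics gem
        (exposes the analytics bucket name, the Glue database/table/crawler names
        and the crawler role ARN). A falsy value means the integration is not
        deployed and no statements are added.
    :return: The policy statement builder itself, for chaining.
    """
    if not component:
        return self

    # Glue authorizes database/table actions against the catalog as well as
    # the specific database/table, so the catalog ARN is listed alongside.
    catalog_arn = core.Fn.sub('arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog')

    self._policy_statement_mapping['glue_database'] = iam.PolicyStatement(
        actions=[
            'glue:GetDatabase',
            'glue:UpdateDatabase'
        ],
        effect=iam.Effect.ALLOW,
        resources=[
            catalog_arn,
            core.Fn.sub(
                body='arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${EventsDatabaseName}',
                variables={
                    'EventsDatabaseName': component.events_database_name
                }
            )
        ],
        sid='UpdateEventsDatabase'
    )
    self._policy_statement_mapping['glue_table'] = iam.PolicyStatement(
        actions=[
            'glue:GetTable',
            'glue:GetTableVersion',
            'glue:GetTableVersions',
            'glue:UpdateTable',
            'glue:GetPartitions'
        ],
        effect=iam.Effect.ALLOW,
        resources=[
            catalog_arn,
            core.Fn.sub(
                body='arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/'
                     '${EventsDatabaseName}/${EventsTableName}',
                variables={
                    'EventsDatabaseName': component.events_database_name,
                    'EventsTableName': component.events_table_name
                }
            ),
            core.Fn.sub(
                body='arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:'
                     'database/${EventsDatabaseName}',
                variables={
                    'EventsDatabaseName': component.events_database_name
                }
            )
        ],
        sid='UpdateEventsTable'
    )
    # Crawler control is limited to the single events crawler; no wildcard.
    self._policy_statement_mapping['glue_crawler'] = iam.PolicyStatement(
        actions=[
            'glue:GetCrawler',
            'glue:StartCrawler',
            'glue:StopCrawler',
            'glue:UpdateCrawler'
        ],
        effect=iam.Effect.ALLOW,
        resources=[core.Fn.sub(
            body='arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:crawler/${EventsCrawlerName}',
            variables={
                'EventsCrawlerName': component.events_crawler_name
            }
        )],
        sid='UpdateEventsCrawler'
    )
    # ListBucket is evaluated against the bucket ARN, GetObject against the
    # object ARNs; both are kept in one statement for readability.
    self._policy_statement_mapping['s3_read'] = iam.PolicyStatement(
        actions=[
            's3:GetObject',
            's3:ListBucket'
        ],
        effect=iam.Effect.ALLOW,
        resources=[
            core.Fn.sub(
                body='arn:${AWS::Partition}:s3:::${AnalyticsBucketName}',
                variables={
                    'AnalyticsBucketName': component.analytics_bucket_name
                }
            ),
            core.Fn.sub(
                body='arn:${AWS::Partition}:s3:::${AnalyticsBucketName}/*',
                variables={
                    'AnalyticsBucketName': component.analytics_bucket_name
                }
            )
        ],
        sid='GetAnalyticsBucketObjects'
    )
    # Write access is deliberately confined to the Athena query-result prefix
    # so the admin cannot overwrite or inject raw event data elsewhere in the
    # analytics bucket. The first ARN matches only an object whose key equals
    # the prefix itself (no trailing slash); the second covers everything
    # beneath it.
    # NOTE(review): the bare-prefix ARN is presumably for a prefix marker
    # object — harmless, but confirm it is intended.
    self._policy_statement_mapping['s3_write'] = iam.PolicyStatement(
        actions=[
            's3:PutObject'
        ],
        effect=iam.Effect.ALLOW,
        resources=[
            core.Fn.sub(
                body='arn:${AWS::Partition}:s3:::${AnalyticsBucketName}/${AthenaOutputDirectory}',
                variables={
                    'AnalyticsBucketName': component.analytics_bucket_name,
                    'AthenaOutputDirectory': constants.ATHENA_OUTPUT_DIRECTORY
                }
            ),
            core.Fn.sub(
                body='arn:${AWS::Partition}:s3:::${AnalyticsBucketName}/${AthenaOutputDirectory}/*',
                variables={
                    'AnalyticsBucketName': component.analytics_bucket_name,
                    'AthenaOutputDirectory': constants.ATHENA_OUTPUT_DIRECTORY
                }
            )
        ],
        sid='PutQueryResults'
    )
    # The crawler role ARN is handed to the builder's shared IAM statement
    # (defined elsewhere in this class). Whatever IAM action that statement
    # grants on the role — presumably iam:PassRole so the admin can update the
    # crawler — is privilege-sensitive, so it must stay scoped to this one
    # role rather than a wildcard; verify against the helper.
    self._add_to_iam_policy_statement([component.events_crawler_role_arn])
    # Crawler logs are read from the fixed /aws-glue/crawlers log group; only
    # the log-stream component is wildcarded.
    self._add_to_logs_policy_statement(
        [
            core.Fn.sub('arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:'
                        '/aws-glue/crawlers:log-stream:*')
        ]
    )
    return self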