def _create_events_crawler_role()

in Gems/AWSMetrics/cdv1/aws_metrics/data_lake_integration.py [0:0]


    def _create_events_crawler_role(self) -> None:
        """
        Create the IAM role assumed by the Glue crawler and store it on
        ``self._events_crawler_role``.

        The role is assumable only by the ``glue.amazonaws.com`` service principal
        and carries a single inline policy with four allow statements:

        * S3 list/get/put/delete on the analytics bucket and its objects.
        * Glue table/partition read and write, scoped to the catalog and to the
          events database.
        * Glue database read/update, scoped to the catalog and the events database.
        * CloudWatch Logs group/stream creation and event writes under the
          ``/aws-glue/crawlers`` log group.
        """
        # ARNs shared by several statements are built once. Fn.sub yields a
        # deploy-time token, so reusing the same value in two statements
        # synthesizes the same CloudFormation output as building it twice.
        catalog_arn = core.Fn.sub(
            body='arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
        )
        events_database_variables = {
            'EventsDatabase': self._events_database.ref
        }
        events_database_arn = core.Fn.sub(
            body='arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${EventsDatabase}',
            variables=events_database_variables
        )
        events_tables_arn = core.Fn.sub(
            body='arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${EventsDatabase}/*',
            variables=events_database_variables
        )
        crawler_log_group_arn = core.Fn.sub(
            body='arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/crawlers:*'
        )

        # NOTE(review): PutObject/DeleteObject on the analytics bucket go beyond the
        # list/read access a crawl itself needs; confirm whether this role is also
        # used to write or clean up under the bucket, otherwise it could be trimmed
        # to least privilege.
        s3_statement = iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=[
                's3:ListBucket',
                's3:GetObject',
                's3:PutObject',
                's3:DeleteObject'
            ],
            resources=[
                self._analytics_bucket.bucket_arn,
                f'{self._analytics_bucket.bucket_arn}/*'
            ]
        )

        # Table-level actions are allowed on the catalog plus the events database
        # and any table beneath it; no other database is reachable.
        glue_table_statement = iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=[
                'glue:BatchGetPartition',
                'glue:GetPartition',
                'glue:GetPartitions',
                'glue:BatchCreatePartition',
                'glue:CreatePartition',
                'glue:CreateTable',
                'glue:GetTable',
                'glue:GetTables',
                'glue:GetTableVersion',
                'glue:GetTableVersions',
                'glue:UpdatePartition',
                'glue:UpdateTable'
            ],
            resources=[
                catalog_arn,
                events_tables_arn,
                events_database_arn
            ]
        )

        glue_database_statement = iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=[
                'glue:GetDatabase',
                'glue:GetDatabases',
                'glue:UpdateDatabase'
            ],
            resources=[
                catalog_arn,
                events_database_arn
            ]
        )

        logs_statement = iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=[
                'logs:CreateLogGroup',
                'logs:CreateLogStream',
                'logs:PutLogEvents'
            ],
            resources=[crawler_log_group_arn]
        )

        crawler_policy_document = iam.PolicyDocument(
            statements=[
                s3_statement,
                glue_table_statement,
                glue_database_statement,
                logs_statement
            ]
        )

        # The role name is derived from the stack name and passed through the
        # project's sanitizer so it satisfies IAM role-name constraints.
        crawler_role_name = resource_name_sanitizer.sanitize_resource_name(
            f'{self._stack.stack_name}-EventsCrawlerRole', 'iam_role')

        self._events_crawler_role = iam.Role(
            self._stack,
            id='EventsCrawlerRole',
            role_name=crawler_role_name,
            assumed_by=iam.ServicePrincipal(service='glue.amazonaws.com'),
            inline_policies={
                'GameAnalyticsPipelineGlueCrawlerPolicy': crawler_policy_document
            }
        )