From 4ad84589b03f2cd254314775b8e04a68caa835bd Mon Sep 17 00:00:00 2001
From: Iakov GAN <82834333+iakov-aws@users.noreply.github.com>
Date: Wed, 8 Nov 2023 13:53:16 +0100
Subject: [PATCH] Fix cfn - add databases permissions for data collection lab (#663)
---
 cfn-templates/cid-cfn.yml | 54 +++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 25 deletions(-)
diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index 29a2e044..1bc361f7 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
@@ -38,7 +38,7 @@ Metadata:
 - QuickSightDataSourceRoleName
 - QuickSightDataSetRefreshSchedule
 - LambdaLayerBucketPrefix
- DataBuketsKmsKeyArns
+ - DataBucketsKmsKeyArns
 ParameterLabels:
 PrerequisitesQuickSight:
 default: "I have enabled QuickSight Enterprise Edition AND I have a SPICE capacity in the current region."
@@ -82,7 +82,7 @@ Metadata:
 default: "LambdaLayerBucketPrefix - Please do not change"
 GlueDataCatalog:
 default: "Existing Glue Data Catalog"
- DataBuketsKmsKeyArns:
+ DataBucketsKmsKeyArns:
 default: "ARNs of KMS Keys for data bucket. Keep empty if data Buckets are not Encrypted with KMS. Also you can set it to '*'."
 PrimaryTagName:
 Default: "Choose a tag name. Currently used only in Compute Optimizer dashboard."
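Review bot: Renaming the `DataBuketsKmsKeyArns` parameter to `DataBucketsKmsKeyArns` (here and in the hunks at lines 187, 237, 985, 1081, 1105 and 1347) changes the effective value on stacks that already exist. An update that still passes the old name, or uses its previous value, is rejected because that parameter no longer exists, and an update that simply omits it falls back to the new parameter's `Default: "*"` shown in the hunk at line 187, so a deployment that had narrowed `kms:Decrypt` to specific key ARNs would widen it to every key without any visible change in the template diff. The PR description should tell operators to re-supply the value under the new name, or the template could keep the old parameter for one release and use it when it is non-empty.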
@@ -113,11 +113,11 @@ Parameters:
 QuickSightDataSetRefreshSchedule:
 Type: String
 Default: ''
- Description: 'Cron expression on when to refresh spice datasets via Lambda. Only needed if some difficulities with refresh scheduling via API.'
+ Description: 'Cron expression on when to refresh spice datasets via Lambda. Only needed if some difficulties with refresh scheduling via API.'
 QuickSightDataSourceRoleName:
 Type: String
 Default: 'CidQuickSightDataSourceRole'
- Description: "IAM Role Name to be used on QuckSight Datasource Creation. If empty - then the Default QuckSight Role will be used; if provided other existing role, will use that Role; if name equal to 'CidQuickSightDataSourceRole', then a role will be created by this CloudFromation)."
+ Description: "IAM Role Name to be used on QuickSight Datasource Creation. If empty - then the Default QuickSight Role will be used; if provided other existing role, will use that Role; if name equal to 'CidQuickSightDataSourceRole', then a role will be created by this CloudFromation)."
 CURBucketPath:
 Type: String
 MinLength: 3
@@ -187,7 +187,7 @@ Parameters:
 Type: String
 Description: Existing Glue Data Catalog
 Default: "AwsDataCatalog"
- DataBuketsKmsKeyArns:
+ DataBucketsKmsKeyArns:
 Type: String
 Description: "ARNs of KMS Keys for data bucket. Keep empty if data Buckets are not Encrypted with KMS. Also you can set it to '*'."
 Default: "*"
@@ -198,7 +198,7 @@ Parameters:
 AllowedValues: ["yes", "no"]
 PrimaryTagName:
 Type: String
- Description: Choose a tag name for Primary Tag. Can be any Tag name (owner, environment, finops_exception). Currently used only in Compute Optimizer dashboard. Leve as is if not sure.
+ Description: Choose a tag name for Primary Tag. Can be any Tag name (owner, environment, finops_exception). Currently used only in Compute Optimizer dashboard. Leave as is if not sure.
 Default: "owner"
 MinLength: 1 # cid cmd do not accept empty parameters
 AllowedPattern: "[a-zA-Z0-9_]*"
@@ -237,12 +237,12 @@ Conditions:
 - !Equals [ !Ref CURTableName, "" ]
 - !Condition NeedCUR
 NeedRefreshDatasets: !Not [ !Equals [ !Ref QuickSightDataSetRefreshSchedule, ""] ]
- NeedDataBucketsKms: !Equals [ !Ref DataBuketsKmsKeyArns, "" ]
+ NeedDataBucketsKms: !Equals [ !Ref DataBucketsKmsKeyArns, "" ]
 NeedDataBucketsKmsAndNeedCURTable:
 Fn::And:
 - !Condition NeedDataBucketsKms
 - !Condition NeedCURTable
- NeedDatasource: !Not [ !Equals [ !Ref "AWS::Region", "eu-west-3" ] ] # In eu-west-3 CFN QS Dataset resource is not availble yet.
+ NeedDatasource: !Not [ !Equals [ !Ref "AWS::Region", "eu-west-3" ] ] # In eu-west-3 CFN QS Dataset resource is not available yet.
 NeedLakeFormationEnabled:
 Fn::And:
 - !Equals [ !Ref LakeFormationEnabled, "yes" ]
@@ -598,7 +598,7 @@ Resources:
 ManagedPolicyArns:
 - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSLambdaExecute
- InitLambdaExecutionRoleWorkGroupPoliciy:
+ InitLambdaExecutionRoleWorkGroupPolicy:
 Type: AWS::IAM::Policy
 Condition: NeedAthenaWorkgroup
 Properties:
@@ -612,7 +612,7 @@ Resources:
 Roles:
 - !Ref InitLambdaExecutionRole
- InitLambdaExecutionRoleBucketPoliciy:
+ InitLambdaExecutionRoleBucketPolicy:
 Type: AWS::IAM::Policy
 Condition: NeedAthenaQueryResultsBucket
 Properties:
@@ -635,7 +635,7 @@ Resources:
 Roles:
 - !Ref InitLambdaExecutionRole
- InitLambdaExecutionRoleStartCrawlerPoliciy:
+ InitLambdaExecutionRoleStartCrawlerPolicy:
 Type: AWS::IAM::Policy
 Condition: NeedCURTable
 Properties:
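Review bot: Renaming the logical IDs of the `AWS::IAM::Policy` resources (`InitLambdaExecutionRoleWorkGroupPolicy`, `InitLambdaExecutionRoleBucketPolicy` and `InitLambdaExecutionRoleStartCrawlerPolicy` in the hunks at lines 598, 612 and 635, and `KmsPolicyForCidCURCrawlerRole` and `KmsPolicyForCidExecRole` in the hunks at lines 974 and 1336) makes CloudFormation treat each one as a new resource on the next stack update and delete the old one during cleanup. If the `PolicyName` under `Properties` (outside these hunks) is a fixed string, the new resource writes an inline policy with the same name onto the same role and the cleanup step then deletes that inline policy by name, leaving the role without these permissions until a later update recreates them. Either confirm the `PolicyName` changes together with the logical ID, or change the `PolicyName` in the same commit so the old and new inline policies do not collide.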
@@ -663,11 +663,11 @@ Resources:
 - Key: IgnoreConditionalDependsOnDatabase
 Value: !If [NeedCURTable, !Ref MyGlueCURCrawler, '']
 - Key: IgnoreConditionalDependsOnPolicy1
- Value: !If [NeedAthenaWorkgroup, !Ref InitLambdaExecutionRoleWorkGroupPoliciy, '']
+ Value: !If [NeedAthenaWorkgroup, !Ref InitLambdaExecutionRoleWorkGroupPolicy, '']
 - Key: IgnoreConditionalDependsOnPolicy2
- Value: !If [NeedAthenaQueryResultsBucket, !Ref InitLambdaExecutionRoleBucketPoliciy, '']
+ Value: !If [NeedAthenaQueryResultsBucket, !Ref InitLambdaExecutionRoleBucketPolicy, '']
 - Key: IgnoreConditionalDependsOnPolicy3
- Value: !If [NeedCURTable, !Ref InitLambdaExecutionRoleStartCrawlerPoliciy, '']
+ Value: !If [NeedCURTable, !Ref InitLambdaExecutionRoleStartCrawlerPolicy, '']
 ProcessPathLambdaExecutionRole:
 Type: AWS::IAM::Role
@@ -974,7 +974,7 @@ Resources:
 Resource:
 Fn::Sub: 'arn:${AWS::Partition}:s3:::${ProcessedCURPath.Bucket}/${ProcessedCURPath.Path}/*'
- KmsPoliciyForCidCURCrawlerRole:
+ KmsPolicyForCidCURCrawlerRole:
 Type: AWS::IAM::Policy
 Condition: NeedDataBucketsKmsAndNeedCURTable
 Properties:
@@ -985,7 +985,7 @@ Resources:
 - Effect: Allow
 Action:
 - 'kms:Decrypt'
- Resource: !Split [',', !Ref DataBuketsKmsKeyArns]
+ Resource: !Split [',', !Ref DataBucketsKmsKeyArns]
 Roles:
 - !Ref CidCURCrawlerRole
@@ -1033,6 +1033,10 @@ Resources:
 - NeedDatabase
 - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/*
 - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/optimization_data/*
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/optimization_data
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/cid_data_collection/*
+ - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/cid_data_collection
 - Effect: Allow
 Action:
 - athena:ListDatabases
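Review bot: The four new Glue ARNs in the hunk at line 1033 grant access to the `optimization_data` and `cid_data_collection` databases and every table in them by hard-coded name, whereas the neighbouring entries are driven by the `${CidDatabase}` and `${DatabaseName}` parameters and appear to be selected by the `NeedDatabase` condition listed just above them. As written, every stack built from this template carries these permissions whether or not the data collection lab is deployed, and a deployment whose data collection databases use different names gets no benefit from them. A parameter holding the data collection database name(s) with an empty default, plus a condition that drops these entries when it is empty, would keep the role at least-privilege for the common case; at minimum the entries deserve a comment such as `# Databases created by the Data Collection Lab; only required when it is deployed` so the grant can be reviewed. The enclosing policy statement, including the `Effect`, `Action` and `Roles` it belongs to, begins and ends outside this hunk.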
@@ -1081,10 +1085,10 @@ Resources:
 PolicyDocument:
 Version: 2012-10-17
 Statement:
- - Sid: CidAllowDecryptDataBuketsKmsKeyArns
+ - Sid: CidAllowDecryptDataBucketsKmsKeyArns
 Effect: Allow
 Action: 'kms:Decrypt'
- Resource: !Split [',', !Ref DataBuketsKmsKeyArns]
+ Resource: !Split [',', !Ref DataBucketsKmsKeyArns]
 - Sid: CidAllowListBucket
 Effect: Allow
 Action: s3:ListBucket
@@ -1105,10 +1109,10 @@ Resources:
 PolicyDocument:
 Version: 2012-10-17
 Statement:
- - Sid: CidAllowDecryptDataBuketsKmsKeyArns
+ - Sid: CidAllowDecryptDataBucketsKmsKeyArns
 Effect: Allow
 Action: 'kms:Decrypt'
- Resource: !Split [',', !Ref DataBuketsKmsKeyArns]
+ Resource: !Split [',', !Ref DataBucketsKmsKeyArns]
 - Sid: CidAllowListBucket
 Effect: Allow
 Action: s3:ListBucket
@@ -1182,7 +1186,7 @@ Resources:
 - glue:GetTables
 - glue:GetPartitions
 - glue:CreateTable
- Resource: "*" # This is needed to allow Autodetection in CID-CMD
+ Resource: "*" # This is needed to allow Autodetect in CID-CMD
 - Effect: Allow
 Action:
 - s3:ListBucket
@@ -1229,7 +1233,7 @@ Resources:
 - quicksight:DescribeUser
 - quicksight:DescribeTemplate
 - quicksight:DescribeAccountSubscription
- Resource: '*' # This is needed to allow Autodetection in CID-CMD
+ Resource: '*' # This is needed to allow Autodetect in CID-CMD
 - Effect: Allow
 Action:
 - quicksight:CreateRefreshSchedule
@@ -1251,7 +1255,7 @@ Resources:
 - athena:ListTableMetadata
 - athena:ListWorkGroups
 - athena:GetDatabase
- Resource: '*' # This is needed to allow Autodetection in CID-CMD
+ Resource: '*' # This is needed to allow Autodetect in CID-CMD
 DataLakeSettingsCidExecRolePerm:
@@ -1336,7 +1340,7 @@ Resources:
 TableWildcard: {}
- KmsPoliciyForCidExecRole:
+ KmsPolicyForCidExecRole:
 Type: AWS::IAM::Policy
 Condition: NeedDataBucketsKms
 Properties:
@@ -1347,7 +1351,7 @@ Resources:
 - Effect: Allow
 Action:
 - 'kms:Decrypt'
- Resource: !Split [',', !Ref DataBuketsKmsKeyArns]
+ Resource: !Split [',', !Ref DataBucketsKmsKeyArns]
 Roles:
 - !Ref CidExecRole