Enables deletion of Athena Workgroup via CFN natively, by setting Rec…

…ursiveDeleteOption to true
aws-samples · Dec 14, 2024 · aaac0eb · aaac0eb
1 parent 2126e5d
commit aaac0eb
Showing 1 changed file with 4 additions and 38 deletions.
diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
@@ -531,11 +531,14 @@ Resources:
     Properties:
       Name: !Sub 'CID${Suffix}'
       Description: !Sub 'Used for CloudIntelligenceDashboards${Suffix}'
+      State: ENABLED
+      RecursiveDeleteOption: true
       WorkGroupConfiguration:
         EnforceWorkGroupConfiguration: true
         ResultConfiguration:
           EncryptionConfiguration:
             EncryptionOption: SSE_S3
+          ExpectedBucketOwner: !Ref AWS::AccountId
           OutputLocation: !If [ NeedAthenaQueryResultsBucket, !Sub 's3://${MyAthenaQueryResultsBucket}/', !Sub 's3://${AthenaQueryResultsBucket}/' ]
 
   #Legacy version. Replaced by CustomResourceFunctionInit but we cannot remove it completely as it was removing workgroup on deletion of the custom resource.
@@ -582,7 +585,7 @@ Resources:
     Properties:
       FunctionName: !Sub "CidCustomResourceFunctionInit-DoNotRun${Suffix}"
       Role: !GetAtt 'InitLambdaExecutionRole.Arn'
-      Description: "Do what CFN cannot: start crawler, delete bucket with objects and delete an non empty workgroup"
+      Description: "Do what CFN cannot: start crawler and delete bucket with objects"
       Runtime: python3.11
       Architectures: [ x86_64 ] #Compatible with arm64 but it is not supported in all regions
       MemorySize: 128
@@ -602,7 +605,6 @@ Resources:
           from cid.utils import set_parameters
 
           BUCKET = os.environ['BUCKET']
-          WORKGROUP = os.environ['WORKGROUP']
           CRAWLER = os.environ['CRAWLER']
           QUICKSIGHT_USER = os.environ['QUICKSIGHT_USER']
           QUICKSIGHT_ROLE = os.environ.get('QUICKSIGHT_ROLE')
@@ -677,7 +679,6 @@ Resources:
 
           def on_delete():
               # Delete bucket (CF cannot delete if they are non-empty)
-              # and delete WorkGroup (CF cannot do that)
               s3 = boto3.resource('s3')
               log = []
 
@@ -699,24 +700,6 @@ Resources:
                   except Exception as exc:
                       log.append(f'ERROR: {BUCKET} Error: {exc}')
 
-              if WORKGROUP:
-                  try:
-                      response = boto3.client('athena').delete_work_group(
-                          WorkGroup=WORKGROUP,
-                          RecursiveDeleteOption=True
-                      )
-                      print(f'DEBUG: WorkGroup {WORKGROUP} deleted. {response}')
-                      log.append(f'INFO: WorkGroup {WORKGROUP} deleted.')
-                  except botocore.exceptions.ClientError as exc:
-                      status = exc.response["ResponseMetadata"]["HTTPStatusCode"]
-                      errcode = exc.response["Error"]["Code"]
-                      if status == 404:
-                          log.append(f'INFO:  WorkGroup {WORKGROUP} - {errcode}')
-                      else:
-                          log.append(f'ERROR: WorkGroup {WORKGROUP} - {errcode}')
-                  except Exception as exc:
-                      log.append(f'ERROR: WorkGroup {WORKGROUP} Error: {exc}')
-
               if QUICKSIGHT_ROLE:
                   try:
                       role_name = QUICKSIGHT_ROLE.split('/')[-1]
@@ -739,7 +722,6 @@ Resources:
       Environment:
         Variables:
           BUCKET: !If [NeedAthenaQueryResultsBucket, !Ref MyAthenaQueryResultsBucket, '']
-          WORKGROUP: !If [NeedAthenaWorkgroup, !Ref MyAthenaWorkGroup, '']
           CRAWLER: !If [NeedCURTable, !Ref MyGlueCURCrawler, '']
           QUICKSIGHT_USER: !Ref QuickSightUser
           QUICKSIGHT_ROLE: !If [ NeedQuickSightDataSourceRole, !Ref QuickSightDataSourceRole, !Ref 'AWS::NoValue' ]
@@ -790,20 +772,6 @@ Resources:
                 - !Ref 'AWS::NoValue'
       PermissionsBoundary: !If [NeedPermissionsBoundary, !Ref PermissionsBoundary, !Ref 'AWS::NoValue']
 
-  InitLambdaExecutionRoleWorkGroupPolicy:
-    Type: AWS::IAM::Policy
-    Condition: NeedAthenaWorkgroup
-    Properties:
-      PolicyName: AthenaWorkGroupDeletion
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action: athena:DeleteWorkGroup
-            Resource: !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}'
-      Roles:
-        - !Ref InitLambdaExecutionRole
-
   InitLambdaExecutionRoleBucketPolicy:
     Type: AWS::IAM::Policy
     Condition: NeedAthenaQueryResultsBucket
@@ -855,8 +823,6 @@ Resources:
           Value: !If [NeedAthenaWorkgroup, !Ref MyAthenaWorkGroup, '']
         - Key: IgnoreConditionalDependsOnDatabase
           Value: !If [NeedCURTable, !Ref MyGlueCURCrawler, '']
-        - Key: IgnoreConditionalDependsOnPolicy1
-          Value: !If [NeedAthenaWorkgroup, !Ref InitLambdaExecutionRoleWorkGroupPolicy, '']
         - Key: IgnoreConditionalDependsOnPolicy2
           Value: !If [NeedAthenaQueryResultsBucket, !Ref InitLambdaExecutionRoleBucketPolicy, '']
         - Key: IgnoreConditionalDependsOnPolicy3