This repository has been archived by the owner on Jul 28, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathcrossaccountathena.cf.yaml
133 lines (126 loc) · 4.14 KB
/
crossaccountathena.cf.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
AWSTemplateFormatVersion: "2010-09-09"
Description: Example AWS Lambda function for Amazon Athena Cross Account functionality
Parameters:
GlueDataCatalogAccountID:
Type: String
Description: AWS account ID for Glue Data Catalog
AllowedPattern: \d{12}
ConstraintDescription: Must be an AWS account ID
GlueDataCatalogRegion:
Type: String
Description: (Optional) AWS region ID for Glue Catalog (Eg. us-east-1). Defaults to current region if not specified.
AthenaCatalogName:
Type: String
Description: Cross Account Catalog Description
AllowedPattern: ^[a-z0-9_@-]*$
ConstraintDescription: Must be lowercase alphabets, digits, underscore, or hyphen
LambdaCodeS3Bucket:
Type: String
Description: S3 bucket containing function code zip file
LambdaCodeS3Key:
Type: String
Description: S3 path to function zip file. Eg. prefix/functionv2.zip
S3SpillLocation:
Type: String
Description: S3 path to spill Lambda response so that it doesn't exceed Lambda's limit. Eg. s3://<bucket>/<spill-prefx>/
S3SpillTTL:
Type: Number
Description: (Optional) Unit-Seconds. If set to positive number, it'll reuse the spilled content for this duration. Eg. 3600 for 1 hour
Conditions:
AddS3Policy: !Not [!Equals [!Ref S3SpillLocation, ""]]
Resources:
AthenaCrossAccountCatalog:
Type: AWS::Athena::DataCatalog
Properties:
Name:
Ref: "AthenaCatalogName"
Description: Custom Hive Catalog Description
Type: HIVE
Parameters:
metadata-function:
Fn::GetAtt: [ AthenaCrossAccountLambdaFunction, Arn ]
AthenaCrossAccountLambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Description: Allows Amazon Athena to query an AWS Glue Data Catalog in a different account
Code:
S3Key:
Ref: LambdaCodeS3Key
S3Bucket:
Ref: LambdaCodeS3Bucket
Environment:
Variables:
TARGET_ACCOUNT_ID:
Ref: GlueDataCatalogAccountID
CATALOG_NAME:
Ref: AthenaCatalogName
CATALOG_REGION:
Ref: GlueDataCatalogRegion
SPILL_LOCATION:
Ref: S3SpillLocation
SPILL_TTL:
Ref: S3SpillTTL
Handler: heracles.lambda.handler
Role:
Fn::GetAtt: [ LambdaExecutionRole, Arn ]
Runtime: python3.7
Timeout: 300
MemorySize: 1024
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: AWSLambdaBasicExecutionRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
- PolicyName: AWSGlueReadOnlyAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- glue:BatchGetPartition
- glue:GetDatabase
- glue:GetDatabases
- glue:GetPartition
- glue:GetPartitions
- glue:GetTable
- glue:GetTables
- glue:GetTableVersion
- glue:GetTableVersions
Resource: "*"
- !If
- AddS3Policy
-
Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
Resource: !Join ['', ['arn:aws:s3:::', !Select [1, !Split ["s3://", !Ref S3SpillLocation]], '*']]
-
Effect: Allow
Action:
- s3:GetObject
NotResource: 'arn:aws:s3:::*'
Outputs:
CrossAccountPrincipal:
Description: The Principal to grant access to in the Glue Data Catalog Account
Value:
!Join [ ":", [ "arn:aws:sts:", !Ref "AWS::AccountId", !Join [ "/", [ "assumed-role", !Ref LambdaExecutionRole, !Ref AthenaCrossAccountLambdaFunction ]]]]