feat(glue): add L2 resources for Database and Table

packages/@aws-cdk/aws-glue/README.md

@@ -22,7 +22,7 @@ new glue.Database(stack, 'MyDatabase', {
 
 ### Table
 
-A Glue table describes the structure (column names and types),location of data (S3 objects with a common prefix in a S3 bucket) and format of the files (Json, Avro, Parquet, etc.):
+A Glue table describes the structure (column names and types), location of data (S3 objects with a common prefix in a S3 bucket) and format of the files (Json, Avro, Parquet, etc.):
 
 ```ts
 new glue.Table(stack, 'MyTable', {
@@ -69,6 +69,33 @@ new glue.Table(stack, 'MyTable', {
 });
 ```
 
+### [Encryption](https://docs.aws.amazon.com/athena/latest/ug/encryption.html)
+
+You can enable encryption on a S3 bucket:
+* [SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) - Server side encryption (SSE) with an Amazon S3-managed key.
+```ts
+new glue.Table(stack, 'MyTable', {
+  encryption: glue.TableEncryption.SSE_S3
+  ...
+});
+```
+* [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) - Server-side encryption (SSE) with a AWS Key Management Service customer managed key.
+
+```ts
+// with a KMS managed key
+new glue.Table(stack, 'MyTable', {
+  encryption: glue.TableEncryption.SSE_KMS
+  ...
+});
+
+// with a customer-managed KMS key
+new glue.Table(stack, 'MyTable', {
+  encryption: glue.TableEncryption.SSE_KMS,
+  encryptionKey: new kms.EncryptionKey(stack, 'MyKey')
+  ...
+});
+```
+
 ### Types
 
 A table's schema is a collection of columns, each of which have a `name` and a `type`. Types are recursive structures, consisting of primitive and complex types:

packages/@aws-cdk/aws-glue/lib/database.ts

@@ -94,12 +94,13 @@ export class Database extends cdk.Construct {
     });
 
     // see https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html#data-catalog-resource-arns
-    this.databaseName = resource.ref;
+    this.databaseName = resource.databaseName;
     this.databaseArn = this.node.stack.formatArn({
       service: 'glue',
       resource: 'database',
       resourceName: this.databaseName
     });
+    // catalogId is implicitly the accountId, which is why we don't pass the catalogId here
     this.catalogArn = this.node.stack.formatArn({
       service: 'glue',
       resource: 'catalog'

packages/@aws-cdk/aws-glue/lib/schema.ts

@@ -20,6 +20,9 @@ export interface Column {
   comment?: string;
 }
 
+/**
+ * Represents a type of a column in a table schema.
+ */
 export interface Type {
   /**
    * Indicates whether this type is a primitive data type.

packages/@aws-cdk/aws-glue/lib/storage-type.ts

@@ -1,44 +1,50 @@
 /**
  * Absolute class name of the Hadoop `InputFormat` to use when reading table files.
  */
-export enum InputFormat {
+export class InputFormat {
   /**
    * An InputFormat for plain text files. Files are broken into lines. Either linefeed or
    * carriage-return are used to signal end of line. Keys are the position in the file, and
    * values are the line of text.
    *
    * @see https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/mapred/TextInputFormat.html
    */
-  TextInputFormat = 'org.apache.hadoop.mapred.TextInputFormat'
+  public static readonly TextInputFormat = new InputFormat('org.apache.hadoop.mapred.TextInputFormat');
+
+  constructor(public readonly className: string) {}
 }
 
 /**
  * Absolute class name of the Hadoop `OutputFormat` to use when writing table files.
  */
-export enum OutputFormat {
+export class OutputFormat {
   /**
    * Writes text data with a null key (value only).
    *
    * @see https://hive.apache.org/javadocs/r2.2.0/api/org/apache/hadoop/hive/ql/io/HiveIgnoreKeyTextOutputFormat.html
    */
-  HiveIgnoreKeyTextOutputFormat = 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
+  public static readonly HiveIgnoreKeyTextOutputFormat = new OutputFormat('org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat');
+
+  constructor(public readonly className: string) {}
 }
 
 /**
  * Serialization library to use when serializing/deserializing (SerDe) table records.
  *
  * @see https://cwiki.apache.org/confluence/display/Hive/SerDe
  */
-export enum SerializationLibrary {
+export class SerializationLibrary {
   /**
    * @see https://cwiki.apache.org/confluence/display/Hive/LanguageManual+DDL#LanguageManualDDL-JSON
    */
-  HiveJson = 'org.apache.hive.hcatalog.data.JsonSerDe',
+  public static readonly HiveJson = new SerializationLibrary('org.apache.hive.hcatalog.data.JsonSerDe');
 
   /**
    * @see https://github.com/rcongiu/Hive-JSON-Serde
    */
-  OpenXJson = 'org.openx.data.jsonserde.JsonSerDe'
+  public static readonly OpenXJson = new SerializationLibrary('org.openx.data.jsonserde.JsonSerDe');
+
+  constructor(public readonly className: string) {}
 }
 
 /**
@@ -48,17 +54,17 @@ export interface StorageType {
   /**
    * `InputFormat` for this storage type.
    */
-  inputFormat: string;
+  inputFormat: InputFormat;
 
   /**
    * `OutputFormat` for this storage type.
    */
-  outputFormat: string;
+  outputFormat: OutputFormat;
 
   /**
    * Serialization library for this storage type.
    */
-  serializationLibrary: string;
+  serializationLibrary: SerializationLibrary;
 }
 
 export namespace StorageType {

packages/@aws-cdk/aws-glue/lib/table.ts

@@ -1,4 +1,5 @@
 import iam = require('@aws-cdk/aws-iam');
+import kms = require('@aws-cdk/aws-kms');
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/cdk');
 import { IDatabase } from './database';
@@ -13,6 +14,38 @@ export interface ITable extends cdk.IConstruct {
   export(): TableImportProps;
 }
 
+/**
+ * Encryption options for a Table.
+ *
+ * @see https://docs.aws.amazon.com/athena/latest/ug/encryption.html
+ */
+export enum TableEncryption {
+  Unencrypted = 'Unecrypted',
+
+  /**
+   * Server side encryption (SSE) with an Amazon S3-managed key.
+   *
+   * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
+   */
+  SSE_S3 = 'SSE-S3',
+
+  /**
+   * Server-side encryption (SSE) with an AWS KMS customer managed key.
+   *
+   * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
+   */
+  SSE_KMS = 'SSE-KMS',
+
+  /**
+   * Client-side encryption (CSE) with an AWS KMS customer managed key.
+   *
+   * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
+   *
+   * TODO: implement. It's not clear what properties to set on a table to support client-side encryption.
+   */
+  // CSE_KMS = 'CSE-KMS'
+}
+
 export interface TableImportProps {
   tableArn: string;
   tableName: string;
@@ -41,7 +74,7 @@ export interface TableProps {
    *
    * @default one is created for you
    */
-  bucket?: s3.Bucket;
+  bucket?: s3.IBucket;
 
   /**
    * S3 prefix under which table objects are stored.
@@ -74,6 +107,28 @@ export interface TableProps {
    */
   compressed?: boolean;
 
+  /**
+   * The kind of encryption to secure the data with.
+   *
+   * You can only provide this option if you are not explicitly passing in a Bucket.
+   *
+   * If you choose SSE-KMS, you can specify a KMS key via `encryptionKey`. If
+   * encryption key is not specified, a key will automatically be created.
+   *
+   * @default Unencrypted
+   */
+  encryption?: TableEncryption;
+
+  /**
+   * External KMS key to use for bucket encryption.
+   *
+   * The 'encryption' property must be either un-specified or set to "SSE-KMS".
+   *
+   * @default If encryption is set to "Kms" and this property is undefined, a
+   * new KMS key will be created and associated with this bucket.
+   */
+  encryptionKey?: kms.IEncryptionKey;
+
   /**
    * Indicates whether the table data is stored in subdirectories.
    *
@@ -98,7 +153,7 @@ export class Table extends cdk.Construct implements ITable {
   }
 
   public readonly database: IDatabase;
-  public readonly bucket: s3.Bucket;
+  public readonly bucket: s3.IBucket;
   public readonly prefix: string;
 
   public readonly tableName: string;
@@ -109,9 +164,15 @@ export class Table extends cdk.Construct implements ITable {
   public readonly partitionKeys?: Column[];
 
   constructor(scope: cdk.Construct, id: string, props: TableProps) {
+    validateProps(props);
     super(scope, id);
+
     this.database = props.database;
-    this.bucket = props.bucket || new s3.Bucket(this, 'Bucket');
+    const encryption = parseEncryption(props);
+    this.bucket = props.bucket || new s3.Bucket(this, 'Bucket', {
+      encryption: encryption ? encryption.encryption : undefined,
+      encryptionKey: encryption ? encryption.encryptionKey : undefined
+    });
     this.storageType = props.storageType;
     this.prefix = props.prefix || 'data/';
     this.columns = props.columns;
@@ -133,18 +194,18 @@ export class Table extends cdk.Construct implements ITable {
           compressed: props.compressed === undefined ? false : props.compressed,
           storedAsSubDirectories: props.storedAsSubDirectories === undefined ? false : props.storedAsSubDirectories,
           columns: renderColumns(props.columns),
-          inputFormat: props.storageType.inputFormat,
-          outputFormat: props.storageType.outputFormat,
+          inputFormat: props.storageType.inputFormat.className,
+          outputFormat: props.storageType.outputFormat.className,
           serdeInfo: {
-            serializationLibrary: props.storageType.serializationLibrary
+            serializationLibrary: props.storageType.serializationLibrary.className
           }
         },
 
         tableType: 'EXTERNAL_TABLE'
       }
     });
 
-    this.tableName = tableResource.ref;
+    this.tableName = tableResource.tableName;
     this.tableArn = cdk.Fn.join('', [this.database.databaseArn, '/', this.tableName]);
   }
 
@@ -162,7 +223,7 @@ export class Table extends cdk.Construct implements ITable {
    */
   public grantRead(identity: iam.IPrincipal): void {
     this.grant(identity, readPermissions);
-    this.bucket.grantRead(identity);
+    this.bucket.grantRead(identity, this.prefix);
   }
 
   /**
@@ -172,7 +233,7 @@ export class Table extends cdk.Construct implements ITable {
    */
   public grantWrite(identity: iam.IPrincipal): void {
     this.grant(identity, writePermissions);
-    this.bucket.grantWrite(identity);
+    this.bucket.grantWrite(identity, this.prefix);
   }
 
   /**
@@ -182,7 +243,7 @@ export class Table extends cdk.Construct implements ITable {
    */
   public grantReadWrite(identity: iam.IPrincipal): void {
     this.grant(identity, readPermissions.concat(writePermissions));
-    this.bucket.grantReadWrite(identity);
+    this.bucket.grantReadWrite(identity, this.prefix);
   }
 
   private grant(identity: iam.IPrincipal, permissions: string[]) {
@@ -192,6 +253,56 @@ export class Table extends cdk.Construct implements ITable {
   }
 }
 
+/**
+ * Check there is at least one column and no duplicated column names or partition keys.
+ *
+ * @param props the TableProps
+ */
+function validateProps(props: TableProps): void {
+  if (props.bucket && (props.encryption || props.encryptionKey)) {
+    throw new Error('you can not specify both an encryption key and s3 bucket');
+  }
+  if (props.columns.length === 0) {
+    throw new Error('you must specify at least one column for the table');
+  }
+  const names = new Set<string>();
+  (props.columns.concat(props.partitionKeys || [])).forEach(column => {
+    if (names.has(column.name)) {
+      throw new Error(`column names and partition keys must be unique, but 'p1' is duplicated`);
+    }
+    names.add(column.name);
+  });
+}
+
+function parseEncryption(props: TableProps): {
+  encryption: s3.BucketEncryption;
+  encryptionKey?: kms.IEncryptionKey;
+} | undefined {
+  if (props.encryption === undefined || props.encryption === TableEncryption.Unencrypted) {
+    return undefined;
+  }
+
+  if (props.encryption === TableEncryption.SSE_KMS) {
+    if (props.encryptionKey === undefined) {
+      return {
+        encryption: s3.BucketEncryption.KmsManaged
+      };
+    } else {
+      return {
+        encryption: s3.BucketEncryption.Kms,
+        encryptionKey: props.encryptionKey
+      };
+    }
+  } else {
+    if (props.encryptionKey) {
+      throw new Error('a customer managed KMS key cannot be used with SSE-S3 encryption');
+    }
+    return {
+      encryption: s3.BucketEncryption.S3Managed
+    };
+  }
+}
+
 const readPermissions = [
   'glue:BatchDeletePartition',
   'glue:BatchGetPartition',