-
Notifications
You must be signed in to change notification settings - Fork 296
/
athena-dynamodb.yaml
161 lines (157 loc) · 5.79 KB
/
athena-dynamodb.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
Transform: 'AWS::Serverless-2016-10-31'
Metadata:
'AWS::ServerlessRepo::Application':
Name: AthenaDynamoDBConnector
Description: 'This connector enables Amazon Athena to communicate with DynamoDB, making your tables accessible via SQL.'
Author: 'default author'
SpdxLicenseId: Apache-2.0
LicenseUrl: LICENSE.txt
ReadmeUrl: README.md
Labels:
- athena-federation
HomePageUrl: 'https://github.com/awslabs/aws-athena-query-federation'
SemanticVersion: 2022.47.1
SourceCodeUrl: 'https://github.com/awslabs/aws-athena-query-federation'
Parameters:
AthenaCatalogName:
Description: 'This is the name of the lambda function that will be created. This name must satisfy the pattern ^[a-z0-9-_]{1,64}$'
Type: String
AllowedPattern: ^[a-z0-9-_]{1,64}$
SpillBucket:
Description: 'The name of the bucket where this function can spill data.'
Type: String
SpillPrefix:
Description: 'The prefix within SpillBucket where this function can spill data.'
Type: String
Default: athena-spill
LambdaTimeout:
Description: 'Maximum Lambda invocation runtime in seconds. (min 1 - 900 max)'
Default: 900
Type: Number
LambdaMemory:
Description: 'Lambda memory in MB (min 128 - 3008 max).'
Default: 3008
Type: Number
LambdaRole:
Description: "(Optional) A custom role to be used by the Connector lambda"
Type: String
Default: ""
DisableSpillEncryption:
Description: "WARNING: If set to 'true' encryption for spilled data is disabled."
Default: 'false'
Type: String
KMSKeyId:
Description: "(Optional) By default any data that is spilled to S3 is encrypted using AES-GCM and a randomly generated key. Setting a KMS Key ID allows your Lambda function to use KMS for key generation for a stronger source of encryption keys."
Type: String
Default: ""
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasKMSKeyId: !Not [!Equals [!Ref KMSKeyId, ""]]
NotHasLambdaRole: !Equals [!Ref LambdaRole, ""]
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
CreateKMSPolicy: !And [!Condition HasKMSKeyId, !Condition NotHasLambdaRole]
IsRegionBAH: !Equals [!Ref "AWS::Region", "me-south-1"]
IsRegionHKG: !Equals [!Ref "AWS::Region", "ap-east-1"]
Resources:
ConnectorConfig:
Type: 'AWS::Serverless::Function'
Properties:
Environment:
Variables:
disable_spill_encryption: !Ref DisableSpillEncryption
spill_bucket: !Ref SpillBucket
spill_prefix: !Ref SpillPrefix
kms_key_id: !If [HasKMSKeyId, !Ref KMSKeyId, !Ref "AWS::NoValue"]
FunctionName: !Ref AthenaCatalogName
PackageType: "Image"
ImageUri: !Sub
- '${Account}.dkr.ecr.${AWS::Region}.amazonaws.com/athena-federation-repository-dynamodb:2022.47.1'
- Account: !If [IsRegionBAH, 084828588479, !If [IsRegionHKG, 183295418215, 292517598671]]
Description: "Enables Amazon Athena to communicate with DynamoDB, making your tables accessible via SQL"
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
Role: !If [NotHasLambdaRole, !GetAtt FunctionRole.Arn, !Ref LambdaRole]
FunctionRole:
Condition: NotHasLambdaRole
Type: AWS::IAM::Role
Properties:
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- "sts:AssumeRole"
FunctionExecutionPolicy:
Condition: NotHasLambdaRole
Type: "AWS::IAM::Policy"
Properties:
PolicyName: FunctionExecutionPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- dynamodb:DescribeTable
- dynamodb:ListTables
- dynamodb:Query
- dynamodb:Scan
- dynamodb:PartiQLSelect
- glue:GetTableVersions
- glue:GetPartitions
- glue:GetTables
- glue:GetTableVersion
- glue:GetDatabases
- glue:GetTable
- glue:GetPartition
- glue:GetDatabase
- athena:GetQueryExecution
Effect: Allow
Resource: '*'
- Action:
- s3:GetObject
- s3:ListBucket
- s3:GetBucketLocation
- s3:GetObjectVersion
- s3:PutObject
- s3:PutObjectAcl
- s3:GetLifecycleConfiguration
- s3:PutLifecycleConfiguration
- s3:DeleteObject
Effect: Allow
Resource:
- Fn::Sub:
- arn:${AWS::Partition}:s3:::${bucketName}
- bucketName:
Ref: SpillBucket
- Fn::Sub:
- arn:${AWS::Partition}:s3:::${bucketName}/*
- bucketName:
Ref: SpillBucket
Roles:
- !Ref FunctionRole
FunctionKMSPolicy:
Condition: CreateKMSPolicy
Type: "AWS::IAM::Policy"
Properties:
PolicyName: FunctionKMSPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- kms:GenerateRandom
Effect: Allow
Resource: '*'
- Action:
- kms:GenerateDataKey
Effect: Allow
Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KMSKeyId}"
Roles:
- !Ref FunctionRole