0_datazone_cloudformation.yaml
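---
# CloudFormation template for the re:Invent ANT336 DataZone demo.
# Creates: a demo S3 bucket, a Cloud9 environment pre-cloned with the demo
# repository, and an IAM role assumed by the Glue crawler.
Description: ReInvent session ANT336

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      # Explicit hardening. New buckets already get these defaults from S3,
      # so this documents intent rather than changing the demo's behaviour.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  Cloud9:
    Type: AWS::Cloud9::EnvironmentEC2
    Properties:
      Name: 'data-zone-cloud9'
      Description: 'Cloud9 development environment'
      ImageId: 'amazonlinux-2-x86_64'
      InstanceType: 't2.large'
      # Idle auto-stop in minutes; the property is an Integer, so unquoted.
      AutomaticStopTimeMinutes: 30
      # Cloned into the environment on first start.
      Repositories:
        - PathComponent: '/DataZone_Demo'
          RepositoryUrl: 'https://github.com/ev2900/DataZone_Demo.git'

  GlueCrawlerIAMRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name: only one copy of this stack can exist per account, and
      # deploying it requires the CAPABILITY_NAMED_IAM acknowledgement.
      RoleName: 'Glue_Crawler_IAM_Role'
      Description: 'IAM role for Glue Crawler'
      # Trust relationship: only the Glue service may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # Permissions
      Policies:
        # Policy names now match their contents; the original template had
        # the S3 and Lake Formation names swapped.
        - PolicyName: S3_Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:PutObject'
                # NOTE(review): '*' grants object read/write on every bucket in
                # the account. Unless the crawler must read other buckets,
                # scope this to the demo bucket, e.g. !Sub '${S3Bucket.Arn}/*'.
                Resource: '*'
        - PolicyName: LakeFormation_GetDataAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # lakeformation:GetDataAccess does not support resource-level
                # restriction, so '*' is the only valid scope here.
                Action: 'lakeformation:GetDataAccess'
                Resource: '*'
        # Inline copy of the AWS-managed AWSGlueServiceRole policy. Attaching
        # the managed policy via ManagedPolicyArns would keep it current with
        # AWS's updates; kept inline here so the demo is self-contained.
        - PolicyName: AWS_GlueServiceRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'glue:*'
                  - 's3:GetBucketLocation'
                  - 's3:ListBucket'
                  - 's3:ListAllMyBuckets'
                  - 's3:GetBucketAcl'
                  - 'ec2:DescribeVpcEndpoints'
                  - 'ec2:DescribeRouteTables'
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:DeleteNetworkInterface'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'ec2:DescribeSecurityGroups'
                  - 'ec2:DescribeSubnets'
                  - 'ec2:DescribeVpcAttribute'
                  - 'iam:ListRolePolicies'
                  - 'iam:GetRole'
                  - 'iam:GetRolePolicy'
                  - 'cloudwatch:PutMetricData'
                Resource: '*'
              - Effect: Allow
                Action: 's3:CreateBucket'
                Resource: 'arn:aws:s3:::aws-glue-*'
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:PutObject'
                  - 's3:DeleteObject'
                Resource:
                  - 'arn:aws:s3:::aws-glue-*/*'
                  - 'arn:aws:s3:::*/*aws-glue-*/*'
              - Effect: Allow
                Action: 's3:GetObject'
                Resource:
                  - 'arn:aws:s3:::crawler-public*'
                  - 'arn:aws:s3:::aws-glue-*'
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: 'arn:aws:logs:*:*:*:/aws-glue/*'
              - Effect: Allow
                Action:
                  - 'ec2:CreateTags'
                  - 'ec2:DeleteTags'
                Resource:
                  - 'arn:aws:ec2:*:*:network-interface/*'
                  - 'arn:aws:ec2:*:*:security-group/*'
                  - 'arn:aws:ec2:*:*:instance/*'

Outputs:
  S3BucketARN:
    Description: S3 bucket ARN
    Value: !GetAtt S3Bucket.Arn
  IAMRoleARN:
    Description: IAM role ARN
    Value: !GetAtt GlueCrawlerIAMRole.Arn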