Adding optional permissions boundary parameter #906

Merged
merged 9 commits into from
Dec 18, 2022
7 changes: 7 additions & 0 deletions athena-aws-cmdb/athena-aws-cmdb.yaml
Expand Up @@ -36,6 +36,12 @@ Parameters:
Description: "WARNING: If set to 'true' encryption for spilled data is disabled."
Default: 'false'
Type: String
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
ConnectorConfig:
Type: 'AWS::Serverless::Function'
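Review bot: the new PermissionsBoundaryARN parameter accepts any string, so a mistyped ARN is only rejected when IAM creates the role, after the stack has started rolling out. Suggest constraining it at template-validation time with an AllowedPattern that accepts either the empty sentinel or an IAM policy ARN, e.g. `AllowedPattern: '^$|^arn:aws[a-zA-Z-]*:iam::\d{12}:policy/.+$'`, together with a ConstraintDescription. The empty-string default combined with the HasPermissionsBoundary condition is the right way to keep the parameter optional; it mirrors the HasKMSKeyId pattern used in the athena-cloudwatch template in this same PR.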
Expand All @@ -52,6 +58,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
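Review bot: PermissionsBoundary on AWS::Serverless::Function only takes effect when SAM generates the execution role; if the function also sets an explicit Role, SAM ignores the property and the boundary is silently not applied. ConnectorConfig here uses inline Policies with no Role property visible, so the boundary does apply, but the parameter Description ("for the created Lambda function's execution role") should state explicitly that a caller-supplied role is not bounded, so an operator who later passes their own role does not assume the cap still holds. The !If with AWS::NoValue correctly omits the property when the parameter is empty rather than passing an empty string, which would fail validation.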
7 changes: 7 additions & 0 deletions athena-cloudera-hive/athena-cloudera-hive.yaml
Expand Up @@ -48,6 +48,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -65,6 +71,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-cloudera-impala/athena-cloudera-impala.yaml
Expand Up @@ -48,6 +48,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -65,6 +71,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-cloudwatch-metrics/athena-cloudwatch-metrics.yaml
Expand Up @@ -36,6 +36,12 @@ Parameters:
Description: "WARNING: If set to 'true' encryption for spilled data is disabled."
Default: 'false'
Type: String
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
ConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -52,6 +58,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
6 changes: 6 additions & 0 deletions athena-cloudwatch/athena-cloudwatch.yaml
Expand Up @@ -44,10 +44,15 @@ Parameters:
Description: "(Optional) By default any data that is spilled to S3 is encrypted using AES-GCM and a randomly generated key. Setting a KMS Key ID allows your Lambda function to use KMS for key generation for a stronger source of encryption keys."
Type: String
Default: ""
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String

Conditions:
HasKMSKeyId: !Not [!Equals [!Ref KMSKeyId, ""]]
NotHasLambdaRole: !Equals [!Ref LambdaRole, ""]
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]

Resources:
ConnectorConfig:
Expand All @@ -72,6 +77,7 @@ Resources:
Condition: NotHasLambdaRole
Type: AWS::IAM::Role
Properties:
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
AssumeRolePolicyDocument:
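Review bot: here the boundary is set on the explicitly declared AWS::IAM::Role (created only under NotHasLambdaRole), which is the right place since this template builds its own role instead of letting SAM generate one. Two things to confirm: that ConnectorConfig's Role property references this role (otherwise SAM would generate a second, unbounded role), and that the parameter description says the boundary is not applied when LambdaRole is supplied, because the caller's role is then used as-is. A boundary only caps what AWSLambdaBasicExecutionRole grants below; it never adds permissions, so a boundary policy that omits the CloudWatch Logs actions shows up as AccessDenied on log writes at first invocation rather than as a deploy-time error.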
7 changes: 7 additions & 0 deletions athena-datalakegen2/athena-datalakegen2.yaml
Expand Up @@ -50,6 +50,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -67,6 +73,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-db2/athena-db2.yaml
Expand Up @@ -51,6 +51,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -68,6 +74,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-docdb/athena-docdb.yaml
Expand Up @@ -49,6 +49,12 @@ Parameters:
Description: 'The DocDB connection details to use by default if not catalog specific connection is defined and optionally using SecretsManager (e.g. ${secret_name}).'
Type: String
Default: "e.g. mongodb://<username>:<password>@<hostname>:<port>/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0"
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
ConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -66,6 +72,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
6 changes: 6 additions & 0 deletions athena-dynamodb/athena-dynamodb.yaml
Expand Up @@ -44,10 +44,15 @@ Parameters:
Description: "(Optional) By default any data that is spilled to S3 is encrypted using AES-GCM and a randomly generated key. Setting a KMS Key ID allows your Lambda function to use KMS for key generation for a stronger source of encryption keys."
Type: String
Default: ""
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String

Conditions:
HasKMSKeyId: !Not [!Equals [!Ref KMSKeyId, ""]]
NotHasLambdaRole: !Equals [!Ref LambdaRole, ""]
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]

Resources:
ConnectorConfig:
Expand All @@ -72,6 +77,7 @@ Resources:
Condition: NotHasLambdaRole
Type: AWS::IAM::Role
Properties:
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
AssumeRolePolicyDocument:
6 changes: 6 additions & 0 deletions athena-elasticsearch/athena-elasticsearch.yaml
Expand Up @@ -78,9 +78,14 @@ Parameters:
Description: '**If IsVPCAccess is True**. Provide one or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: CommaDelimitedList
Default: ""
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String

Conditions:
IsVPCAccessSelected: !Equals [!Ref IsVPCAccess, true]
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]

Resources:
ConnectorConfig:
Expand All @@ -103,6 +108,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-google-bigquery/athena-google-bigquery.yaml
Expand Up @@ -59,6 +59,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
ConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -79,6 +85,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-hbase/athena-hbase.yaml
Expand Up @@ -48,6 +48,12 @@ Parameters:
HBaseConnectionString:
Description: 'The HBase connection details to use by default in the format: master_hostname:hbase_port:zookeeper_port and optionally using SecretsManager (e.g. ${secret_name}).'
Type: String
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
ConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -65,6 +71,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-hortonworks-hive/athena-hortonworks-hive.yaml
Expand Up @@ -48,6 +48,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -65,6 +71,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
6 changes: 6 additions & 0 deletions athena-msk/athena-msk.yaml
Expand Up @@ -72,9 +72,14 @@ Parameters:
Description: "(Must for auth type IAM) A custom role to be used by the Connector lambda"
Default: ""
Type: String
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String

Conditions:
NotHasLambdaRole: !Equals [!Ref LambdaRoleARN, ""]
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]

Resources:
JdbcConnectorConfig:
Expand Down Expand Up @@ -106,6 +111,7 @@ Resources:
Condition: NotHasLambdaRole
Type: AWS::IAM::Role
Properties:
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
AssumeRolePolicyDocument:
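Review bot: for MSK the LambdaRoleARN description says a custom role is mandatory for the IAM auth type, so in exactly that configuration NotHasLambdaRole is false, this role is not created, and PermissionsBoundaryARN has no effect. That is acceptable (the caller owns that role) but should be stated in the parameter description or README; otherwise a deployer who sets both parameters will believe the MSK connector is bounded when it is not. When the role is created here, the boundary caps AWSLambdaVPCAccessExecutionRole, so a boundary policy that omits ec2:CreateNetworkInterface and the related ec2 actions will leave the function unable to attach to the VPC at runtime.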
7 changes: 7 additions & 0 deletions athena-mysql/athena-mysql.yaml
Expand Up @@ -48,6 +48,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -65,6 +71,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
8 changes: 8 additions & 0 deletions athena-neptune/athena-neptune.yaml
Expand Up @@ -69,6 +69,13 @@ Parameters:
Description: 'If set to ''false'' the connector does a case sensitive match for keys'
Default: true
Type: String
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String

Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]

Resources:
ConnectorConfig:
Expand All @@ -94,6 +101,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-oracle/athena-oracle.yaml
Expand Up @@ -48,6 +48,12 @@ Parameters:
SubnetIds:
Description: 'One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access you data source. (e.g. subnet1,subnet2)'
Type: 'List<AWS::EC2::Subnet::Id>'
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -65,6 +71,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
7 changes: 7 additions & 0 deletions athena-postgresql/athena-postgresql.yaml
Expand Up @@ -53,6 +53,12 @@ Parameters:
Type: String
Default: "PostGreSqlMuxCompositeHandler"
AllowedValues : ["PostGreSqlMuxCompositeHandler", "PostGreSqlCompositeHandler"]
PermissionsBoundaryARN:
Description: "(Optional) An IAM policy ARN to use as the PermissionsBoundary for the created Lambda function's execution role"
Default: ''
Type: String
Conditions:
HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ]
Resources:
JdbcConnectorConfig:
Type: 'AWS::Serverless::Function'
Expand All @@ -70,6 +76,7 @@ Resources:
Runtime: java11
Timeout: !Ref LambdaTimeout
MemorySize: !Ref LambdaMemory
PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]
Policies:
- Statement:
- Action:
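Review bot: the same seven-line block is hand-copied into every connector template in this PR, and minor drift is already visible (some files separate Conditions with a blank line and some do not; the new block uses Default: '' while neighbouring parameters use ""). A small CI check asserting that every athena-*/athena-*.yaml declares PermissionsBoundaryARN and sets PermissionsBoundary on its function or role would stop the next connector from shipping without it. No documentation change is visible in the files shown; the parameter should be added to the connector deployment docs with the note that it only bounds roles the template itself creates.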