Merge pull request #762 from PRX/feat/dovetail_cdn_usage_vars
Attempt to configure/permission things
cavis committed May 7, 2024
2 parents 48ed603 + b6d4707 commit c8d62ed
Showing 2 changed files with 39 additions and 5 deletions.
6 changes: 6 additions & 0 deletions spire/templates/apps-400A.yml
Expand Up @@ -42,6 +42,7 @@ Parameters:

Conditions:
EnableNestedChangeSetScrubbingResources: !Equals [!Ref NestedChangeSetScrubbingResourcesState, Enabled]
IsProduction: !Equals [!Ref EnvironmentType, Production]

Resources:
NestedChangeSetScrubber: { Type: AWS::SNS::Topic, Condition: EnableNestedChangeSetScrubbingResources }
Expand Down Expand Up @@ -95,7 +96,12 @@ Resources:
RootStackId: !Ref RootStackId
CodeS3Bucket: !Ref DeploymentPackageBucketName
CodeS3ObjectKey: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/pkg/s3-object-key
AthenaDb: cloudfront_logs
AthenaTable: !If [IsProduction, dovetail3_cdn_production, dovetail3_cdn_staging]
BigQueryClientConfig: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/big-query-client-config
BigQueryDataset: !If [IsProduction, production, staging]
DovetailCdnLogBucket: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/dovetail-cdn-log-bucket
DovetailCdnLogPrefix: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/dovetail-cdn-log-prefix
Tags:
- { Key: prx:meta:tagging-version, Value: "2021-04-07" }
- { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
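Review bot: The two new SSM paths passed as DovetailCdnLogBucket and DovetailCdnLogPrefix are an undocumented deploy prerequisite. The child template declares both as `AWS::SSM::Parameter::Value<String>`, so the parameters have to exist in Parameter Store for every environment before this stack updates, and that should be stated in the PR description or the deploy notes. The prefix value also has to be stored without a leading or trailing slash, because the role policy builds `${DovetailCdnLogBucket}/${DovetailCdnLogPrefix}/*` from it and a stray slash produces an ARN that matches no log objects.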
38 changes: 33 additions & 5 deletions spire/templates/apps/dovetail-cdn-usage.yml
Expand Up @@ -15,10 +15,14 @@ Parameters:
RootStackId: { Type: String }
CodeS3Bucket: { Type: String }
CodeS3ObjectKey: { Type: AWS::SSM::Parameter::Value<String> }
AthenaDb: { Type: String }
AthenaTable: { Type: String }
BigQueryClientConfig: { Type: AWS::SSM::Parameter::Value<String> }
BigQueryDataset: { Type: String }
DovetailCdnLogBucket: { Type: AWS::SSM::Parameter::Value<String> }
DovetailCdnLogPrefix: { Type: AWS::SSM::Parameter::Value<String> }

Conditions:
IsProduction: !Equals [!Ref EnvironmentType, Production]
EnableNestedChangeSetScrubbingResources: !Equals [!Ref NestedChangeSetScrubbingResourcesState, Enabled]

Resources:
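Review bot: AthenaDb and AthenaTable are declared as unconstrained `String` parameters, yet both are interpolated into the Glue database and table ARNs in the role policy, so a value containing `*` or `/` would change what the policy grants. Consider adding an `AllowedPattern` (for example `^[a-z0-9_]+$`) to both, and to BigQueryDataset for consistency, so a bad value fails at stack validation instead of ending up in IAM.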
Expand All @@ -34,10 +38,10 @@ Resources:
${EnvironmentType} Dovetail CDN Usage
Environment:
Variables:
ATHENA_DB: cloudfront_logs
ATHENA_TABLE: !If [IsProduction, dovetail3_cdn_production, dovetail3_cdn_staging]
ATHENA_DB: !Ref AthenaDb
ATHENA_TABLE: !Ref AthenaTable
BQ_CLIENT_CONFIG: !Ref BigQueryClientConfig
BQ_DATASET: !If [IsProduction, production, staging]
BQ_DATASET: !Ref BigQueryDataset
Handler: index.handler
MemorySize: 512
Runtime: nodejs20.x
Expand All @@ -49,7 +53,31 @@ Resources:
- athena:GetQueryExecution
- athena:GetQueryResults
Effect: Allow
Resource: arn:aws:s3:::prx-ryan/*
Resource: !Sub arn:aws:athena:*:${AWS::AccountId}:workgroup/primary
- Action:
- glue:GetDatabase
- glue:GetTable
Effect: Allow
Resource:
- !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog
- !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${AthenaDb}
- !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${AthenaDb}/${AthenaTable}
- Action:
- s3:GetObject
Effect: Allow
Resource: !Sub arn:aws:s3:::${DovetailCdnLogBucket}/${DovetailCdnLogPrefix}/*
- Action:
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
- s3:CreateBucket
- s3:PutObject
Effect: Allow
Resource: !Sub aws-athena-query-results-${AWS::Region}-${AWS::AccountId}
Version: "2012-10-17"
Tags:
prx:meta:tagging-version: "2021-04-07"
prx:cloudformation:stack-name: !Ref AWS::StackName
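Review bot: The Resource on the last statement, `!Sub aws-athena-query-results-${AWS::Region}-${AWS::AccountId}`, is a bare bucket name rather than an ARN, and IAM rejects Resource elements that are neither an ARN nor `*`. List both `arn:aws:s3:::aws-athena-query-results-${AWS::Region}-${AWS::AccountId}` for the bucket-level actions (s3:GetBucketLocation, s3:ListBucket, s3:ListBucketMultipartUploads) and the same ARN with `/*` for the object-level ones (s3:GetObject, s3:PutObject, s3:AbortMultipartUpload, s3:ListMultipartUploadParts), and drop s3:CreateBucket if the results bucket is expected to exist already. Two smaller points in the same hunk: the log-bucket statement grants only s3:GetObject, while Athena reads table data with the caller's credentials and also needs s3:ListBucket and s3:GetBucketLocation on `arn:aws:s3:::${DovetailCdnLogBucket}` (ideally conditioned on the `s3:prefix`); and the Athena workgroup ARN uses `*` for the region while the Glue ARNs use `${AWS::Region}`, so pin the region there as well unless cross-region queries are intended.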