diff --git a/spire/templates/apps-400A.yml b/spire/templates/apps-400A.yml index 0c917c45..c93fa060 100644 --- a/spire/templates/apps-400A.yml +++ b/spire/templates/apps-400A.yml @@ -42,6 +42,7 @@ Parameters: Conditions: EnableNestedChangeSetScrubbingResources: !Equals [!Ref NestedChangeSetScrubbingResourcesState, Enabled] + IsProduction: !Equals [!Ref EnvironmentType, Production] Resources: NestedChangeSetScrubber: { Type: AWS::SNS::Topic, Condition: EnableNestedChangeSetScrubbingResources } @@ -95,7 +96,12 @@ Resources: RootStackId: !Ref RootStackId CodeS3Bucket: !Ref DeploymentPackageBucketName CodeS3ObjectKey: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/pkg/s3-object-key + AthenaDb: cloudfront_logs + AthenaTable: !If [IsProduction, dovetail3_cdn_production, dovetail3_cdn_staging] BigQueryClientConfig: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/big-query-client-config + BigQueryDataset: !If [IsProduction, production, staging] + DovetailCdnLogBucket: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/dovetail-cdn-log-bucket + DovetailCdnLogPrefix: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-CDN_Usage/dovetail-cdn-log-prefix Tags: - { Key: prx:meta:tagging-version, Value: "2021-04-07" } - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName } diff --git a/spire/templates/apps/dovetail-cdn-usage.yml b/spire/templates/apps/dovetail-cdn-usage.yml index 18bbb4a7..ccf57bdb 100644 --- a/spire/templates/apps/dovetail-cdn-usage.yml +++ b/spire/templates/apps/dovetail-cdn-usage.yml 
@@ -15,10 +15,14 @@ Parameters: RootStackId: { Type: String } CodeS3Bucket: { Type: String } CodeS3ObjectKey: { Type: AWS::SSM::Parameter::Value } + AthenaDb: { Type: String } + AthenaTable: { Type: String } BigQueryClientConfig: { Type: AWS::SSM::Parameter::Value } + BigQueryDataset: { Type: String } + DovetailCdnLogBucket: { Type: AWS::SSM::Parameter::Value } + DovetailCdnLogPrefix: { Type: AWS::SSM::Parameter::Value } Conditions: - IsProduction: !Equals [!Ref EnvironmentType, Production] EnableNestedChangeSetScrubbingResources: !Equals [!Ref NestedChangeSetScrubbingResourcesState, Enabled] Resources: @@ -34,10 +38,10 @@ Resources: ${EnvironmentType} Dovetail CDN Usage Environment: Variables: - ATHENA_DB: cloudfront_logs - ATHENA_TABLE: !If [IsProduction, dovetail3_cdn_production, dovetail3_cdn_staging] + ATHENA_DB: !Ref AthenaDb + ATHENA_TABLE: !Ref AthenaTable BQ_CLIENT_CONFIG: !Ref BigQueryClientConfig - BQ_DATASET: !If [IsProduction, production, staging] + BQ_DATASET: !Ref BigQueryDataset Handler: index.handler MemorySize: 512 Runtime: nodejs20.x 
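Review bot: `AthenaDb` and `AthenaTable` are plain `Type: String` parameters that the role policy in this same file interpolates into Glue ARNs (`arn:aws:glue:…:table/${AthenaDb}/${AthenaTable}`), so a value carrying `*` or `/` would silently widen that grant; the parent template passes fixed names today, but an `AllowedPattern` makes the child self-defending: `AthenaDb: { Type: String, AllowedPattern: "^[a-z0-9_]+$" }` and `AthenaTable: { Type: String, AllowedPattern: "^[a-z0-9_]+$" }`. `BigQueryDataset` only feeds an environment variable, but the same pattern (`production`/`staging` both match) documents the expected shape. The `Parameters:` block this hunk edits begins above the hunk.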
@@ -49,7 +53,31 @@ Resources: - athena:GetQueryExecution - athena:GetQueryResults Effect: Allow - Resource: arn:aws:s3:::prx-ryan/* + Resource: !Sub arn:aws:athena:*:${AWS::AccountId}:workgroup/primary + - Action: + - glue:GetDatabase + - glue:GetTable + Effect: Allow + Resource: + - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog + - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${AthenaDb} + - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${AthenaDb}/${AthenaTable} + - Action: + - s3:GetObject + Effect: Allow + Resource: !Sub arn:aws:s3:::${DovetailCdnLogBucket}/${DovetailCdnLogPrefix}/* + - Action: + - s3:GetBucketLocation + - s3:GetObject + - s3:ListBucket + - s3:ListBucketMultipartUploads + - s3:ListMultipartUploadParts + - s3:AbortMultipartUpload + - s3:CreateBucket + - s3:PutObject + Effect: Allow + Resource: !Sub aws-athena-query-results-${AWS::Region}-${AWS::AccountId} + Version: "2012-10-17" Tags: prx:meta:tagging-version: "2021-04-07" prx:cloudformation:stack-name: !Ref AWS::StackName
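Review bot: The last S3 statement's `Resource` is a bare bucket name, `aws-athena-query-results-${AWS::Region}-${AWS::AccountId}`, not an ARN, so IAM rejects the policy (a Resource must be an ARN or `*`) and the role fails to create; it also mixes bucket-level actions (GetBucketLocation, ListBucket, ListBucketMultipartUploads, CreateBucket) with object-level ones (GetObject, PutObject, AbortMultipartUpload, ListMultipartUploadParts), which need the bucket ARN and the `/*` object ARN respectively. The log-bucket statement grants only `s3:GetObject` under the prefix, but Athena reads the table location with the caller's credentials and also needs `s3:ListBucket` and `s3:GetBucketLocation` on the bucket itself, so queries will fail with access denied — the list grant can be held to the prefix with an `s3:prefix` condition. The Athena statement's Action list and the enclosing PolicyDocument begin above the hunk; if that document already has a `Version` key, the one added at the bottom is a duplicate. If the CloudFront logs table is partitioned, `glue:GetPartitions` will be needed alongside `glue:GetTable` — worth confirming. Rewritten S3 statements below; if the SSM prefix value ends in `/`, trim it first or the object ARN contains `//`.
```yaml
# … unchanged: athena and glue statements …
- Action:
    - s3:ListBucket
  Effect: Allow
  Resource: !Sub arn:aws:s3:::${DovetailCdnLogBucket}
  Condition:
    StringLike:
      s3:prefix: !Sub ${DovetailCdnLogPrefix}/*
- Action:
    - s3:GetBucketLocation
    - s3:GetObject
  Effect: Allow
  Resource:
    - !Sub arn:aws:s3:::${DovetailCdnLogBucket}
    - !Sub arn:aws:s3:::${DovetailCdnLogBucket}/${DovetailCdnLogPrefix}/*
- Action:
    - s3:GetBucketLocation
    - s3:ListBucket
    - s3:ListBucketMultipartUploads
    - s3:CreateBucket
  Effect: Allow
  Resource: !Sub arn:aws:s3:::aws-athena-query-results-${AWS::Region}-${AWS::AccountId}
- Action:
    - s3:GetObject
    - s3:PutObject
    - s3:AbortMultipartUpload
    - s3:ListMultipartUploadParts
  Effect: Allow
  Resource: !Sub arn:aws:s3:::aws-athena-query-results-${AWS::Region}-${AWS::AccountId}/*
```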