javydekoning/cdk.ts

## cdk.ts
import { Stack, StackProps, aws_iam as iam, aws_s3 as s3 } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class RoleStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const s3SrcBucket = new s3.Bucket(this, 'srcBucket');
    const s3DstBucket = new s3.Bucket(this, 'dstBucket');

    const glueRole = new iam.Role(this, 'GlueServiceRole', {
      assumedBy: new iam.ServicePrincipal('glue.amazonaws.com'),
    });

    glueRole.addManagedPolicy(
      iam.ManagedPolicy.fromManagedPolicyArn(
        this,
        'AWSGlueServiceRole',
        'arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole'
      )
    );

    s3DstBucket.grantWrite(glueRole);
    s3SrcBucket.grantRead(glueRole);
  }
}

## cloudformation.yaml
Resources:
  srcBucketC28082B5:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  dstBucketE28F1FB2:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  GlueServiceRole38141B95:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: glue.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
  GlueServiceRoleDefaultPolicy1E6C9521:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:Abort*
              - s3:DeleteObject*
              - s3:PutObject
              - s3:PutObjectLegalHold
              - s3:PutObjectRetention
              - s3:PutObjectTagging
              - s3:PutObjectVersionTagging
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - dstBucketE28F1FB2
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - dstBucketE28F1FB2
                        - Arn
                    - /*
          - Action:
              - s3:GetBucket*
              - s3:GetObject*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - srcBucketC28082B5
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - srcBucketC28082B5
                        - Arn
                    - /*
        Version: "2012-10-17"
      PolicyName: GlueServiceRoleDefaultPolicy1E6C9521
      Roles:
        - Ref: GlueServiceRole38141B95
	import { Stack, StackProps, aws_iam as iam, aws_s3 as s3 } from 'aws-cdk-lib';
	import { Construct } from 'constructs';

	export class RoleStack extends Stack {
	constructor(scope: Construct, id: string, props?: StackProps) {
	super(scope, id, props);

	const s3SrcBucket = new s3.Bucket(this, 'srcBucket');
	const s3DstBucket = new s3.Bucket(this, 'dstBucket');

	const glueRole = new iam.Role(this, 'GlueServiceRole', {
	assumedBy: new iam.ServicePrincipal('glue.amazonaws.com'),
	});

	glueRole.addManagedPolicy(
	iam.ManagedPolicy.fromManagedPolicyArn(
	this,
	'AWSGlueServiceRole',
	'arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole'
	)
	);

	s3DstBucket.grantWrite(glueRole);
	s3SrcBucket.grantRead(glueRole);
	}
	}
	Resources:
	srcBucketC28082B5:
	Type: AWS::S3::Bucket
	UpdateReplacePolicy: Retain
	DeletionPolicy: Retain
	dstBucketE28F1FB2:
	Type: AWS::S3::Bucket
	UpdateReplacePolicy: Retain
	DeletionPolicy: Retain
	GlueServiceRole38141B95:
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Statement:
	- Action: sts:AssumeRole
	Effect: Allow
	Principal:
	Service: glue.amazonaws.com
	Version: "2012-10-17"
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
	GlueServiceRoleDefaultPolicy1E6C9521:
	Type: AWS::IAM::Policy
	Properties:
	PolicyDocument:
	Statement:
	- Action:
	- s3:Abort*
	- s3:DeleteObject*
	- s3:PutObject
	- s3:PutObjectLegalHold
	- s3:PutObjectRetention
	- s3:PutObjectTagging
	- s3:PutObjectVersionTagging
	Effect: Allow
	Resource:
	- Fn::GetAtt:
	- dstBucketE28F1FB2
	- Arn
	- Fn::Join:
	- ""
	- - Fn::GetAtt:
	- dstBucketE28F1FB2
	- Arn
	- /*
	- Action:
	- s3:GetBucket*
	- s3:GetObject*
	- s3:List*
	Effect: Allow
	Resource:
	- Fn::GetAtt:
	- srcBucketC28082B5
	- Arn
	- Fn::Join:
	- ""
	- - Fn::GetAtt:
	- srcBucketC28082B5
	- Arn
	- /*
	Version: "2012-10-17"
	PolicyName: GlueServiceRoleDefaultPolicy1E6C9521
	Roles:
	- Ref: GlueServiceRole38141B95