{ | |
"AWSTemplateFormatVersion": "2010-09-09", | |
"Description": "PA16 2018-12-13 - @akirmak - RevHist: PA16: SageMaker notebook role type fixed. PA15: parameters added for AcctId and the S3 bucket name initials", | |
"Parameters": { | |
"yourInitials": { | |
"Description": "Your initials, used in the name of the S3 bucket that is created. Lowercase letters only, e.g. 'fs' for Frank Sinatra", | |
"Type": "String", | |
"MinLength": "2", | |
"MaxLength": "5" | |
} | |
}, | |
"Metadata": { | |
"AWS::CloudFormation::Designer": { | |
"38df71f9-6e6c-4cb3-bc01-40d0988453b1": { | |
"size": { | |
"width": 60, | |
"height": 60 | |
}, | |
"position": { | |
"x": 540, | |
"y": 180 | |
}, | |
"z": 1, | |
"embeds": [] | |
}, | |
"13e1ef2d-884d-4875-8b55-27a4843db116": { | |
"size": { | |
"width": 60, | |
"height": 60 | |
}, | |
"position": { | |
"x": 540, | |
"y": 60 | |
}, | |
"z": 1, | |
"embeds": [] | |
}, | |
"c599e0d5-d036-4fa1-9503-59cebc8349d1": { | |
"size": { | |
"width": 60, | |
"height": 60 | |
}, | |
"position": { | |
"x": 540, | |
"y": 270 | |
}, | |
"z": 1, | |
"embeds": [] | |
}, | |
"e058c21b-ec9d-4936-95eb-2c492465d87b": { | |
"size": { | |
"width": 60, | |
"height": 60 | |
}, | |
"position": { | |
"x": 360, | |
"y": 270 | |
}, | |
"z": 1, | |
"embeds": [], | |
"isassociatedwith": [ | |
"c599e0d5-d036-4fa1-9503-59cebc8349d1" | |
] | |
}, | |
"ed799633-3378-4ef8-8cbe-37b6c7ad5181": { | |
"size": { | |
"width": 60, | |
"height": 60 | |
}, | |
"position": { | |
"x": 330, | |
"y": 180 | |
}, | |
"z": 1, | |
"embeds": [], | |
"isassociatedwith": [ | |
"38df71f9-6e6c-4cb3-bc01-40d0988453b1" | |
] | |
}, | |
"e517d929-5247-426f-9c9e-2c8b7c9a37c6": { | |
"size": { | |
"width": 60, | |
"height": 60 | |
}, | |
"position": { | |
"x": 320, | |
"y": 80 | |
}, | |
"z": 0, | |
"embeds": [], | |
"isassociatedwith": [ | |
"13e1ef2d-884d-4875-8b55-27a4843db116" | |
] | |
} | |
} | |
}, | |
"Resources": { | |
"tameGlueRoleSlessDataLakeImmersion": { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"AssumeRolePolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Principal": { | |
"Service": [ | |
"glue.amazonaws.com" | |
] | |
}, | |
"Action": [ | |
"sts:AssumeRole" | |
] | |
} | |
] | |
}, | |
"ManagedPolicyArns": [ | |
"arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole" | |
] | |
}, | |
"Metadata": { | |
"AWS::CloudFormation::Designer": { | |
"id": "38df71f9-6e6c-4cb3-bc01-40d0988453b1" | |
} | |
} | |
}, | |
"tameGluePolicySlessDataLakeImmersion": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "AWSGlueServicePolicyServerlessDataLakeImmersion", | |
"PolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "VisualEditor0", | |
"Effect": "Allow", | |
"Action": [ | |
"s3:PutObject", | |
"s3:GetObject", | |
"s3:DeleteObject" | |
], | |
"Resource": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:s3:::", | |
{ | |
"Ref": "yourInitials" | |
}, | |
"-tame-bda-immersion/*" | |
] | |
] | |
} | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"s3:GetObject", | |
"s3:PutObject" | |
], | |
"Resource": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:s3:::", | |
{ | |
"Ref": "yourInitials" | |
}, | |
"-tame-bda-immersion/compressed-parquet*" | |
] | |
] | |
} | |
} | |
] | |
}, | |
"Roles": [ | |
{ | |
"Ref": "tameGlueRoleSlessDataLakeImmersion" | |
} | |
] | |
}, | |
"Metadata": { | |
"AWS::CloudFormation::Designer": { | |
"id": "ed799633-3378-4ef8-8cbe-37b6c7ad5181" | |
} | |
} | |
}, | |
"tameFHoseRoleSlessDataLakeImmersion": { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"AssumeRolePolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Principal": { | |
"Service": "firehose.amazonaws.com" | |
}, | |
"Action": "sts:AssumeRole", | |
"Condition": { | |
"StringEquals": { | |
"sts:ExternalId": { | |
"Ref": "AWS::AccountId" | |
} | |
} | |
} | |
} | |
] | |
}, | |
"ManagedPolicyArns": [ | |
"arn:aws:iam::aws:policy/CloudWatchLogsFullAccess" | |
] | |
}, | |
"Metadata": { | |
"AWS::CloudFormation::Designer": { | |
"id": "13e1ef2d-884d-4875-8b55-27a4843db116" | |
} | |
} | |
}, | |
"tameFHosePolicySlessDataLakeImmersion": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "FirehosePolicyServerlessDataLakeImmersion", | |
"PolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Action": [ | |
"glue:GetTableVersions" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Action": [ | |
"s3:AbortMultipartUpload", | |
"s3:GetBucketLocation", | |
"s3:GetObject", | |
"s3:ListBucket", | |
"s3:ListBucketMultipartUploads", | |
"s3:PutObject" | |
], | |
"Resource": [ | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:s3:::", | |
{ | |
"Ref": "yourInitials" | |
}, | |
"-tame-bda-immersion" | |
] | |
] | |
}, | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:s3:::", | |
{ | |
"Ref": "yourInitials" | |
}, | |
"-tame-bda-immersion/*" | |
] | |
] | |
}, | |
"arn:aws:s3:::%FIREHOSE_BUCKET_NAME%", | |
"arn:aws:s3:::%FIREHOSE_BUCKET_NAME%/*" | |
] | |
}, | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Action": [ | |
"lambda:InvokeFunction", | |
"lambda:GetFunctionConfiguration" | |
], | |
"Resource": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:lambda:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":function:%FIREHOSE_DEFAULT_FUNCTION%:%FIREHOSE_DEFAULT_VERSION%" | |
] | |
] | |
} | |
}, | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Action": [ | |
"logs:PutLogEvents" | |
], | |
"Resource": [ | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:logs:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":log-group:/aws/kinesisfirehose/tamebda-rta-kinesisfh-prodcat:log-stream:*" | |
] | |
] | |
} | |
] | |
}, | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Action": [ | |
"kinesis:DescribeStream", | |
"kinesis:GetShardIterator", | |
"kinesis:GetRecords" | |
], | |
"Resource": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:kinesis:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":stream/%FIREHOSE_STREAM_NAME%" | |
] | |
] | |
} | |
}, | |
{ | |
"Effect": "Allow", | |
"Action": [ | |
"kms:Decrypt" | |
], | |
"Resource": [ | |
"arn:aws:kms:region:accountid:key/%SSE_KEY_ARN%" | |
], | |
"Condition": { | |
"StringEquals": { | |
"kms:ViaService": "kinesis.%REGION_NAME%.amazonaws.com" | |
}, | |
"StringLike": { | |
"kms:EncryptionContext:aws:kinesis:arn": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:kinesis:%REGION_NAME%:", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":stream/%FIREHOSE_STREAM_NAME%" | |
] | |
] | |
} | |
} | |
} | |
} | |
] | |
}, | |
"Roles": [ | |
{ | |
"Ref": "tameFHoseRoleSlessDataLakeImmersion" | |
} | |
] | |
}, | |
"Metadata": { | |
"AWS::CloudFormation::Designer": { | |
"id": "e517d929-5247-426f-9c9e-2c8b7c9a37c6" | |
} | |
} | |
}, | |
"tameSageMakerNBookRoleSlessDataLake": { | |
"Type": "AWS::IAM::Role", | |
"Properties": { | |
"AssumeRolePolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Effect": "Allow", | |
"Principal": { | |
"Service": "sagemaker.amazonaws.com" | |
}, | |
"Action": "sts:AssumeRole" | |
} | |
] | |
}, | |
"ManagedPolicyArns": [ | |
"arn:aws:iam::aws:policy/AmazonS3FullAccess", | |
"arn:aws:iam::aws:policy/AmazonAthenaFullAccess" | |
] | |
}, | |
"Metadata": { | |
"AWS::CloudFormation::Designer": { | |
"id": "c599e0d5-d036-4fa1-9503-59cebc8349d1" | |
} | |
} | |
}, | |
"tameSageMakerNBookPolicySlessDataLake": { | |
"Type": "AWS::IAM::Policy", | |
"Properties": { | |
"PolicyName": "SageMakerNotebookPolicyServerlessDataLake", | |
"PolicyDocument": { | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "VisualEditor0", | |
"Effect": "Allow", | |
"Action": [ | |
"logs:CreateLogStream", | |
"logs:DescribeLogStreams", | |
"s3:ListBucket", | |
"logs:PutLogEvents" | |
], | |
"Resource": [ | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:s3:::aws-glue-jes-prod-", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
"-assets" | |
] | |
] | |
}, | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:logs:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":log-group:/aws/sagemaker/*" | |
] | |
] | |
}, | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:logs:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":log-group:/aws/sagemaker/*:log-stream:aws-glue-*" | |
] | |
] | |
} | |
] | |
}, | |
{ | |
"Sid": "VisualEditor1", | |
"Effect": "Allow", | |
"Action": "s3:GetObject", | |
"Resource": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:s3:::aws-glue-jes-prod-", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
"-assets*" | |
] | |
] | |
} | |
}, | |
{ | |
"Sid": "VisualEditor2", | |
"Effect": "Allow", | |
"Action": [ | |
"s3:PutAnalyticsConfiguration", | |
"s3:GetObjectVersionTagging", | |
"s3:CreateBucket", | |
"s3:ReplicateObject", | |
"s3:GetObjectAcl", | |
"s3:DeleteBucketWebsite", | |
"s3:PutLifecycleConfiguration", | |
"s3:GetObjectVersionAcl", | |
"s3:PutObjectTagging", | |
"s3:DeleteObject", | |
"s3:DeleteObjectTagging", | |
"s3:GetBucketPolicyStatus", | |
"s3:GetBucketWebsite", | |
"s3:PutReplicationConfiguration", | |
"s3:DeleteObjectVersionTagging", | |
"s3:GetBucketNotification", | |
"s3:PutBucketCORS", | |
"s3:GetReplicationConfiguration", | |
"s3:ListMultipartUploadParts", | |
"s3:GetObject", | |
"s3:PutBucketNotification", | |
"s3:PutObject", | |
"s3:PutBucketLogging", | |
"s3:GetAnalyticsConfiguration", | |
"s3:GetObjectVersionForReplication", | |
"s3:GetLifecycleConfiguration", | |
"s3:ListBucketByTags", | |
"s3:GetBucketTagging", | |
"s3:GetInventoryConfiguration", | |
"s3:PutAccelerateConfiguration", | |
"s3:DeleteObjectVersion", | |
"s3:GetBucketLogging", | |
"s3:ListBucketVersions", | |
"s3:ReplicateTags", | |
"s3:RestoreObject", | |
"s3:GetAccelerateConfiguration", | |
"s3:ListBucket", | |
"s3:GetBucketPolicy", | |
"s3:PutEncryptionConfiguration", | |
"s3:GetEncryptionConfiguration", | |
"s3:GetObjectVersionTorrent", | |
"s3:AbortMultipartUpload", | |
"s3:GetBucketRequestPayment", | |
"s3:PutBucketTagging", | |
"s3:GetObjectTagging", | |
"s3:GetMetricsConfiguration", | |
"s3:DeleteBucket", | |
"s3:PutBucketVersioning", | |
"s3:GetBucketPublicAccessBlock", | |
"s3:ListBucketMultipartUploads", | |
"s3:PutMetricsConfiguration", | |
"s3:PutObjectVersionTagging", | |
"s3:GetBucketVersioning", | |
"s3:GetBucketAcl", | |
"s3:PutInventoryConfiguration", | |
"s3:GetObjectTorrent", | |
"s3:PutBucketRequestPayment", | |
"s3:PutBucketWebsite", | |
"s3:GetBucketCORS", | |
"s3:GetBucketLocation", | |
"s3:GetObjectVersion", | |
"s3:ReplicateDelete" | |
], | |
"Resource": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:s3:::aws-athena-query-results-", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
{ | |
"Ref": "AWS::Region" | |
}, | |
"*" | |
] | |
] | |
} | |
}, | |
{ | |
"Sid": "VisualEditor3", | |
"Effect": "Allow", | |
"Action": [ | |
"s3:GetAccountPublicAccessBlock", | |
"s3:ListAllMyBuckets", | |
"s3:HeadBucket" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "VisualEditor4", | |
"Effect": "Allow", | |
"Action": "logs:CreateLogGroup", | |
"Resource": [ | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:logs:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":log-group:/aws/sagemaker/*" | |
] | |
] | |
}, | |
{ | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:logs:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":log-group:/aws/sagemaker/*:log-stream:aws-glue-*" | |
] | |
] | |
} | |
] | |
}, | |
{ | |
"Sid": "VisualEditor5", | |
"Effect": "Allow", | |
"Action": [ | |
"glue:GetDevEndpoints", | |
"glue:UpdateDevEndpoint", | |
"glue:GetDevEndpoint" | |
], | |
"Resource": { | |
"Fn::Join": [ | |
"", | |
[ | |
"arn:aws:glue:", | |
{ | |
"Ref": "AWS::Region" | |
}, | |
":", | |
{ | |
"Ref": "AWS::AccountId" | |
}, | |
":devEndpoint/gj-tame-bda-kdg-raw2parquet-devEndpoint*" | |
] | |
] | |
} | |
} | |
] | |
}, | |
"Roles": [ | |
{ | |
"Ref": "tameSageMakerNBookRoleSlessDataLake" | |
} | |
] | |
}, | |
"Metadata": { | |
"AWS::CloudFormation::Designer": { | |
"id": "e058c21b-ec9d-4936-95eb-2c492465d87b" | |
} | |
} | |
} | |
} | |
} |