Merge pull request #69 from moj-analytical-services/CORP/KPI-read-ath…

…ena-cloudwatch-loggroup

CORP/KPI read athena cloudwatch loggroup

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+
+## v4.10.0
+
+- Add permission to read cloudwatch-athena-events log 
+
 ## v4.9.0
 
 - Add `external_iam_role` to allow Airflow Pulumi tests to pass

README.md

@@ -104,7 +104,8 @@ Whilst the example json (`iam_config.json`) looks like this:
     ]
   },
   "kms": ["test_kms_key_arn"],
-  "bedrock": true
+  "bedrock": true,
+  "cloudwatch_athena_query_executions": true
 }
 ```
 
@@ -135,6 +136,8 @@ Whilst the example json (`iam_config.json`) looks like this:
 
 - **bedrock:** Boolean; must be set to `true` to allow role to interact with Amazon Bedrock. If `false` or absent role will not be able to interact with Amazon Bedrock.
 
+- **cloudwatch_athena_query_executions** Boolean; must be set to `true` to allow role to read `cloudtrail-athena-events` log group. If `false` or absent role will not be able to read these cloudwatch logs.
+
 ## How to update
 
 When updating IAM builder, make sure to change the version number in `pyproject.toml` and describe the change in `CHANGELOG.md`.

iam_builder/iam_builder.py

@@ -114,4 +114,9 @@ def build_iam_policy(config: dict) -> dict:  # noqa: C901
     if "bedrock" in config and config["bedrock"]:
         iam["Statement"].extend(iam_lookup["bedrock"])
 
+    if "cloudwatch_athena_query_executions" in config:
+        iam["Statement"].extend(
+            iam_lookup["cloudwatch_athena_query_executions"]
+        )
+
     return iam

iam_builder/schemas/iam_schema.json

@@ -102,6 +102,12 @@
             "description": "bedrock must be set to true to allow role to interact with Amazon Bedrock.",
             "type": "boolean"
         },
+        "cloudwatch_athena_query_executions": {
+            "description": "cloudwatch_athena_query_executions must be set to true to allow",
+            "type": "boolean"
+        },
+
+
         "role_duration_seconds":{
             "description": "Max duration role can be assumed for in seconds",
             "type": "integer"

iam_builder/templates.py

@@ -166,6 +166,19 @@
                 }
             }
         }
+    ],
+    "cloudwatch_athena_query_executions": [
+        {
+            "Sid": "CanGetCloudWatchAthenaLogs",
+            "Effect": "Allow",
+            "Action": [
+                "log:GetLogEvents",
+                "log:GetLogRecord"
+            ],
+            "Resource": [
+                "arn:aws:logs:eu-west-2:593291632749:log-group:cloudtrail-athena-events:*"
+            ]
+        }
     ]
 }
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.9.1"
+version = "4.10.0"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei <[email protected]>"]
 license = "MIT"

tests/expected_policy/cloudwatch_athena_query_executions.json

@@ -0,0 +1,14 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CanGetCloudWatchAthenaLogs",
+            "Effect": "Allow",
+            "Action": [
+                "log:GetLogEvents",
+                "log:GetLogRecord"
+            ],
+            "Resource": ["arn:aws:logs:eu-west-2:593291632749:log-group:cloudtrail-athena-events:*"]
+        }
+    ]
+}

tests/test_config/cloudwatch_athena_query_executions.yaml

@@ -0,0 +1 @@
+cloudwatch_athena_query_executions: true

tests/test_iam_builder.py

@@ -75,7 +75,8 @@ class TestConfigOutputs(unittest.TestCase):
             "all_config",
             "secrets",
             "secrets_readwrite",
-            "secretsmanager_read_only"
+            "secretsmanager_read_only",
+            "cloudwatch_athena_query_executions"
         ]
     )
     def test_config_output(self, config_name):