diff --git a/CHANGELOG.md b/CHANGELOG.md index 6178e37..fef2a03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## v4.10.0 + +- Add permission to read cloudwatch-athena-events log + ## v4.9.0 - Add `external_iam_role` to allow Airflow Pulumi tests to pass diff --git a/README.md b/README.md index 874c7b4..a900712 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,8 @@ Whilst the example json (`iam_config.json`) looks like this: ] }, "kms": ["test_kms_key_arn"], - "bedrock": true + "bedrock": true, + "cloudwatch_athena_query_executions": true } ``` @@ -135,6 +136,8 @@ Whilst the example json (`iam_config.json`) looks like this: - **bedrock:** Boolean; must be set to `true` to allow role to interact with Amazon Bedrock. If `false` or absent role will not be able to interact with Amazon Bedrock. +- **cloudwatch_athena_query_executions** Boolean; must be set to `true` to allow role to read `cloudtrail-athena-events` log group. If `false` or absent role will not be able to read these cloudwatch logs. + ## How to update When updating IAM builder, make sure to change the version number in `pyproject.toml` and describe the change in `CHANGELOG.md`. diff --git a/iam_builder/iam_builder.py b/iam_builder/iam_builder.py index 0891d10..8d51e6f 100644 --- a/iam_builder/iam_builder.py +++ b/iam_builder/iam_builder.py @@ -114,4 +114,9 @@ def build_iam_policy(config: dict) -> dict: # noqa: C901 if "bedrock" in config and config["bedrock"]: iam["Statement"].extend(iam_lookup["bedrock"]) + if "cloudwatch_athena_query_executions" in config: + iam["Statement"].extend( + iam_lookup["cloudwatch_athena_query_executions"] + ) + return iam 
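Review bot: The new branch `if "cloudwatch_athena_query_executions" in config:` grants the statement whenever the key is present, so a config that sets `cloudwatch_athena_query_executions: false` still receives the log-read permission — the opposite of what the README text in this commit promises ("If `false` or absent role will not be able to read these cloudwatch logs"). The `bedrock` branch two lines above checks the value (`if "bedrock" in config and config["bedrock"]:`); this one should follow the same pattern, e.g. `if config.get("cloudwatch_athena_query_executions"):`. A flag that fails open in an IAM policy builder is the kind of thing a reviewer of the generated policy will not notice, since the output looks intentional. `build_iam_policy` starts outside the hunk, so I cannot see whether other flags are handled the same way.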
diff --git a/iam_builder/schemas/iam_schema.json b/iam_builder/schemas/iam_schema.json index 414a7dd..5f10f48 100644 --- a/iam_builder/schemas/iam_schema.json +++ b/iam_builder/schemas/iam_schema.json @@ -102,6 +102,12 @@ "description": "bedrock must be set to true to allow role to interact with Amazon Bedrock.", "type": "boolean" }, + "cloudwatch_athena_query_executions": { + "description": "cloudwatch_athena_query_executions must be set to true to allow", + "type": "boolean" + }, + + "role_duration_seconds":{ "description": "Max duration role can be assumed for in seconds", "type": "integer" diff --git a/iam_builder/templates.py b/iam_builder/templates.py index 67da559..c2db00d 100755 --- a/iam_builder/templates.py +++ b/iam_builder/templates.py @@ -166,6 +166,19 @@ } } } + ], + "cloudwatch_athena_query_executions": [ + { + "Sid": "CanGetCloudWatchAthenaLogs", + "Effect": "Allow", + "Action": [ + "log:GetLogEvents", + "log:GetLogRecord" + ], + "Resource": [ + "arn:aws:logs:eu-west-2:593291632749:log-group:cloudtrail-athena-events:*" + ] + } ] } diff --git a/pyproject.toml b/pyproject.toml index 78e5b54..0daaa4e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "iam_builder" -version = "4.9.1" +version = "4.10.0" description = "A lil python package to generate iam policies" authors = ["Karik Isichei "] license = "MIT" diff --git a/tests/expected_policy/cloudwatch_athena_query_executions.json b/tests/expected_policy/cloudwatch_athena_query_executions.json new file mode 100644 index 0000000..b0651d9 --- /dev/null +++ b/tests/expected_policy/cloudwatch_athena_query_executions.json @@ -0,0 +1,14 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CanGetCloudWatchAthenaLogs", + "Effect": "Allow", + "Action": [ + "log:GetLogEvents", + "log:GetLogRecord" + ], + "Resource": ["arn:aws:logs:eu-west-2:593291632749:log-group:cloudtrail-athena-events:*"] + } + ] +} 
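Review bot: The description for the new `cloudwatch_athena_query_executions` property stops mid-sentence (`"...must be set to true to allow"`), so anyone reading the schema, or tooling that surfaces descriptions as help text, gets no indication of what is being allowed. Complete it in the style of the `bedrock` entry just above it: `"description": "cloudwatch_athena_query_executions must be set to true to allow role to read the cloudtrail-athena-events CloudWatch log group.",`. The two empty `+` lines inserted before `"role_duration_seconds"` also look like a stray paste and can be dropped.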
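Review bot: The two action names in the new `cloudwatch_athena_query_executions` statement use the service prefix `log:`, but CloudWatch Logs actions are namespaced `logs:`, so as written the statement matches no real action and the role will still be denied when it reads the log group; the expected-policy fixture added in this commit copies the same strings, so the test suite will pass regardless. Change them to `"logs:GetLogEvents",` and `"logs:GetLogRecord"` (and the fixture to match). Two smaller points: the ARN pins a single account and region (`593291632749`, `eu-west-2`) directly in the template, which deserves a one-line comment saying whose account that is and what to do when the CloudTrail log destination moves — I cannot see from the hunk how other template entries handle account-specific ARNs, so this may already be the convention; and the CHANGELOG entry calls the group `cloudwatch-athena-events` while the ARN here is `cloudtrail-athena-events`, so one of them is wrong. The enclosing `iam_lookup` literal starts outside the hunk.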
diff --git a/tests/test_config/cloudwatch_athena_query_executions.yaml b/tests/test_config/cloudwatch_athena_query_executions.yaml
new file mode 100644
index 0000000..058be4c
--- /dev/null
+++ b/tests/test_config/cloudwatch_athena_query_executions.yaml
@@ -0,0 +1 @@
+cloudwatch_athena_query_executions: true
diff --git a/tests/test_iam_builder.py b/tests/test_iam_builder.py
index 7a31a67..99e2d11 100644
--- a/tests/test_iam_builder.py
+++ b/tests/test_iam_builder.py
@@ -75,7 +75,8 @@ class TestConfigOutputs(unittest.TestCase):
 "all_config",
 "secrets",
 "secrets_readwrite",
- "secretsmanager_read_only"
+ "secretsmanager_read_only",
+ "cloudwatch_athena_query_executions"
 ]
 )
 def test_config_output(self, config_name):
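Review bot: The parametrisation only gains the positive case (the new yaml sets `cloudwatch_athena_query_executions: true`), so nothing checks that `false` or an absent key produces a policy without the `CanGetCloudWatchAthenaLogs` statement — which is the property the README promises and the one most likely to regress in a flag-driven policy builder. Add a second config, e.g. `tests/test_config/cloudwatch_athena_query_executions_false.yaml` containing `cloudwatch_athena_query_executions: false`, with an expected policy that omits that statement, and list it alongside `"cloudwatch_athena_query_executions"` here. I cannot see from the hunk how the expected-policy files are loaded, so the exact fixture layout may differ. `TestConfigOutputs` and `test_config_output` continue outside the hunk.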