From 9233ab575b2a732da5537ad0bea1e4112c5abac7 Mon Sep 17 00:00:00 2001
From: William Orr
Date: Mon, 9 Dec 2024 11:43:46 +0000
Subject: [PATCH 1/4] Add cloudwatch athena exec permissions
---
 README.md | 5 ++++-
 iam_builder/iam_builder.py | 5 +++++
 iam_builder/schemas/iam_schema.json | 6 ++++++
 iam_builder/templates.py | 13 +++++++++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 874c7b4..a900712 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,8 @@ Whilst the example json (`iam_config.json`) looks like this:
 ]
 },
 "kms": ["test_kms_key_arn"],
- "bedrock": true
+ "bedrock": true,
+ "cloudwatch_athena_query_executions": true
 }
 ```
@@ -135,6 +136,8 @@ Whilst the example json (`iam_config.json`) looks like this:
 - **bedrock:** Boolean; must be set to `true` to allow role to interact with Amazon Bedrock. If `false` or absent role will not be able to interact with Amazon Bedrock.
+- **cloudwatch_athena_query_executions** Boolean; must be set to `true` to allow role to read `cloudtrail-athena-events` log group. If `false` or absent role will not be able to read these cloudwatch logs.
+
 ## How to update
 When updating IAM builder, make sure to change the version number in `pyproject.toml` and describe the change in `CHANGELOG.md`.
diff --git a/iam_builder/iam_builder.py b/iam_builder/iam_builder.py
index 0891d10..8d51e6f 100644
--- a/iam_builder/iam_builder.py
+++ b/iam_builder/iam_builder.py
@@ -114,4 +114,9 @@ def build_iam_policy(config: dict) -> dict: # noqa: C901
 if "bedrock" in config and config["bedrock"]:
 iam["Statement"].extend(iam_lookup["bedrock"])
+ if "cloudwatch_athena_query_executions" in config:
+ iam["Statement"].extend(
+ iam_lookup["cloudwatch_athena_query_executions"]
+ )
+
 return iam
diff --git a/iam_builder/schemas/iam_schema.json b/iam_builder/schemas/iam_schema.json
index 414a7dd..5f10f48 100644
--- a/iam_builder/schemas/iam_schema.json
+++ b/iam_builder/schemas/iam_schema.json
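Review bot: The new `cloudwatch_athena_query_executions` branch tests only key presence, so a config that explicitly sets the flag to `false` still receives the log-read statement; that contradicts the README text added in the same patch ("If `false` or absent role will not be able to read these cloudwatch logs") and the `bedrock` check two lines above, which also requires a truthy value. Use `if config.get("cloudwatch_athena_query_executions"):`, or mirror the bedrock form `if "cloudwatch_athena_query_executions" in config and config["cloudwatch_athena_query_executions"]:`, so an explicit `false` cannot widen the generated policy. The body of build_iam_policy starts outside the hunk.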
@@ -102,6 +102,12 @@
 "description": "bedrock must be set to true to allow role to interact with Amazon Bedrock.",
 "type": "boolean"
 },
+ "cloudwatch_athena_query_executions": {
+ "description": "cloudwatch_athena_query_executions must be set to true to allow",
+ "type": "boolean"
+ },
+
+
 "role_duration_seconds":{
 "description": "Max duration role can be assumed for in seconds",
 "type": "integer"
diff --git a/iam_builder/templates.py b/iam_builder/templates.py
index 67da559..c2db00d 100755
--- a/iam_builder/templates.py
+++ b/iam_builder/templates.py
@@ -166,6 +166,19 @@
 }
 }
 }
+ ],
+ "cloudwatch_athena_query_executions": [
+ {
+ "Sid": "CanGetCloudWatchAthenaLogs",
+ "Effect": "Allow",
+ "Action": [
+ "log:GetLogEvents",
+ "log:GetLogRecord"
+ ],
+ "Resource": [
+ "arn:aws:logs:eu-west-2:593291632749:log-group:cloudtrail-athena-events:*"
+ ]
+ }
 ]
 }
From 90f127beea8579393a7c1a32bcc7909408269406 Mon Sep 17 00:00:00 2001
From: William Orr
Date: Mon, 9 Dec 2024 11:58:36 +0000
Subject: [PATCH 2/4] tests and changelog update
---
 CHANGELOG.md | 5 +++++
 pyproject.toml | 2 +-
 .../expected_policy/cloudwatch_athena_events.json | 14 ++++++++++++++
 tests/test_config/cloudwatch_athena_events.yaml | 1 +
 tests/test_iam_builder.py | 3 ++-
 5 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 tests/expected_policy/cloudwatch_athena_events.json
 create mode 100644 tests/test_config/cloudwatch_athena_events.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6178e37..fef2a03 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## v4.10.0
+
+- Add permission to read cloudwatch-athena-events log
+
 ## v4.9.0
 - Add `external_iam_role` to allow Airflow Pulumi tests to pass
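Review bot: The added `description` string stops mid-sentence at `must be set to true to allow`, so anyone reading the schema gets no statement of what the flag actually grants. Completing it to match the README wording, e.g. `"description": "cloudwatch_athena_query_executions must be set to true to allow the role to read the cloudtrail-athena-events log group.",` keeps the schema self-describing. The two empty lines inserted between `},` and `"role_duration_seconds":{` also look out of step with the surrounding properties, which are not separated by blank lines, and can be dropped.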
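Review bot: The two actions in the new `CanGetCloudWatchAthenaLogs` statement use the prefix `log:`, but the IAM service prefix for CloudWatch Logs is `logs:`, so they should read `"logs:GetLogEvents",` and `"logs:GetLogRecord"`; as written the statement grants no access to the log group and IAM may reject the policy as containing unrecognised actions. The expected-policy fixture added in the second patch (`tests/expected_policy/cloudwatch_athena_events.json`, later renamed) repeats the same prefix, so the new parametrised test passes without catching this. The account id and region are also hard-coded into the `Resource` ARN; if the other templates in this dict derive them from config, this entry should follow suit, and otherwise a short comment naming which account hosts the log group would help the next reader. The dict literal holding this entry begins outside the hunk.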
diff --git a/pyproject.toml b/pyproject.toml
index 78e5b54..0daaa4e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.9.1"
+version = "4.10.0"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei "]
 license = "MIT"
diff --git a/tests/expected_policy/cloudwatch_athena_events.json b/tests/expected_policy/cloudwatch_athena_events.json
new file mode 100644
index 0000000..b0651d9
--- /dev/null
+++ b/tests/expected_policy/cloudwatch_athena_events.json
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "CanGetCloudWatchAthenaLogs",
+ "Effect": "Allow",
+ "Action": [
+ "log:GetLogEvents",
+ "log:GetLogRecord"
+ ],
+ "Resource": ["arn:aws:logs:eu-west-2:593291632749:log-group:cloudtrail-athena-events:*"]
+ }
+ ]
+}
diff --git a/tests/test_config/cloudwatch_athena_events.yaml b/tests/test_config/cloudwatch_athena_events.yaml
new file mode 100644
index 0000000..3bb22b3
--- /dev/null
+++ b/tests/test_config/cloudwatch_athena_events.yaml
@@ -0,0 +1 @@
+cloudwatch_athena_query_executions: true
\ No newline at end of file
diff --git a/tests/test_iam_builder.py b/tests/test_iam_builder.py
index 7a31a67..99e2d11 100644
--- a/tests/test_iam_builder.py
+++ b/tests/test_iam_builder.py
@@ -75,7 +75,8 @@ class TestConfigOutputs(unittest.TestCase):
 "all_config",
 "secrets",
 "secrets_readwrite",
- "secretsmanager_read_only"
+ "secretsmanager_read_only",
+ "cloudwatch_athena_query_executions"
 ]
 )
 def test_config_output(self, config_name):
From 7b0339b89966479a578f36a0255c841bfee533db Mon Sep 17 00:00:00 2001
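Review bot: The parametrised list gains only the `true` case for `cloudwatch_athena_query_executions`; nothing exercises the `false`/absent behaviour the README documents, which is exactly where the builder's presence-only check in iam_builder.py diverges from the bedrock one. Adding a second config such as `cloudwatch_athena_query_executions: false`, paired with whatever expected policy the builder emits for an otherwise empty config, would pin the documented semantics and would have flagged the presence-only check. The `TestConfigOutputs` class and the body of `test_config_output` continue outside the hunk.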
From: William Orr
Date: Mon, 9 Dec 2024 12:03:32 +0000
Subject: [PATCH 3/4] fix test names
---
 ...athena_events.json => cloudwatch_athena_query_executions.json} | 0
 ...athena_events.yaml => cloudwatch_athena_query_executions.yaml} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename tests/expected_policy/{cloudwatch_athena_events.json => cloudwatch_athena_query_executions.json} (100%)
 rename tests/test_config/{cloudwatch_athena_events.yaml => cloudwatch_athena_query_executions.yaml} (100%)
diff --git a/tests/expected_policy/cloudwatch_athena_events.json b/tests/expected_policy/cloudwatch_athena_query_executions.json
similarity index 100%
rename from tests/expected_policy/cloudwatch_athena_events.json
rename to tests/expected_policy/cloudwatch_athena_query_executions.json
diff --git a/tests/test_config/cloudwatch_athena_events.yaml b/tests/test_config/cloudwatch_athena_query_executions.yaml
similarity index 100%
rename from tests/test_config/cloudwatch_athena_events.yaml
rename to tests/test_config/cloudwatch_athena_query_executions.yaml
From 4ce1cc4a3a9c4e8249ef5274ac765159759da056 Mon Sep 17 00:00:00 2001
From: William Orr
Date: Mon, 9 Dec 2024 12:08:51 +0000
Subject: [PATCH 4/4] fix yaml yapping: new line at EOF
---
 tests/test_config/cloudwatch_athena_query_executions.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_config/cloudwatch_athena_query_executions.yaml b/tests/test_config/cloudwatch_athena_query_executions.yaml
index 3bb22b3..058be4c 100644
--- a/tests/test_config/cloudwatch_athena_query_executions.yaml
+++ b/tests/test_config/cloudwatch_athena_query_executions.yaml
@@ -1 +1 @@
-cloudwatch_athena_query_executions: true
\ No newline at end of file
+cloudwatch_athena_query_executions: true