diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index e50f44792..ea4e754f3 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -170,6 +170,101 @@ } } }, + "AthenaQueryPolicy_v2": { + "Definition": { + "Statement": [ + { + "Action": [ + "athena:ListWorkGroups", + "athena:GetWorkGroup", + "athena:GetExecutionEngines", + "athena:GetDatabase", + "athena:ListDataCatalogs", + "athena:ListDatabases", + "athena:ListTableMetadata", + "athena:GetTableMetadata" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetDatabases", + "glue:GetDatabase", + "glue:GetTables", + "glue:GetTable" + ], + "Effect": "Allow", + "Resource": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog", + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}", + { + "databaseName": { + "Ref": "DatabaseName" + } + } + ] + }, + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}", + { + "databaseName": { + "Ref": "DatabaseName" + }, + "tableName": { + "Ref": "TableName" + } + } + ] + } + ] + }, + { + "Action": [ + "athena:StartQueryExecution", + "athena:GetQueryResults", + "athena:DeleteNamedQuery", + "athena:GetNamedQuery", + "athena:ListQueryExecutions", + "athena:StopQueryExecution", + "athena:GetQueryResultsStream", + "athena:ListNamedQueries", + "athena:CreateNamedQuery", + "athena:GetQueryExecution", + "athena:BatchGetNamedQuery", + "athena:BatchGetQueryExecution", + "athena:GetWorkGroup" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", + { + "workgroupName": { + "Ref": "WorkGroupName" + } + } + ] + } + } + ] + }, + "Description": "Gives permissions to execute Athena queries", + "Parameters": { + "WorkGroupName": { + "Description": "Name of the Athena Workgroup" + }, + "DatabaseName": { + "Description": "Name of the Glue Database" + }, + "TableName": { + "Description": "Name of the Glue Table" + } + } + }, "CloudFormationDescribeStacksPolicy": { "Definition": { 
"Statement": [ diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml index ab1f8d596..d251a89f6 100644 --- a/tests/translator/input/all_policy_templates.yaml +++ b/tests/translator/input/all_policy_templates.yaml @@ -160,6 +160,11 @@ Resources: - AthenaQueryPolicy: WorkGroupName: name + - AthenaQueryPolicy_v2: + WorkGroupName: name + DatabaseName: name + TableName: name + - S3WritePolicy: BucketName: name diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json index c42a0314a..d470fa699 100644 --- a/tests/translator/output/all_policy_templates.json +++ b/tests/translator/output/all_policy_templates.json 
@@ -1751,6 +1751,90 @@ ] }, "PolicyName": "KitchenSinkFunctionRolePolicy64" + }, + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "athena:ListWorkGroups", + "athena:GetWorkGroup", + "athena:GetExecutionEngines", + "athena:GetDatabase", + "athena:ListDataCatalogs", + "athena:ListDatabases", + "athena:ListTableMetadata", + "athena:GetTableMetadata" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetDatabases", + "glue:GetDatabase", + "glue:GetTables", + "glue:GetTable" + ], + "Effect": "Allow", + "Resource": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog", + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}", + { + "databaseName": { + "Ref": "DatabaseName" + } + } + ] + }, + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}", + { + "databaseName": { + "Ref": "DatabaseName" + }, + "tableName": { + "Ref": "TableName" + } + } + ] + } + ] + }, + { + "Action": [ + "athena:StartQueryExecution", + "athena:GetQueryResults", + "athena:DeleteNamedQuery", + "athena:GetNamedQuery", + "athena:ListQueryExecutions", + "athena:StopQueryExecution", + "athena:GetQueryResultsStream", + "athena:ListNamedQueries", + "athena:CreateNamedQuery", + "athena:GetQueryExecution", + "athena:BatchGetNamedQuery", + "athena:BatchGetQueryExecution", + "athena:GetWorkGroup" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", + { + "workgroupName": { + "Ref": "WorkGroupName" + } + } + ] + } + } + ] + }, + "PolicyName": "KitchenSinkFunctionRolePolicy65" } ], "Tags": [ diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json index 7a6f70009..01c24c455 100644 --- a/tests/translator/output/aws-cn/all_policy_templates.json 
+++ b/tests/translator/output/aws-cn/all_policy_templates.json @@ -1751,6 +1751,90 @@ ] }, "PolicyName": "KitchenSinkFunctionRolePolicy64" + }, + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "athena:ListWorkGroups", + "athena:GetWorkGroup", + "athena:GetExecutionEngines", + "athena:GetDatabase", + "athena:ListDataCatalogs", + "athena:ListDatabases", + "athena:ListTableMetadata", + "athena:GetTableMetadata" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetDatabases", + "glue:GetDatabase", + "glue:GetTables", + "glue:GetTable" + ], + "Effect": "Allow", + "Resource": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog", + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}", + { + "databaseName": { + "Ref": "DatabaseName" + } + } + ] + }, + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}", + { + "databaseName": { + "Ref": "DatabaseName" + }, + "tableName": { + "Ref": "TableName" + } + } + ] + } + ] + }, + { + "Action": [ + "athena:StartQueryExecution", + "athena:GetQueryResults", + "athena:DeleteNamedQuery", + "athena:GetNamedQuery", + "athena:ListQueryExecutions", + "athena:StopQueryExecution", + "athena:GetQueryResultsStream", + "athena:ListNamedQueries", + "athena:CreateNamedQuery", + "athena:GetQueryExecution", + "athena:BatchGetNamedQuery", + "athena:BatchGetQueryExecution", + "athena:GetWorkGroup" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", + { + "workgroupName": { + "Ref": "WorkGroupName" + } + } + ] + } + } + ] + }, + "PolicyName": "KitchenSinkFunctionRolePolicy65" } ], "Tags": [ diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json index bc6e666d9..971195d79 100644 
--- a/tests/translator/output/aws-us-gov/all_policy_templates.json +++ b/tests/translator/output/aws-us-gov/all_policy_templates.json @@ -1751,6 +1751,90 @@ ] }, "PolicyName": "KitchenSinkFunctionRolePolicy64" + }, + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "athena:ListWorkGroups", + "athena:GetWorkGroup", + "athena:GetExecutionEngines", + "athena:GetDatabase", + "athena:ListDataCatalogs", + "athena:ListDatabases", + "athena:ListTableMetadata", + "athena:GetTableMetadata" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "glue:GetDatabases", + "glue:GetDatabase", + "glue:GetTables", + "glue:GetTable" + ], + "Effect": "Allow", + "Resource": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog", + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}", + { + "databaseName": { + "Ref": "DatabaseName" + } + } + ] + }, + { + "Fn::Sub": [ + "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}", + { + "databaseName": { + "Ref": "DatabaseName" + }, + "tableName": { + "Ref": "TableName" + } + } + ] + } + ] + }, + { + "Action": [ + "athena:StartQueryExecution", + "athena:GetQueryResults", + "athena:DeleteNamedQuery", + "athena:GetNamedQuery", + "athena:ListQueryExecutions", + "athena:StopQueryExecution", + "athena:GetQueryResultsStream", + "athena:ListNamedQueries", + "athena:CreateNamedQuery", + "athena:GetQueryExecution", + "athena:BatchGetNamedQuery", + "athena:BatchGetQueryExecution", + "athena:GetWorkGroup" + ], + "Effect": "Allow", + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", + { + "workgroupName": { + "Ref": "WorkGroupName" + } + } + ] + } + } + ] + }, + "PolicyName": "KitchenSinkFunctionRolePolicy65" } ], "Tags": [