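AWSTemplateFormatVersion: '2010-09-09'
# Template to set up the Lambda function that reads SAP OData metadata and
# creates Glue tables. SAP credentials live in Secrets Manager; only the secret
# name (not its value) is handed to the function as an environment variable.
Parameters:
  LambdaGlueTableCreate:
    Type: String
    Default: 'gluetablecreate_lambdafunction'
    Description: 'Name of the Lambda function will be created to Read OData metadata and create Glue tables'
  ConfigFileS3BucketName:
    Type: String
    Default: 'afsaplake-deployscript-<Update your account ID>'
    Description: 'Name of the S3 bucket where the config json file, lambda layer and function zip files is stored'
  ConfigFileName:
    Type: String
    Default: 'config_glue_table.json'
    Description: 'Name of the JSON config file in S3 bucket store OData services name, table and database name, Datalake bucket name'
  DataLakeS3BucketName:
    Type: String
    # '*' reproduces the previous all-buckets S3 grant, so existing stacks keep
    # working. Set the real Datalake bucket name (the one referenced in the
    # config JSON) to restrict the execution role to that single bucket.
    Default: '*'
    Description: 'Name of the Datalake S3 bucket referenced in the config file. Scopes the Lambda role S3 read/write permission; the default * keeps the legacy all-buckets grant'
  LambdaCodeZipFile:
    Type: String
    Default: 'gluetablecreate_lambdafunction.zip'
    Description: 'Name of the Zip file containing the Lambda function code uploaded to S3'
  LambdaLayerZipFile:
    Type: String
    Default: 'Lambdalayer_GlueTablecreationJob.zip'
    Description: 'Name of the Zip file containing the Lambda Layer uploaded to S3'
  LambdaLayerOData:
    Type: String
    Default: 'sapdata-gluetable-pyodata'
    Description: 'Name of the Lambda Layer will be created'
  SecretName:
    Type: String
    Default: 'afsaplake-sapsecret'
    Description: 'Name of Secret Manager created and stored SAP credentials. This name will be input as Lambda Environment Variables'
  SecretManagerARN:
    Type: String
    Default: 'arn:aws:secretsmanager:<Region>:<AccountID>:secret:<your secret name and specific text>'
    Description: 'ARN of the Secret Manager secret created and stored SAP credentials. This will for Lambda IAM permission setting'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'S3 bucket and configuration files. Please check and modify with your environment values.'
        Parameters:
          - ConfigFileS3BucketName
          - ConfigFileName
          - DataLakeS3BucketName
          - LambdaCodeZipFile
          - LambdaLayerZipFile
      - Label:
          default: 'Input to create AWS Lambda Function (IAM role will be created automatically). Please check and modify with your values.'
        Parameters:
          - SecretName
          - SecretManagerARN
          - LambdaGlueTableCreate
          - LambdaLayerOData

Resources:
  # Execution role for the function. Each inline policy covers one service so
  # grants can be reviewed and narrowed independently.
  SAPDataLakeLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'afsaplake-lambdaexecutionrole-${AWS::AccountId}'
      Description: Role for Lambda function to read SAP OData metadata and create tables in Glue
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: '/'
      Policies:
        - PolicyName: !Sub 'afsaplake-lambdaexecutionrole-${AWS::AccountId}-log'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Lambda writes to /aws/lambda/<FunctionName>; FunctionName is
              # LambdaGlueTableCreate below, so the grant is pinned to that
              # log group instead of every log group in the account.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaGlueTableCreate}:*'
        - PolicyName: !Sub 'afsaplake-lambdaexecutionrole-${AWS::AccountId}-glue'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): the database/table names come from the config
              # JSON at runtime, so this stays account-wide; narrow it to the
              # catalog/database/table ARNs once those names are fixed.
              - Effect: Allow
                Action:
                  - glue:CreateTable
                  - glue:UpdateTable
                Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'
        - PolicyName: !Sub 'afsaplake-lambdaexecutionrole-${AWS::AccountId}-s3readwrite'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only access to the deployment bucket that holds the config
              # JSON (the function receives it via BucketConfig/FileNameConfig).
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetObject
                Resource:
                  - !Sub 'arn:aws:s3:::${ConfigFileS3BucketName}'
                  - !Sub 'arn:aws:s3:::${ConfigFileS3BucketName}/*'
              # Read/write on the Datalake bucket. With the default
              # DataLakeS3BucketName of '*' this is every bucket in the account
              # (the previous behaviour); set the parameter to restrict it.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetObject
                  - s3:PutObject
                Resource:
                  - !Sub 'arn:aws:s3:::${DataLakeS3BucketName}'
                  - !Sub 'arn:aws:s3:::${DataLakeS3BucketName}/*'
        - PolicyName: !Sub 'afsaplake-lambdaexecutionrole-${AWS::AccountId}-secretmanager'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Scoped to the one secret holding the SAP credentials.
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource: !Ref SecretManagerARN

  # Layer with the OData client dependencies, packaged as a zip in the
  # deployment bucket.
  LambdaLayerforGluetableLambda:
    Type: AWS::Lambda::LayerVersion
    Properties:
      LayerName: !Ref LambdaLayerOData
      Description: 'Lambda Layer for Glue table creation function'
      Content:
        S3Bucket: !Ref ConfigFileS3BucketName
        S3Key: !Ref LambdaLayerZipFile
      CompatibleRuntimes:
        - python3.12

  LambdaFunctionGluetableforSAPDatalake:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref LambdaGlueTableCreate
      Description: 'Lambda Function to read SAP OData metadata and create Glue tables'
      Code:
        S3Bucket: !Ref ConfigFileS3BucketName
        S3Key: !Ref LambdaCodeZipFile
      # Please update this if you change the .py filename. Default code file
      # name is gluetablecreate_lambdafunction.
      Handler: gluetablecreate_lambdafunction.lambda_handler
      Runtime: python3.12
      Timeout: 900
      Role: !GetAtt SAPDataLakeLambdaRole.Arn
      Layers:
        - !Ref LambdaLayerforGluetableLambda
      Environment:
        Variables:
          # Only the secret's name is exposed; the value is fetched at runtime
          # through the secretsmanager:GetSecretValue grant above.
          secretname: !Ref SecretName
          BucketConfig: !Ref ConfigFileS3BucketName
          FileNameConfig: !Ref ConfigFileName
    # Redundant with the Ref/GetAtt above, kept for explicit ordering.
    DependsOn:
      - SAPDataLakeLambdaRole
      - LambdaLayerforGluetableLambda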