introduce AthenaQueryPolicy_v2

Author: Smoothex

samtranslator/policy_templates_data/policy_templates.json

@@ -117,6 +117,60 @@
       }
     },
     "AthenaQueryPolicy": {
+      "Definition": {
+        "Statement": [
+          {
+            "Action": [
+              "athena:ListWorkGroups",
+              "athena:GetExecutionEngine",
+              "athena:GetExecutionEngines",
+              "athena:GetNamespace",
+              "athena:GetCatalogs",
+              "athena:GetNamespaces",
+              "athena:GetTables",
+              "athena:GetTable"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+          },
+          {
+            "Action": [
+              "athena:StartQueryExecution",
+              "athena:GetQueryResults",
+              "athena:DeleteNamedQuery",
+              "athena:GetNamedQuery",
+              "athena:ListQueryExecutions",
+              "athena:StopQueryExecution",
+              "athena:GetQueryResultsStream",
+              "athena:ListNamedQueries",
+              "athena:CreateNamedQuery",
+              "athena:GetQueryExecution",
+              "athena:BatchGetNamedQuery",
+              "athena:BatchGetQueryExecution",
+              "athena:GetWorkGroup"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::Sub": [
+                "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                {
+                  "workgroupName": {
+                    "Ref": "WorkGroupName"
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      },
+      "Description": "Gives permissions to execute Athena queries",
+      "Parameters": {
+        "WorkGroupName": {
+          "Description": "Name of the Athena Workgroup"
+        }
+      }
+    },
+    "AthenaQueryPolicy_v2": {
       "Definition": {
         "Statement": [
           {
@@ -141,7 +195,32 @@
               "glue:GetTable"
             ],
             "Effect": "Allow",
-            "Resource": "*"
+            "Resource": [
+              "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+              {
+                "Fn::Sub": [
+                  "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                  {
+                    "databaseName": {
+                      "Ref": "DatabaseName"
+                    }
+                  }
+                ]
+              },
+              {
+                "Fn::Sub": [
+                  "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                  {
+                    "databaseName": {
+                      "Ref": "DatabaseName"
+                    },
+                    "tableName": {
+                      "Ref": "TableName"
+                    }
+                  }
+                ]
+              }
+            ]
           },
           {
             "Action": [
@@ -177,6 +256,12 @@
       "Parameters": {
         "WorkGroupName": {
           "Description": "Name of the Athena Workgroup"
+        },
+        "DatabaseName": {
+          "Description": "Name of the Athena Workgroup"
+        },
+        "TableName": {
+          "Description": "Name of the Athena Workgroup"
         }
       }
     },

tests/translator/input/all_policy_templates.yaml

@@ -160,6 +160,11 @@ Resources:
       - AthenaQueryPolicy:
           WorkGroupName: name
 
+      - AthenaQueryPolicy_v2:
+          WorkGroupName: name
+          DatabaseName: name
+          TableName: name
+
       - S3WritePolicy:
           BucketName: name
 

tests/translator/output/all_policy_templates.json

@@ -1751,6 +1751,90 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy64"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "athena:ListWorkGroups",
+                    "athena:GetWorkGroup",
+                    "athena:GetExecutionEngines",
+                    "athena:GetDatabase",
+                    "athena:ListDataCatalogs",
+                    "athena:ListDatabases",
+                    "athena:ListTableMetadata",
+                    "athena:GetTableMetadata"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "*"
+                },
+                {
+                  "Action": [
+                    "glue:GetDatabases",
+                    "glue:GetDatabase",
+                    "glue:GetTables",
+                    "glue:GetTable"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": [
+                    "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          }
+                        }
+                      ]
+                    },
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          },
+                          "tableName": {
+                            "Ref": "TableName"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                {
+                  "Action": [
+                    "athena:StartQueryExecution",
+                    "athena:GetQueryResults",
+                    "athena:DeleteNamedQuery",
+                    "athena:GetNamedQuery",
+                    "athena:ListQueryExecutions",
+                    "athena:StopQueryExecution",
+                    "athena:GetQueryResultsStream",
+                    "athena:ListNamedQueries",
+                    "athena:CreateNamedQuery",
+                    "athena:GetQueryExecution",
+                    "athena:BatchGetNamedQuery",
+                    "athena:BatchGetQueryExecution",
+                    "athena:GetWorkGroup"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                      {
+                        "workgroupName": {
+                          "Ref": "WorkGroupName"
+                        }
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy65"
           }
         ],
         "Tags": [

tests/translator/output/aws-cn/all_policy_templates.json

@@ -1751,6 +1751,90 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy64"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "athena:ListWorkGroups",
+                    "athena:GetWorkGroup",
+                    "athena:GetExecutionEngines",
+                    "athena:GetDatabase",
+                    "athena:ListDataCatalogs",
+                    "athena:ListDatabases",
+                    "athena:ListTableMetadata",
+                    "athena:GetTableMetadata"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "*"
+                },
+                {
+                  "Action": [
+                    "glue:GetDatabases",
+                    "glue:GetDatabase",
+                    "glue:GetTables",
+                    "glue:GetTable"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": [
+                    "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          }
+                        }
+                      ]
+                    },
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          },
+                          "tableName": {
+                            "Ref": "TableName"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                {
+                  "Action": [
+                    "athena:StartQueryExecution",
+                    "athena:GetQueryResults",
+                    "athena:DeleteNamedQuery",
+                    "athena:GetNamedQuery",
+                    "athena:ListQueryExecutions",
+                    "athena:StopQueryExecution",
+                    "athena:GetQueryResultsStream",
+                    "athena:ListNamedQueries",
+                    "athena:CreateNamedQuery",
+                    "athena:GetQueryExecution",
+                    "athena:BatchGetNamedQuery",
+                    "athena:BatchGetQueryExecution",
+                    "athena:GetWorkGroup"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                      {
+                        "workgroupName": {
+                          "Ref": "WorkGroupName"
+                        }
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy65"
           }
         ],
         "Tags": [

tests/translator/output/aws-us-gov/all_policy_templates.json

@@ -1751,6 +1751,90 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy64"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "athena:ListWorkGroups",
+                    "athena:GetWorkGroup",
+                    "athena:GetExecutionEngines",
+                    "athena:GetDatabase",
+                    "athena:ListDataCatalogs",
+                    "athena:ListDatabases",
+                    "athena:ListTableMetadata",
+                    "athena:GetTableMetadata"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "*"
+                },
+                {
+                  "Action": [
+                    "glue:GetDatabases",
+                    "glue:GetDatabase",
+                    "glue:GetTables",
+                    "glue:GetTable"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": [
+                    "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          }
+                        }
+                      ]
+                    },
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          },
+                          "tableName": {
+                            "Ref": "TableName"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                {
+                  "Action": [
+                    "athena:StartQueryExecution",
+                    "athena:GetQueryResults",
+                    "athena:DeleteNamedQuery",
+                    "athena:GetNamedQuery",
+                    "athena:ListQueryExecutions",
+                    "athena:StopQueryExecution",
+                    "athena:GetQueryResultsStream",
+                    "athena:ListNamedQueries",
+                    "athena:CreateNamedQuery",
+                    "athena:GetQueryExecution",
+                    "athena:BatchGetNamedQuery",
+                    "athena:BatchGetQueryExecution",
+                    "athena:GetWorkGroup"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                      {
+                        "workgroupName": {
+                          "Ref": "WorkGroupName"
+                        }
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy65"
           }
         ],
         "Tags": [