Add MWAA Serverless examples with AWS service integrations (#95)

Co-authored-by: John Jackson <john-jac@users.noreply.github.com>

Author: john-jac

serverless/examples/README.md

@@ -0,0 +1,258 @@
+# MWAA Serverless Examples
+
+This directory contains example MWAA Serverless DAGs demonstrating integration with various AWS services. 
+
+## Overview
+
+These DAGs demonstrate how to use Airflow 3.0.6 with AWS services, including proper IAM permissions, error handling, and resource management. Each DAG is self-contained and includes inline documentation.
+
+## Prerequisites
+
+- Amazon MWAA environment (version 3.0.6 or later)
+- AWS CLI configured with appropriate permissions
+- IAM roles with required permissions (see [IAM Policy](#iam-policy))
+
+----
+*Note:* Throughout this post, we use example values that you'll need to replace with your own:
+- Replace `amzn-s3-demo-bucket` with your S3 bucket name
+- Replace `111122223333` with your AWS account ID
+- Replace `us-east-2` with your AWS Region. MWAA Serverless is available in multiple AWS Regions. Check the [List of AWS Services Available by Region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) for current availability.
+
+----
+
+
+
+## DAG Examples
+
+### S3 Operations (`s3_dag.yaml`)
+Demonstrates S3 bucket and object operations including:
+- Creating and deleting S3 buckets
+- Creating, listing, and deleting S3 objects
+- Using S3KeySensor to wait for objects
+
+### AWS Glue Jobs (`glue_dag.yaml`)
+Illustrates Glue ETL job execution:
+- Creating and uploading Glue scripts to S3
+- Running Glue 5.0 jobs with Python
+- Monitoring job completion with sensors
+
+### Amazon Athena (`athena_dag.yaml`)
+Demonstrates Athena query execution:
+- Running SQL queries against data lakes
+- Managing query results and outputs
+- Integration with CloudFormation for resource creation
+
+
+## Setup
+
+1. **Upload YAML files to your S3 bucket:**
+   ```bash
+   aws s3 cp . s3://amzn-s3-demo-bucket/yaml_dags/ --recursive --exclude "*.md" --exclude "*.json"
+   ```
+
+2. **Create the required IAM execution role:**
+   ```bash
+   aws iam create-role \
+     --role-name mwaa-serverless-execution-role \
+     --assume-role-policy-document file://trust-policy.json
+   
+   aws iam put-role-policy \
+     --role-name mwaa-serverless-execution-role \
+     --policy-name mwaa-airflow3-policy \
+     --policy-document file://mwaa-comprehensive-policy.json
+   ```
+
+3. **Create your MWAA Serverless** to use the defnitions, i.e..:
+   ```bash
+	aws mwaa-serverless create-workflow \
+	--name athena_dag \
+	--definition-s3-location '{ "Bucket": "amzn-s3-demo-bucket", "ObjectKey": "yaml_dags/athena_dag.yaml" }' \
+	--role-arn arn:aws:iam::111122223333:role/mwaa-serverless-access-role \
+	--region us-east-2
+	```
+
+## IAM Policy
+
+The comprehensive IAM policy required for all DAGs includes permissions for:
+
+- S3 operations (bucket and object management)
+- Lambda function lifecycle management
+- Glue job creation and execution
+- Athena query execution
+- Batch job submission and monitoring
+- EMR Serverless application management
+- SageMaker processing jobs
+- CloudFormation stack operations
+- CloudWatch logging
+
+```json
+
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "S3Permissions",
+			"Effect": "Allow",
+			"Action": [
+				"s3:CreateBucket",
+				"s3:DeleteBucket",
+				"s3:ListBucket",
+				"s3:GetObject",
+				"s3:PutObject",
+				"s3:DeleteObject"
+			],
+			"Resource": [
+				"arn:aws:s3:::*",
+				"arn:aws:s3:::*/*"
+			]
+		},
+		{
+			"Sid": "GluePermissions",
+			"Effect": "Allow",
+			"Action": [
+				"glue:CreateJob",
+				"glue:GetJob",
+				"glue:StartJobRun",
+				"glue:GetJobRun",
+				"glue:GetTable",
+				"glue:CreateTable",
+				"glue:DeleteTable",
+				"glue:CreateDatabase",
+				"glue:DeleteDatabase"
+			],
+			"Resource": "*"
+		},
+		{
+			"Sid": "AthenaPermissions",
+			"Effect": "Allow",
+			"Action": [
+				"athena:StartQueryExecution",
+				"athena:GetQueryExecution",
+				"athena:GetQueryResults"
+			],
+			"Resource": "*"
+		},
+		{
+			"Sid": "CloudwatchPermissions",
+			"Effect": "Allow",
+			"Action": [
+				"logs:CreateLogGroup",
+				"logs:CreateLogStream",
+				"logs:PutLogEvents"
+			],
+			"Resource": "*"
+		},
+		{
+			"Sid": "CloudFormationPermissions",
+			"Effect": "Allow",
+			"Action": [
+				"cloudformation:CreateStack",
+				"cloudformation:DeleteStack",
+				"cloudformation:DescribeStacks"
+			],
+			"Resource": "*"
+		},
+		{
+			"Sid": "CloudWatchLogsPermissions",
+			"Effect": "Allow",
+			"Action": [
+				"logs:CreateLogGroup",
+				"logs:CreateLogStream",
+				"logs:PutLogEvents"
+			],
+			"Resource": "*"
+		},
+		{
+			"Sid": "IAMPassRolePermissions",
+			"Effect": "Allow",
+			"Action": [
+				"iam:PassRole",
+				"iam:GetRole"
+			],
+			"Resource": "*"
+		}
+	]
+}
+```
+
+### Trust Relationships
+
+Your execution role needs trust relationships for:
+
+
+**Service Roles (for PassRole operations):**
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "airflow-serverless.amazonaws.com",
+          "glue.amazonaws.com"
+        ]
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```
+
+## Usage
+
+1. **Enable DAGs** in the Airflow UI
+2. **Configure parameters** as needed for your environment
+3. **Trigger DAGs** manually or via schedule
+4. **Monitor execution** through CloudWatch logs
+
+## Configuration
+
+Most DAGs use parameters that can be customized:
+
+- `role_arn`: IAM role for service operations
+- `s3_bucket`: S3 bucket for data and scripts
+- `region`: AWS region for resources
+
+Update these parameters in the Airflow UI or via environment variables.
+
+## Troubleshooting
+
+### Common Issues
+
+- **IAM Permission Errors**: Ensure your execution role has all required permissions
+- **Resource Not Found**: Verify S3 buckets and objects exist before running DAGs
+- **Timeout Issues**: Adjust timeout values for long-running jobs
+
+### Logs
+
+Check CloudWatch logs for detailed error information:
+- Airflow task logs: `/aws/amazonmwaa/[environment-name]/task`
+- Service-specific logs: `/aws/glue/`, `/aws/athena/`, etc.
+
+## Clean Up
+
+Each DAG includes cleanup tasks where appropriate. For manual cleanup:
+
+```bash
+# Remove uploaded files
+aws s3 rm s3://amzn-s3-demo-bucket/dags/ --recursive
+
+# Delete IAM role and policies
+aws iam delete-role-policy --role-name mwaa-airflow3-execution-role --policy-name mwaa-airflow3-policy
+aws iam delete-role --role-name mwaa-airflow3-execution-role
+```
+
+## Security
+
+- Always use least-privilege IAM permissions
+- Sensitive data should be stored in AWS Secrets Manager
+- Network access is controlled through VPC configuration
+
+## Contributing
+
+See [CONTRIBUTING](../../../CONTRIBUTING.md) for guidelines on contributing to this repository.
+
+## License
+
+This library is licensed under the MIT-0 License. See the [LICENSE](../../../LICENSE) file.

serverless/examples/athena_dag.yaml

@@ -0,0 +1,124 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+athena_dag:
+  dag_id: athena_dag
+  params:
+    output_location: s3://amzn-s3-demo-bucket/athena-results/
+  schedule: None
+  tasks:
+    create_stack:
+      operator: airflow.providers.amazon.aws.operators.cloud_formation.CloudFormationCreateStackOperator
+      cloudformation_parameters:
+        StackName: covid-lake-stack
+        TemplateURL: https://covid19-lake.s3.us-east-2.amazonaws.com/cfn/CovidLakeStack.template.json
+        TimeoutInMinutes: 5
+        OnFailure: DELETE
+      stack_name: covid-lake-stack
+      task_id: create_stack
+      dependencies: []
+    wait_for_stack_create:
+      operator: airflow.providers.amazon.aws.sensors.cloud_formation.CloudFormationCreateStackSensor
+      stack_name: covid-lake-stack
+      task_id: wait_for_stack_create
+      dependencies:
+      - create_stack
+    query_1:
+      operator: airflow.providers.amazon.aws.operators.athena.AthenaOperator
+      database: default
+      output_location: '{{ params.output_location }}'
+      query: |
+        SELECT 
+          cases.fips, 
+          admin2 as county, 
+          province_state, 
+          confirmed,
+          growth_count, 
+          sum(num_licensed_beds) as num_licensed_beds, 
+          sum(num_staffed_beds) as num_staffed_beds, 
+          sum(num_icu_beds) as num_icu_beds
+        FROM 
+          "covid-19"."hospital_beds" beds, 
+          ( SELECT 
+              fips, 
+              admin2, 
+              province_state, 
+              confirmed, 
+              last_value(confirmed) over (partition by fips order by last_update) - first_value(confirmed) over (partition by fips order by last_update) as growth_count,
+              first_value(last_update) over (partition by fips order by last_update desc) as most_recent,
+              last_update
+            FROM  
+              "covid-19"."enigma_jhu" 
+            WHERE 
+              from_iso8601_timestamp(last_update) > now() - interval '200' day AND country_region = 'US') cases
+        WHERE 
+          beds.fips = cases.fips AND last_update = most_recent
+        GROUP BY cases.fips, confirmed, growth_count, admin2, province_state
+        ORDER BY growth_count desc
+      task_id: query_1
+      dependencies:
+      - wait_for_stack_create
+    query_2:
+      operator: airflow.providers.amazon.aws.operators.athena.AthenaOperator
+      database: default
+      output_location: '{{ params.output_location }}'
+      query: |
+        SELECT * FROM "covid-19"."world_cases_deaths_testing" order by "date" desc limit 10;
+      task_id: query_2
+      dependencies:
+      - wait_for_stack_create
+    query_3:
+      operator: airflow.providers.amazon.aws.operators.athena.AthenaOperator
+      database: default
+      output_location: '{{ params.output_location }}'
+      query: |
+        SELECT 
+          date,
+          positive,
+          negative,
+          pending,
+          hospitalized,
+          death,
+          total,
+          deathincrease,
+          hospitalizedincrease,
+          negativeincrease,
+          positiveincrease,
+          sta.state AS state_abbreviation,
+          abb.state 
+
+        FROM "covid-19"."covid_testing_states_daily" sta
+        JOIN "covid-19"."us_state_abbreviations" abb ON sta.state = abb.abbreviation
+        limit 500;
+      task_id: query_3
+      dependencies:
+      - wait_for_stack_create
+    delete_stack:
+      operator: airflow.providers.amazon.aws.operators.cloud_formation.CloudFormationDeleteStackOperator
+      stack_name: covid-lake-stack
+      task_id: delete_stack
+      trigger_rule: all_done
+      dependencies:
+      - query_1
+      - query_3
+      - query_2
+    wait_for_stack_delete:
+      operator: airflow.providers.amazon.aws.sensors.cloud_formation.CloudFormationDeleteStackSensor
+      stack_name: covid-lake-stack
+      task_id: wait_for_stack_delete
+      trigger_rule: all_success
+      dependencies:
+      - delete_stack
+