feature: add a helper construct for a glue default role (#150)

Author: vgkowski

core/API.md

@@ -409,6 +409,43 @@ SingletonBucket.getOrCreate(scope: Construct, bucketName: string)
 
 
 
+### SingletonGlueDefaultRole <a name="aws-analytics-reference-architecture.SingletonGlueDefaultRole"></a>
+
+SingletonGlueDefaultRole Construct to automatically setup a new Amazon IAM role to use with AWS Glue jobs.
+
+The role is created with AWSGlueServiceRole policy and authorize all actions on S3.
+The Construct provides a getOrCreate method for SingletonInstantiation
+
+
+#### Static Functions <a name="Static Functions"></a>
+
+##### `getOrCreate` <a name="aws-analytics-reference-architecture.SingletonGlueDefaultRole.getOrCreate"></a>
+
+```typescript
+import { SingletonGlueDefaultRole } from 'aws-analytics-reference-architecture'
+
+SingletonGlueDefaultRole.getOrCreate(scope: Construct)
+```
+
+###### `scope`<sup>Required</sup> <a name="aws-analytics-reference-architecture.SingletonGlueDefaultRole.parameter.scope"></a>
+
+- *Type:* [`@aws-cdk/core.Construct`](#@aws-cdk/core.Construct)
+
+---
+
+#### Properties <a name="Properties"></a>
+
+##### `iamRole`<sup>Required</sup> <a name="aws-analytics-reference-architecture.SingletonGlueDefaultRole.property.iamRole"></a>
+
+```typescript
+public readonly iamRole: Role;
+```
+
+- *Type:* [`@aws-cdk/aws-iam.Role`](#@aws-cdk/aws-iam.Role)
+
+---
+
+
 ### SynchronousAthenaQuery <a name="aws-analytics-reference-architecture.SynchronousAthenaQuery"></a>
 
 SynchronousAthenaQuery Construct to execute an Amazon Athena query synchronously.

core/src/index.ts

@@ -10,4 +10,5 @@ export { SynchronousAthenaQueryProps, SynchronousAthenaQuery } from './synchrono
 export { SingletonBucket } from './singleton-bucket';
 export { Ec2SsmRole } from './ec2-ssm-role';
 export { DataLakeCatalog } from './data-lake-catalog';
-export { AthenaDefaultSetup, AthenaDefaultSetupProps } from './athena-default-setup';
+export { AthenaDefaultSetup, AthenaDefaultSetupProps } from './athena-default-setup';
+export { SingletonGlueDefaultRole } from './singleton-glue-default-role';

core/src/integ.default.ts

@@ -2,8 +2,8 @@
 // SPDX-License-Identifier: MIT-0
 
 import { App, Stack } from '@aws-cdk/core';
-import { AthenaDefaultSetup } from './athena-default-setup';
+import { SingletonGlueDefaultRole } from '.';
 
 const mockApp = new App();
-const stack = new Stack(mockApp, 'teststack');
-new AthenaDefaultSetup(stack, 'testlake');
+const stack = new Stack(mockApp, 'testStack');
+SingletonGlueDefaultRole.getOrCreate(stack);

core/src/singleton-glue-default-role.ts

@@ -0,0 +1,69 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+import { ManagedPolicy, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
+import { Construct, Stack } from '@aws-cdk/core';
+
+/**
+ * SingletonGlueDefaultRole Construct to automatically setup a new Amazon IAM role to use with AWS Glue jobs.
+ * The role is created with AWSGlueServiceRole policy and authorize all actions on S3.
+ * The Construct provides a getOrCreate method for SingletonInstantiation
+ */
+
+export class SingletonGlueDefaultRole extends Construct {
+
+  public static getOrCreate(scope: Construct) {
+    const stack = Stack.of(scope);
+    const id = 'glueDefaultRole';
+    return stack.node.tryFindChild(id) as SingletonGlueDefaultRole || new SingletonGlueDefaultRole(stack, id);
+  }
+
+  public readonly iamRole: Role;
+
+  /**
+   * Constructs a new instance of the GlueDefaultRole class
+   * @param {Construct} scope the Scope of the CDK Construct
+   * @param {string} id the ID of the CDK Construct
+   * @param {GlueDefaultRoleProps} props the GlueDefaultRole [properties]{@link GlueDefaultRoleProps}
+   * @access public
+   */
+
+  private constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const stack = Stack.of(this);
+
+    this.iamRole = new Role(this, 'glueDefaultRole', {
+      assumedBy: new ServicePrincipal('glue.amazonaws.com'),
+      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSGlueServiceRole')],
+      inlinePolicies: {
+        DataAccess: new PolicyDocument({
+          statements: [
+            new PolicyStatement({
+              resources: [
+                stack.formatArn({
+                  region: '',
+                  account: '',
+                  service: 's3',
+                  resource: '*',
+                  resourceName: '*',
+                }),
+              ],
+              actions: [
+                's3:ListBucket',
+                's3:*Object*',
+                's3:AbortMultipartUpload',
+                's3:ListBucketMultipartUploads',
+                's3:ListMultipartUploadParts',
+              ],
+            }),
+            new PolicyStatement({
+              resources: ['*'],
+              actions: ['lakeformation:GetDataAccess'],
+            }),
+          ],
+        }),
+      },
+    });
+  }
+}

core/test/singleton-glue-default-role.test.ts

@@ -0,0 +1,85 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+import * as assertCDK from '@aws-cdk/assert';
+import { Stack } from '@aws-cdk/core';
+import { SingletonGlueDefaultRole } from '../src/singleton-glue-default-role';
+import '@aws-cdk/assert/jest';
+
+test('SingletonGlueDefaultRole', () => {
+
+  const singletonGlueDefaultRoleStack = new Stack();
+
+  // Instantiate 2 SingletonGlueDefaultRole Constructs
+  SingletonGlueDefaultRole.getOrCreate(singletonGlueDefaultRoleStack);
+  SingletonGlueDefaultRole.getOrCreate(singletonGlueDefaultRoleStack);
+
+
+  // Test if SingletonGlueDefaultRole is a singleton
+  expect(singletonGlueDefaultRoleStack).toCountResources('AWS::IAM::Role', 1);
+
+  // Test the created Amazon IAM Role
+  expect(singletonGlueDefaultRoleStack).toHaveResource('AWS::IAM::Role', {
+    AssumeRolePolicyDocument: {
+      Statement: [
+        {
+          Action: 'sts:AssumeRole',
+          Effect: 'Allow',
+          Principal: {
+            Service: 'glue.amazonaws.com',
+          },
+        },
+      ],
+      Version: '2012-10-17',
+    },
+    ManagedPolicyArns: [
+      {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            {
+              Ref: 'AWS::Partition',
+            },
+            ':iam::aws:policy/service-role/AWSGlueServiceRole',
+          ],
+        ],
+      },
+    ],
+    Policies: [
+      {
+        PolicyDocument: assertCDK.objectLike({
+          Statement: assertCDK.arrayWith(
+            {
+              Action: [
+                's3:ListBucket',
+                's3:*Object*',
+                's3:AbortMultipartUpload',
+                's3:ListBucketMultipartUploads',
+                's3:ListMultipartUploadParts',
+              ],
+              Effect: 'Allow',
+              Resource: {
+                'Fn::Join': [
+                  '',
+                  [
+                    'arn:',
+                    {
+                      Ref: 'AWS::Partition',
+                    },
+                    ':s3:::*/*',
+                  ],
+                ],
+              },
+            },
+            {
+              Action: 'lakeformation:GetDataAccess',
+              Effect: 'Allow',
+              Resource: '*',
+            }),
+        }),
+        PolicyName: 'DataAccess',
+      },
+    ],
+  });
+});