Merge branch 'mainline' of ssh://git.amazon.com:2222/pkg/DataLakeAsCode into mainline

Author: paulu-aws

DeployChemblOpenTargetsEnv.sh

@@ -1,6 +1,9 @@
+#!/bin/sh
 npm run build
 cdk bootstrap
 cdk deploy BaselineStack --require-approval never
+currentPrincipalArn=$(aws sts get-caller-identity --query Arn --output text)
+jq '.context.starterLakeFormationAdmin = $currentPrincipalArn' --arg currentPrincipalArn $currentPrincipalArn cdk.json > tmp.$$.json && mv tmp.$$.json cdk.json
 cdk deploy CoreDataLake --require-approval never
 cdk deploy ChemblStack --require-approval never
 cdk deploy OpenTargetsStack --require-approval never

bin/aws.ts

@@ -15,7 +15,7 @@ const baseline = new BaselineStack(app, 'BaselineStack');
 
 
 const coreDataLake = new DataLakeStack(app, 'CoreDataLake', {
-
+    starterLakeFormationAdminPrincipalArn: app.node.tryGetContext("starterLakeFormationAdmin")
 });
 
 const chemblStack = new ChemblStack(app, 'ChemblStack', {
@@ -36,6 +36,9 @@ const analyticsStack = new AnalyticsStack(app, 'AnalyticsStack', {
 });
 
 
+
+
+
 chemblStack.grantIamRead(analyticsStack.NotebookRole);
 openTargetsStack.grantIamRead(analyticsStack.NotebookRole);
 
@@ -46,44 +49,44 @@ openTargetsStack.grantIamRead(analyticsStack.NotebookRole);
 
 
 
-const exampleUser = iam.User.fromUserName(coreDataLake, 'exampleGrantee', 'paul1' );
+// const exampleUser = iam.User.fromUserName(coreDataLake, 'exampleGrantee', 'paul1' );
 
-var exampleGrant: DataLakeEnrollment.TablePermissionGrant = {
-    tables: ["association_data", "evidence_data","target_list","disease_list"],
-    DatabasePermissions: [DataLakeEnrollment.DatabasePermission.Alter, DataLakeEnrollment.DatabasePermission.CreateTable, DataLakeEnrollment.DatabasePermission.Drop],
-    GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.Alter, DataLakeEnrollment.DatabasePermission.CreateTable, DataLakeEnrollment.DatabasePermission.Drop],
-    TablePermissions: [DataLakeEnrollment.TablePermission.Select, DataLakeEnrollment.TablePermission.Insert, DataLakeEnrollment.TablePermission.Delete],
-    GrantableTablePermissions: [DataLakeEnrollment.TablePermission.Select]
-};
+// var exampleGrant: DataLakeEnrollment.TablePermissionGrant = {
+//     tables: ["association_data", "evidence_data","target_list","disease_list"],
+//     DatabasePermissions: [DataLakeEnrollment.DatabasePermission.Alter, DataLakeEnrollment.DatabasePermission.CreateTable, DataLakeEnrollment.DatabasePermission.Drop],
+//     GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.Alter, DataLakeEnrollment.DatabasePermission.CreateTable, DataLakeEnrollment.DatabasePermission.Drop],
+//     TablePermissions: [DataLakeEnrollment.TablePermission.Select, DataLakeEnrollment.TablePermission.Insert, DataLakeEnrollment.TablePermission.Delete],
+//     GrantableTablePermissions: [DataLakeEnrollment.TablePermission.Select]
+// };
 
-openTargetsStack.grantTablePermissions(exampleUser, exampleGrant);
+// openTargetsStack.grantTablePermissions(exampleUser, exampleGrant);
 
 
 
 
-// In the example below, we are using the compound_structures table from ChEMBL. It has the following table definition:
-// ['molregno', 'molfile', 'standard_inchi', 'standard_inchi_key', 'canonical_smiles']
-// Lets say we want to give a principal ONLY select permissions to everything in the compound_structures table BUT the 'canonical_smiles' column.
+// // In the example below, we are using the compound_structures table from ChEMBL. It has the following table definition:
+// // ['molregno', 'molfile', 'standard_inchi', 'standard_inchi_key', 'canonical_smiles']
+// // Lets say we want to give a principal ONLY select permissions to everything in the compound_structures table BUT the 'canonical_smiles' column.
 
-var exampleTableWithColumnsGrant: DataLakeEnrollment.TableWithColumnPermissionGrant = {
-    table: "chembl_25_public_compound_structures",
-    // Note that we are NOT including 'canonical_smiles'. That effectivley prevents this user from querying that column.
-    columns: ['molregno', 'molfile', 'standard_inchi', 'standard_inchi_key'],
-    DatabasePermissions: [],
-    GrantableDatabasePermissions: [],
-    TableColumnPermissions: [DataLakeEnrollment.TablePermission.Select],
-    GrantableTableColumnPermissions: []
-};
+// var exampleTableWithColumnsGrant: DataLakeEnrollment.TableWithColumnPermissionGrant = {
+//     table: "chembl_25_public_compound_structures",
+//     // Note that we are NOT including 'canonical_smiles'. That effectivley prevents this user from querying that column.
+//     columns: ['molregno', 'molfile', 'standard_inchi', 'standard_inchi_key'],
+//     DatabasePermissions: [],
+//     GrantableDatabasePermissions: [],
+//     TableColumnPermissions: [DataLakeEnrollment.TablePermission.Select],
+//     GrantableTableColumnPermissions: []
+// };
 
-var exampleTableWithColumnsGrant_WithWildCard: DataLakeEnrollment.TableWithColumnPermissionGrant = {
-    table: "chembl_25_public_compound_structures",
-    wildCardFilter: DataLakeEnrollment.TableWithColumnFilter.Exclude,
-    columns: ['canonical_smiles'],
-    DatabasePermissions: [],
-    GrantableDatabasePermissions: [],
-    TableColumnPermissions: [DataLakeEnrollment.TablePermission.Select],
-    GrantableTableColumnPermissions: []
-};
+// var exampleTableWithColumnsGrant_WithWildCard: DataLakeEnrollment.TableWithColumnPermissionGrant = {
+//     table: "chembl_25_public_compound_structures",
+//     wildCardFilter: DataLakeEnrollment.TableWithColumnFilter.Exclude,
+//     columns: ['canonical_smiles'],
+//     DatabasePermissions: [],
+//     GrantableDatabasePermissions: [],
+//     TableColumnPermissions: [DataLakeEnrollment.TablePermission.Select],
+//     GrantableTableColumnPermissions: []
+// };
 
-// Note that exampleTableWithColumnsGrant exampleTableWithColumnsGrant_WithWildCard grants the same effecitve permissions. One just uses a the wildcard.
-chemblStack.grantTableWithColumnPermissions(exampleUser, exampleTableWithColumnsGrant);
+// // Note that exampleTableWithColumnsGrant exampleTableWithColumnsGrant_WithWildCard grants the same effecitve permissions. One just uses a the wildcard.
+// chemblStack.grantTableWithColumnPermissions(exampleUser, exampleTableWithColumnsGrant);

cdk.json

@@ -1,3 +1,6 @@
 {
-  "app": "npx ts-node bin/aws.ts"
+  "app": "npx ts-node bin/aws.ts",
+  "context": {
+    "starterLakeFormationAdmin": "XXXX-this value gets populated by DeployChemblOpenTargetsEnv.sh script-XXXXX"
+  }
 }

lib/chembl-25-stack.ts

@@ -42,7 +42,9 @@ export class ChemblStack extends DataSetStack{
 				"--DL_REGION": cdk.Stack.of(this).region,
 				"--GLUE_SRC_DATABASE": "chembl_25_src"
 			}	    	
-	    });
+		});
+		
+		
 	}
 }
 

lib/constructs/data-lake-enrollment.ts

@@ -13,20 +13,34 @@ import { DataSetEnrollmentProps, DataSetEnrollment } from './data-set-enrollment
 
 export class DataLakeEnrollment extends cdk.Construct {
 
-  public DataEnrollment: DataSetEnrollment;
-  public DataSetName: string;
-  private CoarseAthenaAccessPolicy: iam.ManagedPolicy;
-  private CoarseResourceAccessPolicy: iam.ManagedPolicy;
-  private CoarseIamPolciesApplied: boolean;
+    public DataEnrollment: DataSetEnrollment;
+    public DataSetName: string;
+    private CoarseAthenaAccessPolicy: iam.ManagedPolicy;
+    private CoarseResourceAccessPolicy: iam.ManagedPolicy;
+    private CoarseIamPolciesApplied: boolean;
 
-  constructor(scope: cdk.Construct, id: string, props: DataLakeEnrollment.DataLakeEnrollmentProps) {
+    constructor(scope: cdk.Construct, id: string, props: DataLakeEnrollment.DataLakeEnrollmentProps) {
         super(scope, id);
 
 
         this.DataSetName = props.DataSetName;
         this.CoarseIamPolciesApplied = false;
 
     }
+ 
+    protected grantGlueRoleLakeFormationPermissions(DataSetGlueRole: iam.Role, DataSetName: string) {
+
+        this.grantDataLocationPermissions(this.DataEnrollment.DataSetGlueRole, {
+            Grantable: true,
+            GrantResourcePrefix: `${DataSetName}locationGrant`
+        });
+        this.grantDatabasePermission(this.DataEnrollment.DataSetGlueRole,  {		     
+		     DatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantResourcePrefix: `${DataSetName}RoleGrant`
+		}, true);
+    }
+
 
     public createCoarseIamPolicy(){
 
@@ -225,6 +239,45 @@ export class DataLakeEnrollment extends cdk.Construct {
 
     }
 
+    public grantDataLocationPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.DataLocationGrant){
+        
+        var grantIdPrefix = ""
+        var dataLakePrincipal : lakeformation.CfnPermissions.DataLakePrincipalProperty = {
+            dataLakePrincipalIdentifier: ""
+        };
+
+        var dataLocationProperty : lakeformation.CfnPermissions.ResourceProperty = {
+            dataLocationResource: {
+                s3Resource: `arn:aws:s3:::${this.DataEnrollment.DataLakeBucketName}${this.DataEnrollment.DataLakePrefix}`            
+            }            
+        };
+        const resolvedPrincipalType = this.determinePrincipalType(principal);
+
+        if(resolvedPrincipalType === iam.Role) {
+            const resolvedPrincipal = principal as  iam.Role;
+
+            if(permissionGrant.GrantResourcePrefix){
+                grantIdPrefix = `${permissionGrant.GrantResourcePrefix}-${this.DataSetName}`
+            }else{
+                grantIdPrefix = `${resolvedPrincipal.roleName}-${this.DataSetName}`
+            }            
+            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.roleArn };
+		}
+
+	    if(resolvedPrincipalType === iam.User){
+            const resolvedPrincipal = principal as  iam.User;
+            grantIdPrefix = `${resolvedPrincipal.userName}-${this.DataSetName}`
+            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.userArn };
+		}
+
+        if(permissionGrant.Grantable){
+            this.createLakeFormationPermission(`${grantIdPrefix}-locationGrant`,dataLakePrincipal , dataLocationProperty, ['DATA_LOCATION_ACCESS'], ['DATA_LOCATION_ACCESS']);
+        }else {
+            this.createLakeFormationPermission(`${grantIdPrefix}-locationGrant`,dataLakePrincipal , dataLocationProperty, ['DATA_LOCATION_ACCESS'], ['']);
+        }                
+
+
+    }
 
     public grantTableWithColumnPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TableWithColumnPermissionGrant){
 
@@ -277,23 +330,27 @@ export class DataLakeEnrollment extends cdk.Construct {
 
     }
 
-    public grantDatabasePermission(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.DatabasePermissionGrant){
+    public grantDatabasePermission(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.DatabasePermissionGrant, includeSourceDb: boolean = false){
 
 
         var grantIdPrefix = ""
         var dataLakePrincipal : lakeformation.CfnPermissions.DataLakePrincipalProperty = {
             dataLakePrincipalIdentifier: ""
         };
-        var databaseResourceProperty : lakeformation.CfnPermissions.ResourceProperty = {
-            //dataLocationResource: {resourceArn: this.DataEnrollment.DataLakeBucketName},
+        var databaseResourceProperty : lakeformation.CfnPermissions.ResourceProperty = {            
             databaseResource: {name: this.DataEnrollment.Dataset_Datalake.databaseName}
         };
 
         const resolvedPrincipalType = this.determinePrincipalType(principal);
 
         if(resolvedPrincipalType === iam.Role) {
             const resolvedPrincipal = principal as  iam.Role;
-            grantIdPrefix = `${resolvedPrincipal.roleArn}-${this.DataSetName}`
+
+            if(permissionGrant.GrantResourcePrefix){
+                grantIdPrefix = `${permissionGrant.GrantResourcePrefix}-${this.DataSetName}`
+            }else{
+                grantIdPrefix = `${resolvedPrincipal.roleName}-${this.DataSetName}`
+            }            
             dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.roleArn };
 		}
 
@@ -305,11 +362,23 @@ export class DataLakeEnrollment extends cdk.Construct {
 
         this.createLakeFormationPermission(`${grantIdPrefix}-databaseGrant`,dataLakePrincipal , databaseResourceProperty, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions)
 
+        if(includeSourceDb){
+
+            databaseResourceProperty = {
+                //dataLocationResource: {resourceArn: this.DataEnrollment.DataLakeBucketName},
+                databaseResource: {name: this.DataEnrollment.Dataset_Source.databaseName}
+            };
+
+            this.createLakeFormationPermission(`${grantIdPrefix}-databaseSrcGrant`,dataLakePrincipal , databaseResourceProperty, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions)
+
+        }
+
+
     }
 
 
     public grantTablePermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TablePermissionGrant){
-
+        
         const coreGrant = this.setupIamAndLakeFormationDatabasePermissionForPrincipal(principal, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions);
 
         permissionGrant.tables.forEach(table => {
@@ -462,8 +531,13 @@ export namespace DataLakeEnrollment
     export interface DatabasePermissionGrant {
         DatabasePermissions: Array<DatabasePermission>;
         GrantableDatabasePermissions: Array<DatabasePermission>;
+        GrantResourcePrefix?: string;
     }
 
+    export interface DataLocationGrant{
+        Grantable: boolean;
+        GrantResourcePrefix?: string;
+    }
 
     export interface TablePermissionGrant {
         tables: Array<string>;

lib/constructs/rds-data-set-enrollment.ts

@@ -34,7 +34,7 @@ export class RDSPostgresDataSetEnrollment extends DataLakeEnrollment {
 			});
 
         }
-        
+		
         this.DataEnrollment = new DataSetEnrollment(this, 'rdsDatasetEnrollment', {
 			dataLakeBucket: props.dataLakeBucket,
 			dataSetName: dataSetName,
@@ -61,7 +61,10 @@ export class RDSPostgresDataSetEnrollment extends DataLakeEnrollment {
 			GlueScriptArguments: props.GlueScriptArguments
 
 		});        
-        
+						
+
 		this.createCoarseIamPolicy();
+		this.grantGlueRoleLakeFormationPermissions(this.DataEnrollment.DataSetGlueRole, props.DataSetName); 
+
 	}
 }

lib/constructs/s3-data-set-enrollment.ts

@@ -16,6 +16,22 @@ export interface S3dataSetEnrollmentProps extends DataLakeEnrollment.DataLakeEnr
 
 
 export class S3dataSetEnrollment extends DataLakeEnrollment{
+
+
+
+    grantGlueRoleLakeFormationPermissions(DataSetGlueRole: iam.Role, DataSetName: string) {
+
+        this.grantDataLocationPermissions(this.DataEnrollment.DataSetGlueRole, {
+            Grantable: true,
+            GrantResourcePrefix: `${DataSetName}locationGrant`
+        });
+        this.grantDatabasePermission(this.DataEnrollment.DataSetGlueRole,  {		     
+		     DatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.All],
+             GrantResourcePrefix: `${DataSetName}RoleGrant`
+		}, true);
+    }
+
 	constructor(scope: cdk.Construct, id: string, props: S3dataSetEnrollmentProps) {
 		super(scope, id, props);
 
@@ -47,7 +63,7 @@ export class S3dataSetEnrollment extends DataLakeEnrollment{
 
         }
 
-		this.DataEnrollment = new DataSetEnrollment(this, 'openTargetsEnrollment', {
+		this.DataEnrollment = new DataSetEnrollment(this, `${props.DataSetName}-s3Enrollment`, {
 		    dataLakeBucket: props.dataLakeBucket,
 			dataSetName: dataSetName,
 			SourceAccessPolicy: s3AccessPolicy,
@@ -58,6 +74,12 @@ export class S3dataSetEnrollment extends DataLakeEnrollment{
 			GlueScriptArguments: props.GlueScriptArguments
 		});
 
-	    this.createCoarseIamPolicy();
+        this.createCoarseIamPolicy();
+
+        this.grantGlueRoleLakeFormationPermissions(this.DataEnrollment.DataSetGlueRole, props.DataSetName); 
+        
+        
+
+
 	}
 }

lib/stacks/datalake-stack.ts

@@ -8,13 +8,15 @@ import cfn = require("@aws-cdk/aws-cloudformation");
 import s3 = require('@aws-cdk/aws-s3');
 import s3assets = require('@aws-cdk/aws-s3-assets');
 import lakeformation = require('@aws-cdk/aws-lakeformation');
-import lambda = require('@aws-cdk/aws-lambda')
+import { CustomResource } from '@aws-cdk/core';
+import * as cr from '@aws-cdk/custom-resources';
+import lambda = require('@aws-cdk/aws-lambda');
 import fs = require('fs');
 
 import { DataSetEnrollmentProps, DataSetEnrollment } from '../constructs/data-set-enrollment';
 
 export interface DataLakeStackProps extends cdk.StackProps {
-
+  starterLakeFormationAdminPrincipalArn: string;
 }
 
 export class DataLakeStack extends cdk.Stack {
@@ -25,6 +27,7 @@ export class DataLakeStack extends cdk.Stack {
   public readonly LakeFormationResource: lakeformation.CfnResource;
   public readonly PrimaryAthenaWorkgroup: athena.CfnWorkGroup;
   private readonly bucketRole: iam.Role; 
+  private readonly starterAdminArn: string;
 
   public grantAthenaResultsBucketPermission(principal: iam.IPrincipal){
 
@@ -63,9 +66,14 @@ export class DataLakeStack extends cdk.Stack {
     super(scope, id, props);
 
     this.DataLakeBucket = new s3.Bucket(this, 'dataLakeBucket');
-    this.AthenaResultsBucket = new s3.Bucket(this, 'athenaResultsBucket');
-    
-    
+    this.AthenaResultsBucket = new s3.Bucket(this, 'athenaResultsBucket');        
+   
+    new lakeformation.CfnDataLakeSettings(this, 'starterAdminPermission', {
+      admins: [{
+        dataLakePrincipalIdentifier: props.starterLakeFormationAdminPrincipalArn        
+      }]
+    });
+
     const coarseAthenaResultBucketAccess = {
             "Version": "2012-10-17",
             "Statement": [