Fix lambda data (#168)

* fix lambda inventory as Environment breaks crawler

* rename lambda to lambda_functions

* rename lambda to lambda_functions

* lint and refactor

* refactor output

Author: iakov-aws

data-collection/deploy/deploy-data-collection.yaml

@@ -36,7 +36,7 @@ Metadata:
           - IncludeLicenseManagerModule
     ParameterLabels:
       DestinationBucket:
-        default: 'Destination S3 bucket'
+        default: 'Destination S3 bucket prefix'
       ManagementAccountRole:
         default: 'Management account role'
       ManagementAccountID:
@@ -113,7 +113,7 @@ Mappings:
 Parameters:
   DestinationBucket:
     Type: String
-    Description: A Prefix of S3 Bucket name that will hold information. A Bucket name will be concatenated with account_id automatically (cid-data-123456123456). You can keep this parameter as is.
+    Description: "A Prefix of S3 Bucket name that will hold information. A Bucket name will be concatenated with account_id automatically (ex: cid-data-123456123456). You can keep this parameter as is."
     AllowedPattern: (?=^.{3,36}$)(?!^(\d+\.)+\d+$)(^(([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9\-])$)
     Default: cid-data-
   ManagementAccountRole:
@@ -230,20 +230,6 @@ Parameters:
     AllowedValues: ['yes', 'no']
     Default: 'no'
 
-Outputs:
-  S3Bucket:
-    Description: Name of S3 Bucket which will store the AWS Cost Explorer Rightsizing recommendations
-    Value: !Ref S3Bucket
-  S3BucketARN:
-    Description: ARN of S3 Bucket which will store the AWS Cost Explorer Rightsizing recommendations
-    Value: !GetAtt S3Bucket.Arn
-  RoleARN:
-    Description: "The arn of the IAM role that deployed in the management account which can retrieve AWS Organization data"
-    Value: !Sub "arn:aws:iam::${ManagementAccountID}:role/${ManagementAccountRole}"
-  DataCollectionDatabase:
-    Description: "Techical Value - DataCollectionDatabase"
-    Value: !Ref DatabaseName
-    Export: { Name: "cid-DataCollection-Database" }
 
 Conditions:
   DeployTAModule: !Equals [ !Ref IncludeTAModule, "yes"]
@@ -1223,3 +1209,51 @@ Resources:
         ResourcePrefix: !Ref ResourcePrefix
         DestinationBucket: !Ref S3Bucket
         DestinationBucketARN: !GetAtt S3Bucket.Arn
+
+  DataCollectionReadAccess:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Sub ${ResourcePrefix}DataCollectionReadAccess
+      Description: 'Policy for QuickSight to allow DataCollection access'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowGlue
+            Effect: Allow
+            Action:
+              - glue:GetPartition
+              - glue:GetPartitions
+              - glue:GetDatabase
+              - glue:GetDatabases
+              - glue:GetTable
+              - glue:GetTables
+            Resource:
+              - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog
+              - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
+              - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
+          - Sid: AllowListBucket
+            Effect: Allow
+            Action: s3:ListBucket
+            Resource:
+              - !Sub ${S3Bucket.Arn}
+          - Sid: AllowReadBucket
+            Effect: Allow
+            Action:
+              - s3:GetObject
+              - s3:GetObjectVersion
+            Resource:
+              - !Sub ${S3Bucket.Arn}/*
+
+Outputs:
+  Bucket:
+    Description: CID Data Collection - Name of S3 Bucket which will store collected data
+    Value: !Ref S3Bucket
+    Export: { Name: "cid-DataCollection-Bucket" }
+  Database:
+    Description: "Glue Database for CID Data Collection"
+    Value: !Ref DatabaseName
+    Export: { Name: "cid-DataCollection-Database" }
+  ReadAccessPolicyARN:
+    Description: "Access Policy for CID Data Collection"
+    Value: !Ref DataCollectionReadAccess
+    Export: { Name: "cid-DataCollection-ReadAccessPolicyARN" }