
Commit 800a4a9

Reduce number of KMS policy similar
1 parent 751c2e2 commit 800a4a9

1 file changed

+5
-47
lines changed

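--- a/data-collection/deploy/deploy-data-collection.yaml
+++ b/data-collection/deploy/deploy-data-collection.yaml
@@ -456,21 +456,6 @@ Resources:
 rules_to_suppress:
 - id: W28 # Resource found with an explicit name, this disallows updates that require replacement of this resource
 reason: "Need explicit name to identify role actions"
-
-KmsPolicyForCidDCCrawlerRole:
-Type: AWS::IAM::Policy
-Condition: NeedDataBucketsKms
-Properties:
-PolicyName: !Sub "${ResourcePrefix}AwsDataCollectionCrawlerKmsDecryption"
-PolicyDocument:
-Version: 2012-10-17
-Statement:
-- Effect: Allow
-Action:
-- 'kms:Decrypt'
-Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
-Roles:
-- !Ref GlueRole
 
 LambdaAnalyticsRole: #Execution role for the custom resource for Analytics Lambda
 Type: AWS::IAM::Role
@@ -586,11 +571,11 @@ Resources:
 - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}"
 - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*"
 
-KmsPolicyForCidInitRole:
+KmsPolicyForCidResources:
 Type: AWS::IAM::Policy
 Condition: NeedDataBucketsKms
 Properties:
-PolicyName: !Sub "${ResourcePrefix}AwsDataCollectionInitKmsDecryption"
+PolicyName: !Sub "${ResourcePrefix}AwsDataCollectionKmsDecryption"
 PolicyDocument:
 Version: 2012-10-17
 Statement:
@@ -600,6 +585,9 @@ Resources:
 Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
 Roles:
 - !Ref LambdaInitRole
+- !Ref StepFunctionExecutionRole
+- !Ref LambdaManageGlueTableRole
+- !Ref GlueRole
 
 LambdaInit:
 Type: AWS::Lambda::Function
@@ -725,21 +713,6 @@ Resources:
 - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
 - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}"
 - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*"
-
-KmsPolicyForCidGlueTableRole:
-Type: AWS::IAM::Policy
-Condition: NeedDataBucketsKms
-Properties:
-PolicyName: !Sub "${ResourcePrefix}AwsDataCollectionGlueTableKmsDecryption"
-PolicyDocument:
-Version: 2012-10-17
-Statement:
-- Effect: Allow
-Action:
-- 'kms:Decrypt'
-Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
-Roles:
-- !Ref LambdaManageGlueTableRole
 
 LambdaManageGlueTable:
 Type: AWS::Lambda::Function
@@ -914,21 +887,6 @@ Resources:
 Roles:
 - Ref: StepFunctionExecutionRole
 
-KmsPolicyForStepFunctionRole:
-Type: AWS::IAM::Policy
-Condition: NeedDataBucketsKms
-Properties:
-PolicyName: !Sub "${ResourcePrefix}AwsDataCollectionStepFunctionKmsDecryption"
-PolicyDocument:
-Version: 2012-10-17
-Statement:
-- Effect: Allow
-Action:
-- 'kms:Decrypt'
-Resource: !Split [ ',', !Ref DataBucketsKmsKeysArns ]
-Roles:
-- !Ref StepFunctionExecutionRole
-
 SchedulerExecutionRole:
 Type: AWS::IAM::Role
 Properties: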
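Review bot: The three role references added under `Roles:` in the third hunk use `!Ref`, while the StepFunctionExecutionRole policy kept as context at the top of the last hunk uses the long form `- Ref: StepFunctionExecutionRole`; using `- !Ref StepFunctionExecutionRole` there as well keeps every attachment of that role greppable under one spelling. The consolidated `KmsPolicyForCidResources` resource is declared in the second hunk and its Statement and Roles continue in the third, so the full resource spans two hunks. Each of the four roles previously carried an identical `kms:Decrypt` grant on the same `DataBucketsKmsKeysArns` list, so the merge does not widen any role's permissions, but nothing in the template says so; a one-line comment such as `KmsPolicyForCidResources: # single kms:Decrypt grant shared by every role that must read objects encrypted with the data-bucket KMS keys` would make the intent explicit to the next person who adds a role. Since the logical IDs change, the update presumably creates the new policy and removes the three old ones in one pass; the distinct PolicyName avoids an inline-policy name clash, which is worth stating in the commit description.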
