# SAM template for the Athena-to-Google-BigQuery federation connector, packaged
# for the Serverless Application Repository (SAR) and wired to a Glue connection.
Transform: 'AWS::Serverless-2016-10-31'
Metadata:
  # SAR listing metadata only; nothing here affects the deployed resources.
  'AWS::ServerlessRepo::Application':
    Name: AthenaGoogleBigQueryConnectorWithGlueConnection
    SemanticVersion: '2025.7.1'
    Description: 'This connector enables Amazon Athena to communicate with Big Query using Google SDK'
    Author: 'default author'
    SpdxLicenseId: Apache-2.0
    LicenseUrl: LICENSE.txt
    ReadmeUrl: README.md
    HomePageUrl: 'https://github.com/awslabs/aws-athena-query-federation'
    SourceCodeUrl: 'https://github.com/awslabs/aws-athena-query-federation'
    Labels:
      - Big-Query
      - Athena-Federation
      - Google-SDK
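Parameters:
  LambdaFunctionName:
    Description: 'This is the name of the lambda function that will be created. This name must satisfy the pattern ^[a-z0-9-_]{1,64}$'
    Type: String
    AllowedPattern: '^[a-z0-9-_]{1,64}$'
  SecretName:
    # The execution policy grants GetSecretValue on 'secret:<SecretName>*', so this
    # value is matched as a name prefix, not an exact name: any secret whose name
    # starts with it becomes readable by the function. Pick a name that is not a
    # prefix of unrelated secrets.
    Description: 'The secret name within AWS Secrets Manager that contains your Google Cloud Platform Credentials.'
    Type: String
  SpillBucket:
    # Bare bucket name (no arn:, no s3:// prefix); the policy builds the ARNs.
    Description: 'The name of the bucket where this function can spill data.'
    Type: String
  GlueConnection:
    Description: 'Name of glue connection storing connection details for Federated Data source.'
    Type: String
  # SecurityGroupIds and SubnetIds are meant to be supplied together: a VpcConfig
  # with only one of them is not a valid Lambda VPC configuration.
  SecurityGroupIds:
    Description: '(Optional) One or more SecurityGroup IDs corresponding to the SecurityGroup that should be applied to the Lambda function. (e.g. sg1,sg2,sg3)'
    Type: CommaDelimitedList
    Default: ''
  SubnetIds:
    Description: '(Optional) One or more Subnet IDs corresponding to the Subnet that the Lambda function can use to access your data source. (e.g. subnet1,subnet2)'
    Type: CommaDelimitedList
    Default: ''
  KmsKeyId:
    # The KMS policy interpolates this straight into 'key/<KmsKeyId>', so only a
    # bare key ID works here; an alias or a full key ARN yields a malformed ARN.
    Description: '(Optional) By default any data that is spilled to S3 is encrypted using AES-GCM and a randomly generated key. Setting a KMS Key ID allows your Lambda function to use KMS for key generation for a stronger source of encryption keys. Supply the bare key ID (not an alias or key ARN).'
    Type: String
    Default: ''
  LambdaRoleArn:
    # When set, FunctionRole, FunctionExecutionPolicy and FunctionKmsPolicy are not
    # created at all; the supplied role must already carry equivalent permissions.
    Description: '(Optional) A custom role to be used by the Connector lambda. When set, this template creates no role or policies of its own, so the role must already grant the permissions the connector needs.'
    Type: String
    Default: ''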
Conditions:
  # The list parameters default to "", which is presumably why they are joined
  # back into a single string before the emptiness check rather than compared
  # element-wise.
  HasSecurityGroups: !Not [!Equals [!Join ['', !Ref SecurityGroupIds], '']]
  HasSubnets: !Not [!Equals [!Join ['', !Ref SubnetIds], '']]
  HasKmsKeyId: !Not [!Equals [!Ref KmsKeyId, '']]
  # True when the template owns the execution role (no custom LambdaRoleArn).
  NotHasLambdaRole: !Equals [!Ref LambdaRoleArn, '']
  # The KMS grant is only attached to a role this template itself creates.
  CreateKmsPolicy: !And [!Condition HasKmsKeyId, !Condition NotHasLambdaRole]
  # Regions whose connector image lives in a different publisher account (see ImageUri).
  IsRegionBAH: !Equals [!Ref 'AWS::Region', 'me-south-1']
  IsRegionHKG: !Equals [!Ref 'AWS::Region', 'ap-east-1']
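Resources:
  # The connector itself: a container-image Lambda pulled from an AWS-owned ECR
  # repository selected per region below.
  AthenaBigQueryConnector:
    Type: 'AWS::Serverless::Function'
    Properties:
      Environment:
        Variables:
          glue_connection: !Ref GlueConnection
          # Path the Google SDK reads the service-account key from. The writer is
          # not in this template; presumably the connector materialises the
          # Secrets Manager payload here at startup. Lambda keeps /tmp across warm
          # invocations of the same execution environment, so the key material
          # stays on local disk for as long as that environment lives.
          GOOGLE_APPLICATION_CREDENTIALS: '/tmp/service-account.json'
      FunctionName: !Ref LambdaFunctionName
      PackageType: 'Image'
      # Supply-chain note: the image is pinned by a mutable tag, not by digest. A
      # tag can be re-pointed at a different image; pin '@sha256:<digest>' once the
      # digest of the intended release has been verified.
      ImageUri: !Sub
        - '${Account}.dkr.ecr.${AWS::Region}.amazonaws.com/athena-federation-repository-google-bigquery:2025.7.1'
        # Publisher account differs in me-south-1 and ap-east-1. The IDs are
        # quoted so the leading zero of the me-south-1 account cannot be lost to
        # YAML numeric typing.
        - Account: !If [IsRegionBAH, '084828588479', !If [IsRegionHKG, '183295418215', '292517598671']]
      Description: 'Enables Amazon Athena to communicate with BigQuery using Google SDK'
      Timeout: 900
      MemorySize: 3008
      # With a custom LambdaRoleArn none of the role/policy resources below are
      # created, so that role must carry equivalent permissions on its own.
      Role: !If [NotHasLambdaRole, !GetAtt FunctionRole.Arn, !Ref LambdaRoleArn]
      # Both lists are meant to be set together; a VpcConfig naming only one of
      # them is not a valid Lambda VPC configuration.
      VpcConfig:
        SecurityGroupIds: !If [HasSecurityGroups, !Ref SecurityGroupIds, !Ref 'AWS::NoValue']
        SubnetIds: !If [HasSubnets, !Ref SubnetIds, !Ref 'AWS::NoValue']

  # Execution role, created only when no LambdaRoleArn is supplied.
  FunctionRole:
    Condition: NotHasLambdaRole
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # AWSLambdaVPCAccessExecutionRole already grants the CloudWatch Logs and ENI
      # actions on Resource "*", which is broader than the resource-scoped logs
      # statements in FunctionExecutionPolicy; the effective permission set is the
      # union of both. If tighter log scoping is wanted, this managed policy is
      # what has to go.
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'

  FunctionExecutionPolicy:
    Condition: NotHasLambdaRole
    Type: 'AWS::IAM::Policy'
    Properties:
      Roles:
        - !Ref FunctionRole
      PolicyName: FunctionExecutionPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Secrets Manager appends a random suffix to every secret ARN, so the
          # trailing wildcard is needed to match the secret at all. It also matches
          # any other secret whose name starts with SecretName.
          - Effect: Allow
            Action:
              - 'secretsmanager:GetSecretValue'
            Resource: !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretName}*'
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
          - Effect: Allow
            Action:
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaFunctionName}:*'
          # Read-only, but granted on every query execution in the account; the
          # calling workgroup is not known at deploy time.
          - Effect: Allow
            Action:
              - 'athena:GetQueryExecution'
            Resource: '*'
          # ENI management for VPC attachment. Overlaps with the managed policy on
          # FunctionRole; ec2:DetachNetworkInterface appears to be the only action
          # that is unique to this statement.
          - Effect: Allow
            Action:
              - 'ec2:CreateNetworkInterface'
              - 'ec2:DeleteNetworkInterface'
              - 'ec2:DescribeNetworkInterfaces'
              - 'ec2:DetachNetworkInterface'
            Resource: '*'
          # Spill bucket access. This goes beyond reading/writing spilled objects:
          # s3:PutObjectAcl writes object ACLs (buckets with Object Ownership set to
          # BucketOwnerEnforced no longer honour ACLs) and
          # s3:PutLifecycleConfiguration lets the function rewrite the bucket's
          # lifecycle rules. Whether the connector actually calls either is not
          # visible from this template; drop them once that is confirmed.
          - Effect: Allow
            Action:
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:GetBucketLocation'
              - 's3:GetObjectVersion'
              - 's3:PutObject'
              - 's3:PutObjectAcl'
              - 's3:GetLifecycleConfiguration'
              - 's3:PutLifecycleConfiguration'
              - 's3:DeleteObject'
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${SpillBucket}'
              - !Sub 'arn:${AWS::Partition}:s3:::${SpillBucket}/*'
          # Scoped to the single Glue connection named in the parameters (plus the
          # catalog, which GetConnection needs alongside it).
          - Effect: Allow
            Action:
              - 'glue:GetConnection'
            Resource:
              - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:connection/${GlueConnection}'
              - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'

  # Attached only when a KmsKeyId is given AND the template owns the role.
  FunctionKmsPolicy:
    Condition: CreateKmsPolicy
    Type: 'AWS::IAM::Policy'
    Properties:
      Roles:
        - !Ref FunctionRole
      PolicyName: FunctionKmsPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # kms:GenerateRandom takes no resource, so '*' is the only valid scope.
          - Effect: Allow
            Action:
              - 'kms:GenerateRandom'
            Resource: '*'
          # The ARN is built from a bare key ID, so KmsKeyId must be the key's UUID;
          # an alias or full key ARN would produce a malformed resource ARN here.
          - Effect: Allow
            Action:
              - 'kms:GenerateDataKey'
            Resource: !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KmsKeyId}'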