monitoring-apache-iceberg-table-metadata-layer/template.yaml at main · aws-samples/monitoring-apache-iceberg-table-metadata-layer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  CWNamespace:
    Description: Amazon CloudWatch custom metric namespace
    Type: String
  GlueServiceRole:
    Description: AWS Glue Service Role with permissions to create session.
    Type: String
  Warehouse:
    Description: warehouse is a required catalog property to determine the root path of the data warehouse in storage.
    Type: String
Globals:
  Function:
    Timeout: 360
    MemorySize: 512
Resources:
  IcebergMetricsLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambda/
      Handler: app.lambda_handler
      Runtime: python3.9
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - AWSLambdaBasicExecutionRole
        - AmazonS3ReadOnlyAccess
        - Statement:
          - Sid: GlueInteractiveSessionPolicy
            Effect: Allow
            Action:
            - glue:GetSession
            - glue:CreateSession
            - glue:GetStatement
            - glue:RunStatement
            - glue:GetSession
            - glue:ListStatements
            Resource: !Sub 'arn:aws:glue:*:${AWS::AccountId}:session/*'
          - Sid: IAMPassRoleForGlueIS
            Effect: Allow
            Action:
            - iam:PassRole
            Resource: !Ref GlueServiceRole
          - Sid: GlueDataCatalogPolicy
            Effect: Allow
            Action:
            - glue:GetTable
            - glue:GetTableVersion
            - glue:GetTables
            - glue:GetDatabase
            - glue:GetDatabases
            - glue:SearchTables
            - glue:GetTableVersions
            - glue:GetPartitions
            - glue:ListSessions
            Resource: '*'
      Architectures:
        - x86_64
      Environment:
        Variables:
          CW_NAMESPACE: !Ref CWNamespace
          GLUE_SERVICE_ROLE: !Ref GlueServiceRole
          SPARK_CATALOG_S3_WAREHOUSE: !Ref Warehouse
  PermissionForEventBridgeToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref IcebergMetricsLambda
      Action: 'lambda:InvokeFunction'
      Principal: 'events.amazonaws.com'
      SourceArn: !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/IcebergTablesUpdateRule*'
Outputs:
  IcebergMetricsLambda:
    Description: Lambda Function ARN
    Value: !GetAtt IcebergMetricsLambda.Arn