[IBCDPE-923] snowflake integration (#112)

* Integrate s3 buckets with snowflake * Remove prod first * Fix sub and ref * Update parameter to id * Add external id * Use string * Use string * simplify policy and add snowflake role * Add prod configuration * Make these strings
Sage-Bionetworks · Jun 10, 2024 · cadb0b4 · cadb0b4
1 parent 8d027ed
commit cadb0b4
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 0 deletions.
diff --git a/config/develop/snowflake-s3-role.yaml b/config/develop/snowflake-s3-role.yaml
@@ -0,0 +1,11 @@
+template:
+  path: snowflake-s3-role.yaml
+stack_name: snowflake-s3-role
+parameters:
+  S3SourceBucketName: {{ stack_group_config.input_bucket_name }}
+  S3IntermediateBucketName: {{ stack_group_config.intermediate_bucket_name }}
+  S3ParquetBucketName: {{ stack_group_config.processed_data_bucket_name }}
+  AWSAccountId: "arn:aws:iam::637423216157:user/v93m0000-s"
+  ExternalId: "0"
+stack_tags:
+  {{ stack_group_config.default_stack_tags }}
diff --git a/config/prod/snowflake-s3-role.yaml b/config/prod/snowflake-s3-role.yaml
@@ -0,0 +1,11 @@
+template:
+  path: snowflake-s3-role.yaml
+stack_name: snowflake-s3-role
+parameters:
+  S3SourceBucketName: {{ stack_group_config.input_bucket_name }}
+  S3IntermediateBucketName: {{ stack_group_config.intermediate_bucket_name }}
+  S3ParquetBucketName: {{ stack_group_config.processed_data_bucket_name }}
+  AWSAccountId: "659375444835"
+  ExternalId: "0"
+stack_tags:
+  {{ stack_group_config.default_stack_tags }}
diff --git a/templates/snowflake-s3-role.yaml b/templates/snowflake-s3-role.yaml
@@ -0,0 +1,75 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Description: A Snowflake Role for the S3 to Snowflake Integration
+
+Parameters:
+
+  S3SourceBucketName:
+    Type: String
+    Description: Name of the S3 bucket where source data are stored.
+
+  S3IntermediateBucketName:
+    Type: String
+    Description: Name of the S3 intermediate (JSON) bucket
+
+  S3ParquetBucketName:
+    Type: String
+    Description: Name of the S3 Parquet bucket
+
+  AWSAccountId:
+    Type: String
+    Description: The Snowflake AWS Account ID
+
+  ExternalId:
+    Type: String
+    Description: The External ID
+
+Resources:
+
+  SnowflakeRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: !Ref AWSAccountId
+            Action: "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref ExternalId
+
+      Policies:
+      - PolicyName: snowflake-s3-iam-policy
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Action:
+            - s3:GetObject
+            - s3:GetObjectVersion
+            Resource:
+            - !Sub arn:aws:s3:::${S3SourceBucketName}/*
+            - !Sub arn:aws:s3:::${S3IntermediateBucketName}/*
+            - !Sub arn:aws:s3:::${S3ParquetBucketName}/*
+          - Effect: Allow
+            Action:
+            - s3:ListBucket
+            - s3:GetBucketLocation
+            Resource:
+            - !Sub arn:aws:s3:::${S3SourceBucketName}
+            - !Sub arn:aws:s3:::${S3IntermediateBucketName}
+            - !Sub arn:aws:s3:::${S3ParquetBucketName}
+
+Outputs:
+
+  RoleName:
+    Value: !Ref SnowflakeRole
+    Export:
+      Name: !Sub '${AWS::Region}-${AWS::StackName}-RoleName'
+
+  RoleArn:
+    Value: !GetAtt SnowflakeRole.Arn
+    Export:
+      Name: !Sub '${AWS::Region}-${AWS::StackName}-RoleArn'