From cadb0b45196faf9b1ec5e11bc41bb9e01bf4bc18 Mon Sep 17 00:00:00 2001
From: Thomas Yu
Date: Mon, 10 Jun 2024 00:37:25 -0700
Subject: [PATCH] [IBCDPE-923] snowflake integration (#112)
* Integrate s3 buckets with snowflake
* Remove prod first
* Fix sub and ref
* Update parameter to id
* Add external id
* Use string
* Use string
* simplify policy and add snowflake role
* Add prod configuration
* Make these strings
---
config/develop/snowflake-s3-role.yaml | 11 ++++
config/prod/snowflake-s3-role.yaml | 11 ++++
templates/snowflake-s3-role.yaml | 75 +++++++++++++++++++++++++++
3 files changed, 97 insertions(+)
create mode 100644 config/develop/snowflake-s3-role.yaml
create mode 100644 config/prod/snowflake-s3-role.yaml
create mode 100644 templates/snowflake-s3-role.yaml
diff --git a/config/develop/snowflake-s3-role.yaml b/config/develop/snowflake-s3-role.yaml
new file mode 100644
index 00000000..b93410e7
--- /dev/null
+++ b/config/develop/snowflake-s3-role.yaml
@@ -0,0 +1,11 @@
+template:
+ path: snowflake-s3-role.yaml
+stack_name: snowflake-s3-role
+parameters:
+ S3SourceBucketName: {{ stack_group_config.input_bucket_name }}
+ S3IntermediateBucketName: {{ stack_group_config.intermediate_bucket_name }}
+ S3ParquetBucketName: {{ stack_group_config.processed_data_bucket_name }}
+ AWSAccountId: "arn:aws:iam::637423216157:user/v93m0000-s"
+ ExternalId: "0"
+stack_tags:
+ {{ stack_group_config.default_stack_tags }}
diff --git a/config/prod/snowflake-s3-role.yaml b/config/prod/snowflake-s3-role.yaml
new file mode 100644
index 00000000..9162d261
--- /dev/null
+++ b/config/prod/snowflake-s3-role.yaml
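Review bot: `ExternalId: "0"` in config/develop/snowflake-s3-role.yaml turns the `sts:ExternalId` condition of the role's trust policy into a constant that anyone can supply, so it gives no confused-deputy protection; config/prod/snowflake-s3-role.yaml uses the same value. If this is the placeholder used while a Snowflake storage integration is being set up, it has to be replaced by the integration's `STORAGE_AWS_EXTERNAL_ID` before the role is relied on, and a comment such as `# placeholder: replace with STORAGE_AWS_EXTERNAL_ID from DESC INTEGRATION` would make that intermediate state visible. Separately, `AWSAccountId` here holds an IAM user ARN rather than an account ID, which is valid as a principal but contradicts the parameter name.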
@@ -0,0 +1,11 @@
+template:
+ path: snowflake-s3-role.yaml
+stack_name: snowflake-s3-role
+parameters:
+ S3SourceBucketName: {{ stack_group_config.input_bucket_name }}
+ S3IntermediateBucketName: {{ stack_group_config.intermediate_bucket_name }}
+ S3ParquetBucketName: {{ stack_group_config.processed_data_bucket_name }}
+ AWSAccountId: "659375444835"
+ ExternalId: "0"
+stack_tags:
+ {{ stack_group_config.default_stack_tags }}
diff --git a/templates/snowflake-s3-role.yaml b/templates/snowflake-s3-role.yaml
new file mode 100644
index 00000000..e726a5ee
--- /dev/null
+++ b/templates/snowflake-s3-role.yaml
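Review bot: `AWSAccountId: "659375444835"` puts a bare account ID into the trust-policy principal, which IAM resolves to the account root, so every identity in that account that is allowed to call `sts:AssumeRole` can take this role on the production buckets. The develop config names a single IAM user ARN instead, and whether this account belongs to Snowflake or is a setup placeholder is not visible from the diff. Prod should name the specific Snowflake IAM user as develop does, in the form `AWSAccountId: "arn:aws:iam::<ACCOUNT_ID>:user/<SNOWFLAKE_USER>"` (placeholder values), taken from the integration's `STORAGE_AWS_IAM_USER_ARN`.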
@@ -0,0 +1,75 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Description: A Snowflake Role for the S3 to Snowflake Integration
+
+Parameters:
+
+ S3SourceBucketName:
+ Type: String
+ Description: Name of the S3 bucket where source data are stored.
+
+ S3IntermediateBucketName:
+ Type: String
+ Description: Name of the S3 intermediate (JSON) bucket
+
+ S3ParquetBucketName:
+ Type: String
+ Description: Name of the S3 Parquet bucket
+
+ AWSAccountId:
+ Type: String
+ Description: The Snowflake AWS Account ID
+
+ ExternalId:
+ Type: String
+ Description: The External ID
+
+Resources:
+
+ SnowflakeRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS: !Ref AWSAccountId
+ Action: "sts:AssumeRole"
+ Condition:
+ StringEquals:
+ sts:ExternalId: !Ref ExternalId
+
+ Policies:
+ - PolicyName: snowflake-s3-iam-policy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:GetObjectVersion
+ Resource:
+ - !Sub arn:aws:s3:::${S3SourceBucketName}/*
+ - !Sub arn:aws:s3:::${S3IntermediateBucketName}/*
+ - !Sub arn:aws:s3:::${S3ParquetBucketName}/*
+ - Effect: Allow
+ Action:
+ - s3:ListBucket
+ - s3:GetBucketLocation
+ Resource:
+ - !Sub arn:aws:s3:::${S3SourceBucketName}
+ - !Sub arn:aws:s3:::${S3IntermediateBucketName}
+ - !Sub arn:aws:s3:::${S3ParquetBucketName}
+
+Outputs:
+
+ RoleName:
+ Value: !Ref SnowflakeRole
+ Export:
+ Name: !Sub '${AWS::Region}-${AWS::StackName}-RoleName'
+
+ RoleArn:
+ Value: !GetAtt SnowflakeRole.Arn
+ Export:
+ Name: !Sub '${AWS::Region}-${AWS::StackName}-RoleArn'
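Review bot: The `AWSAccountId` and `ExternalId` parameters are unconstrained strings that go straight into the trust policy (`AWS: !Ref AWSAccountId`, `sts:ExternalId: !Ref ExternalId`), so the template accepts an account-wide principal and a one-character external ID without complaint. I would describe the first as what it really is, `Description: ARN of the IAM principal allowed to assume this role (Snowflake STORAGE_AWS_IAM_USER_ARN)`, and give it an `AllowedPattern` that admits only an IAM user ARN. `ExternalId` should get a `MinLength` and a description naming its source (Snowflake `STORAGE_AWS_EXTERNAL_ID`), so a placeholder value fails at deploy time instead of silently weakening the `Condition`. The S3 statements are read-only and limited to the three named buckets, which is appropriately narrow.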