AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > Stack that deploys one Lambda function that reads from DynamoDB Stream and replicates the changes to Target DynamoDB Table cross account Functoion is triggered by DynamoDB stream Parameters: TargetDynamoDBTable: Type: String ConstraintDescription: '[A-Za-z0-9_]+' Description: > Target DynamoDB Table name TargetRegion: Type: String ConstraintDescription: '[a-z0-9\-]+' Default: 'eu-west-1' Description: > The region for the target DynamoDB table TargetAccountNumber: Type: String ConstraintDescription: '[0-9]+' Description: > Target AWS Account Number TargetRoleName: Type: String Description: > Target IAM Role name to be assumed by the Glue job. SourceDynamoDBTable: Type: String ConstraintDescription: '[A-Za-z0-9_]+' Description: > Source DynamoDB Table name WorkerType: Type: String Default: 'G.2X' Description: > The type of predefined worker that is allocated when a job runs. Accepts a value of Standard, G.1X, or G.2X. NumberOfWorkers: Type: Number Default: 145 Description: > The number of workers of a defined workerType that are allocated when a job runs. JobName: Type: String Default: 'Initial_Load' Description: > Name of the Glue Job Resources: # Glue Job for initial load InitialLoadJob: Type: AWS::Glue::Job Properties: Role: !Ref GlueJobRole Description: Job created with CloudFormation DefaultArguments: "--TARGET_DYNAMODB_NAME": !Ref TargetDynamoDBTable "--TARGET_AWS_ACCOUNT_NUMBER": !Ref TargetAccountNumber "--TARGET_ROLE_NAME": !Ref TargetRoleName "--TARGET_REGION": !Ref TargetRegion "--SOURCE_DYNAMODB_NAME": !Ref SourceDynamoDBTable "--WORKER_TYPE": !Ref WorkerType "--NUM_WORKERS": !Ref NumberOfWorkers Command: Name: glueetl PythonVersion: 3 ScriptLocation: Glue_Jobs/InitialLoad.py NumberOfWorkers: !Ref NumberOfWorkers WorkerType: !Ref WorkerType GlueVersion: 2.0 ExecutionProperty: MaxConcurrentRuns: 1 Name: !Ref JobName GlueJobRole: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "glue.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" Policies: - PolicyName: "CrossAccountAssumeRole" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - sts:AssumeRole Resource: !Sub "arn:aws:iam::${TargetAccountNumber}:role/${TargetRoleName}" - PolicyName: "DynamoDBReadOnly" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - dynamodb:BatchGetItem - dynamodb:DescribeTable - dynamodb:GetItem - dynamodb:Scan - dynamodb:Query Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${SourceDynamoDBTable}" - Effect: "Allow" Action: - dynamodb:ListTables Resource: "*" - PolicyName: "GlueS3BucketAccess" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - s3:GetObject - s3:PutObject - s3:DeleteObject - s3:GetObject Resource: "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*/*"