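---
# CloudFormation template: an IAM role, an AWS Glue ETL job and a Glue
# security configuration, all parameterised by an existing S3 bucket and an
# existing KMS key.
#
# The format version is quoted so that generic YAML loaders keep it a string
# instead of resolving the ISO-looking value to a date.
AWSTemplateFormatVersion: "2010-09-09"
Description: "**WARNING** This template creates IAM Role, AWS Glue job and related resources. You will be billed for the AWS resources used if you create a stack from this template."
Parameters:
  # Name (not ARN) of a bucket that already exists. The template builds the
  # bucket ARN and the s3:// script location from this value.
  S3Bucketname:
    Description: Name of the existing Artifact store S3 bucket creation
    Type: String
  # Referenced as an IAM policy Resource and as KmsKeyArn in the Glue
  # security configuration, so the value is expected to be a full key ARN
  # rather than a key ID or alias.
  # NOTE(review): no AllowedPattern enforces this - confirm callers pass an ARN.
  KMSKey:
    Description: KMS Key used to encrypt the bucket
    Type: String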
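Resources:
  # Execution role for the Glue job. Only the Glue service may assume it.
  # NOTE(review): the inline policy grants S3 and KMS access only. Nothing in
  # this template grants CloudWatch Logs permissions, although the security
  # configuration below enables CloudWatch encryption (which normally also
  # needs logs:AssociateKmsKey) - confirm where the job gets them.
  GlueJobRole:
    Type: AWS::IAM::Role
    Metadata:
      cdk_nag:
        rules_to_suppress:
          # The only wildcard is the object suffix on the bucket ARN below.
          - id: AwsSolutions-IAM5
            reason: "Wild card in policy is required for matching S3 objects"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Bucket-level action, scoped to the bucket ARN only.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${S3Bucketname}"
              # Object-level actions, scoped to object ARNs only. Splitting
              # the statement keeps each action paired with the resource type
              # it applies to; the effective permissions are unchanged.
              # NOTE(review): write and delete cover every key in the bucket,
              # including the job's own script under GlueJobs/. Consider
              # narrowing to the prefixes the job actually reads and writes.
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${S3Bucketname}/*"
              # Use of the single customer-managed key passed as a parameter.
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:Encrypt
                  - kms:GenerateDataKey
                  - kms:DescribeKey
                Resource:
                  - !Ref "KMSKey"
  # Glue ETL job that runs the script stored in the artifact bucket under the
  # role above, with the encryption settings of GlueSecurityConfiguration.
  GlueJob:
    Type: AWS::Glue::Job
    Properties:
      Command:
        Name: glueetl
        ScriptLocation: !Sub "s3://${S3Bucketname}/GlueJobs/sample.py"
      DefaultArguments:
        --job-bookmark-option: job-bookmark-enable
      GlueVersion: "4.0"
      ExecutionProperty:
        MaxConcurrentRuns: 2
      MaxRetries: 0
      # Fixed job name: a second stack from this template in the same account
      # and region would presumably collide on it.
      Name: samplejob
      Role: !Ref "GlueJobRole"
      # Ten G.2X workers per run; this is the main cost driver the template
      # Description warns about.
      WorkerType: G.2X
      NumberOfWorkers: 10
      SecurityConfiguration: !Ref "GlueSecurityConfiguration"
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
  # Encrypts CloudWatch logs, job bookmarks and S3 output with the same KMS
  # key that the job role is allowed to use.
  # NOTE(review): the key policy is outside this template; it must also let
  # the services involved use the key - TODO confirm.
  GlueSecurityConfiguration:
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      # Fixed name, shared by every stack created from this template.
      Name: DefaultSecurityConfiguration
      EncryptionConfiguration:
        CloudWatchEncryption:
          CloudWatchEncryptionMode: SSE-KMS
          KmsKeyArn: !Ref "KMSKey"
        JobBookmarksEncryption:
          JobBookmarksEncryptionMode: CSE-KMS
          KmsKeyArn: !Ref "KMSKey"
        S3Encryptions:
          - KmsKeyArn: !Ref "KMSKey"
            S3EncryptionMode: SSE-KMS
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete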