return EnvironmentLogsBucketName from integraiton test getEnv query (#…

…1697)  - Bugfix - Fix integration test teardown of environment bug on cleaning up EnvironmentLogsBucketName - #1695 Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
data-dot-all · Dec 4, 2024 · 48b6b76 · 48b6b76
1 parent 8794b10
commit 48b6b76
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 1 deletion.
diff --git a/backend/dataall/core/environment/cdk/environment_stack.py b/backend/dataall/core/environment/cdk/environment_stack.py
@@ -599,9 +599,20 @@ def create_integration_tests_role(self):
                     's3:List*',
                     's3:GetObject*',
                     's3:DeleteObject',
+                    's3:DeleteObjectVersion',
                 ],
                 effect=iam.Effect.ALLOW,
-                resources=['arn:aws:s3:::dataalltesting*'],
+                resources=[
+                    'arn:aws:s3:::dataalltesting*',
+                    'arn:aws:s3:::dataalltesting*/*',
+                    'arn:aws:s3:::dataall-session*',
+                    'arn:aws:s3:::dataall-session*/*',
+                    'arn:aws:s3:::dataall-test-session*',
+                    'arn:aws:s3:::dataall-test-session*/*',
+                    'arn:aws:s3:::dataall-temp*',
+                    'arn:aws:s3:::dataall-temp*/*',
+                    'arn:aws:s3:::dataall-env-access-logs*',
+                ],
             )
         )
         self.test_role.add_to_policy(
@@ -620,8 +631,10 @@ def create_integration_tests_role(self):
             iam.PolicyStatement(
                 actions=[
                     'lakeformation:GrantPermissions',
+                    'lakeformation:RevokePermissions',
                     'lakeformation:PutDataLakeSettings',
                     'lakeformation:GetDataLakeSettings',
+                    'glue:GetDatabase',
                     'kms:CreateKey',
                     'kms:CreateAlias',
                     'kms:DeleteAlias',
@@ -630,7 +643,11 @@ def create_integration_tests_role(self):
                     'kms:PutKeyPolicy',
                     'kms:ScheduleKeyDeletion',
                     'kms:TagResource',
+                    'kms:DescribeKey',
                     's3:GetBucketVersioning',
+                    's3:List*',
+                    's3:ListAccessPoints',
+                    's3:DeleteAccessPoint',
                 ],
                 effect=iam.Effect.ALLOW,
                 resources=['*'],
@@ -667,3 +684,40 @@ def create_integration_tests_role(self):
                 resources=[f'arn:aws:cloudformation:*:{self.account}:stack/*/*'],
             ),
         )
+
+        self.test_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=[
+                    'iam:GetRole',
+                    'iam:CreateRole',
+                    'iam:DeleteRole',
+                    'iam:PutRolePolicy',
+                    'iam:DeleteRolePolicy',
+                    'iam:DetachRolePolicy',
+                    'iam:ListAttachedRolePolicies',
+                ],
+                effect=iam.Effect.ALLOW,
+                resources=[
+                    f'arn:aws:iam::{self.account}:role/dataall-test-*',
+                    f'arn:aws:iam::{self.account}:role/dataall-session*',
+                ],
+            ),
+        )
+
+        self.test_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=[
+                    'quicksight:DescribeAccountSubscription',
+                ],
+                effect=iam.Effect.ALLOW,
+                resources=[f'arn:aws:quicksight:*:{self.account}:*'],
+            ),
+        )
+
+        self.test_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=['redshift:DeauthorizeDataShare'],
+                effect=iam.Effect.ALLOW,
+                resources=[f'arn:aws:redshift:{self.region}:{self.account}:datashare:*/dataall*'],
+            ),
+        )
diff --git a/tests_new/integration_tests/core/environment/queries.py b/tests_new/integration_tests/core/environment/queries.py
@@ -11,6 +11,7 @@
 tags
 SamlGroupName
 EnvironmentDefaultBucketName
+EnvironmentLogsBucketName
 EnvironmentDefaultIAMRoleArn
 EnvironmentDefaultIAMRoleName
 EnvironmentDefaultIAMRoleImported