10

我对如何使用 terraform 将 Athena 连接到我的 Glue Catalog 数据库感到困惑。

我用

resource "aws_glue_catalog_database" "catalog_database" {
    name = "${var.glue_db_name}"
}

resource "aws_glue_crawler" "datalake_crawler" {
    database_name = "${var.glue_db_name}"
    name          = "${var.crawler_name}"
    role          = "${aws_iam_role.crawler_iam_role.name}"
    description   = "${var.crawler_description}"
    table_prefix  = "${var.table_prefix}"
    schedule      = "${var.schedule}" 

    s3_target {
      path = "s3://${var.data_bucket_name[0]}"
  }
    s3_target {
      path = "s3://${var.data_bucket_name[1]}"
  }
 }

创建一个 Glue DB 和爬虫来爬取一个 s3 存储桶(这里只有两个),但我不知道如何将 Athena 查询服务链接到 Glue DB。在 terraform 文档中Athena,似乎没有办法将 Athena 连接到 Glue 目录,而只能连接到 S3 Bucket。然而,显然Athena 可以与 Glue 集成

如何改造 Athena 数据库以使用我的 Glue 目录而不是 S3 存储桶作为其数据源?

4

2 回答 2

6

我们当前让 Glue 抓取一个 S3 存储桶并在 Glue DB 中创建/更新表(然后可以在 Athena 中查询)的基本设置如下所示:

爬虫角色和角色策略:

  • IAM角色的assume_role_policy只需要Glue作为principal
  • IAM 角色策略允许对 Glue、S3 和日志执行操作
  • 胶水行动和资源可能会缩小到真正需要的
  • S3 操作仅限于爬虫所需的操作
resource "aws_iam_role" "glue_crawler_role" {
  name = "analytics_glue_crawler_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "glue_crawler_role_policy" {
  name = "analytics_glue_crawler_role_policy"
  role = "${aws_iam_role.glue_crawler_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:*",
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::analytics-product-data",
        "arn:aws:s3:::analytics-product-data/*",
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:/aws-glue/*"
      ]
    }
  ]
}
EOF
}

S3 存储桶、胶水数据库和爬虫:

resource "aws_s3_bucket" "product_bucket" {
  bucket = "analytics-product-data"
  acl = "private"
}

resource "aws_glue_catalog_database" "analytics_db" {
  name = "inventory-analytics-db"
}

resource "aws_glue_crawler" "product_crawler" {
  database_name = "${aws_glue_catalog_database.analytics_db.name}"
  name = "analytics-product-crawler"
  role = "${aws_iam_role.glue_crawler_role.arn}"

  schedule = "cron(0 0 * * ? *)"

  configuration = "{\"Version\": 1.0, \"CrawlerOutput\": { \"Partitions\": { \"AddOrUpdateBehavior\": \"InheritFromTable\" }, \"Tables\": {\"AddOrUpdateBehavior\": \"MergeNewColumns\" } } }"

  schema_change_policy {
    delete_behavior = "DELETE_FROM_DATABASE"
  }

  s3_target {
    path = "s3://${aws_s3_bucket.product_bucket.bucket}/products"
  }
}
于 2019-03-30T00:06:25.850 回答
0

我的 Terraform 代码有很多问题。首先:

  1. 代码中的S3bucket 参数是指用于查询输出的存储桶,而不是应该构建表的数据。aws_athena_database
  2. 我已将我的设置aws_glue_crawler写入 Glue 数据库而不是 Athena 数据库。事实上,正如 Martin 上面所建议的,一旦正确设置,Athena 就能够看到 Glue db 中的表。

  3. 我的爬虫没有附加正确的策略。最初,附加到爬虫角色的唯一策略是

    resource "aws_iam_role_policy_attachment" "crawler_attach" {
    policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
    role = "${aws_iam_role.crawler_iam_role.name}"
}

    在设置了第二个策略,明确允许所有S3访问我想要爬取的所有存储桶并将该策略附加到相同的爬虫角色后,爬虫成功运行并更新了表。

第二条政策:

resource "aws_iam_policy" "crawler_bucket_policy" {
    name = "crawler_bucket_policy"
    path = "/"
    description = "Gives crawler access to buckets"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1553807998309",
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1553808056033",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket0"
    },
    {
      "Sid": "Stmt1553808078743",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket1"
    },
    {
      "Sid": "Stmt1553808099644",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket2"
    },
    {
      "Sid": "Stmt1553808114975",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket3"
    },
    {
      "Sid": "Stmt1553808128211",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket4"
    }
  ]
}
EOF
}

我相信我可以避免在此策略中对存储桶名称进行硬编码,但我还不知道该怎么做。

于 2019-03-28T22:20:11.627 回答