I don't know if this is a bug per-se, maybe its by design. It could be considered an enhancement request. There are certain actions like PutResourcePolicy that do not provide the catalogId in the event body. I have tried using the account id in place of it as I understand they can be interchangeable but it will filter down to 0 resources matched. Unlike if I was doing a polling policy.
https://docs.aws.amazon.com/glue/latest/webapi/API_PutResourcePolicy.html
Example Policy
- name: net-change-rbp-cross-account
resource: aws.glue-catalog
mode:
type: cloudtrail
role: arn:aws:iam::644160558196:role/fakerole
events:
- source: glue.amazonaws.com
event: PutResourcePolicy
ids: account
filters:
- type: cross-account
actions:
- type: notify
to:
- [email protected]
transport:
type: sns
topic: arn:aws:sns:us-east-1:644160558196:faketopic
Sample event
{
"version": "0",
"id": "4186524f-f288-ecb2-0052-fwdqdfwdq",
"detail-type": "AWS API Call via CloudTrail",
"source": "aws.glue",
"account": "644160558196",
"time": "2020-06-04T15:18:28Z",
"region": "us-east-1",
"resources": [],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "sdafadsfdsaf",
"arn": "arn:aws:iam::644160558196:user/[email protected]",
"accountId": "644160558196",
"accessKeyId": "dfwdfqfdqwf",
"userName": "[email protected]",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-06-04T15:06:07Z"
}
}
},
"eventTime": "2020-06-04T15:18:28Z",
"eventSource": "glue.amazonaws.com",
"eventName": "PutResourcePolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "99.99.99.99",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"policyHashCondition": "ggigiigpjjjoppjojpo==",
"policyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:PrincipalOrgID\": \"o-4amkskbcf3\"\n } \n }\n } ]\n}"
},
"responseElements": {
"policyHash": "fghfhgfhgfgh=="
},
"requestID": "562ac246-0da8-4eb7-143tt431t-7053b5ecf789",
"eventID": "ttityitiit-9b01-13t4113-a1db-57f55e636789",
"eventType": "AwsApiCall"
},
"debug": true
}
the solution would be a change to the catalog resource to implement a match_ids, get_resources method that always returns a resource. similar to how the synthetic resource aws.account works.
Thanks for the guidance @kapilt! I followed the trail to that match_ids method call from policy.py and didn鈥檛 even think of overriding. It was late and a long day :) I鈥檒l throw a pr up today to address.
Thanks @JohnHillegass and @kapilt !
Hey @PratMis and @kapilt, I have submitted PR #5841 to address this
Most helpful comment
the solution would be a change to the catalog resource to implement a match_ids, get_resources method that always returns a resource. similar to how the synthetic resource aws.account works.