From e8bca67ec1167d80dfe59d71c8e9fedc4dff9548 Mon Sep 17 00:00:00 2001
From: Iakov Gan
Date: Sat, 28 Oct 2023 09:26:23 +0200
Subject: [PATCH 1/2] allways allow access to data collection bucket for account map access
---
 cfn-templates/cid-cfn.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index bd30f91e..827b4477 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
@@ -269,7 +269,9 @@ Conditions:
 NeedQuickSightDataSourceRoleAndODC:
 Fn::And:
 - !Condition NeedQuickSightDataSourceRole
- - !Condition NeedDataCollectionLab
+ - Fn::Or:
+ - !Condition NeedDataCollectionLab
+ - !Condition NeedCUR # For CUR related dashboards we still need access to data collection for additional data (account map)
 Resources:
 SpiceRefreshExecutionRole: #Role needed to schedule spice ingestion for the datasets
From 9acb8a81baa877e69b101e236908c49a09763d5d Mon Sep 17 00:00:00 2001
From: Iakov Gan
Date: Sat, 28 Oct 2023 09:47:26 +0200
Subject: [PATCH 2/2] better conditions
---
 cfn-templates/cid-cfn.yml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index 827b4477..29a2e044 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
@@ -266,12 +266,6 @@ Conditions:
 Fn::And:
 - !Condition NeedQuickSightDataSourceRole
 - !Condition NeedCUR
- NeedQuickSightDataSourceRoleAndODC:
- Fn::And:
- - !Condition NeedQuickSightDataSourceRole
- - Fn::Or:
- - !Condition NeedDataCollectionLab
- - !Condition NeedCUR # For CUR related dashboards we still need access to data collection for additional data (account map)
 Resources:
 SpiceRefreshExecutionRole: #Role needed to schedule spice ingestion for the datasets
@@ -789,7 +783,7 @@ Resources:
 ProcessedODCPath:
 Type: Custom::CustomResourceProcessPath
- Condition: NeedDataCollectionLab
+ #Condition: NeedDataCollectionLab #Need to process ODC lab path regardless dashboards. CUR dashboards need ODC for account map
 Properties:
 ServiceToken: !GetAtt CustomResourceProcessPath.Arn
 s3path: !Ref OptimizationDataCollectionBucketPath
@@ -1081,7 +1075,7 @@ Resources:
 QuickSightDataSourceRolePolicyForODCBucket:
 Type: AWS::IAM::Policy
- Condition: NeedQuickSightDataSourceRoleAndODC
+ Condition: NeedQuickSightDataSourceRole # We need ODC bucket even if ODC dashboards are not activated (ex: for account map)
 Properties:
 PolicyName: QuickSightDataSource-S3AccessODC
 PolicyDocument:
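Review bot: Commenting out `Condition: NeedDataCollectionLab` on `ProcessedODCPath` leaves a disabled key in the template and makes the custom resource run on every deployment, including stacks that deploy neither CUR nor data collection dashboards. Delete the line and keep only the rationale, for example `# Always processed: CUR dashboards read the account map from the data collection bucket`. Because `s3path` is now always taken from `OptimizationDataCollectionBucketPath`, it is worth confirming that the parameter is validated or has a safe default, so the path handler never receives an empty or placeholder value. The parameter definition and the handler are outside this hunk.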
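Review bot: The new `Condition: NeedQuickSightDataSourceRole` on `QuickSightDataSourceRolePolicyForODCBucket` attaches data collection bucket access to the QuickSight data source role in every deployment that creates that role, which is broader than the account-map case the inline comment gives as the reason. The first patch in this series limited the policy to stacks with `NeedDataCollectionLab` or `NeedCUR`; keeping that condition instead of deleting `NeedQuickSightDataSourceRoleAndODC` would preserve least privilege for deployments that use neither. The `PolicyDocument` body lies outside the hunk, so please confirm that its actions are read-only and that its `Resource` is limited to the bucket and prefix the account map needs rather than the whole bucket. If the bucket named by the parameter may not exist in the deploying account, the grant would point at a globally namespaced bucket name the deployer does not control, which is worth ruling out.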