From 68bfc63de6c2c668465c68994328a5fb62923845 Mon Sep 17 00:00:00 2001 From: enriquh Date: Fri, 22 Mar 2024 15:02:16 +0100 Subject: [PATCH 1/5] Initial version of QuickSightSubscription construct --- framework/.projen/tasks.json | 3 + framework/API.md | 546 ++++++++++++++++++ framework/src/consumption/lib/index.ts | 1 + .../src/consumption/lib/quicksight/index.ts | 5 + .../quicksight-subscription-props.ts | 79 +++ .../lib/quicksight/quicksight-subscription.ts | 235 ++++++++ .../QuickSightSubscription/index.mjs | 93 +++ .../QuickSightSubscription/package-lock.json | 12 + .../QuickSightSubscription/package.json | 4 + 9 files changed, 978 insertions(+) create mode 100644 framework/src/consumption/lib/quicksight/index.ts create mode 100644 framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts create mode 100644 framework/src/consumption/lib/quicksight/quicksight-subscription.ts create mode 100644 framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/index.mjs create mode 100644 framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package-lock.json create mode 100644 framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package.json diff --git a/framework/.projen/tasks.json b/framework/.projen/tasks.json index a04d55813..22a3a4627 100644 --- a/framework/.projen/tasks.json +++ b/framework/.projen/tasks.json @@ -75,6 +75,9 @@ { "exec": "rsync -avr --exclude '*.ts' --exclude '*.js' src/consumption/lib/redshift/resources lib/consumption/lib/redshift" }, + { + "exec": "rsync -avr --exclude '*.ts' --exclude '*.js' src/consumption/lib/quicksight/resources lib/consumption/lib/quicksight" + }, { "exec": "rsync -avr --exclude '*.ts' --exclude '*.js' src/consumption/lib/opensearch/resources lib/consumption/lib/opensearch" } diff --git a/framework/API.md b/framework/API.md index 4ff630071..5dc035531 100644 --- a/framework/API.md +++ b/framework/API.md 
@@ -4441,6 +4441,374 @@ public readonly DSF_TRACKING_CODE: string; --- +### QuickSightSubscription + +Creates an asynchronous custom resource that handles the creation of a QuickSight subscription. + +*Example* + +```typescript +const subscription = new dsf.consumption.QuickSightSubscription(this, 'RedshiftNamespace', { + name: "default", + dbName: 'defaultdb', +}); +``` + + +#### Initializers + +```typescript +import { consumption } from '@cdklabs/aws-data-solutions-framework' + +new consumption.QuickSightSubscription(scope: Construct, id: string, props: QuickSightSubscriptionProps) +``` + +| **Name** | **Type** | **Description** | +| --- | --- | --- | +| scope | constructs.Construct | *No description.* | +| id | string | *No description.* | +| props | @cdklabs/aws-data-solutions-framework.consumption.QuickSightSubscriptionProps | *No description.* | + +--- + +##### `scope`Required + +- *Type:* constructs.Construct + +--- + +##### `id`Required + +- *Type:* string + +--- + +##### `props`Required + +- *Type:* @cdklabs/aws-data-solutions-framework.consumption.QuickSightSubscriptionProps + +--- + +#### Methods + +| **Name** | **Description** | +| --- | --- | +| toString | Returns a string representation of this construct. | +| createQuickSightSubscription | *No description.* | +| retrieveVersion | Retrieve DSF package.json version. | + +--- + +##### `toString` + +```typescript +public toString(): string +``` + +Returns a string representation of this construct. + +##### `createQuickSightSubscription` + +```typescript +public createQuickSightSubscription(): CustomResource +``` + +##### `retrieveVersion` + +```typescript +public retrieveVersion(): any +``` + +Retrieve DSF package.json version. + +#### Static Functions + +| **Name** | **Description** | +| --- | --- | +| isConstruct | Checks if `x` is a construct. 
| + +--- + +##### `isConstruct` + +```typescript +import { consumption } from '@cdklabs/aws-data-solutions-framework' + +consumption.QuickSightSubscription.isConstruct(x: any) +``` + +Checks if `x` is a construct. + +Use this method instead of `instanceof` to properly detect `Construct` +instances, even when the construct library is symlinked. + +Explanation: in JavaScript, multiple copies of the `constructs` library on +disk are seen as independent, completely different libraries. As a +consequence, the class `Construct` in each copy of the `constructs` library +is seen as a different class, and an instance of one class will not test as +`instanceof` the other class. `npm install` will not create installations +like this, but users may manually symlink construct libraries together or +use a monorepo tool: in those cases, multiple copies of the `constructs` +library can be accidentally installed, and `instanceof` will behave +unpredictably. It is safest to avoid using `instanceof`, and using +this type-testing method instead. + +###### `x`Required + +- *Type:* any + +Any object. + +--- + +#### Properties + +| **Name** | **Type** | **Description** | +| --- | --- | --- | +| node | constructs.Node | The tree node. | +| accountName | string | The name of your Amazon QuickSight account. | +| adminGroup | string[] | The admin group associated with your Active Directory or IAM Identity Center account. | +| authorGroup | string[] | The author group associated with your IAM Identity Center account. | +| executionRole | aws-cdk-lib.aws_iam.IRole | The IAM Role for the QuickSight account subscription execution. | +| identityRegion | string | The region to use as main QuickSight region (used to store configuration and identities info). | +| notificationEmail | string | The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. 
| +| readerGroup | string[] | The reader group associated with your IAM Identity Center account. | +| statusFunction | aws-cdk-lib.aws_lambda.IFunction | The Lambda Function for the QuickSight account subscription status checks. | +| statusLogGroup | aws-cdk-lib.aws_logs.ILogGroup | The CloudWatch Log Group for the QuickSight account subscription status checks. | +| submitFunction | aws-cdk-lib.aws_lambda.IFunction | The Lambda Function for the the Redshift Data submission. | +| submitLogGroup | aws-cdk-lib.aws_logs.ILogGroup | The CloudWatch Log Group for the QuickSight account subscription submission. | +| cleanUpFunction | aws-cdk-lib.aws_lambda.IFunction | The Lambda function for the QuickSight account subscription cleaning up lambda. | +| cleanUpLogGroup | aws-cdk-lib.aws_logs.ILogGroup | The CloudWatch Log Group for the QuickSight account subscription cleaning up lambda. | +| cleanUpRole | aws-cdk-lib.aws_iam.IRole | The IAM Role for the the QuickSight account subscription cleaning up lambda. | + +--- + +##### `node`Required + +```typescript +public readonly node: Node; +``` + +- *Type:* constructs.Node + +The tree node. + +--- + +##### `accountName`Required + +```typescript +public readonly accountName: string; +``` + +- *Type:* string + +The name of your Amazon QuickSight account. + +This name is unique over all of Amazon Web Services, and it appears only when users sign in. +You can't change AccountName value after the Amazon QuickSight account is created. + +--- + +##### `adminGroup`Required + +```typescript +public readonly adminGroup: string[]; +``` + +- *Type:* string[] + +The admin group associated with your Active Directory or IAM Identity Center account. 
+ +This field is required as IAM_IDENTITY_CENTER is +the only supported authentication method of the new Amazon QuickSight account + +--- + +##### `authorGroup`Required + +```typescript +public readonly authorGroup: string[]; +``` + +- *Type:* string[] + +The author group associated with your IAM Identity Center account. + +--- + +##### `executionRole`Required + +```typescript +public readonly executionRole: IRole; +``` + +- *Type:* aws-cdk-lib.aws_iam.IRole + +The IAM Role for the QuickSight account subscription execution. + +--- + +##### `identityRegion`Required + +```typescript +public readonly identityRegion: string; +``` + +- *Type:* string + +The region to use as main QuickSight region (used to store configuration and identities info). + +--- + +##### `notificationEmail`Required + +```typescript +public readonly notificationEmail: string; +``` + +- *Type:* string + +The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. + +--- + +##### `readerGroup`Required + +```typescript +public readonly readerGroup: string[]; +``` + +- *Type:* string[] + +The reader group associated with your IAM Identity Center account. + +--- + +##### `statusFunction`Required + +```typescript +public readonly statusFunction: IFunction; +``` + +- *Type:* aws-cdk-lib.aws_lambda.IFunction + +The Lambda Function for the QuickSight account subscription status checks. + +--- + +##### `statusLogGroup`Required + +```typescript +public readonly statusLogGroup: ILogGroup; +``` + +- *Type:* aws-cdk-lib.aws_logs.ILogGroup + +The CloudWatch Log Group for the QuickSight account subscription status checks. + +--- + +##### `submitFunction`Required + +```typescript +public readonly submitFunction: IFunction; +``` + +- *Type:* aws-cdk-lib.aws_lambda.IFunction + +The Lambda Function for the the Redshift Data submission. 
+ +--- + +##### `submitLogGroup`Required + +```typescript +public readonly submitLogGroup: ILogGroup; +``` + +- *Type:* aws-cdk-lib.aws_logs.ILogGroup + +The CloudWatch Log Group for the QuickSight account subscription submission. + +--- + +##### `cleanUpFunction`Optional + +```typescript +public readonly cleanUpFunction: IFunction; +``` + +- *Type:* aws-cdk-lib.aws_lambda.IFunction + +The Lambda function for the QuickSight account subscription cleaning up lambda. + +--- + +##### `cleanUpLogGroup`Optional + +```typescript +public readonly cleanUpLogGroup: ILogGroup; +``` + +- *Type:* aws-cdk-lib.aws_logs.ILogGroup + +The CloudWatch Log Group for the QuickSight account subscription cleaning up lambda. + +--- + +##### `cleanUpRole`Optional + +```typescript +public readonly cleanUpRole: IRole; +``` + +- *Type:* aws-cdk-lib.aws_iam.IRole + +The IAM Role for the the QuickSight account subscription cleaning up lambda. + +--- + +#### Constants + +| **Name** | **Type** | **Description** | +| --- | --- | --- | +| DSF_OWNED_TAG | string | *No description.* | +| DSF_TRACKING_CODE | string | *No description.* | +| RESOURCE_TYPE | string | *No description.* | + +--- + +##### `DSF_OWNED_TAG`Required + +```typescript +public readonly DSF_OWNED_TAG: string; +``` + +- *Type:* string + +--- + +##### `DSF_TRACKING_CODE`Required + +```typescript +public readonly DSF_TRACKING_CODE: string; +``` + +- *Type:* string + +--- + +##### `RESOURCE_TYPE`Required + +```typescript +public readonly RESOURCE_TYPE: string; +``` + +- *Type:* string + +--- + ### RedshiftData Creates an asynchronous custom resource that handles the execution of SQL using Redshift's Data API. 
@@ -10345,6 +10713,184 @@ This is the output path used in the `venv-pack -o` command in your Dockerfile. --- +### QuickSightSubscriptionProps + +The properties for the `QuickSightSubscription` construct. + +#### Initializer + +```typescript +import { consumption } from '@cdklabs/aws-data-solutions-framework' + +const quickSightSubscriptionProps: consumption.QuickSightSubscriptionProps = { ... } +``` + +#### Properties + +| **Name** | **Type** | **Description** | +| --- | --- | --- | +| accountName | string | The name of your Amazon QuickSight account. | +| adminGroup | string[] | The admin group associated with your Active Directory or IAM Identity Center account. | +| authenticationMethod | string | The method that you want to use to authenticate your Amazon QuickSight account. | +| authorGroup | string[] | The author group associated with your IAM Identity Center account. | +| awsAccountId | string | The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account. | +| edition | string | The edition of Amazon QuickSight that you want your account to have. | +| identityRegion | string | The region to use as main QuickSight region (used to store configuration and identities info). | +| notificationEmail | string | The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. | +| readerGroup | string[] | The reader group associated with your IAM Identity Center account. | +| executionTimeout | aws-cdk-lib.Duration | The timeout for the QuickSight account subscription. | +| removalPolicy | aws-cdk-lib.RemovalPolicy | The removal policy when deleting the CDK resource. | + +--- + +##### `accountName`Required + +```typescript +public readonly accountName: string; +``` + +- *Type:* string + +The name of your Amazon QuickSight account. + +This name is unique over all of Amazon Web Services, and it appears only when users sign in. 
+You can't change AccountName value after the Amazon QuickSight account is created. + +--- + +##### `adminGroup`Required + +```typescript +public readonly adminGroup: string[]; +``` + +- *Type:* string[] + +The admin group associated with your Active Directory or IAM Identity Center account. + +This field is required as IAM_IDENTITY_CENTER is +the only supported authentication method of the new Amazon QuickSight account + +--- + +##### `authenticationMethod`Required + +```typescript +public readonly authenticationMethod: string; +``` + +- *Type:* string + +The method that you want to use to authenticate your Amazon QuickSight account. + +Only IAM_IDENTITY_CENTER, IAM_AND_QUICKSIGHT and IAM_ONLY are supported + +--- + +##### `authorGroup`Required + +```typescript +public readonly authorGroup: string[]; +``` + +- *Type:* string[] + +The author group associated with your IAM Identity Center account. + +--- + +##### `awsAccountId`Required + +```typescript +public readonly awsAccountId: string; +``` + +- *Type:* string + +The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account. + +--- + +##### `edition`Required + +```typescript +public readonly edition: string; +``` + +- *Type:* string +- *Default:* ENTERPRISE is used as default. + +The edition of Amazon QuickSight that you want your account to have. + +Currently, you can choose from ENTERPRISE or ENTERPRISE_AND_Q . + +--- + +##### `identityRegion`Required + +```typescript +public readonly identityRegion: string; +``` + +- *Type:* string + +The region to use as main QuickSight region (used to store configuration and identities info). + +--- + +##### `notificationEmail`Required + +```typescript +public readonly notificationEmail: string; +``` + +- *Type:* string + +The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. 
+ +--- + +##### `readerGroup`Required + +```typescript +public readonly readerGroup: string[]; +``` + +- *Type:* string[] + +The reader group associated with your IAM Identity Center account. + +--- + +##### `executionTimeout`Optional + +```typescript +public readonly executionTimeout: Duration; +``` + +- *Type:* aws-cdk-lib.Duration +- *Default:* 5mins + +The timeout for the QuickSight account subscription. + +--- + +##### `removalPolicy`Optional + +```typescript +public readonly removalPolicy: RemovalPolicy; +``` + +- *Type:* aws-cdk-lib.RemovalPolicy +- *Default:* The resources are not deleted (`RemovalPolicy.RETAIN`). + +The removal policy when deleting the CDK resource. + +If DESTROY is selected, context value `@data-solutions-framework-on-aws/removeDataOnDestroy` needs to be set to true. +Otherwise, the removalPolicy is reverted to RETAIN. + +--- + ### RedshiftDataProps The properties for the `RedshiftData` construct. diff --git a/framework/src/consumption/lib/index.ts b/framework/src/consumption/lib/index.ts index 81417237b..eafae641c 100644 --- a/framework/src/consumption/lib/index.ts +++ b/framework/src/consumption/lib/index.ts @@ -4,3 +4,4 @@ export * from './redshift'; export * from './athena'; export * from './opensearch'; +export * from './quicksight'; diff --git a/framework/src/consumption/lib/quicksight/index.ts b/framework/src/consumption/lib/quicksight/index.ts new file mode 100644 index 000000000..53629aaf2 --- /dev/null +++ b/framework/src/consumption/lib/quicksight/index.ts @@ -0,0 +1,5 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +export * from './quicksight-subscription' +export * from './quicksight-subscription-props' \ No newline at end of file diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts new file mode 100644 index 000000000..d233e55d6 --- /dev/null 
+++ b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts 
@@ -0,0 +1,79 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { Duration, RemovalPolicy } from "aws-cdk-lib";
+
+
+/**
+ * The properties for the `QuickSightSubscription` construct
+ */
+
+export interface QuickSightSubscriptionProps {
+
+ /**
+ * The name of your Amazon QuickSight account. This name is unique over all of Amazon Web Services, and it appears only when users sign in.
+ * You can't change AccountName value after the Amazon QuickSight account is created.
+ */
+ readonly accountName: string;
+
+ /**
+ * The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription.
+ */
+ readonly notificationEmail: string;
+
+ /**
+ * The edition of Amazon QuickSight that you want your account to have. Currently, you can choose from ENTERPRISE or ENTERPRISE_AND_Q .
+ * @default - ENTERPRISE is used as default.
+ */
+ readonly edition: string;
+
+ /**
+ * The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account.
+ */
+ readonly awsAccountId: string;
+
+
+ /**
+ * The method that you want to use to authenticate your Amazon QuickSight account.
+ * Only IAM_IDENTITY_CENTER, IAM_AND_QUICKSIGHT and IAM_ONLY are supported
+ */
+ readonly authenticationMethod: 'IAM_IDENTITY_CENTER'| 'IAM_AND_QUICKSIGHT' | 'IAM_ONLY';
+
+
+ /**
+ * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is
+ * the only supported authentication method of the new Amazon QuickSight account
+ */
+ readonly adminGroup: string[];
+
+
+ /**
+ * The author group associated with your IAM Identity Center account.
+ */
+ readonly authorGroup: string[];
+
+ /**
+ * The reader group associated with your IAM Identity Center account.
+ */
+ readonly readerGroup: string[];
+
+ /**
+ * The region to use as main QuickSight region (used to store configuration and identities info)
+ */
+ readonly identityRegion: string;
+
+ /**
+ * The timeout for the QuickSight account subscription.
+ * @default - 5mins
+ */
+ readonly executionTimeout?: Duration;
+
+ /**
+ * The removal policy when deleting the CDK resource.
+ * If DESTROY is selected, context value `@data-solutions-framework-on-aws/removeDataOnDestroy` needs to be set to true.
+ * Otherwise, the removalPolicy is reverted to RETAIN.
+ * @default - The resources are not deleted (`RemovalPolicy.RETAIN`).
+ */
+ readonly removalPolicy?: RemovalPolicy;
+
+}
\ No newline at end of file
diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts
new file mode 100644
index 000000000..041267c24
--- /dev/null
+++ b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts
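Review bot: `edition` is declared `readonly edition: string;` yet documented with `@default - ENTERPRISE is used as default.`, and nothing in this file or in the construct applies such a default, so the tag is misleading; either drop the tag or make the field optional, `readonly edition?: string;`, and fall back to `'ENTERPRISE'` in the construct. Likewise `adminGroup`, `authorGroup` and `readerGroup` are required for every `authenticationMethod`, while the handler in index.mjs only forwards them when the method is `IAM_IDENTITY_CENTER`; declaring them `readonly adminGroup?: string[];` (same for the other two) and validating their presence in the construct when that method is chosen avoids forcing `IAM_ONLY`/`IAM_AND_QUICKSIGHT` callers to pass dummy groups. The comment on `adminGroup` that IAM_IDENTITY_CENTER is "the only supported authentication method" also contradicts the three-value union on `authenticationMethod` and should be corrected. `awsAccountId` could default to the stack's account rather than being a required string, which also removes one way of pointing the subscription at a foreign account by mistake.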
@@ -0,0 +1,235 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +import { Context, TrackedConstruct, TrackedConstructProps } from "../../../utils"; +import { DsfProvider } from '../../../utils/lib/dsf-provider'; +import { QuickSightSubscriptionProps } from './quicksight-subscription-props'; +import { Construct } from 'constructs'; +import { CustomResource, Duration, RemovalPolicy } from 'aws-cdk-lib'; +import { IRole, ManagedPolicy, PolicyDocument, Role , ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam'; +import { ILogGroup } from 'aws-cdk-lib/aws-logs'; +import { IFunction } from 'aws-cdk-lib/aws-lambda'; + + + + +/** + * Creates an asynchronous custom resource that handles the creation of a QuickSight subscription + * + * @example + * const subscription = new dsf.consumption.QuickSightSubscription(this, 'RedshiftNamespace', { + * name: "default", + * dbName: 'defaultdb', + * }); + * + */ + +export class QuickSightSubscription extends TrackedConstruct{ + + /** + * + */ + public static readonly RESOURCE_TYPE = "Custom::QuickSightSubscription"; + + /** + * The CloudWatch Log Group for the QuickSight account subscription submission + */ + public readonly submitLogGroup: ILogGroup; + /** + * The Lambda Function for the the Redshift Data submission + */ + public readonly submitFunction: IFunction; + /** + * The IAM Role for the QuickSight account subscription execution + */ + public readonly executionRole: IRole; + + /** + * The CloudWatch Log Group for the QuickSight account subscription status checks + */ + public readonly statusLogGroup: ILogGroup; + /** + * The Lambda Function for the QuickSight account subscription status checks + */ + public readonly statusFunction: IFunction; + + /** + * The CloudWatch Log Group for the QuickSight account subscription cleaning up lambda + */ + public readonly cleanUpLogGroup?: ILogGroup; + /** + * The Lambda function for the QuickSight 
account subscription cleaning up lambda + */ + public readonly cleanUpFunction?: IFunction; + /** + * The IAM Role for the the QuickSight account subscription cleaning up lambda + */ + public readonly cleanUpRole?: IRole; + + /** + * The name of your Amazon QuickSight account. This name is unique over all of Amazon Web Services, and it appears only when users sign in. + * You can't change AccountName value after the Amazon QuickSight account is created. + */ + public readonly accountName: string; + + /** + * The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. + */ + readonly notificationEmail: string; + + /** + * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is + * the only supported authentication method of the new Amazon QuickSight account + */ + readonly adminGroup: string[]; + + /** + * The author group associated with your IAM Identity Center account. + */ + readonly authorGroup: string[]; + + /** + * The reader group associated with your IAM Identity Center account. 
+ */ + readonly readerGroup: string[]; + + /** + * The region to use as main QuickSight region (used to store configuration and identities info) + */ + readonly identityRegion: string; + + private readonly removalPolicy: RemovalPolicy; + + private readonly serviceToken: string; + private readonly policyActions: string[]; + + constructor (scope: Construct, id: string, props: QuickSightSubscriptionProps) { + const trackedConstructProps: TrackedConstructProps = { + trackingTag: QuickSightSubscription.name, + }; + super(scope, id, trackedConstructProps); + + this.removalPolicy = Context.revertRemovalPolicy(scope, props.removalPolicy); + this.accountName = props.accountName; + this.notificationEmail = props.notificationEmail; + this.adminGroup = props.adminGroup; + this.authorGroup = props.authorGroup; + this.readerGroup = props.readerGroup; + this.identityRegion = props.identityRegion; + + this.policyActions = [ + "quicksight:Subscribe", + "quicksight:UpdateAccountSettings", + "quicksight:Create*", + "quicksight:Unsubscribe", + "quicksight:DescribeAccountSubscription", + "sso:GetManagedApplicationInstance" , + "sso:CreateManagedApplicationInstance", + "sso:GetManagedApplicationInstance", + "sso:DeleteManagedApplicationInstance", + "sso:GetManagedApplicationInstance", + "sso:DescribeGroup", + "sso:SearchGroups", + "sso:GetProfile", + "sso:AssociateProfile", + "sso:DisassociateProfile", + "sso:ListProfiles", + "sso:ListDirectoryAssociations", + "sso:DescribeRegisteredRegions" + ] + + if (props.authenticationMethod != 'IAM_IDENTITY_CENTER') { + this.policyActions = this.policyActions.concat( + [ + "ds:AuthorizeApplication", + "ds:UnauthorizeApplication", + "ds:CheckAlias", + "ds:CreateAlias", + "ds:DescribeDirectories", + "ds:DescribeTrusts", + "ds:DeleteDirectory", + "ds:CreateIdentityPoolDirectory" + ] + ) + } + + this.executionRole = new Role(this, 'Role', { + assumedBy: new ServicePrincipal('lambda.amazonaws.com'), + managedPolicies: [ + 
ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'), + ], + inlinePolicies: { + QuickSightSubscription: new PolicyDocument({ + statements : [ + new PolicyStatement({ + effect: Effect.ALLOW, + actions: this.policyActions, + resources: ['*'] + }) + ] + }) + } + }); + + const timeout = props.executionTimeout || Duration.minutes(5); + + const provider = new DsfProvider(this, 'CrProvider', { + providerName: 'QuickSightSubscriptionProvider', + onEventHandlerDefinition: { + depsLockFilePath: __dirname+'/resources/QuickSightSubscription/package-lock.json', + entryFile: __dirname+'/resources/QuickSightSubscription/index.mjs', + handler: 'index.onEventHandler', + environment: { + AUTHENTICATION_METHOD: props.authenticationMethod, + AWS_ACCOUNT_ID: props.awsAccountId, + EDITION: props.edition, + IDENTITY_REGION: props.identityRegion + }, + iamRole: this.executionRole, + timeout, + }, + isCompleteHandlerDefinition: { + iamRole: this.executionRole, + handler: 'index.isCompleteHandler', + depsLockFilePath: __dirname+'/resources/QuickSightSubscription/package-lock.json', + entryFile: __dirname+'/resources/QuickSightSubscription/index.mjs', + timeout, + environment: { + AUTHENTICATION_METHOD: props.authenticationMethod, + AWS_ACCOUNT_ID: props.awsAccountId, + EDITION: props.edition, + IDENTITY_REGION: props.identityRegion + }, + }, + queryInterval: Duration.seconds(1), + removalPolicy: this.removalPolicy, + }); + + this.serviceToken = provider.serviceToken; + this.submitLogGroup = provider.onEventHandlerLogGroup; + this.statusLogGroup = provider.isCompleteHandlerLog!; + this.cleanUpLogGroup = provider.cleanUpLogGroup; + this.submitFunction = provider.onEventHandlerFunction; + this.statusFunction = provider.isCompleteHandlerFunction!; + this.cleanUpFunction = provider.cleanUpFunction; + this.cleanUpRole = provider.cleanUpRole; + + } + + + + public createQuickSightSubscription(){ + return new CustomResource(this, 'QuickSightSubscription', { + 
resourceType: QuickSightSubscription.RESOURCE_TYPE, + serviceToken: this.serviceToken, + properties: { + accountName: this.accountName, + notificationEmail: this.notificationEmail, + readerGroup: this.readerGroup, + authorGroup: this.authorGroup, + adminGroup: this.adminGroup + }, + removalPolicy: this.removalPolicy + }); + } +} \ No newline at end of file diff --git a/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/index.mjs b/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/index.mjs new file mode 100644 index 000000000..7e05991db --- /dev/null +++ b/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/index.mjs 
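Review bot: The inline policy grants `quicksight:Create*` on `resources: ['*']`, while the handler in index.mjs only ever calls `CreateAccountSubscription`, and the same `executionRole` is also attached to the isComplete handler, which only needs `DescribeAccountSubscription`; replace the wildcard with `"quicksight:CreateAccountSubscription"` and drop the three duplicate `sso:GetManagedApplicationInstance` entries (account-level QuickSight and sso/ds actions presumably do not support resource ARNs, so `'*'` for resources may be unavoidable — verify against the IAM reference). `ds:DeleteDirectory` is a destructive grant; keep it only if it is on QuickSight's documented sign-up permission list, otherwise remove it. `createQuickSightSubscription()` always uses the child id `'QuickSightSubscription'`, so a second call throws a duplicate-construct error; document that it is single-use or derive the id from `accountName`. The class docstring example is copied from RedshiftNamespace (`name`/`dbName` are not props here) and should show `accountName`, `notificationEmail`, `awsAccountId`, `authenticationMethod`, `edition`, `identityRegion` and the three groups.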
@@ -0,0 +1,93 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import {QuickSightClient, CreateAccountSubscriptionCommand, DescribeAccountSubscriptionCommand, UpdateAccountSettingsCommand, DeleteAccountSubscriptionCommand } from "@aws-sdk/client-quicksight"
+
+
+const AuthenticationMethod = process.env.AUTHENTICATION_METHOD
+const AwsAccountId = process.env.AWS_ACCOUNT_ID
+const Edition = process.env.EDITION
+const config = { region: process.env.IDENTITY_REGION }
+const client = new QuickSightClient(config)
+
+export const onEventHandler = async(event) => {
+ const accountName = event["ResourceProperties"]["accountName"]
+ const notificationEmail = event["ResourceProperties"]["notificationEmail"]
+ const authorGroup = event["ResourceProperties"]["authorGroup"]
+ const adminGroup = event["ResourceProperties"]["adminGroup"]
+ const readerGroup = event["ResourceProperties"]["readerGroup"]
+
+ if (event["RequestType"] === "Create") {
+
+ const input = { // CreateAccountSubscriptionRequest
+ Edition: Edition,
+ AuthenticationMethod: AuthenticationMethod, // required
+ AwsAccountId: AwsAccountId, // required
+ AccountName: accountName, // required
+ NotificationEmail: notificationEmail // required
+ };
+
+ if (AuthenticationMethod === "IAM_IDENTITY_CENTER") {
+ input.AdminGroup = adminGroup
+ input.AuthorGroup = authorGroup
+ input.ReaderGroup = readerGroup
+ }
+ const execResult = await client.send(new CreateAccountSubscriptionCommand(input))
+
+ return {
+ "Data": {
+ "status": execResult.Status,
+ "requestId": execResult.RequestId
+ }
+ }
+ } else if (event["RequestType"] === "Delete") {
+ const execResult = await client.send(new UpdateAccountSettingsCommand({AwsAccountId: AwsAccountId, TerminationProtectionEnabled: false}))
+
+ if (execResult.Status >= 400) {
+ throw new Error(`Failed to disable termination protection for account ${AwsAccountId}`)
+ }
+ const responseDelete = await client.send(new DeleteAccountSubscriptionCommand({AwsAccountId: AwsAccountId}))
+
+ return {
+ "Data": {
+ "status": responseDelete.Status,
+ "requestId": responseDelete.RequestId
+ }
+ }
+ }
+
+
+}
+
+export const isCompleteHandler = async(event) => {
+ let isComplete = false
+
+
+
+ const resp = await client.send(new DescribeAccountSubscriptionCommand({AwsAccountId: AwsAccountId}))
+ const subscriptionStatus = resp.AccountInfo.AccountSubscriptionStatus
+ const status = resp.Status
+
+ if (event["RequestType"] === "Create"){
+ if (status >= 400) {
+ throw new Error(`Account subscription failed with status ${subscriptionStatus}`)
+ } else if (status > 300 && status < 400){
+ isComplete = false
+ }
+
+ isComplete = (status === 200 && subscriptionStatus === "ACCOUNT_CREATED")
+ } else if (event["RequestType"] === "Delete") {
+ if (status >= 400) {
+ throw new Error(`Account deletion failed with status ${subscriptionStatus}`)
+ } else if (status > 300 && status < 400){
+ isComplete = false
+ }
+ isComplete = (status === 200 && subscriptionStatus === "UNSUBSCRIBED")
+ }
+
+
+
+ return {
+ "IsComplete": isComplete
+ }
+}
\ No newline at end of file
diff --git a/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package-lock.json b/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package-lock.json
new file mode 100644
index 000000000..f58420be6
--- /dev/null
+++ b/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package-lock.json
@@ -0,0 +1,12 @@
+{
+ "name": "quicksight-subscription",
+ "version": "0.1.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "quicksight-subscription",
+ "version": "0.1.0"
+ }
+ }
+}
diff --git a/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package.json b/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package.json
new file mode 100644
index 000000000..cb7ee782f
--- /dev/null
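Review bot: The `Delete` branch of `onEventHandler` disables termination protection and calls `DeleteAccountSubscriptionCommand` unconditionally, so a rollback of a failed `Create` — including the case where the API rejected the call because a QuickSight subscription already existed in the account — would tear down a subscription this resource never created. Describe the subscription first and only proceed when its `AccountName` matches `event.ResourceProperties.accountName`, returning a marker that `isCompleteHandler` can short-circuit on (the provider framework merges the onEvent result into the isComplete event — confirm); a not-found from that describe, and presumably from the describe after a successful delete, surfaces as a thrown SDK error rather than a status code, so wrap it rather than relying on `Status`. The `Status >= 400` checks here and in `isCompleteHandler` are effectively dead for the same reason, and the `status > 300 && status < 400` branches are overwritten by the assignment that follows them. `Update` is not handled and returns `undefined`, which the provider treats as a no-op even when `accountName` or the groups change; at minimum document that, or fail loudly on immutable-property changes.

```javascript
  } else if (event["RequestType"] === "Delete") {
    // A Delete also arrives on rollback of a failed Create; only unsubscribe the
    // account this resource created, never a pre-existing subscription.
    let current
    try {
      current = await client.send(new DescribeAccountSubscriptionCommand({AwsAccountId: AwsAccountId}))
    } catch (err) {
      if (err.name === "ResourceNotFoundException") return { "Data": { "skipped": true } }
      throw err
    }
    if (current.AccountInfo?.AccountName !== accountName) {
      return { "Data": { "skipped": true } }
    }
    // … unchanged: UpdateAccountSettingsCommand (TerminationProtectionEnabled: false) and DeleteAccountSubscriptionCommand …
  }
// … unchanged: isCompleteHandler preamble …
  if (event["RequestType"] === "Delete" && event["Data"]?.["skipped"]) {
    return { "IsComplete": true }
  }
```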
+++ b/framework/src/consumption/lib/quicksight/resources/QuickSightSubscription/package.json @@ -0,0 +1,4 @@ +{ + "name": "quicksight-subscription", + "version": "0.1.0" +} \ No newline at end of file From 2a43ea499d7e2af0b84f63ca0cf4bb616db36b05 Mon Sep 17 00:00:00 2001 From: enriquh Date: Wed, 3 Apr 2024 19:09:34 +0200 Subject: [PATCH 2/5] Added enums to prevent accidental input on QuickSight Subscription props + minor fixes --- .../quicksight-subscription-props.ts | 18 +++++++++++++++--- .../lib/quicksight/quicksight-subscription.ts | 17 +++++++---------- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts index d233e55d6..f5bc9735f 100644 --- a/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts +++ b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts @@ -11,7 +11,8 @@ import { Duration, RemovalPolicy } from "aws-cdk-lib"; export interface QuickSightSubscriptionProps { /** - * The name of your Amazon QuickSight account. This name is unique over all of Amazon Web Services, and it appears only when users sign in. + * The name of your Amazon QuickSight account. + * This name is unique over all of Amazon Web Services, and it appears only when users sign in. * You can't change AccountName value after the Amazon QuickSight account is created. */ readonly accountName: string; @@ -25,7 +26,7 @@ export interface QuickSightSubscriptionProps { * The edition of Amazon QuickSight that you want your account to have. Currently, you can choose from ENTERPRISE or ENTERPRISE_AND_Q . * @default - ENTERPRISE is used as default. */ - readonly edition: string; + readonly edition: QuickSightEdition; /** * The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account. 
@@ -36,8 +37,9 @@ export interface QuickSightSubscriptionProps { /** * The method that you want to use to authenticate your Amazon QuickSight account. * Only IAM_IDENTITY_CENTER, IAM_AND_QUICKSIGHT and IAM_ONLY are supported + * @default */ - readonly authenticationMethod: 'IAM_IDENTITY_CENTER'| 'IAM_AND_QUICKSIGHT' | 'IAM_ONLY'; + readonly authenticationMethod: QuickSightAuthenticationMethod; /** @@ -76,4 +78,14 @@ export interface QuickSightSubscriptionProps { */ readonly removalPolicy?: RemovalPolicy; +} + +export enum QuickSightAuthenticationMethod { + IAM_IDENTITY_CENTER = 'IAM_IDENTITY_CENTER', + IAM_AND_QUICKSIGHT = 'IAM_AND_QUICKSIGHT', + IAM_ONLY = 'IAM_ONLY' +} + +export enum QuickSightEdition { + ENTERPRISE = 'ENTERPRISE', } \ No newline at end of file diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts index 041267c24..796d9f92c 100644 --- a/framework/src/consumption/lib/quicksight/quicksight-subscription.ts +++ b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts @@ -3,10 +3,10 @@ import { Context, TrackedConstruct, TrackedConstructProps } from "../../../utils"; import { DsfProvider } from '../../../utils/lib/dsf-provider'; -import { QuickSightSubscriptionProps } from './quicksight-subscription-props'; +import { QuickSightSubscriptionProps, QuickSightAuthenticationMethod } from './quicksight-subscription-props'; import { Construct } from 'constructs'; import { CustomResource, Duration, RemovalPolicy } from 'aws-cdk-lib'; -import { IRole, ManagedPolicy, PolicyDocument, Role , ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam'; +import { IRole, PolicyDocument, Role , ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam'; import { ILogGroup } from 'aws-cdk-lib/aws-logs'; import { IFunction } from 'aws-cdk-lib/aws-lambda'; 
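Review bot: The `+ * @default` line added above `authenticationMethod` in the `@@ -36,8 +37,9 @@` hunk is an empty tag on a property that remains required (no `?`), so the generated docs will advertise a default that does not exist. Either remove that line, or if a default is intended make the property optional and give it a value, e.g. `@default - QuickSightAuthenticationMethod.IAM_IDENTITY_CENTER`, together with the matching fallback in the construct. The sentence above it would also read better as `Supported values are IAM_IDENTITY_CENTER, IAM_AND_QUICKSIGHT and IAM_ONLY.`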
@@ -115,7 +115,7 @@ export class QuickSightSubscription extends TrackedConstruct{ this.adminGroup = props.adminGroup; this.authorGroup = props.authorGroup; this.readerGroup = props.readerGroup; - this.identityRegion = props.identityRegion; + this.identityRegion = props.identityRegion; this.policyActions = [ "quicksight:Subscribe", @@ -138,7 +138,7 @@ export class QuickSightSubscription extends TrackedConstruct{ "sso:DescribeRegisteredRegions" ] - if (props.authenticationMethod != 'IAM_IDENTITY_CENTER') { + if (props.authenticationMethod != QuickSightAuthenticationMethod.IAM_IDENTITY_CENTER) { this.policyActions = this.policyActions.concat( [ "ds:AuthorizeApplication", @@ -154,10 +154,7 @@ export class QuickSightSubscription extends TrackedConstruct{ } this.executionRole = new Role(this, 'Role', { - assumedBy: new ServicePrincipal('lambda.amazonaws.com'), - managedPolicies: [ - ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'), - ], + assumedBy: new ServicePrincipal('lambda.amazonaws.com'), inlinePolicies: { QuickSightSubscription: new PolicyDocument({ statements : [ @@ -171,7 +168,7 @@ export class QuickSightSubscription extends TrackedConstruct{ } }); - const timeout = props.executionTimeout || Duration.minutes(5); + const timeout = props.executionTimeout ?? Duration.minutes(5); const provider = new DsfProvider(this, 'CrProvider', { providerName: 'QuickSightSubscriptionProvider', @@ -201,7 +198,7 @@ export class QuickSightSubscription extends TrackedConstruct{ IDENTITY_REGION: props.identityRegion }, }, - queryInterval: Duration.seconds(1), + queryInterval: Duration.seconds(10), removalPolicy: this.removalPolicy, }); From c011b0dd244cdc294a87e0ee258be56267849672 Mon Sep 17 00:00:00 2001 
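Review bot: The comparison `props.authenticationMethod != QuickSightAuthenticationMethod.IAM_IDENTITY_CENTER` in the `@@ -138,7 +138,7 @@` hunk uses loose inequality; with a string enum on both sides the result is the same today, but the rest of the file is written for a strict lint setup and `!==` avoids coercion surprises if the prop type is ever widened. Change it to `if (props.authenticationMethod !== QuickSightAuthenticationMethod.IAM_IDENTITY_CENTER) {`. Since this condition is what grants the extra `ds:*` permissions, a one-line comment above it saying why directory-backed authentication methods need them (presumably because the non-Identity-Center paths create an identity pool directory, given `ds:CreateIdentityPoolDirectory` in the list) would make the grant reviewable.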
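Review bot: Dropping `AWSLambdaVPCAccessExecutionRole` in the `@@ -154,10 +154,7 @@` hunk is the right least-privilege call since nothing in the construct places the function in a VPC, but that managed policy was also the only permission source visible in this file for `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents`. The inline policy that remains grants only `quicksight:`, `sso:` and `ds:` actions, so the handler's logging now depends on `DsfProvider` attaching a logs grant to `iamRole`; the construct does expose per-function log groups, which suggests the provider manages them, but that is not visible in this diff. Please confirm, or restore an explicit grant such as `managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole')],` (re-importing `ManagedPolicy`, which this commit also removed).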
From: lmouhib Date: Mon, 25 Mar 2024 15:13:21 +0000 Subject: [PATCH 3/5] lint --- .../src/consumption/lib/quicksight/index.ts | 4 +- .../quicksight-subscription-props.ts | 20 +-- .../lib/quicksight/quicksight-subscription.ts | 114 +++++++++--------- 3 files changed, 70 insertions(+), 68 deletions(-) diff --git a/framework/src/consumption/lib/quicksight/index.ts b/framework/src/consumption/lib/quicksight/index.ts index 53629aaf2..5f56f977c 100644 --- a/framework/src/consumption/lib/quicksight/index.ts +++ b/framework/src/consumption/lib/quicksight/index.ts @@ -1,5 +1,5 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -export * from './quicksight-subscription' -export * from './quicksight-subscription-props' \ No newline at end of file +export * from './quicksight-subscription'; +export * from './quicksight-subscription-props'; \ No newline at end of file diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts index f5bc9735f..ec0f79b5c 100644 --- a/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts +++ b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts @@ -1,7 +1,7 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -import { Duration, RemovalPolicy } from "aws-cdk-lib"; +import { Duration, RemovalPolicy } from 'aws-cdk-lib'; /** 
@@ -9,19 +9,19 @@ import { Duration, RemovalPolicy } from "aws-cdk-lib"; */ export interface QuickSightSubscriptionProps { - + /** * The name of your Amazon QuickSight account. * This name is unique over all of Amazon Web Services, and it appears only when users sign in. * You can't change AccountName value after the Amazon QuickSight account is created. */ readonly accountName: string; - + /** * The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. */ readonly notificationEmail: string; - + /** * The edition of Amazon QuickSight that you want your account to have. Currently, you can choose from ENTERPRISE or ENTERPRISE_AND_Q . * @default - ENTERPRISE is used as default. @@ -32,7 +32,7 @@ export interface QuickSightSubscriptionProps { * The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account. */ readonly awsAccountId: string; - + /** * The method that you want to use to authenticate your Amazon QuickSight account. @@ -43,12 +43,12 @@ export interface QuickSightSubscriptionProps { /** - * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is + * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is * the only supported authentication method of the new Amazon QuickSight account */ readonly adminGroup: string[]; - - + + /** * The author group associated with your IAM Identity Center account. */ 
@@ -70,13 +70,13 @@ export interface QuickSightSubscriptionProps { */ readonly executionTimeout?: Duration; - /** + /** * The removal policy when deleting the CDK resource. * If DESTROY is selected, context value `@data-solutions-framework-on-aws/removeDataOnDestroy` needs to be set to true. * Otherwise, the removalPolicy is reverted to RETAIN. * @default - The resources are not deleted (`RemovalPolicy.RETAIN`). */ - readonly removalPolicy?: RemovalPolicy; + readonly removalPolicy?: RemovalPolicy; } diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts index 796d9f92c..4c35742c7 100644 --- a/framework/src/consumption/lib/quicksight/quicksight-subscription.ts +++ b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts @@ -9,8 +9,11 @@ import { CustomResource, Duration, RemovalPolicy } from 'aws-cdk-lib'; import { IRole, PolicyDocument, Role , ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam'; import { ILogGroup } from 'aws-cdk-lib/aws-logs'; import { IFunction } from 'aws-cdk-lib/aws-lambda'; - - +import { ILogGroup } from 'aws-cdk-lib/aws-logs'; +import { Construct } from 'constructs'; +import { QuickSightSubscriptionProps } from './quicksight-subscription-props'; +import { Context, TrackedConstruct, TrackedConstructProps } from '../../../utils'; +import { DsfProvider } from '../../../utils/lib/dsf-provider'; /** @@ -24,12 +27,12 @@ import { IFunction } from 'aws-cdk-lib/aws-lambda'; * */ -export class QuickSightSubscription extends TrackedConstruct{ +export class QuickSightSubscription extends TrackedConstruct { /** - * + * */ - public static readonly RESOURCE_TYPE = "Custom::QuickSightSubscription"; + public static readonly RESOURCE_TYPE = 'Custom::QuickSightSubscription'; /** * The CloudWatch Log Group for the QuickSight account subscription submission 
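Review bot: The `@@ -9,8 +9,11 @@` hunk adds a second `import { ILogGroup }`, `import { Construct }`, `import { QuickSightSubscriptionProps }`, `import { Context, ... }` and `import { DsfProvider }` below the existing ones, which `tsc` rejects as duplicate identifiers, and the new `QuickSightSubscriptionProps` import no longer brings in `QuickSightAuthenticationMethod`, which the `!=` comparison further down the file still references. The last commit on this page (`Rebase with main`) removes the first copies and restores the enum import, so the series builds, but this commit on its own does not compile. Squashing that import fix into this lint commit would keep every commit on the branch bisectable.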
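Review bot: The JSDoc block above `RESOURCE_TYPE` in the `@@ -24,12 +27,12 @@` hunk is empty (`/** * */`), so jsii will publish the constant with no description and `API.md` will show it blank. A single line such as `/** The CloudFormation resource type of the custom resource created by `createQuickSightSubscription()`. */` is enough, since that method is the only visible user of the constant. The class-level comment that precedes it starts above this hunk.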
@@ -67,18 +70,18 @@ export class QuickSightSubscription extends TrackedConstruct{ public readonly cleanUpRole?: IRole; /** - * The name of your Amazon QuickSight account. This name is unique over all of Amazon Web Services, and it appears only when users sign in. + * The name of your Amazon QuickSight account. This name is unique over all of Amazon Web Services, and it appears only when users sign in. * You can't change AccountName value after the Amazon QuickSight account is created. */ public readonly accountName: string; - - /** + + /** * The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. */ readonly notificationEmail: string; - + /** - * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is + * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is * the only supported authentication method of the new Amazon QuickSight account */ readonly adminGroup: string[]; @@ -102,11 +105,11 @@ export class QuickSightSubscription extends TrackedConstruct{ private readonly serviceToken: string; private readonly policyActions: string[]; - + constructor (scope: Construct, id: string, props: QuickSightSubscriptionProps) { const trackedConstructProps: TrackedConstructProps = { trackingTag: QuickSightSubscription.name, - }; + }; super(scope, id, trackedConstructProps); this.removalPolicy = Context.revertRemovalPolicy(scope, props.removalPolicy); 
@@ -118,54 +121,54 @@ export class QuickSightSubscription extends TrackedConstruct{ this.identityRegion = props.identityRegion; this.policyActions = [ - "quicksight:Subscribe", - "quicksight:UpdateAccountSettings", - "quicksight:Create*", - "quicksight:Unsubscribe", - "quicksight:DescribeAccountSubscription", - "sso:GetManagedApplicationInstance" , - "sso:CreateManagedApplicationInstance", - "sso:GetManagedApplicationInstance", - "sso:DeleteManagedApplicationInstance", - "sso:GetManagedApplicationInstance", - "sso:DescribeGroup", - "sso:SearchGroups", - "sso:GetProfile", - "sso:AssociateProfile", - "sso:DisassociateProfile", - "sso:ListProfiles", - "sso:ListDirectoryAssociations", - "sso:DescribeRegisteredRegions" - ] + 'quicksight:Subscribe', + 'quicksight:UpdateAccountSettings', + 'quicksight:Create*', + 'quicksight:Unsubscribe', + 'quicksight:DescribeAccountSubscription', + 'sso:GetManagedApplicationInstance', + 'sso:CreateManagedApplicationInstance', + 'sso:GetManagedApplicationInstance', + 'sso:DeleteManagedApplicationInstance', + 'sso:GetManagedApplicationInstance', + 'sso:DescribeGroup', + 'sso:SearchGroups', + 'sso:GetProfile', + 'sso:AssociateProfile', + 'sso:DisassociateProfile', + 'sso:ListProfiles', + 'sso:ListDirectoryAssociations', + 'sso:DescribeRegisteredRegions', + ]; if (props.authenticationMethod != QuickSightAuthenticationMethod.IAM_IDENTITY_CENTER) { this.policyActions = this.policyActions.concat( [ - "ds:AuthorizeApplication", - "ds:UnauthorizeApplication", - "ds:CheckAlias", - "ds:CreateAlias", - "ds:DescribeDirectories", - "ds:DescribeTrusts", - "ds:DeleteDirectory", - "ds:CreateIdentityPoolDirectory" - ] - ) + 'ds:AuthorizeApplication', + 'ds:UnauthorizeApplication', + 'ds:CheckAlias', + 'ds:CreateAlias', + 'ds:DescribeDirectories', + 'ds:DescribeTrusts', + 'ds:DeleteDirectory', + 'ds:CreateIdentityPoolDirectory', + ], + ); } - + this.executionRole = new Role(this, 'Role', { assumedBy: new ServicePrincipal('lambda.amazonaws.com'), 
inlinePolicies: { QuickSightSubscription: new PolicyDocument({ - statements : [ + statements: [ new PolicyStatement({ effect: Effect.ALLOW, actions: this.policyActions, - resources: ['*'] - }) - ] - }) - } + resources: ['*'], + }), + ], + }), + }, }); const timeout = props.executionTimeout ?? Duration.minutes(5); @@ -180,7 +183,7 @@ export class QuickSightSubscription extends TrackedConstruct{ AUTHENTICATION_METHOD: props.authenticationMethod, AWS_ACCOUNT_ID: props.awsAccountId, EDITION: props.edition, - IDENTITY_REGION: props.identityRegion + IDENTITY_REGION: props.identityRegion, }, iamRole: this.executionRole, timeout, @@ -195,7 +198,7 @@ export class QuickSightSubscription extends TrackedConstruct{ AUTHENTICATION_METHOD: props.authenticationMethod, AWS_ACCOUNT_ID: props.awsAccountId, EDITION: props.edition, - IDENTITY_REGION: props.identityRegion + IDENTITY_REGION: props.identityRegion, }, }, queryInterval: Duration.seconds(10), @@ -209,13 +212,12 @@ export class QuickSightSubscription extends TrackedConstruct{ this.submitFunction = provider.onEventHandlerFunction; this.statusFunction = provider.isCompleteHandlerFunction!; this.cleanUpFunction = provider.cleanUpFunction; - this.cleanUpRole = provider.cleanUpRole; + this.cleanUpRole = provider.cleanUpRole; } - - public createQuickSightSubscription(){ + public createQuickSightSubscription() { return new CustomResource(this, 'QuickSightSubscription', { resourceType: QuickSightSubscription.RESOURCE_TYPE, serviceToken: this.serviceToken, @@ -224,9 +226,9 @@ export class QuickSightSubscription extends TrackedConstruct{ notificationEmail: this.notificationEmail, readerGroup: this.readerGroup, authorGroup: this.authorGroup, - adminGroup: this.adminGroup + adminGroup: this.adminGroup, }, - removalPolicy: this.removalPolicy - }); + removalPolicy: this.removalPolicy, + }); } } \ No newline at end of file From e4638de663167548fe23c517d69e737a947737c7 Mon Sep 17 00:00:00 2001 
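Review bot: The policy statement rebuilt in the `@@ -118,54 +121,54 @@` hunk lists `'sso:GetManagedApplicationInstance'` three times and grants every action on `resources: ['*']`, including the wildcard `'quicksight:Create*'` and, for the non-Identity-Center branch, `'ds:DeleteDirectory'`, on a role whose only job is to create and delete one account subscription. Drop the two duplicate entries (a lint pass is a good moment to catch them), replace `'quicksight:Create*'` with the specific Create actions the handler in `index.mjs` actually issues, and where the QuickSight or Directory Service actions support resource-level permissions scope them to the subscribing account (the `AWS_ACCOUNT_ID` prop is already passed to the handler) instead of `*`. If `ds:DeleteDirectory` exists only for the rollback path, a comment next to the `ds:` block saying so would make that destructive grant reviewable.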
From: lmouhib Date: Mon, 25 Mar 2024 15:24:30 +0000 Subject: [PATCH 4/5] fix lint --- framework/API.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/framework/API.md b/framework/API.md index 5dc035531..acee5f106 100644 --- a/framework/API.md +++ b/framework/API.md @@ -4605,7 +4605,7 @@ public readonly accountName: string; The name of your Amazon QuickSight account. -This name is unique over all of Amazon Web Services, and it appears only when users sign in. +This name is unique over all of Amazon Web Services, and it appears only when users sign in. You can't change AccountName value after the Amazon QuickSight account is created. --- @@ -4620,7 +4620,7 @@ public readonly adminGroup: string[]; The admin group associated with your Active Directory or IAM Identity Center account. -This field is required as IAM_IDENTITY_CENTER is +This field is required as IAM_IDENTITY_CENTER is the only supported authentication method of the new Amazon QuickSight account --- @@ -10753,7 +10753,7 @@ public readonly accountName: string; The name of your Amazon QuickSight account. -This name is unique over all of Amazon Web Services, and it appears only when users sign in. +This name is unique over all of Amazon Web Services, and it appears only when users sign in. You can't change AccountName value after the Amazon QuickSight account is created. --- @@ -10768,7 +10768,7 @@ public readonly adminGroup: string[]; The admin group associated with your Active Directory or IAM Identity Center account. -This field is required as IAM_IDENTITY_CENTER is +This field is required as IAM_IDENTITY_CENTER is the only supported authentication method of the new Amazon QuickSight account --- From 93f08332fce393dfede353a1c5a262296a3dd9b1 Mon Sep 17 00:00:00 2001 
From: enriquh Date: Fri, 5 Apr 2024 11:46:10 +0200 Subject: [PATCH 5/5] Rebase with main --- framework/API.md | 54 ++++++++++++++++--- .../quicksight-subscription-props.ts | 8 +-- .../lib/quicksight/quicksight-subscription.ts | 15 ++---- 3 files changed, 57 insertions(+), 20 deletions(-) diff --git a/framework/API.md b/framework/API.md index acee5f106..694292087 100644 --- a/framework/API.md +++ b/framework/API.md @@ -10731,10 +10731,10 @@ const quickSightSubscriptionProps: consumption.QuickSightSubscriptionProps = { . | --- | --- | --- | | accountName | string | The name of your Amazon QuickSight account. | | adminGroup | string[] | The admin group associated with your Active Directory or IAM Identity Center account. | -| authenticationMethod | string | The method that you want to use to authenticate your Amazon QuickSight account. | +| authenticationMethod | @cdklabs/aws-data-solutions-framework.consumption.QuickSightAuthenticationMethod | The method that you want to use to authenticate your Amazon QuickSight account. | | authorGroup | string[] | The author group associated with your IAM Identity Center account. | | awsAccountId | string | The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account. | -| edition | string | The edition of Amazon QuickSight that you want your account to have. | +| edition | @cdklabs/aws-data-solutions-framework.consumption.QuickSightEdition | The edition of Amazon QuickSight that you want your account to have. | | identityRegion | string | The region to use as main QuickSight region (used to store configuration and identities info). | | notificationEmail | string | The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription. | | readerGroup | string[] | The reader group associated with your IAM Identity Center account. | 
@@ -10776,10 +10776,10 @@ the only supported authentication method of the new Amazon QuickSight account ##### `authenticationMethod`Required ```typescript -public readonly authenticationMethod: string; +public readonly authenticationMethod: QuickSightAuthenticationMethod; ``` -- *Type:* string +- *Type:* @cdklabs/aws-data-solutions-framework.consumption.QuickSightAuthenticationMethod The method that you want to use to authenticate your Amazon QuickSight account. @@ -10814,10 +10814,10 @@ The Amazon Web Services account ID of the account that you're using to create yo ##### `edition`Required ```typescript -public readonly edition: string; +public readonly edition: QuickSightEdition; ``` -- *Type:* string +- *Type:* @cdklabs/aws-data-solutions-framework.consumption.QuickSightEdition - *Default:* ENTERPRISE is used as default. The edition of Amazon QuickSight that you want your account to have. @@ -13696,6 +13696,48 @@ Default Node Instances for OpenSearch cluster. --- +### QuickSightAuthenticationMethod + +#### Members + +| **Name** | **Description** | +| --- | --- | +| IAM_IDENTITY_CENTER | *No description.* | +| IAM_AND_QUICKSIGHT | *No description.* | +| IAM_ONLY | *No description.* | + +--- + +##### `IAM_IDENTITY_CENTER` + +--- + + +##### `IAM_AND_QUICKSIGHT` + +--- + + +##### `IAM_ONLY` + +--- + + +### QuickSightEdition + +#### Members + +| **Name** | **Description** | +| --- | --- | +| ENTERPRISE | *No description.* | + +--- + +##### `ENTERPRISE` + +--- + + ### RedshiftServerlessNamespaceLogExport Namespace log export types. diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts index ec0f79b5c..fbc3bd71c 100644 --- a/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts +++ b/framework/src/consumption/lib/quicksight/quicksight-subscription-props.ts 
@@ -11,8 +11,8 @@ import { Duration, RemovalPolicy } from 'aws-cdk-lib'; export interface QuickSightSubscriptionProps { /** - * The name of your Amazon QuickSight account. - * This name is unique over all of Amazon Web Services, and it appears only when users sign in. + * The name of your Amazon QuickSight account. + * This name is unique over all of Amazon Web Services, and it appears only when users sign in. * You can't change AccountName value after the Amazon QuickSight account is created. */ readonly accountName: string; @@ -27,7 +27,7 @@ export interface QuickSightSubscriptionProps { * @default - ENTERPRISE is used as default. */ readonly edition: QuickSightEdition; - + /** * The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account. */ @@ -87,5 +87,5 @@ export enum QuickSightAuthenticationMethod { } export enum QuickSightEdition { - ENTERPRISE = 'ENTERPRISE', + ENTERPRISE = 'ENTERPRISE', } \ No newline at end of file diff --git a/framework/src/consumption/lib/quicksight/quicksight-subscription.ts b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts index 4c35742c7..a252360e3 100644 --- a/framework/src/consumption/lib/quicksight/quicksight-subscription.ts +++ b/framework/src/consumption/lib/quicksight/quicksight-subscription.ts 
@@ -1,17 +1,12 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -import { Context, TrackedConstruct, TrackedConstructProps } from "../../../utils"; -import { DsfProvider } from '../../../utils/lib/dsf-provider'; -import { QuickSightSubscriptionProps, QuickSightAuthenticationMethod } from './quicksight-subscription-props'; -import { Construct } from 'constructs'; import { CustomResource, Duration, RemovalPolicy } from 'aws-cdk-lib'; -import { IRole, PolicyDocument, Role , ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam'; -import { ILogGroup } from 'aws-cdk-lib/aws-logs'; +import { IRole, PolicyDocument, Role, ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam'; import { IFunction } from 'aws-cdk-lib/aws-lambda'; import { ILogGroup } from 'aws-cdk-lib/aws-logs'; import { Construct } from 'constructs'; -import { QuickSightSubscriptionProps } from './quicksight-subscription-props'; +import { QuickSightSubscriptionProps, QuickSightAuthenticationMethod } from './quicksight-subscription-props'; import { Context, TrackedConstruct, TrackedConstructProps } from '../../../utils'; import { DsfProvider } from '../../../utils/lib/dsf-provider'; @@ -118,7 +113,7 @@ export class QuickSightSubscription extends TrackedConstruct { this.adminGroup = props.adminGroup; this.authorGroup = props.authorGroup; this.readerGroup = props.readerGroup; - this.identityRegion = props.identityRegion; + this.identityRegion = props.identityRegion; this.policyActions = [ 'quicksight:Subscribe', @@ -157,7 +152,7 @@ export class QuickSightSubscription extends TrackedConstruct { } this.executionRole = new Role(this, 'Role', { - assumedBy: new ServicePrincipal('lambda.amazonaws.com'), + assumedBy: new ServicePrincipal('lambda.amazonaws.com'), inlinePolicies: { QuickSightSubscription: new PolicyDocument({ statements: [ 
@@ -200,7 +195,7 @@ export class QuickSightSubscription extends TrackedConstruct { EDITION: props.edition, IDENTITY_REGION: props.identityRegion, }, - }, + }, queryInterval: Duration.seconds(10), removalPolicy: this.removalPolicy, });