Initial version of QuickSightSubscription construct

Author: enriquh

framework/.projen/tasks.json

@@ -4,3 +4,4 @@
 export * from './redshift';
 export * from './athena';
 export * from './opensearch';
+export * from './quicksight';

framework/API.md

@@ -0,0 +1,5 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+export * from './quicksight-subscription'
+export * from './quicksight-subscription-props'

framework/src/consumption/lib/index.ts

@@ -0,0 +1,79 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { Duration, RemovalPolicy } from "aws-cdk-lib";
+
+
+/**
+ * The properties for the `QuickSightSubscription` construct
+ */
+
+export interface QuickSightSubscriptionProps {
+  
+  /**
+   * The name of your Amazon QuickSight account. This name is unique over all of Amazon Web Services, and it appears only when users sign in. 
+   * You can't change AccountName value after the Amazon QuickSight account is created.
+   */
+  readonly accountName: string;
+  
+  /**
+   * The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription.
+   */
+  readonly notificationEmail: string;
+  
+  /**
+  * The edition of Amazon QuickSight that you want your account to have. Currently, you can choose from ENTERPRISE or ENTERPRISE_AND_Q .
+  *  @default - ENTERPRISE is used as default.
+  */
+  readonly edition: string;
+  
+  /**
+   * The Amazon Web Services account ID of the account that you're using to create your Amazon QuickSight account.
+   */
+  readonly awsAccountId: string;
+  
+
+  /**
+   * The method that you want to use to authenticate your Amazon QuickSight account.
+   * Only IAM_IDENTITY_CENTER, IAM_AND_QUICKSIGHT and IAM_ONLY are supported
+   */
+  readonly authenticationMethod: 'IAM_IDENTITY_CENTER'| 'IAM_AND_QUICKSIGHT' | 'IAM_ONLY';
+
+
+  /**
+   * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is 
+   * the only supported authentication method of the new Amazon QuickSight account
+   */
+  readonly adminGroup: string[];
+ 
+  
+  /**
+   * The author group associated with your IAM Identity Center account.
+   */
+  readonly authorGroup: string[];
+
+  /**
+   * The reader group associated with your IAM Identity Center account.
+   */
+  readonly readerGroup: string[];
+
+  /**
+   * The region to use as main QuickSight region (used to store configuration and identities info)
+   */
+  readonly identityRegion: string;
+
+  /**
+   * The timeout for the QuickSight account subscription.
+   * @default - 5mins
+   */
+  readonly executionTimeout?: Duration;
+
+    /**
+   * The removal policy when deleting the CDK resource.
+   * If DESTROY is selected, context value `@data-solutions-framework-on-aws/removeDataOnDestroy` needs to be set to true.
+   * Otherwise, the removalPolicy is reverted to RETAIN.
+   * @default - The resources are not deleted (`RemovalPolicy.RETAIN`).
+   */
+    readonly removalPolicy?: RemovalPolicy;
+
+}

framework/src/consumption/lib/quicksight/index.ts

@@ -0,0 +1,235 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { Context, TrackedConstruct, TrackedConstructProps } from "../../../utils";
+import { DsfProvider } from '../../../utils/lib/dsf-provider';
+import { QuickSightSubscriptionProps } from './quicksight-subscription-props';
+import { Construct } from 'constructs';
+import { CustomResource, Duration, RemovalPolicy } from 'aws-cdk-lib';
+import { IRole, ManagedPolicy, PolicyDocument, Role , ServicePrincipal, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam';
+import { ILogGroup } from 'aws-cdk-lib/aws-logs';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
+
+
+
+
+/**
+ * Creates an asynchronous custom resource that handles the creation of a QuickSight subscription
+ *
+ * @example
+ * const subscription = new dsf.consumption.QuickSightSubscription(this, 'RedshiftNamespace', {
+ *    name: "default",
+ *    dbName: 'defaultdb',
+ * });
+ *
+ */
+
+export class QuickSightSubscription extends TrackedConstruct{
+
+  /**
+   * 
+   */
+  public static readonly RESOURCE_TYPE = "Custom::QuickSightSubscription";
+
+  /**
+   * The CloudWatch Log Group for the QuickSight account subscription submission
+   */
+  public readonly submitLogGroup: ILogGroup;
+  /**
+   * The Lambda Function for the the Redshift Data submission
+   */
+  public readonly submitFunction: IFunction;
+  /**
+   * The IAM Role for the QuickSight account subscription execution
+   */
+  public readonly executionRole: IRole;
+
+  /**
+   * The CloudWatch Log Group for the QuickSight account subscription status checks
+   */
+  public readonly statusLogGroup: ILogGroup;
+  /**
+   * The Lambda Function for the QuickSight account subscription status checks
+   */
+  public readonly statusFunction: IFunction;
+
+  /**
+ * The CloudWatch Log Group for the QuickSight account subscription cleaning up lambda
+ */
+  public readonly cleanUpLogGroup?: ILogGroup;
+  /**
+   * The Lambda function for the QuickSight account subscription cleaning up lambda
+   */
+  public readonly cleanUpFunction?: IFunction;
+  /**
+   * The IAM Role for the the QuickSight account subscription cleaning up lambda
+   */
+  public readonly cleanUpRole?: IRole;
+
+  /**
+  * The name of your Amazon QuickSight account. This name is unique over all of Amazon Web Services, and it appears only when users sign in. 
+  * You can't change AccountName value after the Amazon QuickSight account is created.
+  */
+  public readonly accountName: string;
+  
+  /**  
+  * The email address that you want Amazon QuickSight to send notifications to regarding your Amazon QuickSight account or Amazon QuickSight subscription.
+  */
+  readonly notificationEmail: string;
+  
+  /**
+   * The admin group associated with your Active Directory or IAM Identity Center account. This field is required as IAM_IDENTITY_CENTER is 
+   * the only supported authentication method of the new Amazon QuickSight account
+   */
+  readonly adminGroup: string[];
+
+  /**
+   * The author group associated with your IAM Identity Center account.
+   */
+  readonly authorGroup: string[];
+
+  /**
+   * The reader group associated with your IAM Identity Center account.
+   */
+  readonly readerGroup: string[];
+
+  /**
+  * The region to use as main QuickSight region (used to store configuration and identities info)
+  */
+  readonly identityRegion: string;
+
+  private readonly removalPolicy: RemovalPolicy;
+
+  private readonly serviceToken: string;
+  private readonly policyActions: string[];
+  
+  constructor (scope: Construct, id: string, props: QuickSightSubscriptionProps) {
+    const trackedConstructProps: TrackedConstructProps = {
+      trackingTag: QuickSightSubscription.name,
+    };    
+    super(scope, id, trackedConstructProps);
+
+    this.removalPolicy = Context.revertRemovalPolicy(scope, props.removalPolicy);
+    this.accountName = props.accountName;
+    this.notificationEmail = props.notificationEmail;
+    this.adminGroup = props.adminGroup;
+    this.authorGroup = props.authorGroup;
+    this.readerGroup = props.readerGroup;
+    this.identityRegion = props.identityRegion;
+
+    this.policyActions = [
+      "quicksight:Subscribe",
+      "quicksight:UpdateAccountSettings",
+      "quicksight:Create*",
+      "quicksight:Unsubscribe",
+      "quicksight:DescribeAccountSubscription",
+      "sso:GetManagedApplicationInstance" ,
+      "sso:CreateManagedApplicationInstance",
+      "sso:GetManagedApplicationInstance",
+      "sso:DeleteManagedApplicationInstance",
+      "sso:GetManagedApplicationInstance",
+      "sso:DescribeGroup",
+      "sso:SearchGroups",
+      "sso:GetProfile",
+      "sso:AssociateProfile", 
+      "sso:DisassociateProfile", 
+      "sso:ListProfiles", 
+      "sso:ListDirectoryAssociations", 
+      "sso:DescribeRegisteredRegions" 
+    ]
+
+    if (props.authenticationMethod != 'IAM_IDENTITY_CENTER') {
+      this.policyActions = this.policyActions.concat(
+        [
+          "ds:AuthorizeApplication",
+          "ds:UnauthorizeApplication",
+          "ds:CheckAlias",
+          "ds:CreateAlias",
+          "ds:DescribeDirectories",
+          "ds:DescribeTrusts",
+          "ds:DeleteDirectory",
+          "ds:CreateIdentityPoolDirectory"
+        ]
+      )
+    }
+    
+    this.executionRole = new Role(this, 'Role', {
+      assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
+      managedPolicies: [
+        ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'),
+      ],
+      inlinePolicies: {
+        QuickSightSubscription: new PolicyDocument({
+          statements : [
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: this.policyActions,
+              resources: ['*']
+            })
+          ]
+        })
+      } 
+    });
+
+    const timeout = props.executionTimeout || Duration.minutes(5);
+
+    const provider = new DsfProvider(this, 'CrProvider', {
+      providerName: 'QuickSightSubscriptionProvider',
+      onEventHandlerDefinition: {
+        depsLockFilePath: __dirname+'/resources/QuickSightSubscription/package-lock.json',
+        entryFile: __dirname+'/resources/QuickSightSubscription/index.mjs',
+        handler: 'index.onEventHandler',
+        environment: {
+          AUTHENTICATION_METHOD: props.authenticationMethod,
+          AWS_ACCOUNT_ID: props.awsAccountId,
+          EDITION: props.edition,
+          IDENTITY_REGION: props.identityRegion
+        },
+        iamRole: this.executionRole,
+        timeout,
+      },
+      isCompleteHandlerDefinition: {
+        iamRole: this.executionRole,
+        handler: 'index.isCompleteHandler',
+        depsLockFilePath: __dirname+'/resources/QuickSightSubscription/package-lock.json',
+        entryFile: __dirname+'/resources/QuickSightSubscription/index.mjs',
+        timeout,
+        environment: {
+          AUTHENTICATION_METHOD: props.authenticationMethod,
+          AWS_ACCOUNT_ID: props.awsAccountId,
+          EDITION: props.edition,
+          IDENTITY_REGION: props.identityRegion
+        },
+      },      
+      queryInterval: Duration.seconds(1),
+      removalPolicy: this.removalPolicy,
+    });
+
+    this.serviceToken = provider.serviceToken;
+    this.submitLogGroup = provider.onEventHandlerLogGroup;
+    this.statusLogGroup = provider.isCompleteHandlerLog!;
+    this.cleanUpLogGroup = provider.cleanUpLogGroup;
+    this.submitFunction = provider.onEventHandlerFunction;
+    this.statusFunction = provider.isCompleteHandlerFunction!;
+    this.cleanUpFunction = provider.cleanUpFunction;
+    this.cleanUpRole = provider.cleanUpRole;    
+
+  }
+
+  
+
+  public createQuickSightSubscription(){
+    return new CustomResource(this, 'QuickSightSubscription', {
+      resourceType: QuickSightSubscription.RESOURCE_TYPE,
+      serviceToken: this.serviceToken,
+      properties: {
+        accountName: this.accountName,
+        notificationEmail: this.notificationEmail,
+        readerGroup: this.readerGroup,
+        authorGroup: this.authorGroup,
+        adminGroup: this.adminGroup
+      },
+      removalPolicy: this.removalPolicy
+    });    
+  }
+}