appvia / terraform-aws-cudos

Terraform repository used to deploy and manage a Cloud Intelligence framework
GNU General Public License v3.0
4 stars 1 forks source link

Unable to create quicksight Users #63

Open caquinomrge opened 3 weeks ago

caquinomrge commented 3 weeks ago

Hello,

We are trying to deploy aws cudos dashboard using this module, but currently we are getting this error when applying.

 The following resource(s) failed to create: [CidAthenaDataSource]. Rollback requested by user.
│ Resource handler returned message: "Invalid request provided: One or more principals in resource permissions list are not valid QuickSight users (Service: QuickSight, Status Code: 400, Request ID: null)" (RequestToken: 9ab244c7-12b0-1155-6196-1eaa0ca183ca, HandlerErrorCode: InvalidRequest)
│
│   with module.cudos.module.this.module.dashboards.aws_cloudformation_stack.cid,
│   on .terraform/modules/cudos.this.dashboards/terraform-modules/cid-dashboards/main.tf line 13, in resource "aws_cloudformation_stack" "cid":
│   13: resource "aws_cloudformation_stack" "cid" {

Note: Our identity provider is google and we are passing an xml

@gambol99 hope you can help, thank you!

wozzer72 commented 3 weeks ago

Hey @caquinomrge . The error is more related to Quicksight not your IdP:

not valid QuickSight users 

https://github.com/appvia/terraform-aws-cudos/blob/main/main.tf#L327 is the originator of this error.

For the AWS account into which you are deploying the dashboard, do you have an instance of QuickSight in the target region with the user created as identified by var.quicksights_username?

caquinomrge commented 3 weeks ago

Hey @wozzer72 . Thank you for this information we managed to deploy the dashboards by manually creating the user.

Currently we are getting this error, we still unable to create the user. We create this user manually by inviting him to our quicksight then we managed it by defining it in locals.tf

Error: registering QuickSight User (fullname@emaildomain.com): operation error QuickSight: RegisterUser, https response error StatusCode: 400, RequestID: d2744a6d-dca4-480c-a6bf-4a0027513468, InvalidParameterValueException: Invalid resource identifiers provided. Please check the documentation.
│
│   with module.cudos.module.this.aws_quicksight_user.users["fullname@emaildomain.com"],
│   on .terraform/modules/cudos.this/quicksights.tf line 14, in resource "aws_quicksight_user" "users":
│   14: resource "aws_quicksight_user" "users" {

Here below, we clearly define the user in our locals.tf.

quicksight_users = {
    "fullname@emaildomain.com" = {
      identity_type = "QUICKSIGHT"
      role          = "READER"
    } 
  }
wozzer72 commented 3 weeks ago

Good to know you got through to the end of deployment. That's no mean feat. Well done indeed.

We're still working through the Quicksight subscription/user resource ourselves.

In all instances we too have had to create the Quicksight instance manually and the users/groups accordingly. It's work in progress.

caquinomrge commented 3 weeks ago

@wozzer72 . When we try to add a new user using the module it generated a plan but.

  # module.cudos.module.this.aws_quicksight_user.users["fullname@email.com"] will be created
  + resource "aws_quicksight_user" "users" {
      + arn            = (known after apply)
      + aws_account_id = (known after apply)
      + email          = "fullname@email.com"
      + id             = (known after apply)
      + identity_type  = "QUICKSIGHT"
      + namespace      = "default"
      + user_role      = "READER"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

We get still get this error.

Error: registering QuickSight User (fullname@emaildomain.com): operation error QuickSight: RegisterUser, https response error StatusCode: 400, RequestID: d2744a6d-dca4-480c-a6bf-4a0027513468, InvalidParameterValueException: Invalid resource identifiers provided. Please check the documentation.
│
│   with module.cudos.module.this.aws_quicksight_user.users["fullname@emaildomain.com"],
│   on .terraform/modules/cudos.this/quicksights.tf line 14, in resource "aws_quicksight_user" "users":
│   14: resource "aws_quicksight_user" "users" {

We just want to know if we missed anything in input?

wozzer72 commented 2 weeks ago

Hey Christian

I cannot see anything obvious in your plan that would fail. The 400 is a "bad input data" API response which suggests it data validation issue. I do wonder if AWS is performing some basic validation on the email address - in your example "email.com" and "emaildomain.com" could indeed be examples only for the purpose of creating this issue. AWS QuickSight will of course be trying to send an invitation by email; maybe the 400 is because it failed to send the email invite or maybe because the user already exists (have you checked your QuickSight admin for existing users)?

But terraform is little more than a wrapper on the AWS SDK. Have you tried creating the user manually using the AWS SDK/CLI: https://docs.aws.amazon.com/quicksight/latest/developerguide/register-user.html?