aws-solutions / aws-devops-monitoring-dashboard

The DevOps Monitoring Dashboard on AWS solution is a reference implementation that automates the process for monitoring and visualizing performance and operational metrics in a continuous integration/continuous delivery (CI/CD) pipeline following AWS best practices.
Apache License 2.0

Quicksight analysis and dashboard unable to be created #14

Closed trevorndodds closed 2 years ago

trevorndodds commented 2 years ago

Stack deploys fine, but the analysis and dashboard are unable to be created. Doing a describe on both of these QuickSight resources, I have a status of CREATION_FAILED with ERROR message: "you do not have permissions to access the source", "ACCESS_DENIED".

I suspect the issue is because the source is in us-east region which is blocked for us. Are you able to add ca-central-1 region or any other option?

aijunpeng commented 2 years ago

Thanks for opening the issue. The solution supports any region (including ca-central-1) as long as the underlying services used in the solution are supported in that region. It seems to me that the error you got might be with the permission of the account with which you ran the describe command instead of issues with the solution. Can you please elaborate more about your problem? As one of the prerequisites, a QS enterprise account must be created prior to deploying the stack: https://docs.aws.amazon.com/solutions/latest/devops-monitoring-dashboard-on-aws/automated-deployment.html. If you provided a valid QS account and the stack was created successfully, were you able to open the QS analysis and dashboard console in the region where the solution is deployed? What are you trying to achieve? Steps and screenshots would be helpful for understanding your case.

trevorndodds commented 2 years ago

The issue is that I’m not able to access your us-east QuickSight dashboard as we have SCPs that restrict access to Canada only. If you look at your code, the templates for QuickSight dashboards are all hosted in us-east.

One possible resolution is that I’ll have to deploy your solution in a personal account, import your QuickSight dashboards into ca-central, then try to update your code to point to this QuickSight account to import.

aijunpeng commented 2 years ago

Yes, as a workaround, you will need to copy the QS dashboard template into an account (A) in ca-central to which your final target account (B) can have access. You don't need to deploy the solution though, just call the QS create-template CLI command in account A to create a QS template using the solution's QS template. Please make sure that you set up a QS enterprise account with necessary permissions in account A to guarantee that the CLI command will run successfully. Once the QS template is in account A, you can then deploy the solution in Account B using the QS template ARN in Account A.

https://docs.aws.amazon.com/cli/latest/reference/quicksight/create-template.html

For your convenience, here is the JSON content, which you can save into a JSON file and pass as the value of the --cli-input-json parameter in your create-template CLI command.

{
    "AwsAccountId": "Your-CA-Account-A",
    "TemplateId": "solutions_aws-devops-monitoring-dashboard_v1_5_0",
    "Name": "solutions_aws-devops-monitoring-dashboard_v1_5_0",
    "Permissions": [
        {
            "Principal": "*",
            "Actions": [
                "quicksight:DescribeTemplate"
            ]
        }
    ],
    "SourceEntity": {
        "SourceTemplate": {
            "Arn": "arn:aws:quicksight:us-east-1:423991167869:template/solutions_aws-devops-monitoring-dashboard_v1_5_0"
        }
    }
}

Sample command: aws quicksight create-template --cli-input-json path-to-your-json-file --region ca-central-1
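
A variant of the input file from the comment above that grants `quicksight:DescribeTemplate` only to the root principal of account B instead of to every principal. This is an added example, not code from the thread or the solution; the function names are hypothetical, and it assumes account B consumes the template through its account root ARN.

```shell
#!/usr/bin/env bash
# Added example: build the create-template input with a scoped principal.
# Source ARN and template ID are the ones quoted in the thread.
SOURCE_ARN="arn:aws:quicksight:us-east-1:423991167869:template/solutions_aws-devops-monitoring-dashboard_v1_5_0"
TEMPLATE_ID="solutions_aws-devops-monitoring-dashboard_v1_5_0"

# An AWS account ID is exactly 12 decimal digits.
is_account_id() {
  case "$1" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Return 0 if the JSON on stdin grants a permission to the "*" principal.
has_wildcard_principal() {
  tr -d ' \t\r\n' | grep -q '"Principal":"\*"'
}

# Print the JSON for --cli-input-json: template owned by account A,
# DescribeTemplate granted only to the account root of account B.
build_template_input() {
  account_a=$1 account_b=$2
  is_account_id "$account_a" || { echo "account A id must be 12 digits" >&2; return 1; }
  is_account_id "$account_b" || { echo "account B id must be 12 digits" >&2; return 1; }
  cat <<EOF
{
    "AwsAccountId": "${account_a}",
    "TemplateId": "${TEMPLATE_ID}",
    "Name": "${TEMPLATE_ID}",
    "Permissions": [
        {
            "Principal": "arn:aws:iam::${account_b}:root",
            "Actions": ["quicksight:DescribeTemplate"]
        }
    ],
    "SourceEntity": {
        "SourceTemplate": {
            "Arn": "${SOURCE_ARN}"
        }
    }
}
EOF
}

# When run with two arguments, emit the input file on stdout.
if [ "$#" -eq 2 ]; then build_template_input "$1" "$2"; fi
```

Redirect the output to a file and pass it to the CLI as `--cli-input-json file://template.json`; `has_wildcard_principal < template.json` can be used to check any input file before running create-template.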

aijunpeng commented 2 years ago

Close the ticket due to inactivity