ministryofjustice / analytical-platform

Analytical Platform • This repository is defined and managed in Terraform
https://docs.analytical-platform.service.justice.gov.uk
MIT License

🔧 QuickSight Terraform #3881

Closed julialawrence closed 3 months ago

julialawrence commented 5 months ago

User Story

As an AP Engineer I would like to deploy QuickSight into the Modernisation Platform Compute account via Terraform

Value / Purpose

This is the first step to deploying a new solution for QuickSight

Proposal

Deploy QuickSight via Terraform

  1. MP Compute Dev account
  2. London region
  3. Public sharing option enabled
  4. Federated + Internal identity solution Identity Center integration
  5. QuickSight-managed role
  6. Access to the following services: S3, Athena, Glue

Additionally:

  1. Provision sandbox/developer role as an administrator
  2. Configure logging
  3. Onboard the account to Observability Platform

Definition of Done

Gary-H9 commented 4 months ago

Notes - 7th May

Are the final two bullet points related? Does this mean 'the QuickSight Managed Role should have access to the following services: S3, Athena, Glue', or are these distinct and the final point means that we want QuickSight Data Sources for S3, Athena, Glue? I suspect that the QuickSight Managed Role may be created when the account has a QuickSight Subscription added; this is not noted in the terraform plan output.

The code works on the assumption that these are data sources. S3 and Athena can be defined in Terraform but Glue is not a parameter option.

📹 I found out that you can enable introductory videos for users.

julialawrence commented 4 months ago

I believe the region is selected not as a specific configurable attribute but by the region of the provider used to create the resource. So if you're using a provider set to London, I think it should create a QuickSight account with London being the main region.

The story has been updated and we now want to provision QS with identity center as the desired identity option. This is part of our effort to shift to IC and should make integration with lake formation simpler.

The final two points are related. We don't want to be managing the role manually. A managed role created by QS will update itself with the needed permissions when it is enabled for a specific service. The manual representation of this is logging into QS, going to Manage QuickSight, and then clicking on Security & permissions on the left side. Selecting or deselecting a checkbox updates the role under the hood. So this isn't calling for creation of data sources, just configuring the role.

Gary-H9 commented 4 months ago

Notes 8th May

Minor amounts of work done on this today.

Logging - there is no mention of logging in the Terraform resources for QuickSight and from the docs "CloudTrail is enabled on your AWS account when you create the account."

Gary-H9 commented 4 months ago

PR here but this ultimately boils down to this:

resource "aws_quicksight_account_subscription" "subscription" {
  account_name          = "analytical-platform-development"
  # Identity Center, not IAM/QuickSight-native users; the groups below are
  # Identity Center group names.
  authentication_method = "IAM_IDENTITY_CENTER"
  edition               = "ENTERPRISE"
  admin_group           = ["analytical-platform"]
  author_group          = ["analytical-platform"]
  notification_email    = local.notification_email
}

This then provides this option:

Image

Additionally we checked that we can consume the author_group as well and we can.

Glue is not an option we can enable in the Security & permissions settings in QS

Image

Image

We will complete the EKS Cluster work in Ingestion then deploy to that account in MPE.
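The subscription resource above, carried through to a complete stand-alone root module, as an added example (not code from the analytical-platform repository). It makes two points from the thread explicit in code: the subscription's home region comes from the provider, not from a resource argument, so London is pinned on the provider; and the groups are Identity Center group names. The `notification_email` value, the `required_version`/provider constraints and the assumption that an `analytical-platform` group already exists in the connected identity store are all illustrative. The QuickSight-managed role and its per-service toggles (S3, Athena) are not modelled, because the thread shows them being configured in the QuickSight console rather than in Terraform.

```hcl
# Added example, not the repository's own code.
# Assumptions: the Identity Center group "analytical-platform" exists in the
# connected identity store, the notification address is a placeholder, and the
# deploying credentials already hold the sso:* permissions QuickSight needs.

terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# QuickSight has no region argument of its own: the subscription is created in,
# and homed to, the region of the provider that creates it. Pin London here
# rather than relying on AWS_REGION or a shared default.
provider "aws" {
  region = "eu-west-2"
}

locals {
  # Placeholder; the real module sources this from elsewhere.
  notification_email = "analytical-platform@example.com"
}

resource "aws_quicksight_account_subscription" "subscription" {
  account_name = "analytical-platform-development"
  edition      = "ENTERPRISE"

  # Identity Center federation instead of IAM or QuickSight-native users.
  # admin_group / author_group are Identity Center group names, not IAM groups;
  # QuickSight creates an Identity Center application for itself on creation,
  # which is why the deploying role needs sso:CreateApplication.
  authentication_method = "IAM_IDENTITY_CENTER"
  admin_group           = ["analytical-platform"]
  author_group          = ["analytical-platform"]

  notification_email = local.notification_email
}

# Useful after apply: the subscription can sit in a non-ACCOUNT_CREATED state
# while QuickSight finishes provisioning, which is when timeouts show up.
output "quicksight_subscription_status" {
  value = aws_quicksight_account_subscription.subscription.account_subscription_status
}
```

Run with `terraform init && terraform plan` using credentials for the target account; the plan should show a single `aws_quicksight_account_subscription` to create and nothing region-specific beyond the provider block.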

jacobwoffenden commented 4 months ago

Analytical Platform Compute environment is now unblocked

jacobwoffenden commented 4 months ago

QuickSight is not deploying via @Gary-H9's pull request; it times out.

When trying it manually in analytical-platform-compute-development, it fails with:

User: arn:aws:sts::381491960855:assumed-role/AWSReservedSSO_modernisation-platform-sandbox_d0899345ec1769be/jacobwoffenden@digital.justice.gov.uk is not authorized to perform: sso:CreateApplication on resource: arn:aws:sso:::instance/ssoins-7535d9af4f41fb26 because no identity-based policy allows the sso:CreateApplication action (Service: SsoAdmin, Status Code: 400, Request ID: 3b8af00b-7aaf-4f6a-8506-d6aaa6e7fc1f)

Assumption is that arn:aws:iam::381491960855:role/MemberInfrastructureAccess isn't able to do sso:CreateApplication on arn:aws:sso:::instance/ssoins-7535d9af4f41fb26 either

Will raise with @ministryofjustice/modernisation-platform

jacobwoffenden commented 3 months ago

QuickSight is deployed into analytical-platform-compute-development 🎉

The following permissions need adding to MemberInfrastructureAccess to deploy to test and production

"sso:CreateApplication",
"sso:ListInstances",
"sso:DeleteApplication",
"sso:PutApplicationGrant",
"sso:PutApplicationAuthenticationMethod",
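The permission list above, expressed as a least-privilege policy attached to the deploying role, as an added example. This is not the Modernisation Platform's member-bootstrap code (which is where `MemberInfrastructureAccess` is actually managed). It assumes the role lives in the same account as the Identity Center instance, discovers the instance ARN via the `aws_ssoadmin_instances` data source instead of hard-coding `ssoins-...`, and treats the `application/*` resource pattern for the application-level actions as an assumption: the thread only shows the instance ARN, and the QuickSight application does not exist until the subscription creates it.

```hcl
# Added example, not member-bootstrap code.
# Assumptions: same-account Identity Center instance; the application ARN
# pattern below is an assumption about resource scoping, not taken from the
# thread. If the account's policy allows, replace it with the concrete
# application ARN once the subscription has created it.

data "aws_caller_identity" "current" {}

# Returns the Identity Center instance ARN(s) the account can see, so the
# ssoins-... identifier from the error message is not hard-coded.
data "aws_ssoadmin_instances" "main" {}

data "aws_iam_policy_document" "quicksight_identity_center" {
  # ListInstances is not resource-scoped; it must be granted on "*".
  statement {
    sid       = "DiscoverIdentityCenterInstance"
    actions   = ["sso:ListInstances"]
    resources = ["*"]
  }

  # CreateApplication acts on the instance ARN: this is the exact action and
  # resource named in the AccessDenied error above.
  statement {
    sid       = "CreateQuickSightApplication"
    actions   = ["sso:CreateApplication"]
    resources = tolist(data.aws_ssoadmin_instances.main.arns)
  }

  # The remaining actions act on the application QuickSight creates.
  # ASSUMPTION: application ARNs take the form
  # arn:aws:sso::<account-id>:application/..., scoped here to this account.
  statement {
    sid = "ManageQuickSightApplication"
    actions = [
      "sso:DeleteApplication",
      "sso:PutApplicationGrant",
      "sso:PutApplicationAuthenticationMethod",
    ]
    resources = ["arn:aws:sso::${data.aws_caller_identity.current.account_id}:application/*"]
  }
}

resource "aws_iam_policy" "quicksight_identity_center" {
  name        = "quicksight-identity-center-deploy"
  description = "Identity Center permissions required to create a QuickSight IAM_IDENTITY_CENTER subscription"
  policy      = data.aws_iam_policy_document.quicksight_identity_center.json
}

# Role name taken from the thread; it is assumed to exist already.
resource "aws_iam_role_policy_attachment" "member_infrastructure_access_quicksight" {
  role       = "MemberInfrastructureAccess"
  policy_arn = aws_iam_policy.quicksight_identity_center.arn
}
```

Two checks worth doing before relying on this: run `terraform plan` and confirm `data.aws_ssoadmin_instances.main.arns` resolves to the expected `ssoins-...` ARN, and after attaching the policy, re-run the subscription apply from the role (not from an SSO sandbox session) so the error, if any, names the role you actually intend to fix.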

jacobwoffenden commented 3 months ago

Moving back to blocked while permissions are updated

jacobwoffenden commented 3 months ago

Pull request merged, but member-bootstrap failed so permissions not deployed 😭 being addressed by @ewastempel

jacobwoffenden commented 3 months ago

@ewastempel has fixed the role in test and prod ❤, and QuickSight has successfully deployed to all compute environments 🎉

Image

jacobwoffenden commented 3 months ago

Moving issue into review as the DoD items we can do have been done, does this need expanding or something spinning out into another ticket @julialawrence @Ed-Bajo

jacobwoffenden commented 3 months ago

QuickSight logs out to CloudTrail, and we can see CloudTrail's CloudWatch log group in Observability Platform - https://g-e937f84aea.grafana-workspace.eu-west-2.amazonaws.com/explore?orgId=1&left=%7B%22datasource%22:%220sEx8qYSz%22,%22queries%22:%5B%7B%22id%22:%22%22,%22region%22:%22default%22,%22logGroups%22:%5B%7B%22arn%22:%22arn:aws:logs:eu-west-2:381491960855:log-group:cloudtrail:%2A%22,%22name%22:%22cloudtrail%22,%22accountId%22:%22381491960855%22%7D%5D,%22queryMode%22:%22Logs%22,%22namespace%22:%22%22,%22metricName%22:%22%22,%22expression%22:%22fields%20@timestamp,%20@message%20%7C%5Cn%20filter%20eventSource%20%3D%3D%20%5C%22quicksight.amazonaws.com%5C%22%20%7C%5Cn%20filter%20sourceIPAddress%20%21%3D%20%5C%22config.amazonaws.com%5C%22%20%7C%5Cn%20sort%20@timestamp%20desc%20%7C%5Cn%20limit%2020%22,%22dimensions%22:%7B%7D,%22statistic%22:%22Average%22,%22period%22:%22%22,%22metricQueryType%22:0,%22metricEditorMode%22:0,%22sqlExpression%22:%22%22,%22matchExact%22:true,%22refId%22:%22A%22,%22datasource%22:%7B%22type%22:%22cloudwatch%22,%22uid%22:%220sEx8qYSz%22%7D,%22label%22:%22%22,%22statsGroups%22:%5B%5D%7D%5D,%22range%22:%7B%22from%22:%22now-7d%22,%22to%22:%22now%22%7D%7D
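The Logs Insights query embedded in the Grafana link above, saved as a CloudWatch query definition in Terraform so it lives alongside the rest of the account's configuration rather than only in a browser URL. This is an added example, not code from the repository. The query text is decoded from the link's `expression` parameter; the `cloudtrail` log group name matches the link, and the definition name is illustrative.

```hcl
# Added example, not the repository's own code.
# Assumes the provider is configured for the account and region (eu-west-2)
# whose CloudTrail trail writes to a CloudWatch log group named "cloudtrail".

resource "aws_cloudwatch_query_definition" "quicksight_cloudtrail" {
  name = "quicksight/cloudtrail-events" # illustrative name

  log_group_names = ["cloudtrail"]

  # Same query as the Grafana explore link: QuickSight API activity, with the
  # AWS Config service's own read-only polling of QuickSight filtered out so
  # the results are the human and automation calls you actually care about.
  query_string = <<-EOT
    fields @timestamp, @message |
    filter eventSource == "quicksight.amazonaws.com" |
    filter sourceIPAddress != "config.amazonaws.com" |
    sort @timestamp desc |
    limit 20
  EOT
}
```

Once applied, the query appears under Saved queries in Logs Insights for that account; the Grafana data source reads the same log group, so results in both places should agree for the same time range.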