Closed julialawrence closed 3 months ago
MP Compute Dev account - working in ingestion for now, will move file and create properly named components when I can work in analytical-platform-compute
🚧
🇬🇧 London region - I cannot see any configuration options in Terraform which allow us to specify the region. I was beginning to think that the region was a bit irrelevant but I can see that only certain administrative tasks are 'certain administrative tasks that can only be done in that region' so need to better understand this.
Public sharing option enabled - if this refers to a dashboard, from the documentation "By default, dashboards in Amazon QuickSight aren't shared with anyone and are only accessible to the owner. However, after you publish a dashboard, you can share it with other users or groups in your QuickSight account..." ✅
Federated + Internal identity solution Identity Center integration - defined in the aws_quicksight_account_subscription Terraform resource. ✅
QuickSight-managed role 🚧
Access to the following services: S3, Athena, Glue 🚧
Are the final two bullet points related? Does this mean 'the QuickSight Managed Role should have access to the following services: S3, Athena, Glue' or are these distinct and the final point means that we want QuickSight Data Sources for S3, Athena, Glue? I suspect that the QuickSight Managed Role, may be created when the account has a QuickSight Subscription added, this is not noted in the terraform plan output.
The code works on the assumption that these are data sources. S3 and Athena can be defined in Terraform but Glue is not a parameter option.
📹 I found out that you can enable introductory videos for users.
I believe the region is selected not as a specific configurable attribute but by the region of the provider used to create the resource. So if you're using a provider set to London, I think it should create a QuickSight account with London being the main region.
The story has been updated and we now want to provision QS with identity center as the desired identity option. This is part of our effort to shift to IC and should make integration with lake formation simpler.
The final two points are related. We don't want to be managing the role manually. A managed role created by QS will update itself with the needed permissions when it is enabled for a specific service. The manual representation of this is logging into QS, going to manage QuickSight, and the click on service integration on the left side. Selecting or deselecting a checkbox updates the role under the hood. So this isn't calling for creation of data sources, just configuring the role.
Minor amounts of work done on this today.
Logging - there is no mention of logging in the Terraform resources for QuickSight and from the docs "CloudTrail is enabled on your AWS account when you create the account."
PR here but this ultimately boils down to this:
resource "aws_quicksight_account_subscription" "subscription" {
  account_name          = "analytical-platform-development"
  authentication_method = "IAM_IDENTITY_CENTER"
  edition               = "ENTERPRISE"
  admin_group           = ["analytical-platform"]
  author_group          = ["analytical-platform"]
  notification_email    = local.notification_email
}
This then provides this option:
Additionally we checked that we can consume the author_group as well and we can.
Glue is not an option we can enable in the Security & permissions settings in QS.
We will complete the EKS Cluster work in Ingestion then deploy to that account in MPE.
Analytical Platform Compute environment is now unblocked
QuickSight is not deploying via @Gary-H9's pull request, it times out.
When trying it manually in analytical-platform-compute-development, it fails with:
User: arn:aws:sts::381491960855:assumed-role/AWSReservedSSO_modernisation-platform-sandbox_d0899345ec1769be/jacobwoffenden@digital.justice.gov.uk is not authorized to perform: sso:CreateApplication on resource: arn:aws:sso:::instance/ssoins-7535d9af4f41fb26 because no identity-based policy allows the sso:CreateApplication action (Service: SsoAdmin, Status Code: 400, Request ID: 3b8af00b-7aaf-4f6a-8506-d6aaa6e7fc1f)
Assumption is that arn:aws:iam::381491960855:role/MemberInfrastructureAccess isn't able to do sso:CreateApplication on arn:aws:sso:::instance/ssoins-7535d9af4f41fb26 either.
Will raise with @ministryofjustice/modernisation-platform
QuickSight is deployed into analytical-platform-compute-development 🎉
The following permissions need adding to MemberInfrastructureAccess to deploy to test and production:
"sso:CreateApplication",
"sso:ListInstances",
"sso:DeleteApplication",
"sso:PutApplicationGrant",
"sso:PutApplicationAuthenticationMethod",
Moving back to blocked while permissions are updated
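To turn the quoted AccessDenied into a concrete policy change and then check it, here is an added example (not code from this thread or from the ministryofjustice repositories) that parses an AWS "is not authorized to perform" message, names the assumed role that needs the permission, and builds one Allow statement for the five sso actions listed above, scoped to the SSO instance ARN rather than "*". The account id, SSO instance id, session name and request id in SAMPLE_ERROR are constructed placeholders, and statement_covers is a deliberately simplified model of IAM evaluation (action/resource wildcards only; no Deny statements, conditions, permission boundaries or SCPs), so it is a sanity check on the proposed statement, not a substitute for the IAM policy simulator.

```python
"""Triage helper: parse an AWS AccessDenied message, identify the role to fix,
and build/verify an Allow statement for the sso:* actions this thread lists.
Added example; all sample values below are constructed placeholders."""
import fnmatch
import json
import re
from typing import Dict, List

# Constructed stand-in for the AccessDenied text quoted in the thread.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_example_abc123/"
    "engineer@example.gov.uk is not authorized to perform: sso:CreateApplication "
    "on resource: arn:aws:sso:::instance/ssoins-EXAMPLE because no identity-based "
    "policy allows the sso:CreateApplication action (Service: SsoAdmin, "
    "Status Code: 400, Request ID: 00000000-0000-0000-0000-000000000000)"
)

# The actions the thread says MemberInfrastructureAccess needs.
REQUIRED_SSO_ACTIONS = [
    "sso:CreateApplication",
    "sso:ListInstances",
    "sso:DeleteApplication",
    "sso:PutApplicationGrant",
    "sso:PutApplicationAuthenticationMethod",
]

# Shape of the "is not authorized to perform" message; resource, reason and the
# trailing (Service/Status/Request ID) block are optional in real messages.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*-]+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?: because (?P<reason>.+?))?"
    r"(?: \(Service: (?P<service>\w+), Status Code: (?P<status>\d+), "
    r"Request ID: (?P<request_id>[\w-]+)\))?$"
)


def parse_access_denied(message: str) -> Dict[str, str]:
    """Return the principal/action/resource/... fields present in the message."""
    match = DENIAL_RE.search(message.strip())
    if match is None:
        raise ValueError("not an AWS 'is not authorized to perform' message")
    return {k: v for k, v in match.groupdict().items() if v is not None}


def role_name_from_principal(principal_arn: str) -> str:
    """arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> ROLE (the role whose policy needs the allow)."""
    resource = principal_arn.split(":", 5)[5]
    kind, _, remainder = resource.partition("/")
    if kind != "assumed-role":
        raise ValueError(f"not an assumed-role principal: {principal_arn}")
    return remainder.split("/", 1)[0]


def build_allow_statement(actions: List[str], resource: str,
                          sid: str = "QuickSightIdentityCenter") -> dict:
    """One Allow statement scoped to a single resource ARN (least privilege, no '*')."""
    return {"Sid": sid, "Effect": "Allow",
            "Action": sorted(set(actions)), "Resource": [resource]}


def statement_covers(statement: dict, action: str, resource: str) -> bool:
    """Simplified IAM match: Allow only, '*'/'?' wildcards, actions case-insensitive."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = actions if isinstance(actions, list) else [actions]
    resources = resources if isinstance(resources, list) else [resources]
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def uncovered_denials(statement: dict, messages: List[str]) -> List[str]:
    """Actions from observed denials that the proposed statement still would not allow."""
    missing = []
    for msg in messages:
        denial = parse_access_denied(msg)
        if not statement_covers(statement, denial["action"], denial.get("resource", "*")):
            missing.append(denial["action"])
    return missing


if __name__ == "__main__":
    denial = parse_access_denied(SAMPLE_ERROR)
    print("role to fix:", role_name_from_principal(denial["principal"]))
    stmt = build_allow_statement(REQUIRED_SSO_ACTIONS, denial["resource"])
    print(json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=2))
    print("still uncovered:", uncovered_denials(stmt, [SAMPLE_ERROR]))
```

Feed it the real error text and the real instance ARN and the printed statement is the minimal change to the role; an empty "still uncovered" list means every denial you captured is matched by that statement.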
Pull request merged, but member-bootstrap failed so permissions not deployed 😭 being addressed by @ewastempel
@ewastempel has fixed the role in test and prod ❤, and QuickSight has successfully deployed to all compute environments 🎉
Moving issue into review as the DoD items we can do have been done, does this need expanding or something spinning out into another ticket @julialawrence @Ed-Bajo
User Story
As an AP Engineer I would like to deploy QuickSight into Modernisation Platform Compute account via Terraform
Value / Purpose
This is the first step to deploying a new solution for QuickSight
Proposal
Deploy QuickSight via Terraform
Federated + Internal identity solution
Identity Center integration
Additionally:
Provision sandbox/developer role as an administrator
Configure logging
Onboard the account to Observability Platform
Definition of Done