Infrastructure deploy/quicksight-row-level-lambda.yml

AWSTemplateFormatVersion: 2010-09-09

Description: >
  python3.8

  Cloudformation template to deploy Lambda function along with IAM Role. This function is used to manage user permissions in QuickSight.
Parameters:
  Namespace:
    Description: Namespace for the QuickSight
    Default: default
    Type: String
  S3Bucket:
    Description: Namespace for the QuickSight
    Default: default
    Type: String
Resources:

  AwsQsLambdaExecutor:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AWSQSLambdaExecutor
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
              - Effect: Allow
                Action:
                  - quicksight:CreateGroup
                  - quicksight:CreateGroupMembership
                  - quicksight:DeleteGroupMembership
                  - quicksight:ListUsers
                Resource: '*'

  AwsQsUserCreate:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          import json
          import boto3
          import csv
          import os
          from urllib import unquote_plus
          s3=boto3.client('s3')
          client = boto3.client('quicksight')
          account_number= os.getenv('ACCOUNT_NUMBER', None)
          namespace=os.getenv('NAMESPACE', None)
          def get_existing_groups():
              existing_groups=[]
              response = client.list_groups(
              AwsAccountId=account_number,
              Namespace=namespace)
              for i in range (len(response['GroupList'])):
                  existing_groups.append(response['GroupList'][i]['GroupName'].encode('utf-8'))
              return existing_groups
          def get_file_contents(bucket,key):
              resp=s3.get_object(Bucket=bucket,Key=key)
              lines = resp['Body'].read().split()
              input_file = csv.DictReader(lines)
              return input_file
          def create_quick_sight_groups_bulk(bucket,key):
              existing_groups=get_existing_groups()
              input_file = get_file_contents(bucket,key)
              for row in input_file:
                  row=row['Group'].replace(' ','_')
                  if row not in existing_groups:
                      row=row.replace(' ','_')
                      create_quick_sight_group(row)
                      existing_groups.append(row)
          def create_quick_sight_group(group_name):
              response = client.create_group(
                  GroupName=group_name,
                  Description='Group:'+group_name,
                  AwsAccountId=account_number,
                  Namespace=namespace)
          def add_user_to_group(user_name,group_name):
              response = client.create_group_membership(
                  MemberName=user_name,
                  GroupName=group_name,
                  AwsAccountId=account_number,
                  Namespace=namespace)
          def create_user_group_memebership_bulk(bucket,key):
              existing_groups=get_existing_groups()
              input_file = get_file_contents(bucket,key)
              for row in input_file:
                  if " " in row['Group'].replace(' ','_'):
                      grp=row['Group'].replace(' ','_')
                  else:
                      grp=row['Group']
                  usr=row['User']
                  if grp not in existing_groups:
                      create_quick_sight_group(grp)
                      existing_groups.append(grp)
                      add_user_to_group(usr,grp)
          def remove_user_membership(user,group):
              response = client.delete_group_membership(
                  MemberName=user,
                  GroupName=group,
                  AwsAccountId=account_number,
                  Namespace=namespace)
          def remove_users_from_group(bucket,key):
              input_file = get_file_contents(bucket,key)
              for row in input_file:
                  grp=row['Group']
                  usr=row['User']
                  remove_user_membership(usr,grp)
          def lambda_handler(event, context):
              print(event)
              bucket_name = event['Records'][0]['s3']['bucket']['name']
              file_key = str(unquote_plus(event['Records'][0]['s3']['object']['key']))
              if 'add-user-to-group' in file_key:
                  create_user_group_memebership_bulk(bucket_name,file_key)
              elif 'remove-user-from-group' in file_key:
                  remove_users_from_group(bucket_name,file_key)
              elif 'add-groups' in file_key:
                  create_quick_sight_groups_bulk(bucket_name,file_key)
      Handler: index.lambda_handler
      Timeout: 60
      Runtime: python3.8
      ReservedConcurrentExecutions: 1
      Role: !GetAtt AwsQsLambdaExecutor.Arn
      MemorySize: 512
      Environment:
        Variables:
          ACCOUNT_NUMBER: !Ref AWS::AccountId
          NAMESPACE: !Ref Namespace