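AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Deploys a Lambda function (plus its IAM execution role) that manages QuickSight
  groups and group memberships from CSV files dropped into an S3 bucket. The object
  key selects the action: add-groups, add-user-to-group or remove-user-from-group.

# NOTE(review): the S3 event notification and the AWS::Lambda::Permission that allow
# the bucket to invoke this function are not part of this template; they have to be
# configured separately for the function to ever be triggered.

Parameters:
  Namespace:
    Description: QuickSight namespace in which groups and memberships are managed
    Default: default
    Type: String
  S3Bucket:
    Description: >-
      Name of the S3 bucket that delivers the CSV instruction files. Anyone who can
      write objects to this bucket can change QuickSight group membership, so
      restrict write access to it accordingly.
    Default: default
    Type: String

Resources:
  AwsQsLambdaExecutor:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AWSQSLambdaExecutor
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # CloudWatch Logs, limited to Lambda log groups in this account and
              # region instead of every log group everywhere.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*'
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:*'
              # Read-only access to the CSV instruction files.
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
              # QuickSight group management. The function calls ListGroups (it never
              # calls ListUsers), so that is the permission granted. Scoped to groups
              # in the configured namespace of this account rather than '*'.
              - Effect: Allow
                Action:
                  - quicksight:CreateGroup
                  - quicksight:CreateGroupMembership
                  - quicksight:DeleteGroupMembership
                  - quicksight:ListGroups
                Resource: !Sub 'arn:aws:quicksight:*:${AWS::AccountId}:group/${Namespace}/*'

  AwsQsUserCreate:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          """Maintain QuickSight groups and memberships from CSV files in S3.

          Invoked by S3 object-created events. The object key selects the action:
            add-groups              CSV with a 'Group' column: create missing groups
            add-user-to-group       CSV with 'User' and 'Group' columns: add memberships
            remove-user-from-group  CSV with 'User' and 'Group' columns: remove memberships
          Group names are normalised (trimmed, spaces -> underscores) in every action
          so that all three agree on the name of a group.
          """
          import csv
          import os
          # python3: urllib.unquote_plus no longer exists, it lives in urllib.parse.
          from urllib.parse import unquote_plus

          import boto3

          s3 = boto3.client('s3')
          client = boto3.client('quicksight')
          account_number = os.getenv('ACCOUNT_NUMBER', None)
          namespace = os.getenv('NAMESPACE', None)


          def normalize_group_name(group_name):
              """Canonical form of a group name: trimmed, spaces replaced by underscores."""
              return group_name.strip().replace(' ', '_')


          def get_existing_groups():
              """Return the set of group names already present in the namespace.

              Follows NextToken so that namespaces with more than one page of groups
              are fully enumerated; otherwise groups on later pages would be treated
              as missing and re-created.
              """
              existing_groups = set()
              kwargs = {'AwsAccountId': account_number, 'Namespace': namespace}
              while True:
                  response = client.list_groups(**kwargs)
                  for group in response.get('GroupList', []):
                      # Keep names as str: the CSV rows are str, and a bytes/str
                      # mismatch would make every membership check fail.
                      existing_groups.add(group['GroupName'])
                  next_token = response.get('NextToken')
                  if not next_token:
                      return existing_groups
                  kwargs['NextToken'] = next_token


          def get_file_contents(bucket, key):
              """Fetch a CSV object from S3 and return a csv.DictReader over its rows."""
              resp = s3.get_object(Bucket=bucket, Key=key)
              # Decode before parsing (csv needs str on python3) and split on line
              # boundaries only; split() would also tear apart values containing spaces.
              body = resp['Body'].read().decode('utf-8-sig')
              return csv.DictReader(body.splitlines())


          def create_quick_sight_group(group_name):
              """Create a group in the namespace; an already-existing group is not an error."""
              try:
                  client.create_group(
                      GroupName=group_name,
                      Description='Group:' + group_name,
                      AwsAccountId=account_number,
                      Namespace=namespace)
              except client.exceptions.ResourceExistsException:
                  print('group already exists: ' + group_name)


          def ensure_group(group_name, existing_groups):
              """Create group_name unless it is already known; record it in existing_groups."""
              if group_name not in existing_groups:
                  create_quick_sight_group(group_name)
                  existing_groups.add(group_name)


          def add_user_to_group(user_name, group_name):
              """Add user_name to group_name in the namespace."""
              client.create_group_membership(
                  MemberName=user_name,
                  GroupName=group_name,
                  AwsAccountId=account_number,
                  Namespace=namespace)


          def remove_user_membership(user, group):
              """Remove user from group in the namespace."""
              client.delete_group_membership(
                  MemberName=user,
                  GroupName=group,
                  AwsAccountId=account_number,
                  Namespace=namespace)


          def create_quick_sight_groups_bulk(bucket, key):
              """add-groups: create every group named in the 'Group' column that is missing."""
              existing_groups = get_existing_groups()
              for row in get_file_contents(bucket, key):
                  grp = normalize_group_name(row['Group'])
                  if grp:
                      ensure_group(grp, existing_groups)


          def create_user_group_memebership_bulk(bucket, key):
              """add-user-to-group: add each User to its Group, creating the group if needed."""
              existing_groups = get_existing_groups()
              for row in get_file_contents(bucket, key):
                  grp = normalize_group_name(row['Group'])
                  usr = row['User'].strip()
                  if not grp or not usr:
                      print('skipping row with empty User or Group: ' + str(row))
                      continue
                  ensure_group(grp, existing_groups)
                  add_user_to_group(usr, grp)


          def remove_users_from_group(bucket, key):
              """remove-user-from-group: remove each User from its Group."""
              for row in get_file_contents(bucket, key):
                  grp = normalize_group_name(row['Group'])
                  usr = row['User'].strip()
                  if grp and usr:
                      remove_user_membership(usr, grp)


          # Substring of the object key -> action. Checked in this order.
          ACTIONS = (
              ('add-user-to-group', create_user_group_memebership_bulk),
              ('remove-user-from-group', remove_users_from_group),
              ('add-groups', create_quick_sight_groups_bulk),
          )


          def lambda_handler(event, context):
              """Dispatch every S3 record in the event to the action named by its key.

              Keys that match none of the known action names are logged and ignored
              instead of silently doing nothing.
              """
              print(event)
              for record in event.get('Records', []):
                  bucket_name = record['s3']['bucket']['name']
                  # S3 URL-encodes keys in event notifications ('+' for space etc.).
                  file_key = unquote_plus(record['s3']['object']['key'])
                  for marker, action in ACTIONS:
                      if marker in file_key:
                          action(bucket_name, file_key)
                          break
                  else:
                      print('ignoring object with unrecognised key: ' + file_key)
      Handler: index.lambda_handler
      Timeout: 60
      # python3.8 is past end of support on Lambda (no security patches); the
      # function code above runs unchanged on 3.12.
      Runtime: python3.12
      ReservedConcurrentExecutions: 1
      Role: !GetAtt AwsQsLambdaExecutor.Arn
      MemorySize: 512
      Environment:
        Variables:
          ACCOUNT_NUMBER: !Ref AWS::AccountId
          NAMESPACE: !Ref Namespace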