- This repository contains Terraform code for deploying AWS QuickSight dashboards, specifically the CUDOS and Cost Intelligence Dashboards used for Cost and Usage Report (CUR) analysis. It uses an Identity Provider (IdP) for authentication and implements Row-Level Security (RLS) to control which data each user can see.
- Before deploying the Terraform solution, ensure the following prerequisites are met:
- Identity Provider setup: an Identity Provider should be created in AWS for the Keycloak realm. The AWS QuickSight roles configured by this solution have a trust relationship with that IdP, allowing users with the assigned roles (Reader and Admin) to authenticate and access the QuickSight dashboards.
- Cost and Usage Reports configuration:
  - An S3 bucket will be deployed for CUR storage in the management account.
  - Post-deployment, manually set up CUR to point to this bucket.
  - Transfer any existing CUR data to this new bucket.
- QuickSight sign-up:
  - Manually sign up for QuickSight in the AWS account where the solution is deployed.
  - Log in to QuickSight and note the username. This username will be used to grant owner rights to the resources this solution deploys in QuickSight.
- Deploy the Terraform configuration, providing all necessary variables.
- Post-deployment, configure the CUR to use the S3 bucket created in the management account.
- Copy existing CUR data to the new bucket. An example script in the example-scripts directory can assist with this process.
- Since the CUR data crawler runs on a schedule, manually trigger it if immediate data visibility is needed post-deployment.
- Log in with the previously noted QuickSight username to access and manage the deployed resources.
- After copying CUR data to the bucket, be sure to manually run the data crawler if immediate data access is required.
- The RLS Lambda function synchronizes Keycloak users with QuickSight roles, updating access permissions based on user roles and their associated accounts. It runs every 30 minutes from 8 AM to 5 PM, Monday through Friday, staying within QuickSight's data refresh limits.
- Manually run the deployed Account Mapping Lambda, and the RLS Lambda that otherwise runs on a schedule, once after the first deployment so that all existing AWS accounts are mapped and every user's access information is updated.
- QuickSight needs permissions to read the S3 bucket where the CUR data is stored and to use Amazon Athena. Grant these from the QuickSight console: open Manage QuickSight from the QuickSight dashboard and use the Security & permissions section.
- Turn on the Email Syncing for Federated Users setting so that QuickSight uses the preconfigured email address passed by your identity provider when provisioning new users in this account. This is done in the Single sign-on (SSO) section of the QuickSight settings.
- Deploy the workload SSO configuration so that every AWS Billing Viewer role has the QuickSight Reader role attached to it.
- Once the solution is deployed and configured, users can log in with their designated QuickSight roles (Admin or Reader) to access the relevant dashboards. Data visibility is controlled through RLS, so users only see the account data they are permitted to access.
The RLS feature in this solution is central to controlling access to the QuickSight dashboards based on user roles and data permissions. It is implemented through a Lambda function that runs periodically to update the RLS settings in QuickSight. Here is how the RLS configuration works in this deployment:

- Lambda function: a Lambda function is configured to execute every 30 minutes between 8 AM and 5 PM, Monday to Friday. This schedule stays within the QuickSight data refresh limit of 32 refreshes per 24 hours.
- Role-based data access: the Lambda function identifies users by their AWS roles. Specifically, it looks for users holding the "Billing viewer" role in their respective AWS accounts. Only users with this role are included in the RLS dataset.
- Data filtering: once users are identified, the Lambda function updates the RLS settings in QuickSight so that each user can only access data for the AWS accounts where they hold the "Billing viewer" role. Data access is therefore tightly bound to the user's actual permissions.
- Impact on dashboard access: as a result of this RLS configuration, each user sees a tailored view of the QuickSight dashboards, with visibility limited to the cost and usage data of the AWS accounts where they hold the "Billing viewer" role.

By integrating this role-based access control, the solution ensures that the QuickSight dashboards provide a secure, customized view for each user, aligned with their specific access rights and roles within the AWS environment.
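The rule-building and scheduling behaviour described above, as an added Python example (not the repository's own Lambda code): it assumes a constructed list of Keycloak role assignments, constructed usernames and account IDs, and a hypothetical `account_id` column name, builds the user-based RLS rules in the shape QuickSight ingests for a permissions dataset, and counts the runs per day that a `cron()` schedule such as the `RLSLambdaScheduleExpression` default produces against the 32-per-day refresh limit cited in this README.

```python
"""Added example, not the repository's own Lambda code.

Builds the user-based row-level-security (RLS) rules the README describes:
one row per QuickSight user listing the AWS account IDs where that user
holds the "Billing viewer" role. The Keycloak assignment shape, the
usernames, the account IDs and the `account_id` column name are all
constructed assumptions for illustration.
"""
import csv
import io
import re
from collections import defaultdict

BILLING_VIEWER_ROLE = "Billing viewer"   # role name as given in the README
QUICKSIGHT_REFRESH_LIMIT_PER_DAY = 32    # refresh limit stated in the README

# Constructed sample data: which Keycloak user holds which role in which account.
SAMPLE_ASSIGNMENTS = [
    {"username": "alice@example.com", "account_id": "111111111111", "role": "Billing viewer"},
    {"username": "alice@example.com", "account_id": "222222222222", "role": "Billing viewer"},
    {"username": "bob@example.com", "account_id": "222222222222", "role": "Admin"},
    {"username": "bob@example.com", "account_id": "333333333333", "role": "Billing viewer"},
    {"username": "carol@example.com", "account_id": "111111111111", "role": "Developer"},
]


def build_rls_rules(assignments, account_column="account_id"):
    """Return one rule row per user: {"UserName": user, account_column: "id1,id2"}.

    Only "Billing viewer" grants count. A user with no such grant is left out
    of the rules entirely: QuickSight treats an empty cell as "all values",
    whereas a user absent from the rules dataset sees no rows at all, so
    omitting the user is the safe failure mode.
    """
    accounts = defaultdict(set)
    for grant in assignments:
        if grant["role"] == BILLING_VIEWER_ROLE:
            accounts[grant["username"]].add(grant["account_id"])
    return [
        {"UserName": user, account_column: ",".join(sorted(ids))}
        for user, ids in sorted(accounts.items(), key=lambda kv: kv[0])
        if ids
    ]


def rules_to_csv(rows, account_column="account_id"):
    """Serialise the rules as the CSV a QuickSight permissions dataset is built from.
    Multi-value cells contain commas, so the csv module quotes them."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["UserName", account_column], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def daily_runs(schedule_expression):
    """Count runs per scheduled day for an EventBridge cron() expression of the
    narrow shape used by this module's defaults: minute "0" or "0/N", hour "H"
    or "H1-H2". The day, month and year fields are not interpreted."""
    match = re.fullmatch(r"cron\((\S+) (\S+) \S+ \S+ \S+ \S+\)", schedule_expression)
    if not match:
        raise ValueError(f"unsupported schedule expression: {schedule_expression}")
    minute_field, hour_field = match.groups()
    step = re.fullmatch(r"0/(\d+)", minute_field)
    runs_per_hour = 60 // int(step.group(1)) if step else 1
    span = re.fullmatch(r"(\d+)-(\d+)", hour_field)
    hours = int(span.group(2)) - int(span.group(1)) + 1 if span else 1
    return runs_per_hour * hours


def within_refresh_limit(schedule_expression):
    """True when the schedule stays under the per-day refresh limit the README cites."""
    return daily_runs(schedule_expression) <= QUICKSIGHT_REFRESH_LIMIT_PER_DAY


if __name__ == "__main__":
    print(rules_to_csv(build_rls_rules(SAMPLE_ASSIGNMENTS)), end="")
    for expr in ("cron(0/30 8-17 ? * MON-FRI *)", "cron(0 8 ? * MON-FRI *)"):
        status = "ok" if within_refresh_limit(expr) else "OVER LIMIT"
        print(expr, daily_runs(expr), "runs/day", status)
```

The point to take from the example is the handling of users with no qualifying grant: carol holds a role in an account but not "Billing viewer", so she is dropped from the rules rather than written with an empty account cell, because an empty cell in a QuickSight permissions dataset means "all values" and would silently widen her access.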
| Name | Version |
|---|---|
| aws | ~>5.0 |
| keycloak | >= 4.1.0 |

| Name | Version |
|---|---|
| archive | n/a |
| aws | ~>5.0 |
| aws.master-account | ~>5.0 |
| keycloak | >= 4.1.0 |

| Name | Source | Version |
|---|---|---|
| cid_dashboards | github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cid-dashboards | 0.2.46 |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| AWSClientName | The name of the AWS client configured in Keycloak | string | "urn:amazon:webservices" | no |
| AccountMapLambdaScheduleExpression | The cron schedule for the Account Map Lambda to run. Default is every weekday at 8am. | string | "cron(0 8 ? * MON-FRI *)" | no |
| AccountMapLambdaTimezone | The timezone for the Account Map Lambda EventBridge scheduler | string | "Canada/Pacific" | no |
| CURBucketPath | S3 path for CUR data. In general, you want to navigate to the folder just before the year partition folders; in this example, the next folder in this path would be year=2024/. Example: s3:/// | string | n/a | yes |
| ClientIdKey | The name of the key within the above secret that points to the Client ID | string | "client_id" | no |
| ClientSecretKey | The name of the key within the above secret that points to the Client Secret | string | "client_secret" | no |
| KeycloakURL | The base URL of your Keycloak deployment. The Keycloak URL must not contain http(s)://. | string | n/a | yes |
| QuickSightUser | User name of the QuickSight user (as displayed in the QuickSight admin panel). The RLS DataSource and DataSet will be owned by this user. | string | n/a | yes |
| RLSLambdaScheduleExpression | The cron schedule for the RLS Lambda to run. Default is every 30 minutes, 8am-5:30pm MON-FRI | string | "cron(0/30 8-17 ? * MON-FRI *)" | no |
| RLSLambdaTimezone | The timezone for the RLS Lambda EventBridge scheduler | string | "Canada/Pacific" | no |
| aws_master_account_id | Account ID of the AWS master (or) management account | string | n/a | yes |
| aws_region | AWS region to deploy resources | string | "ca-central-1" | no |
| aws_saml_idp_arn | Name of the SAML identity provider in the AWS account | string | n/a | yes |
| bcgov_roles_access | Name of the BC Gov role that is needed to get access to the QuickSight dashboards | string | n/a | yes |
| cost_and_usage_report_table_name | Name of the cost and usage report table in Athena | string | n/a | yes |
| cur_export_bucket_name | Name of the bucket created in the management account to store exported CUR reports | string | n/a | yes |
| cur_replication_bucket_name | Name of the bucket where the Cost and Usage Reports are replicated. | string | n/a | yes |
| iam_replication_policy_name | Name of the IAM policy created and attached to the IAM replication role mentioned above. | string | n/a | yes |
| iam_replication_role_name | Name of the IAM role used to do the replication. | string | n/a | yes |
| idp_initiated_sso_relay_state | URL to redirect to once authentication is completed | string | n/a | yes |
| idp_initiated_sso_url_name | URL fragment name used to reference the client for IdP-initiated SSO | string | n/a | yes |
| kc_base_url | Base URL for Keycloak | any | n/a | yes |
| kc_realm | Realm name of the Keycloak deployment | any | n/a | yes |
| kc_terraform_auth_client_id | ID of the client used to connect to Keycloak | any | n/a | yes |
| kc_terraform_auth_client_secret | Secret of the client used to connect to Keycloak | any | n/a | yes |
| master_account_kms_key_alias | Alias of the master account KMS encryption key | string | n/a | yes |
| operations_account_id | Account ID of the AWS master (or) management account | string | n/a | yes |
| operations_account_kms_key_alias | Alias of the operations account KMS encryption key | string | n/a | yes |
| quicksight_client_id | ID of the QuickSight client created | string | "Quicksight" | no |
| quicksight_client_name | Name of the QuickSight client created | string | "Quicksight" | no |
| rls_lambda_client_id | ID of the RLS Lambda client created | string | "rls-lambda" | no |
| rls_lambda_client_name | Name of the RLS Lambda client created | string | "RLS-Lambda-Client" | no |
| rls_lambda_client_roles | List of Keycloak role names | list(string) | [ | no |
| session_duration | Session duration length in seconds | number | 10800 | no |

| Name | Description |
|---|---|
| cur_replication_bucket_name | Name of the bucket created in the destination account to replicate the CUR data from the management account |
| glue_table_name | n/a |
| quicksight_admin_role_arn | ARN of the QuickSight Admin role created |
| quicksight_reader_role_arn | ARN of the QuickSight Reader role created |