Terraform module that configures KeyCloak and AWS QuickSight dashboards for billing

bcgov/terraform-aws-quicksight-billing-dashboard-configuration

README for AWS QuickSight Dashboards Deployment with Terraform

Overview

This repository contains Terraform code for deploying AWS QuickSight dashboards for Cost and Usage Report (CUR) analysis through the CUDOS and Cost Intelligence Dashboards. It uses an Identity Provider (IdP) for authentication and implements Row-Level Security (RLS) so that each user sees only the cost data they are permitted to see.

Prerequisites

Before deploying the Terraform solution, ensure the following prerequisites are met:

  • Identity Provider Setup: An Identity Provider must exist in AWS for the Keycloak realm. The AWS QuickSight roles configured by this solution have a trust relationship with that IdP, allowing users with the assigned roles (Reader and Admin) to authenticate and access the QuickSight dashboards.
  • Cost and Usage Reports Configuration:
    • An S3 bucket is deployed for CUR storage in the management account.
    • After deployment, manually configure CUR to deliver to this bucket.
    • Transfer any existing CUR data to this new bucket.
  • QuickSight Sign-up:
    • Manually sign up for QuickSight in the AWS account where the solution is deployed.
    • Log in to QuickSight and note the username. This username is used to grant owner rights to the resources this solution deploys in QuickSight.

Deployment Process

  • Deploy the Terraform configuration, providing all necessary variables.
  • Post-deployment, configure the CUR to use the created S3 bucket in the management account.
  • Copy existing CUR data to the new bucket. An example script in the example-scripts directory can assist with this process.
  • Since the CUR data crawler runs on a schedule, manually trigger it if immediate data visibility is needed post-deployment.
  • Log in with the previously noted QuickSight username to access and manage the deployed resources.

Post-Deployment Configuration

  • After copying CUR data to the bucket, run the data crawler manually if immediate data access is required.
  • The RLS Lambda function synchronizes Keycloak users with QuickSight roles, updating access permissions based on user roles and their associated accounts. It runs every 30 minutes from 8 AM to 5 PM, Monday through Friday, staying within QuickSight's data refresh limits.
  • Run the deployed Account Mapping Lambda and the scheduled RLS Lambda manually once after deployment, so that all existing AWS accounts are mapped and every user's access information is populated before the first scheduled run.
  • QuickSight must be granted permission to read the S3 bucket where the CUR data is stored and to use Amazon Athena. This is done from Manage QuickSight in the QuickSight console, under the Security & permissions section.
  • Turn on the Email Syncing for Federated Users setting so that QuickSight uses the preconfigured email address passed by your identity provider when provisioning new users in this account. This setting is in the Single sign-on (SSO) section of the QuickSight settings.
  • Deploy the workload SSO configuration so that every AWS Billing Viewer role has the QuickSight Reader role attached to it.

Accessing the Dashboards

Once the solution is deployed and configured, users log in with their designated QuickSight role (Admin or Reader) to access the relevant dashboards. Data visibility is controlled through RLS, so users see only the data of the accounts they are permitted to access.

Row-Level Security (RLS) Configuration

The RLS feature in this solution is pivotal for controlling access to the QuickSight dashboards based on user roles and data permissions. It is implemented through a Lambda function that runs periodically to update the RLS settings in QuickSight. Here's how the RLS configuration works in this deployment:

  • Lambda Function: A Lambda function executes every 30 minutes between 8 AM and 5 PM, Monday to Friday. This schedule stays within the QuickSight data refresh limit of 32 refreshes per 24 hours.

  • Role-Based Data Access: The Lambda function is designed to identify users based on their AWS roles. Specifically, it looks for users with the "Billing viewer" role in their respective AWS accounts. Only users with this role are considered for the RLS dataset.

  • Data Filtering: Once identified, the Lambda function updates the RLS settings in QuickSight, ensuring that users can only access data related to the AWS accounts where they have the "Billing viewer" role. This ensures that data access is tightly controlled and aligned with user permissions.

  • Impact on Dashboard Access: As a result of this RLS configuration, users will see a tailored view of the QuickSight dashboards. They will only have visibility into the cost and usage data of the AWS accounts where they hold the "Billing viewer" role, enhancing security and ensuring data relevance.

By integrating this role-based access control, the solution ensures that the QuickSight dashboards provide a secure, customized view for each user, aligned with their specific access rights and roles within the AWS environment.
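The synchronization described in the Post-Deployment Configuration and Row-Level Security sections reduces to one transformation: role assignments in, a QuickSight RLS rules table out. The following is an added illustration written for this README, not the repository's Lambda code. It assumes a constructed list of (Keycloak username, AWS account ID, role) assignments in place of the Keycloak API calls, assumes the federated QuickSight user name has the form `<IAM role name>/<session name>` with the Keycloak username as session name, and uses `quicksight_reader` as a placeholder IAM role name and `account_id` as the RLS filter column.

```python
"""Build a QuickSight row-level-security (RLS) rules table from role assignments.

Added illustration, not the repository's Lambda code. The input below is a
constructed stand-in for what the RLS Lambda reads from Keycloak; the output is
the rules table QuickSight expects: one UserName column plus one filter column
(here account_id) listing the only account IDs that user may see.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

BILLING_VIEWER_ROLE = "Billing viewer"        # role name as quoted in the README
QUICKSIGHT_READER_ROLE = "quicksight_reader"  # assumed IAM role name for federated readers

# Constructed sample input: (Keycloak username, AWS account ID, role held in that account).
SAMPLE_ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("alice@example.com", "111111111111", "Billing viewer"),
    ("alice@example.com", "222222222222", "Billing viewer"),
    ("bob@example.com", "111111111111", "Developer"),         # no billing role: no row at all
    ("carol@example.com", "333333333333", "Billing viewer"),
    ("carol@example.com", "333333333333", "Billing viewer"),  # duplicate assignment
]


def federated_user_name(iam_role: str, session_name: str) -> str:
    """QuickSight identifies an IAM-federated user as '<role name>/<session name>'.
    Assumption: the SAML session-name mapper passes the Keycloak username."""
    return f"{iam_role}/{session_name}"


def build_rls_rules(assignments: Iterable[Tuple[str, str, str]],
                    iam_role: str = QUICKSIGHT_READER_ROLE) -> List[Dict[str, str]]:
    """One rules row per user who holds the billing role in at least one account.

    Users without the role get no row, which QuickSight treats as 'no data';
    duplicate assignments collapse into a single account ID.
    """
    accounts_by_user: Dict[str, set] = defaultdict(set)
    for user, account, role in assignments:
        if role == BILLING_VIEWER_ROLE:
            accounts_by_user[user].add(account)
    return [
        {
            "UserName": federated_user_name(iam_role, user),
            # Comma-separated values in one cell grant access to each listed value.
            "account_id": ",".join(sorted(accounts_by_user[user])),
        }
        for user in sorted(accounts_by_user)
    ]


def validate_rules(rows: List[Dict[str, str]]) -> bool:
    """Refuse to publish a row whose filter value is blank.

    In a QuickSight RLS dataset a blank cell means 'all values', so an empty
    account_id would silently give that user visibility into every account.
    """
    for row in rows:
        if not row["account_id"].strip():
            raise ValueError(
                f"blank account_id for {row['UserName']} would grant access to all accounts"
            )
    return True


def rules_to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise validated rules as the CSV the RLS dataset is loaded from."""
    validate_rules(rows)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["UserName", "account_id"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rules_to_csv(build_rls_rules(SAMPLE_ASSIGNMENTS)))
```

Two properties of the rules table matter for a review of the real Lambda: a user who loses the Billing viewer role must disappear from the table entirely (absence is what denies access), and no row may ever carry a blank filter cell, because QuickSight reads a blank as unrestricted rather than as empty.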

Requirements

| Name | Version |
|------|---------|
| aws | ~>5.0 |
| keycloak | >= 4.1.0 |

Providers

| Name | Version |
|------|---------|
| archive | n/a |
| aws | ~>5.0 |
| aws.master-account | ~>5.0 |
| keycloak | >= 4.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cid_dashboards | github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cid-dashboards | 0.2.46 |

Resources

| Name | Type |
|------|------|
| aws_glue_catalog_table.account_mapping_table | resource |
| aws_glue_catalog_table.rls_glue_table | resource |
| aws_iam_policy.athena_and_glue_permissions | resource |
| aws_iam_policy.org_and_s3_permissions | resource |
| aws_iam_policy.quicksight_admin_policy | resource |
| aws_iam_policy.quicksight_reader_policy | resource |
| aws_iam_policy.replication_policy | resource |
| aws_iam_role.RLSLambdaExecutionRole | resource |
| aws_iam_role.account_map_lambda_execution_role | resource |
| aws_iam_role.account_map_lambda_schedule_role | resource |
| aws_iam_role.lambda_schedule_role | resource |
| aws_iam_role.quicksight_admin | resource |
| aws_iam_role.quicksight_reader | resource |
| aws_iam_role.replication_role | resource |
| aws_iam_role_policy.QuickSightPermissions | resource |
| aws_iam_role_policy.S3Permissions | resource |
| aws_iam_role_policy.SecretsManagerPermissions | resource |
| aws_iam_role_policy.invoke_account_map_lambda | resource |
| aws_iam_role_policy.invoke_rls_lambda | resource |
| aws_iam_role_policy_attachment.athena_and_glue_permissions_attach | resource |
| aws_iam_role_policy_attachment.lambda_basic_execution | resource |
| aws_iam_role_policy_attachment.org_and_s3_permissions_attach | resource |
| aws_iam_role_policy_attachment.quicksight_admin_policy_attach | resource |
| aws_iam_role_policy_attachment.quicksight_reader_policy_attach | resource |
| aws_iam_role_policy_attachment.replication_role_policy_attachment | resource |
| aws_lambda_function.account_mapping_lambda | resource |
| aws_lambda_function.rls_lambda | resource |
| aws_quicksight_data_set.rls_athena_data_set | resource |
| aws_quicksight_data_source.quicksight_data_source | resource |
| aws_s3_bucket.cur_export_bucket | resource |
| aws_s3_bucket.destination_bucket | resource |
| aws_s3_bucket_policy.destination_bucket_policy | resource |
| aws_s3_bucket_replication_configuration.replication | resource |
| aws_s3_bucket_versioning.cur_export_bucket_versioning | resource |
| aws_s3_bucket_versioning.destination_bucket_versioning | resource |
| aws_scheduler_schedule.account_map_lambda_schedule | resource |
| aws_scheduler_schedule.rls_lambda_schedule | resource |
| aws_secretsmanager_secret.client_secret | resource |
| aws_secretsmanager_secret_version.rls_lambda_client_secret_version | resource |
| aws_ssm_parameter.quicksight_saml_client_id | resource |
| keycloak_generic_protocol_mapper.quicksight_mapper_aws_principaltag | resource |
| keycloak_generic_protocol_mapper.quicksight_mapper_session_duration | resource |
| keycloak_generic_protocol_mapper.quicksight_mapper_session_name | resource |
| keycloak_generic_protocol_mapper.quicksight_mapper_session_role | resource |
| keycloak_openid_client.rls_lambda_client | resource |
| keycloak_role.quicksight_role | resource |
| keycloak_saml_client.Quicksight | resource |
| keycloak_user_roles.service_account_user_roles | resource |
| archive_file.account_map_lambda_zip | data source |
| archive_file.rls_lambda_zip | data source |
| aws_kms_key.master_account_key_by_alias | data source |
| aws_kms_key.operations_account_key_by_alias | data source |
| keycloak_openid_client.realm_management | data source |
| keycloak_openid_client_service_account_user.rls_lambda_service_account_user | data source |
| keycloak_realm.realm | data source |
| keycloak_role.rls_lambda_roles | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| AWSClientName | The name of the AWS client configured in Keycloak | string | "urn:amazon:webservices" | no |
| AccountMapLambdaScheduleExpression | The cron schedule for the Account Map Lambda to run. Default is every weekday at 8am. | string | "cron(0 8 ? * MON-FRI *)" | no |
| AccountMapLambdaTimezone | The timezone for the Account Map Lambda EventBridge scheduler | string | "Canada/Pacific" | no |
| CURBucketPath | S3 path for CUR data. In general, you want to navigate to the folder just before the year partition folders; in this example, the next folder in this path would be year=2024/. Example: s3:/// | string | n/a | yes |
| ClientIdKey | The name of the key within the above secret that points to the Client ID | string | "client_id" | no |
| ClientSecretKey | The name of the key within the above secret that points to the Client Secret | string | "client_secret" | no |
| KeycloakURL | The base URL of your Keycloak deployment, without the http(s):// scheme. | string | n/a | yes |
| QuickSightUser | User name of the QuickSight user (as displayed in the QuickSight admin panel). The RLS DataSource and DataSet will be owned by this user. | string | n/a | yes |
| RLSLambdaScheduleExpression | The cron schedule for the RLS Lambda to run. Default is every 30 mins, 8am-5:30pm MON-FRI | string | "cron(0/30 8-17 ? * MON-FRI *)" | no |
| RLSLambdaTimezone | The timezone for the RLS Lambda EventBridge scheduler | string | "Canada/Pacific" | no |
| aws_master_account_id | Account ID of the AWS master (or) management account | string | n/a | yes |
| aws_region | AWS region to deploy resources | string | "ca-central-1" | no |
| aws_saml_idp_arn | Name of the SAML identity provider in the AWS account | string | n/a | yes |
| bcgov_roles_access | Name of the BC Gov role that is needed to get access to the QuickSight dashboards | string | n/a | yes |
| cost_and_usage_report_table_name | Name of the Cost and Usage Report table in Athena | string | n/a | yes |
| cur_export_bucket_name | Name of the bucket created in the management account to store exported CUR reports | string | n/a | yes |
| cur_replication_bucket_name | Name of the bucket where the Cost and Usage Reports are replicated. | string | n/a | yes |
| iam_replication_policy_name | Name of the IAM policy created and attached to the IAM replication role mentioned above. | string | n/a | yes |
| iam_replication_role_name | Name of the IAM role used to do the replication. | string | n/a | yes |
| idp_initiated_sso_relay_state | URL to redirect to once authentication is completed | string | n/a | yes |
| idp_initiated_sso_url_name | URL fragment name used to reference the client for IdP-initiated SSO | string | n/a | yes |
| kc_base_url | Base URL for Keycloak | any | n/a | yes |
| kc_realm | Realm name of the Keycloak deployment | any | n/a | yes |
| kc_terraform_auth_client_id | ID of the client used to connect to Keycloak | any | n/a | yes |
| kc_terraform_auth_client_secret | Secret of the client used to connect to Keycloak | any | n/a | yes |
| master_account_kms_key_alias | Alias of the master account KMS encryption key | string | n/a | yes |
| operations_account_id | Account ID of the AWS master (or) management account | string | n/a | yes |
| operations_account_kms_key_alias | Alias of the operations account KMS encryption key | string | n/a | yes |
| quicksight_client_id | ID of the QuickSight client created | string | "Quicksight" | no |
| quicksight_client_name | Name of the QuickSight client created | string | "Quicksight" | no |
| rls_lambda_client_id | ID of the RLS Lambda client created | string | "rls-lambda" | no |
| rls_lambda_client_name | Name of the RLS Lambda client created | string | "RLS-Lambda-Client" | no |
| rls_lambda_client_roles | List of Keycloak role names | list(string) | ["query-clients", "query-groups", "query-users", "view-clients", "view-users"] | no |
| session_duration | Session duration length in seconds | number | 10800 | no |
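The first step of the Deployment Process is to call the module with the variables above. The following is an added usage example, not a file from this repository: the module source, provider aliases, and every value are placeholders to be replaced with your own; the `aws.master-account` alias and the variable names come from the Providers and Inputs tables, and optional inputs keep their defaults unless shown.

```hcl
# Added example module call; all values are placeholders, not real identifiers.
provider "aws" {
  region = "ca-central-1"
}

# Alias used by the module for resources in the management account (see Providers).
provider "aws" {
  alias  = "master-account"
  region = "ca-central-1"
  # Assumed: credentials for the management account, e.g. via a profile.
  profile = "management-account-placeholder"
}

provider "keycloak" {
  client_id     = var.kc_terraform_auth_client_id
  client_secret = var.kc_terraform_auth_client_secret
  url           = var.kc_base_url
}

module "quicksight_billing_dashboards" {
  # Placeholder source; pin to a released tag of the repository.
  source = "github.com/bcgov/terraform-aws-quicksight-billing-dashboard-configuration?ref=<TAG>"

  providers = {
    aws                = aws
    aws.master-account = aws.master-account
    keycloak           = keycloak
  }

  # Accounts and keys (placeholder IDs and aliases)
  aws_master_account_id            = "111111111111"
  operations_account_id            = "222222222222"
  master_account_kms_key_alias     = "alias/placeholder-management-key"
  operations_account_kms_key_alias = "alias/placeholder-operations-key"

  # Identity provider and roles
  aws_saml_idp_arn   = "arn:aws:iam::222222222222:saml-provider/placeholder-keycloak"
  bcgov_roles_access = "placeholder-billing-viewer-role"

  # Keycloak connection (secrets should come from variables, never literals)
  kc_base_url                     = var.kc_base_url
  kc_realm                        = "placeholder-realm"
  kc_terraform_auth_client_id     = var.kc_terraform_auth_client_id
  kc_terraform_auth_client_secret = var.kc_terraform_auth_client_secret
  KeycloakURL                     = "keycloak.example.com"
  idp_initiated_sso_url_name      = "quicksight"
  idp_initiated_sso_relay_state   = "https://quicksight.aws.amazon.com/"

  # CUR storage and replication (placeholder bucket and table names)
  cur_export_bucket_name           = "placeholder-cur-export-bucket"
  cur_replication_bucket_name      = "placeholder-cur-replica-bucket"
  iam_replication_role_name        = "placeholder-cur-replication-role"
  iam_replication_policy_name      = "placeholder-cur-replication-policy"
  CURBucketPath                    = "s3://placeholder-cur-replica-bucket/cur/placeholder-report/"
  cost_and_usage_report_table_name = "placeholder_cur_table"

  # Owner of the RLS data source and dataset (username noted during QuickSight sign-up)
  QuickSightUser = "placeholder-quicksight-admin"
}
```

The Keycloak client secret is read from a variable rather than written into the module call so that it stays out of version control; the remaining values are the ones the Prerequisites section asks you to collect before running `terraform apply`.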

Outputs

| Name | Description |
|------|-------------|
| cur_replication_bucket_name | Name of the bucket created in the destination account to replicate the CUR data from the management account |
| glue_table_name | n/a |
| quicksight_admin_role_arn | ARN of the QuickSight Admin role created |
| quicksight_reader_role_arn | ARN of the QuickSight Reader role created |
