in source/lib/quicksight-custom-resources/quicksight-construct.ts [51:140]
/**
 * Builds the Lambda-backed CloudFormation custom resource that manages the
 * solution's QuickSight assets.
 *
 * Three things are created here: an IAM policy attached to `props.role`, a
 * Python Lambda function that runs under that same role, and the
 * `Custom::QuickSightResources` resource whose service token is the function.
 *
 * @param props - QuickSight settings; this method reads `role`,
 *   `sourceTemplateArn`, `userAgentExtra`, `resource`, `name`,
 *   `parentStackName`, `logLevel`, `principalArn` and `workgroupName`.
 * @returns The custom resource, which depends on the IAM policy.
 */
private createCustomResource(props: QuickSightProps): cdk.CustomResource {
  // Everything the handler may do against QuickSight. The list mixes read-only
  // wildcards (Describe*/Get*/List*) with create, delete and permission-changing
  // actions (UpdateDataSourcePermissions, PassDataSet, PassDataSource).
  const quickSightActions = [
    "quicksight:CreateAnalysis",
    "quicksight:DeleteAnalysis",
    "quicksight:CreateDataSet",
    "quicksight:DeleteDataSet",
    "quicksight:CreateDataSource",
    "quicksight:DeleteDataSource",
    "quicksight:UpdateDataSource",
    "quicksight:UpdateDataSourcePermissions",
    "quicksight:Describe*",
    "quicksight:Get*",
    "quicksight:List*",
    "quicksight:PassDataSet",
    "quicksight:PassDataSource",
    "quicksight:RestoreAnalysis",
    "quicksight:SearchAnalyses",
    "quicksight:CreateDashboard",
    "quicksight:DeleteDashboard"
  ];

  // Pinned to this partition, region and account, but `*/*` matches every
  // QuickSight resource type and id inside that scope.
  // NOTE(review): the delete/update actions therefore also cover QuickSight
  // assets this stack did not create; consider narrowing to the resource types
  // (and a name prefix, if the handler uses one) that the handler manages.
  const allQuickSightResourcesArn =
    `arn:${cdk.Aws.PARTITION}:quicksight:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:*/*`;

  const manageAssetsStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    actions: quickSightActions,
    resources: [allQuickSightResourcesArn]
  });

  // Read access to the source template is scoped to the single ARN supplied by the caller.
  const describeTemplateStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ["quicksight:DescribeTemplate"],
    resources: [props.sourceTemplateArn]
  });

  const customResourcePolicy = new Policy(this, 'QSCustomResourcePolicy', {
    statements: [manageAssetsStatement, describeTemplateStatement]
  });

  // cfn_nag suppression recorded on the synthesized AWS::IAM::Policy.
  // NOTE(review): the reason text attributes the wildcard to DescribeTemplate,
  // yet the DescribeTemplate statement above is scoped to props.sourceTemplateArn
  // and the wildcard sits on the first statement; confirm the justification
  // still describes what is being suppressed.
  const cfnPolicy = customResourcePolicy.node.defaultChild as CfnPolicy;
  cfnPolicy.cfnOptions.metadata = {
    cfn_nag: {
      rules_to_suppress: [
        {
          id: 'W12',
          reason: 'The DescribeTemplate API call requires the resource to \'*\' in us-east-1.'
        }
      ]
    }
  };

  // The policy is added to the role the Lambda runs under (see `role` below),
  // so anything else that assumes props.role receives these grants too.
  customResourcePolicy.attachToRole(props.role);

  // NOTE(review): Python 3.8 has reached end of life upstream; check that the
  // runtime is still supported by Lambda and plan a move to a maintained version.
  const customResourceFunction = new lambda.Function(this, 'CustomResource', {
    runtime: lambda.Runtime.PYTHON_3_8,
    handler: 'lambda_function.handler',
    description: 'AWS DevOps Monitoring Dashboard Solution - This function creates Amazon QuickSight resources.',
    role: props.role,
    code: lambda.Code.fromAsset('lambda/quicksight-custom-resources'),
    timeout: cdk.Duration.seconds(30),
    environment: {
      UserAgentExtra: props.userAgentExtra
    }
  });

  // The function must not be deployed before its permissions exist.
  customResourceFunction.node.addDependency(customResourcePolicy);

  // Suppress the cfn_nag findings about VPC placement (W89) and reserved
  // concurrency (W92) on the underlying AWS::Lambda::Function.
  const refCustomResourceFunction = customResourceFunction.node.findChild('Resource') as lambda.CfnFunction;
  refCustomResourceFunction.cfnOptions.metadata = {
    cfn_nag: {
      rules_to_suppress: [
        {
          id: 'W89',
          reason: 'There is no need to run this lambda in a VPC'
        },
        {
          id: 'W92',
          reason: 'There is no need for Reserved Concurrency'
        }
      ]
    }
  };

  // These properties are handed to the Lambda handler on each lifecycle event
  // and are stored in the stack template, so they should carry identifiers
  // only, never credentials.
  const customResource = new cdk.CustomResource(this, 'QuickSightResources', {
    serviceToken: customResourceFunction.functionArn,
    properties: {
      Resource: props.resource,
      ApplicationName: props.name,
      StackName: props.parentStackName,
      LogLevel: props.logLevel,
      QuickSightSourceTemplateArn: props.sourceTemplateArn,
      QuickSightPrincipalArn: props.principalArn,
      WorkGroupName: props.workgroupName
    },
    resourceType: 'Custom::QuickSightResources'
  });

  // Same ordering guarantee for the custom resource: policy first, then invocation.
  customResource.node.addDependency(customResourcePolicy);

  return customResource;
}