in packages/constructs/L3/analytics/quicksight-account-l3-construct/lib/quicksight-account-l3-construct.ts [184:403]
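/**
 * Builds the CloudFormation custom-resource Provider that creates the QuickSight account.
 *
 * Wires together: an execution role plus a managed policy for the onEvent Lambda,
 * the Python Lambda itself (`src/python/quicksight_account`), a separate role for the
 * CDK Provider framework function, and the cdk-nag suppressions each of those
 * resources needs. The three compliance rule packs (NIST, HIPAA, PCI) expose the same
 * rules under different prefixes, so suppression lists are generated once per rule
 * rather than hand-copied per pack.
 *
 * @returns the Provider whose service token a CustomResource can reference.
 */
private createAccountProvider(): Provider {
  // cdk-nag rule-pack prefixes; each pack carries the same rule names.
  const nagPacks = ['NIST.800.53.R5', 'HIPAA.Security', 'PCI.DSS.321'] as const;

  // ---- Execution role + policy for the custom-resource Lambda ----------------
  const accountCrRole = new MdaaLambdaRole(this, 'qsAccount-cr-role', {
    description: 'CR Lambda Role',
    roleName: 'qsAccount-cr',
    naming: this.props.naming,
    logGroupNames: [this.props.naming.resourceName('qsAccount-cr-func')],
    createParams: false,
    createOutputs: false,
  });
  const accountCrManagedPolicy = new ManagedPolicy(this, 'qsAccount-cr-lambda', {
    managedPolicyName: this.props.naming.resourceName('qsAccount-cr-lambda'),
    roles: [accountCrRole],
  });

  // Scoped to QuickSight user ARNs in this partition/region/account only.
  const accountPolicyStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [`arn:${this.partition}:quicksight:${this.region}:${this.account}:user/*`],
    actions: ['quicksight:CreateAdmin'],
  });
  accountCrManagedPolicy.addStatements(accountPolicyStatement);

  // QuickSight manages users via Directory Service; scoped to directories in this account/region.
  const accountPolicyStatement2 = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [`arn:${this.partition}:ds:${this.region}:${this.account}:directory/*`],
    actions: ['ds:AuthorizeApplication', 'ds:UnauthorizeApplication', 'ds:CreateAlias'],
  });
  accountCrManagedPolicy.addStatements(accountPolicyStatement2);

  // Wildcard-resource statement; the nag suppressions below justify it on the basis
  // that these APIs take no resource. NOTE(review): ds:DeleteDirectory is destructive
  // and appears to accept a directory ARN in the service authorization reference —
  // confirm, and if so move it into accountPolicyStatement2 so the CR role is limited
  // to directories in this account/region rather than '*'.
  const accountPolicyStatement3 = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: ['*'],
    actions: [
      'ds:CreateIdentityPoolDirectory',
      'ds:DescribeTrusts',
      'ds:DescribeDirectories',
      'ds:CheckAlias',
      'ds:DeleteDirectory',
      'iam:ListAccountAliases',
      'quicksight:CreateAccountSubscription',
      'quicksight:GetGroupMapping',
      'quicksight:SetGroupMapping',
      'quicksight:SearchDirectoryGroups',
      'quicksight:DescribeAccountSettings',
      'quicksight:DescribeAccountSubscription',
      'quicksight:UpdateAccountSettings',
      'quicksight:Subscribe',
    ],
  });
  accountCrManagedPolicy.addStatements(accountPolicyStatement3);

  const wildcardResourceReason =
    "quicksight, directory service and iam api's in accountPolicyStatement3 Takes no resource.";
  MdaaNagSuppressions.addCodeResourceSuppressions(
    accountCrManagedPolicy,
    [
      { id: 'AwsSolutions-IAM5', reason: wildcardResourceReason },
      ...nagPacks.map((pack) => ({
        id: `${pack}-IAMPolicyNoStatementsWithFullAccess`,
        reason: wildcardResourceReason,
      })),
    ],
    true,
  );

  // ---- The custom-resource Lambda itself ---------------------------------------
  const srcDir = `${__dirname}/../src/python/quicksight_account`;
  // Invoked by the Provider framework as the onEvent handler that creates the QuickSight account.
  const accountCrLambda = new MdaaLambdaFunction(this, 'qsAccount-cr-func', {
    functionName: 'qsAccount-cr-func',
    naming: this.props.naming,
    code: Code.fromAsset(srcDir),
    handler: 'quicksight_account.lambda_handler',
    runtime: Runtime.PYTHON_3_13,
    timeout: Duration.seconds(300),
    environment: {
      ACCOUNT_ID: this.account,
      LOG_LEVEL: 'INFO',
    },
    role: accountCrRole,
    layers: [this.boto3Layer],
  });

  // Findings that do not apply to a deployment-time custom-resource function. The same
  // set is suppressed on both the onEvent Lambda and the Provider's framework function.
  const dlqReason = 'Function is for custom resource and error handling will be handled by CloudFormation.';
  const vpcReason = 'Function is for custom resource and will interact only with QuickSight APIs.';
  const concurrencyReason =
    'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.';
  const crFunctionSuppressions = nagPacks.flatMap((pack) => [
    { id: `${pack}-LambdaDLQ`, reason: dlqReason },
    { id: `${pack}-LambdaInsideVPC`, reason: vpcReason },
    { id: `${pack}-LambdaConcurrency`, reason: concurrencyReason },
  ]);
  // Fresh array per call so the two suppression lists cannot alias each other.
  MdaaNagSuppressions.addCodeResourceSuppressions(accountCrLambda, [...crFunctionSuppressions], true);

  // ---- Provider framework function + its role ----------------------------------
  const accountCrProviderFunctionName = this.props.naming.resourceName('qsAccount-cr-prov', 64);
  const accountCrProviderRole = new MdaaLambdaRole(this, 'qsAccount-cr-prov-role', {
    description: 'CR Role',
    roleName: 'qsAccount-cr-prov',
    naming: this.props.naming,
    logGroupNames: [accountCrProviderFunctionName],
    createParams: false,
    createOutputs: false,
  });
  const accountCrProvider = new Provider(this, 'qsAccount-cr-provider', {
    providerFunctionName: accountCrProviderFunctionName,
    onEventHandler: accountCrLambda,
    role: accountCrProviderRole,
  });

  const inlinePolicyReason = 'Role is for Custom Resource Provider. Inline policy automatically added.';
  MdaaNagSuppressions.addCodeResourceSuppressions(
    accountCrProviderRole,
    nagPacks.map((pack) => ({ id: `${pack}-IAMNoInlinePolicy`, reason: inlinePolicyReason })),
    true,
  );
  MdaaNagSuppressions.addCodeResourceSuppressions(
    accountCrProvider,
    [
      // The framework function's runtime is chosen by the CDK Provider construct, not here.
      { id: 'AwsSolutions-L1', reason: 'Lambda function Runtime set by CDK Provider Framework' },
      ...crFunctionSuppressions,
    ],
    true,
  );

  return accountCrProvider;
}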