in packages/constructs/L3/analytics/quicksight-namespace-l3-construct/lib/quicksight-namespace-l3-construct.ts [275:479]
private createNamespaceProvider(): Provider {
  // Assembles the custom-resource (CR) machinery that creates the QuickSight namespace:
  //   1. an execution role + managed policy for the namespace CR Lambda,
  //   2. the Python CR Lambda itself,
  //   3. a dedicated role and the CDK Provider that fronts that Lambda.
  // Returns the Provider so the caller can bind a CustomResource to it.

  // Execution role for the namespace CR function. Log permissions are limited to the
  // named log group rather than a wildcard.
  // NOTE(review): the log group is derived from 'ns-cr-func' while the function below is
  // named 'namespace-cr' — confirm MdaaLambdaFunction resolves to the same log group name,
  // otherwise the role's logging grant is scoped to a group the function never writes to.
  const crRole: MdaaLambdaRole = new MdaaLambdaRole(this, 'namespace-cr-role', {
    description: 'CR Role',
    roleName: 'namespace-cr',
    naming: this.props.naming,
    logGroupNames: [this.props.naming.resourceName('ns-cr-func')],
    createParams: false,
    createOutputs: false,
  });

  const crPolicy: ManagedPolicy = new ManagedPolicy(this, 'ns-cr-lambda', {
    managedPolicyName: this.props.naming.resourceName('ns-cr-lambda'),
    roles: [crRole],
  });

  // Namespace lifecycle permissions, scoped to the single namespace ARN this construct manages.
  const namespaceArn = `arn:${this.partition}:quicksight:${this.region}:${this.account}:namespace/${this.namespaceName}`;
  const namespaceStatement: PolicyStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [namespaceArn],
    actions: [
      'quicksight:CreateNamespace',
      'quicksight:DescribeNamespace',
      'quicksight:DeleteNamespace',
      'quicksight:TagResource',
    ],
  });

  // QuickSight backs its identity store with Directory Service. These two actions do not
  // support resource-level permissions, so '*' is the narrowest possible scope here
  // (the matching IAM5 suppression below records that justification).
  const dsAccountStatement: PolicyStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: ['*'],
    actions: [
      'ds:CreateIdentityPoolDirectory', //Takes no resource
      'ds:DescribeDirectories', //Takes no resource
    ],
  });

  // Directory name is generated at runtime, so the ARN can only be pinned to this
  // partition/region/account with a wildcard directory id.
  const directoryArnPattern = `arn:${this.partition}:ds:${this.region}:${this.account}:directory/*`;
  const dsDirectoryStatement: PolicyStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [directoryArnPattern],
    actions: ['ds:AuthorizeApplication', 'ds:UnauthorizeApplication'],
  });

  crPolicy.addStatements(namespaceStatement, dsAccountStatement, dsDirectoryStatement);

  MdaaNagSuppressions.addCodeResourceSuppressions(
    crPolicy,
    [
      {
        id: 'AwsSolutions-IAM5',
        reason: 'ds:CreateIdentityPoolDirectory,ds:DescribeDirectories - Takes no resource.',
        appliesTo: ['Resource::*'],
      },
      {
        id: 'AwsSolutions-IAM5',
        reason: 'ds:AuthorizeApplication,ds:UnauthorizeApplication - Directory name randomly generated.',
        appliesTo: [`Resource::${directoryArnPattern}`],
      },
    ],
    true,
  );

  // Shared suppression reasons: the CR function and its Provider share the same
  // deployment-time-only execution profile, so the same justifications apply to both.
  const dlqReason = 'Function is for custom resource and error handling will be handled by CloudFormation.';
  const vpcReason = 'Function is for custom resource and will interact only with QuickSight APIs.';
  const concurrencyReason =
    'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.';
  const inlinePolicyReason = 'Role is for Custom Resource Provider. Inline policy automatically added.';

  // Returns a fresh list each time so the two callers never share array instances.
  const crFunctionSuppressions = () => [
    { id: 'NIST.800.53.R5-LambdaDLQ', reason: dlqReason },
    { id: 'NIST.800.53.R5-LambdaInsideVPC', reason: vpcReason },
    { id: 'NIST.800.53.R5-LambdaConcurrency', reason: concurrencyReason },
    { id: 'HIPAA.Security-LambdaDLQ', reason: dlqReason },
    { id: 'PCI.DSS.321-LambdaDLQ', reason: dlqReason },
    { id: 'HIPAA.Security-LambdaInsideVPC', reason: vpcReason },
    { id: 'PCI.DSS.321-LambdaInsideVPC', reason: vpcReason },
    { id: 'HIPAA.Security-LambdaConcurrency', reason: concurrencyReason },
    { id: 'PCI.DSS.321-LambdaConcurrency', reason: concurrencyReason },
  ];

  // The CR handler is a Python Lambda bundled from the local source tree; it is invoked
  // only by the Provider framework during stack create/update/delete.
  const handlerSourceDir = `${__dirname}/../src/python/quicksight_namespace`;
  const crFunction: MdaaLambdaFunction = new MdaaLambdaFunction(this, 'ns-cr-func', {
    functionName: 'namespace-cr',
    naming: this.props.naming,
    code: Code.fromAsset(handlerSourceDir),
    handler: 'quicksight_namespace.lambda_handler',
    runtime: Runtime.PYTHON_3_13,
    timeout: Duration.seconds(120),
    // Non-secret configuration only; the handler reads these at runtime.
    environment: {
      ACCOUNT_ID: this.account,
      IDENTITY_STORE: 'QUICKSIGHT',
      LOG_LEVEL: 'INFO',
    },
    role: crRole,
  });
  MdaaNagSuppressions.addCodeResourceSuppressions(crFunction, crFunctionSuppressions(), true);

  // The Provider gets its own role so the framework's auto-generated inline policy never
  // lands on the CR handler's role (keeps the two permission sets separately auditable).
  const providerFunctionName: string = this.props.naming.resourceName('ns-cr-prov', 64);
  const providerRole: MdaaLambdaRole = new MdaaLambdaRole(this, 'namespace-cr-prov-role', {
    description: 'CR Role',
    roleName: 'namespace-cr-prov',
    naming: this.props.naming,
    logGroupNames: [providerFunctionName],
    createParams: false,
    createOutputs: false,
  });
  const provider: Provider = new Provider(this, 'ns-cr-provider', {
    providerFunctionName,
    onEventHandler: crFunction,
    role: providerRole,
  });

  MdaaNagSuppressions.addCodeResourceSuppressions(
    providerRole,
    [
      { id: 'NIST.800.53.R5-IAMNoInlinePolicy', reason: inlinePolicyReason },
      { id: 'HIPAA.Security-IAMNoInlinePolicy', reason: inlinePolicyReason },
      { id: 'PCI.DSS.321-IAMNoInlinePolicy', reason: inlinePolicyReason },
    ],
    true,
  );
  // The Provider's framework function runtime is chosen by CDK, hence the L1 suppression.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    provider,
    [
      { id: 'AwsSolutions-L1', reason: 'Lambda function Runtime set by CDK Provider Framework' },
      ...crFunctionSuppressions(),
    ],
    true,
  );

  return provider;
}