in packages/constructs/L3/analytics/quicksight-project-l3-construct/lib/quicksight-project-l3-construct.ts [284:477]
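/**
 * Creates the Custom Resource Provider that manages QuickSight Folders.
 *
 * Wires together, in this order: an execution role plus a customer-managed policy
 * for the on-event Lambda, the on-event Lambda itself (Python handler under
 * `src/python/quicksight_folders`), a separate role for the CDK Provider framework
 * function, and the `Provider` that custom resources reference via its service token.
 * cdk-nag findings that assume a long-lived, request-serving function are suppressed
 * with a reason that names the actual justification.
 *
 * @returns the `Provider` to use as the service token of QuickSight Folder custom resources
 */
private createQSFoldersProvider(): Provider {
  // All QuickSight permissions granted below are limited to folder resources in this
  // account and region. Individual folder IDs are created by the custom resource, so
  // the resource-level scoping stops at the `folder/*` wildcard.
  const folderResourceArn = `arn:${this.partition}:quicksight:${this.region}:${this.account}:folder/*`;

  // Execution role for the on-event Lambda (the function that calls the QuickSight APIs).
  const crRole = new MdaaLambdaRole(this, 'qsFolders-cr-role', {
    description: 'CR Lambda Role',
    roleName: 'qsFolders-cr',
    naming: this.props.naming,
    logGroupNames: [this.props.naming.resourceName('qsFolders-cr-func')],
    createParams: false,
    createOutputs: false,
  });

  // Customer-managed policy (rather than inline) so the role's permissions are
  // inspectable as a standalone resource.
  const crManagedPolicy = new ManagedPolicy(this, 'qsFolders-cr-lambda', {
    managedPolicyName: this.props.naming.resourceName('qsFolders-cr-lambda'),
    roles: [crRole],
  });
  const folderLifecycleStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [folderResourceArn],
    actions: [
      'quicksight:CreateFolder',
      'quicksight:DeleteFolder',
      'quicksight:DescribeFolder',
      'quicksight:DescribeFolderPermissions',
      'quicksight:DescribeFolderResolvedPermissions',
      'quicksight:ListFolderMembers',
      'quicksight:ListFolders',
      'quicksight:UpdateFolder',
      'quicksight:UpdateFolderPermissions',
    ],
  });
  const folderMembershipStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [folderResourceArn],
    actions: ['quicksight:CreateFolderMembership', 'quicksight:DeleteFolderMembership'],
  });
  crManagedPolicy.addStatements(folderLifecycleStatement, folderMembershipStatement);

  // The IAM5 (wildcard resource) suppression must describe THIS policy. The previous
  // reason referred to ds:* actions that are not granted here and would mislead an audit.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    crManagedPolicy,
    [
      {
        id: 'AwsSolutions-IAM5',
        reason:
          'Statements are scoped to QuickSight folder resources in this account and region; individual folder IDs are created by the custom resource and cannot be enumerated in advance.',
      },
    ],
    true,
  );

  // On-event handler: the Lambda that CloudFormation invokes (through the Provider)
  // to create, update and delete QuickSight Folders.
  const srcDir = `${__dirname}/../src/python/quicksight_folders`;
  const foldersCrLambda = new MdaaLambdaFunction(this, 'qsFolders-cr-func', {
    functionName: 'qsFolders-cr-func',
    naming: this.props.naming,
    code: Code.fromAsset(srcDir),
    handler: 'quicksight_folders.lambda_handler',
    runtime: Runtime.PYTHON_3_13,
    timeout: Duration.seconds(120),
    environment: {
      ACCOUNT_ID: this.account,
      LOG_LEVEL: 'INFO',
    },
    role: crRole,
  });

  // Each compliance pack raises the same three findings (DLQ, VPC, reserved concurrency)
  // against a custom-resource function. Build the suppression list once per pack and
  // reuse it for both the on-event Lambda and the Provider framework function, keeping
  // the same pack order as before so the synthesized metadata is unchanged.
  const lambdaSuppressionsFor = (pack: string) => [
    {
      id: `${pack}-LambdaDLQ`,
      reason: 'Function is for custom resource and error handling will be handled by CloudFormation.',
    },
    {
      id: `${pack}-LambdaInsideVPC`,
      reason: 'Function is for custom resource and will interact only with QuickSight APIs.',
    },
    {
      id: `${pack}-LambdaConcurrency`,
      reason:
        'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.',
    },
  ];
  const inlinePolicySuppressionFor = (pack: string) => ({
    id: `${pack}-IAMNoInlinePolicy`,
    reason: 'Role is for Custom Resource Provider. Inline policy automatically added.',
  });
  const compliancePacks = ['NIST.800.53.R5', 'HIPAA.Security', 'PCI.DSS.321'];
  const customResourceLambdaSuppressions = [
    ...lambdaSuppressionsFor(compliancePacks[0]),
    ...lambdaSuppressionsFor(compliancePacks[1]),
    ...lambdaSuppressionsFor(compliancePacks[2]),
  ];

  MdaaNagSuppressions.addCodeResourceSuppressions(foldersCrLambda, customResourceLambdaSuppressions, true);

  // The Provider framework function needs its own role; its log group name is the
  // function name, capped at 64 characters by the naming helper.
  const providerFunctionName = this.props.naming.resourceName('qsFolders-cr-prov', 64);
  const providerRole = new MdaaLambdaRole(this, 'qsFolders-cr-prov-role', {
    description: 'CR Role',
    roleName: 'qsFolders-cr-prov',
    naming: this.props.naming,
    logGroupNames: [providerFunctionName],
    createParams: false,
    createOutputs: false,
  });
  const foldersCrProvider = new Provider(this, 'qsFolders-cr-provider', {
    providerFunctionName: providerFunctionName,
    onEventHandler: foldersCrLambda,
    role: providerRole,
  });

  // The Provider framework attaches an inline policy to its role; that cannot be
  // changed from here, so the inline-policy findings are suppressed for each pack.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    providerRole,
    [
      inlinePolicySuppressionFor(compliancePacks[0]),
      inlinePolicySuppressionFor(compliancePacks[1]),
      inlinePolicySuppressionFor(compliancePacks[2]),
    ],
    true,
  );

  // The framework function's runtime is chosen by CDK (AwsSolutions-L1), and it is a
  // deploy-time-only custom resource function like the on-event handler.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    foldersCrProvider,
    [
      {
        id: 'AwsSolutions-L1',
        reason: 'Lambda function Runtime set by CDK Provider Framework',
      },
      ...customResourceLambdaSuppressions,
    ],
    true,
  );

  return foldersCrProvider;
}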