
QuickSight: Row Level Security Tag Based

Open jorgepulidoibm opened this issue 2 years ago • 2 comments

Describe the feature

CDK does not provide the customisation of this type of Row Level Security even though boto3 and AWS CLI do.

boto3

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/quicksight.html#QuickSight.Client.create_data_set

response = client.create_data_set(
...
    RowLevelPermissionTagConfiguration={
        'Status': 'ENABLED'|'DISABLED',
        'TagRules': [
            {
                'TagKey': 'string',
                'ColumnName': 'string',
                'TagMultiValueDelimiter': 'string',
                'MatchAllValue': 'string'
            },
        ]
    },
...
)

AWS CLI

https://docs.aws.amazon.com/cli/latest/reference/quicksight/create-data-set.html

create-data-set
--aws-account-id <value>
--data-set-id <value>
--name <value>
--physical-table-map <value>
...
[--row-level-permission-tag-configuration <value>]
...

Use Case

Automated Dataset deployments cannot be done since Datasets are not secured.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CDK version used

aws-cdk-lib==2.41.0 aws-cdk.aws-quicksight==1.172.0 aws-cdk.cloud-assembly-schema==1.172.0 aws-cdk.cx-api==1.172.0 aws-cdk.region-info==1.172.0

Environment details (OS name and version, etc.)

macOS 12.5.1, Python CDK

jorgepulidoibm avatar Sep 16 '22 09:09 jorgepulidoibm

Does this satisfy your use case? https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-quicksight.CfnDataSet.html#rowlevelpermissiondataset-1

comcalvi avatar Sep 21 '22 19:09 comcalvi

Hi, it is not the same feature. This requires a dataset where the row level security is specified, but I'm asking for the Tag Based RLS -> this

jorgepulidoibm avatar Sep 22 '22 16:09 jorgepulidoibm

I tried to work around this using addOverride but got the following error: "Extraneous key [RowLevelPermissionTagConfiguration] is not permitted"

myDataSet.addOverride('Properties.RowLevelPermissionTagConfiguration.Status', 'ENABLED');
myDataSet.addOverride('Properties.RowLevelPermissionTagConfiguration.TagRules', [
    {
        TagKey: 'myTag',
        ColumnName: 'myColumnName',
        MatchAllValue: '*'
    }
]);

matthew-valenti avatar Nov 30 '22 21:11 matthew-valenti

This is how I managed to get Tag-based RLS working using CDK.

I have a custom construct that contains two resources:

  1. A CfnDataSet for the dataset without the tag-based row-level security
  2. An AwsCustomResource using the QuickSight.updateDataSet API to add Tag-based RLS to it

Honestly it feels very hacky and I wish the QuickSight team would add tag-based support to the AWS::QuickSight::DataSet resource. But this was the best I could do in terms of automation.

Below is the code for the custom resource, in case someone is interested or wants to comment.

Keep in mind that the RelationalTable parameter to the function must be a PascalCased version of the relationalTable parameter passed in when creating the CfnDataSet. Don't ask me why, I feel like this is yet another idiosyncrasy of this API.

// Imports at the top of the construct file. QuickSightImportModes and
// QuickSightUtils are helpers from the poster's own code base.
import { Stack } from "aws-cdk-lib";
import * as iam from "aws-cdk-lib/aws-iam";
import * as cr from "aws-cdk-lib/custom-resources";

  private addTagBasedRls(dataSetId: string, RelationalTable: any) {
    const stack = Stack.of(this);

    // Second resource of the construct: calls QuickSight.updateDataSet after the
    // CfnDataSet exists and attaches the tag-based RLS configuration to it.
    // Only onCreate is defined, so rule changes after the first deploy need an
    // onUpdate call as well.
    return new cr.AwsCustomResource(this, "TagBasedRls", {
      onCreate: {
        service: "QuickSight",
        action: "updateDataSet",
        outputPaths: ["Arn"],
        parameters: {
          AwsAccountId: stack.account,
          DataSetId: dataSetId,
          Name: dataSetId,
          ImportMode: QuickSightImportModes.SPICE,
          // UpdateDataSet needs the full table map again. The keys are PascalCased
          // because they go straight to the SDK call, unlike the camelCased CfnDataSet props.
          PhysicalTableMap: {
            table: {
              RelationalTable,
            },
          },
          RowLevelPermissionTagConfiguration: {
            Status: "ENABLED",
            TagRules: [
              {
                TagKey: "tag_customer_id",    // session tag supplied at embed time
                ColumnName: "customer_id",    // dataset column the tag filters
                TagMultiValueDelimiter: ",",  // lets one tag carry several values
                MatchAllValue: "*",           // tag value that grants every row
              },
            ],
          },
        },
        physicalResourceId: cr.PhysicalResourceId.of("TagBasedRls"),
      },
      // Least privilege: only UpdateDataSet, and only on this dataset's ARN.
      policy: cr.AwsCustomResourcePolicy.fromStatements([
        new iam.PolicyStatement({
          actions: ["quicksight:UpdateDataSet"],
          resources: [
            QuickSightUtils.getQuickSightDataSetArn(stack, dataSetId),
          ],
        }),
      ]),
    });
  }

donatoaz avatar Dec 20 '22 18:12 donatoaz
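Added example (not from the issue thread or the CDK project): a small TypeScript model of how the TagRules in the custom resource above behave at query time, using the same tag_customer_id / customer_id rule, delimiter and MatchAllValue. It assumes, as a modelling choice, that a session missing a rule's tag sees no rows, and the dataset rows are constructed sample data.

```typescript
// Model of QuickSight tag-based row-level security evaluation (added example).
interface TagRule {
  TagKey: string;
  ColumnName: string;
  TagMultiValueDelimiter?: string;
  MatchAllValue?: string;
}

type Row = Record<string, string>;

// Same rule set as the custom resource: session tag tag_customer_id filters customer_id.
const tagRules: TagRule[] = [
  { TagKey: "tag_customer_id", ColumnName: "customer_id", TagMultiValueDelimiter: ",", MatchAllValue: "*" },
];

// Constructed sample rows standing in for the SPICE dataset.
const rows: Row[] = [
  { customer_id: "c1", amount: "10" },
  { customer_id: "c2", amount: "20" },
  { customer_id: "c3", amount: "30" },
];

// Returns the rows a session may see. sessionTags maps TagKey -> value, the shape
// passed as SessionTags when generating an embed URL for an anonymous user.
// Assumption: a rule whose tag is absent from the session denies every row.
function applyTagBasedRls(data: Row[], rules: TagRule[], sessionTags: Record<string, string>): Row[] {
  return data.filter((row) =>
    rules.every((rule) => {
      const tagValue = sessionTags[rule.TagKey];
      if (tagValue === undefined) return false; // missing tag: deny, never fall open
      if (rule.MatchAllValue !== undefined && tagValue === rule.MatchAllValue) return true;
      const allowed = rule.TagMultiValueDelimiter
        ? tagValue.split(rule.TagMultiValueDelimiter).map((v) => v.trim())
        : [tagValue];
      return allowed.includes(row[rule.ColumnName]);
    })
  );
}

// Convenience for readers: amounts visible to a given session.
function visibleAmounts(sessionTags: Record<string, string>): string[] {
  return applyTagBasedRls(rows, tagRules, sessionTags).map((r) => r.amount);
}
```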

It looks like this is available here via the tags/rowLevelPermissionTagConfiguration props: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_quicksight.CfnDataSet.html#tags

tim-finnigan avatar Mar 14 '24 17:03 tim-finnigan

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar Mar 14 '24 17:03 github-actions[bot]