DAC-1889 Provide interface for analysts to use Quicksight user lambda (…

…#490)

Add new get-quicksight-user-spreadsheet script which uses google APIs to get data from the users spreadsheet
Add new quicksight-add-users-from-spreadsheet lambda which parses the user spreadsheet and invokes the quicksight-add-users lambda
Add new add-quicksight-users workflow to allow running the new functionality from github

.github/workflows/add-quicksight-users.yml

@@ -0,0 +1,51 @@
+name: ✳️ Add users to Quicksight
+
+on:
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        type: boolean
+        required: true
+        description: If true, this action only prints the users it thinks need adding
+        default: false
+      environment:
+        type: string
+        required: true
+        description: AWS Environment
+        options: [DEV, TEST, FEATURE, PRODUCTION]
+      type:
+        type: choice
+        required: true
+        description: Type of user (determines which spreadsheet sheet to read)
+        options: [GDS, RP]
+
+jobs:
+  get-spreadsheet-users-and-invoke-lambda:
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint (enabling the aws-actions/configure-aws-credentials action)
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Node setup
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          cache: npm
+      - name: Install node packages
+        run: npm ci
+      - name: Create users file
+        run: node scripts/get-quicksight-user-spreadsheet.mjs ${{ inputs.type }} ${{ secrets.GOOGLE_CLOUD_SERVICE_ACCOUNT_CREDENTIALS }} > spreadsheet.json
+      - name: Assume AWS add users lambda invoke role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets[format('ADD_USERS_LAMBDA_INVOKE_ROLE_{0}', inputs.environment)] }}
+      - name: Invoke lambda
+        run: |
+          PAYLOAD=$(echo "{\"dryRun\": ${{ inputs.dryRun }}, \"spreadsheet\": $(cat spreadsheet.json)}")
+          ENCODED=$(echo "$PAYLOAD" | openssl base64)
+          aws --region eu-west-2 lambda invoke --function-name quicksight-add-users-from-spreadsheet --payload "$ENCODED" out.json
+          cat out.json

README.md

@@ -81,6 +81,7 @@ Below is a list of workflows. The ✳️ symbol at the start of a workflow name
 | ✳️ Upload testing images to ECR      | upload-testing-images.yml        | <ul><li>[merge to main](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push)</li><li>[manual](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch)</li></ul>                                                                                                                                   | Builds one or more testing dockerfiles in `tests/scripts/` and uploads the images to ECR. Which dockerfiles to build can be specified via inputs |
 | SonarCloud Code Analysis             | code-quality-sonarcloud.yml      | <ul><li>[pull requests (on open, reopen and update)](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request)</li></ul>                                                                                                                                                                                                                   | Runs a SonarCloud analysis on the repository                                                                                                     |
 | ✳️ Run flyway command on redshift    | run-flyway-command.yml           | <ul><li>[manual](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch)</li></ul>                                                                                                                                                                                                                                                  | Runs a specified flyway command on the redshift database in a specified environment                                                              |
+| ✳️ Add Quicksight users              | add-quicksight-users.yml         | <ul><li>[manual](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch)</li></ul>                                                                                                                                                                                                                                                  | Reads the DAP account management spreadsheet and attempts to add users to Cognito and Quicksight                                                 |
 
 ## Testing
 

iac/quicksight-access/resources/quicksight-access.yml

@@ -207,6 +207,73 @@ QuicksightAddUsersLambdaFunction:
         - Fn::ImportValue: !Sub ${Environment}-dap-vpc-ProtectedSubnetIdB
         - Fn::ImportValue: !Sub ${Environment}-dap-vpc-ProtectedSubnetIdC
 
+QuicksightAddUsersFromSpreadsheetLambdaFunction:
+  # checkov:skip=CKV_AWS_116: DLQ not needed as this is a manually invoked action
+  Type: AWS::Serverless::Function
+  Condition: IsQuicksightEnvironment
+  Properties:
+    FunctionName: quicksight-add-users-from-spreadsheet
+    Handler: quicksight-add-users-from-spreadsheet.handler
+    Policies:
+      - AWSLambdaBasicExecutionRole
+      - Statement:
+          - Effect: Allow
+            Action: lambda:InvokeFunction
+            Resource: !GetAtt QuicksightAddUsersLambdaFunction.Arn
+          - Effect: Allow
+            Action: cognito-idp:AdminGetUser
+            Resource: !GetAtt QuicksightAccessUserPool.Arn
+          - Effect: Allow
+            Action:
+              - quicksight:DescribeUser
+              - quicksight:ListUserGroups
+            Resource: '*'
+    ReservedConcurrentExecutions: 10
+    Environment:
+      # checkov:skip=CKV_AWS_173: These environment variables do not require encryption
+      Variables:
+        ENVIRONMENT: !Ref Environment
+        USER_POOL_ID: !Ref QuicksightAccessUserPool
+    Tags:
+      Environment: !Ref Environment
+    MemorySize: 512
+    # this lambda lives in the protected subnets of a different VPC than the main application lambdas
+    # because it needs (limited) internet access to call cognito and quicksight APIs and these services do not have VPC endpoints
+    # it also needs to invoke the quicksight-add-users lambda and must be in this VPC to use the lambda VPC endpoint
+    # see https://govukverify.atlassian.net/wiki/spaces/PLAT/pages/3531735041/VPC
+    VpcConfig:
+      SecurityGroupIds:
+        - Fn::ImportValue: !Sub ${Environment}-dap-vpc-AWSServicesEndpointSecurityGroupId
+      SubnetIds:
+        - Fn::ImportValue: !Sub ${Environment}-dap-vpc-ProtectedSubnetIdA
+        - Fn::ImportValue: !Sub ${Environment}-dap-vpc-ProtectedSubnetIdB
+        - Fn::ImportValue: !Sub ${Environment}-dap-vpc-ProtectedSubnetIdC
+
+QuicksightAddUsersFromSpreadsheetInvokeRole:
+  Type: AWS::IAM::Role
+  Condition: IsQuicksightEnvironment
+  Properties:
+    RoleName: !Sub ${Environment}-dap-quicksight-add-users-invoke-role
+    AssumeRolePolicyDocument:
+      Version: 2012-10-17
+      Statement:
+        - Effect: Allow
+          Principal:
+            Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+          Action: 'sts:AssumeRoleWithWebIdentity'
+          Condition:
+            StringLike:
+              'token.actions.githubusercontent.com:sub':
+                - repo:govuk-one-login/data-analytics-platform:ref:refs/heads/*
+                - repo:govuk-one-login/data-analytics-platform:environment:*
+    Policies:
+      - PolicyName: !Sub ${Environment}-dap-quicksight-add-users-invoke-policy
+        PolicyDocument:
+          Version: 2012-10-17
+          Statement:
+            - Effect: Allow
+              Action: lambda:InvokeFunction
+              Resource: !GetAtt QuicksightAddUsersFromSpreadsheetLambdaFunction.Arn
 webAcl:
   Type: 'AWS::WAFv2::WebACL'
   Condition: IsQuicksightEnvironment