Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: include iam pivot role as part of the environment cdk stack #355

Merged
merged 122 commits into from
Apr 5, 2023
Merged

feat: include iam pivot role as part of the environment cdk stack #355

merged 122 commits into from
Apr 5, 2023

Conversation

dlpzx
Copy link
Contributor

@dlpzx dlpzx commented Mar 8, 2023
edited
Loading

Feature or Bugfix

  • Feature

Detail

⚠️ ⚠️ ⚠️ IMPORTANT ⚠️ ⚠️ ⚠️

IF YOU ARE MIGRATING FROM MANUAL TO CDK-CREATED ROLE, WHILE THE PIPELINE IS UPDATING THE BACKEND CODE, UPDATING ENVIRONMENT/DATASET STACKS AND UPDATING THE FRONTEND CODE YOU WILL EXPERIENCE DOWN TIMES. PLAN THE MIGRATION (AROUND 1-2H) IN A TIME WINDOW THAT DOES NOT IMPACT YOUR USERS.

Configuration of manual or cdk-created pivotRole

With this PR customers will be able to use data.all and link environments using a manually created pivotRole or a cdk-pivotRole deployed as part of the environment stack. What to use is configurable in the cdk.json for each infra account. For example, customers can have manually created pivotRoles in "dev" and cdk-created ones in "prod". The configuration affects all environments of the deployment. In this example, environments linked to "prod" will always deploy a cdk-PivotRole, it is not possible to have a mix of manual and cdk roles in the same infra deployment.

  • Added configuration parameter in cdk.json to enable or disable pivotRole creation as part of environment in each development environment:
    "enable_pivot_role_auto_create": "boolean_ENABLE_PIVOT_ROLE_AUTO_CREATE_IN_ENVIRONMENT|DEFAULT=false",

  • Creation of SSM Parameter that stores this flag in each of the development environments. (Screenshot outdated, not the parameter is called enablePivotRoleAutoCreate to match the cdk.json parameter name
    image

  • Modification of the "dataall-pivotrole-name" Secret in central account. For pivotRole created manually it stays in "dataallPivotRole" for cdk-created ones "dataallPivotRole-cdk" to avoid issues with conflicting IAM roles.

  • Added CDK nested stack for PivotRole IAM role and add it to the Environment stack. It is deployed depending on the value of the created SSM parameter. Permissions that reference the pivotRole are adapted to use the pivotRole-cdk when it is enabled.

  • Conditional pre-requisites box in CreateEnvironment UI view depending on the value of the SSM Parameter. The value of the SSM parameter is written to the .env file of the React application and is used in the frontend/src/views/Environments/EnvironmentCreateForm.js.
    (With enable_pivot_role_auto_create: false)

image

(With enable_pivot_role_auto_create: true)
image

Refactor AWS account checks

In the resolvers and in the environment stack deployment originally we performed some checks in the account with boto3 calls assuming that the pivotRole was created. In this PR some of this checks are now effectuated with the cdk look up role and other tests have been moved to other places in the code. In addition, more tests are added to consider all scenarios (e.g. check that pivotRole exists in manual-pivot role deployments).

  • Modified check of CDKToolkit CFN stack to avoid using pivotRole

image

  • Added check of pivotRole creation (for manual created pivotRole) with CDK look-up role.

image

  • Added check_environment methods to the update_environment API call.

  • Previous check of existing SageMaker Studio domain when MLStudio is enabled is now executed with cdk look up role

  • Previous check of Quicksight subscription when Dashboards is enabled now happens after environment creation, when a Dataset is created or when a Dashboard-Quicksight session is started.

  • Previous creation of data.all Quicksight default group when Dashboards is enabled now happens after environment creation, when a Dataset is created or when a Dashboard-Quicksight session is started.

Migrating from manual to cdk-created pivotRole

This PR takes into consideration the scenario in which customers already have a deployment of data.all with environments linked using a manually created pivotRole and want to leverage cdk-created pivotRoles.

To do that, customers just need to add the enable_pivot_role_auto_create parameter in their cdk.json configuration and set it to true. Once the CICD pipeline has completed: new linked environments will contain the nested cdk-pivotRole stack (no actions needed) and existing environments can be updated by:
a) manually, by clicking on "update stack" in the environment>stack tab
b) automatically, wait for the stack-updater ECS task that runs daily overnight
c) automatically, set the added update_dataall_stacks_in_cicd_pipeline parameter to true in the cdk.json config file. The stack-updater ECS task will be triggered from the CICD pipeline

  • Added configuration parameter in cdk.json to add a CodeBuild stage in CICD pipeline to trigger update of environments and datasets stacks:
    "enable_update_dataall_stacks_in_cicd_pipeline": "boolean_ENABLE_UPDATE_DATAALL_STACKS_IN_CICD_PIPELINE|DEFAULT=false"
    This parameter can be set back to false whenever customers do not foresee many changes in the dataset and environment stacks and back to true when we want to force the update of stacks. This can be useful to ensure changes in the stacks are applied immediately instead of waiting for the stack-updater to run overnight.

image

  • Modified stacks-updater ECS task to run environment updates first, wait until completion and then update dataset stacks. The reason of keeping this order is that the datasets of an environment use Lambda functions created in the environment stack as Custom resources (glue-db-handler). The original Lambda function needs to be updated to use the new pivotRole before being used in the Dataset stack. Plus, Quicksight group creation which happens in the dataset stack uses the pivotRole because the cdk-look-up role has no Quicksight permissions.

  • Replaced the CFN AWS::LakeFormation::Resource by a Custom Resource and added the necessary 'lakeformation:De/registerResource` permissions to Pivot Role. Using the Cfn resource directly caused internal Failure errors. To have more control over the update we now execute it as a custom resource (in the same way as we do with the glue-db-handler).

image

Documentation

  • Userguide changes in environment section
  • GitHub pages changes (in a different PR)

Additional enhancements

  • For the dataset custom resources, now the provider creation has been moved to the environment stack avoiding Lambda policy size limitations, the SSM parameters for the Lambda arn and name are left for reference if needed.
  • Modified Default Lake Formation settings custom resource in environment stack: added validation of IAM roles when adding LakeFormation data lake admins, if the IAM roles do not exist, data.all removes them from data lake admins to avoid errors. It now removes pivotRole (manual or cdk) from LakeFormation data lake admins on environment stack deletion.
  • Make team IAM roles policies unique by adding environmentUri to their policy names
  • bugfix: Fix local imports of shareItemSM for Docker and quicksight properties
  • Isolated SageMaker Studio domain stack in a different nested stack in the Environment stack for readability

Relates

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

dosiennik and others added 30 commits February 2, 2023 19:18
@dosiennik
migrate pivot role to the cdk managed approach
61a47e0
@noah-paige @dlpzx
219 pipeline filter (#259)
0a0deb5 
### Feature or Bugfix
- Feature

### Detail
- Add filter to pipeline list view
- Filter by region (of CICD Env), devStrategy, and tags 

![Screen Shot 2022-12-16 at 3 24 32
PM](https://user-images.githubusercontent.com/69586985/208183131-3087a03a-b17b-4cde-b376-4d5877c1aadb.png)


### Relates
- [#219 ](#219)

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
@dlpzx @degoldner
Introduce sharing State Machines (#267)
87ba593 
- Feature
- Refactoring

- Embed sharing actions into code defined State machines
- Redesign the sharing workflow to keep track of revoke of access
- Adjust and simplify sharing managers and tasks - separation of approval and revoke process
- Revoke items in batch
- Added info in share statistics in inbox and outbox
- Added testing for S3 and LakeFormation share managers and for sharing APIs

(Check out the conversation in the below issue for more details)

- #255

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Co-authored-by: Dennis Goldner <107395339+degoldner@users.noreply.github.com>
@dlpzx
Visibility for shared tables and folder consumption (#289)
315dfcf 
### Feature or Bugfix
- Feature

### Detail
- Added "shared" db name and access point names in the UI
- Added "shared" db name and access point names as part of the
shareObject graphQL schema
The result is that users can view relevant information to consume data
that has been shared with them directly from the shares view. They can
copy to their clipboards a command to list the objects inside a shared
folders using the AWS CLI or they can copy an SQL statement to use in
Athena and query shared tables.


![image](https://user-images.githubusercontent.com/71252798/216063148-dabb0834-a1bd-45e6-8446-916540efc871.png)


### Relates
- #283 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
@dlpzx
Fix order of migration scripts
f174ed3
@dlpzx
Added UserGuide in PDF for v1.4.0
444175f
@dlpzx
Fix notifications approve/reject
19f76f1
@dlpzx
Commented init_quicksight from environment stack and added in lf-shar…
75bf048 
…e-manager
@dlpzx
First draft of SageMaker domain in SageMakerStudio stack
74e1902
@dlpzx
Move Quicksight/SageMaker pivotRole dependencies in environment stack
0ec057f
@dlpzx
Fix reference to target environment
04fae69
@dlpzx
Fix integration tests cdkproxy
c5c18a1
@dlpzx
Fix integration tests cdkproxy
006c912
@dosiennik @dlpzx
migrate pivot role to the cdk managed approach
480ffc4
@dlpzx
Commented init_quicksight from environment stack and added in lf-shar…
f6c64c0 
…e-manager
@dlpzx
First draft of SageMaker domain in SageMakerStudio stack
2c9df49
@dlpzx
Move Quicksight/SageMaker pivotRole dependencies in environment stack
5bcbd9a
@dlpzx
Fix reference to target environment
46a853d
@dlpzx
Fix integration tests cdkproxy
dc6fe01
@dlpzx
Fix integration tests cdkproxy
f43a663
@dlpzx
Merge remote-tracking branch 'origin/274-include-iam-pivot-role-as-pa…
d0c8674 
…rt-of-the-environment-cdk-stack' into 274-include-iam-pivot-role-as-part-of-the-environment-cdk-stack

# Conflicts:
#	backend/dataall/db/api/__init__.py
#	backend/dataall/db/api/dataset.py
#	backend/dataall/db/api/dataset_location.py
#	backend/dataall/db/api/dataset_table.py
#	backend/dataall/db/api/environment.py
#	backend/dataall/db/api/redshift_cluster.py
#	backend/dataall/db/api/share_object.py
#	backend/dataall/tasks/data_sharing/data_sharing_service.py
#	backend/dataall/tasks/data_sharing/share_managers/lf_share_manager.py
#	backend/dataall/tasks/data_sharing/share_processors/lf_process_cross_account_share.py
#	backend/dataall/tasks/data_sharing/share_processors/lf_process_same_account_share.py
#	deploy/stacks/backend_stack.py
#	deploy/stacks/backend_stage.py
#	deploy/stacks/container.py
#	deploy/stacks/pipeline.py
#	template_cdk.json
#	tests/tasks/test_lf_share_manager.py
@dlpzx
Added SSM Parameter for create_pivot_role
5e62ed2
@dlpzx
Removed quicksight init form environment, modified quicksight get ide…
be7534e 
…ntity region
@dlpzx
Typo - stringify boolean SSM parameter
812ed0c
@dlpzx
use cdk look-up role instead of pivotrole in environment stack check …
d1afc26 
…functions
@dlpzx
Removed pivot role environment variables in ECS
8779959
@dlpzx
Modified resolver of environment to check CDK toolkit with resolver
ae8df29
@dlpzx
Move VPC lookup to main stack to solve creds issue
1d5af03
@dlpzx
Added API to check manual creation of pivotRole and update frontend v…
595e503 
…iew dynamically
@dlpzx
Quicksight default group name as class param
e7ecbb3
@nikpodsh
Copy link
Contributor

I think it'd be nice to have a test that compares a manual pivot role and the automated one. Just in case when we added a new changes in one of them, but forgot to replicated it into the other. What do you think?

kukushking
kukushking approved these changes Mar 29, 2023
View reviewed changes
Copy link
Contributor

@kukushking kukushking left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

@dlpzx dlpzx changed the title 274 include iam pivot role as part of the environment cdk stack feat: include iam pivot role as part of the environment cdk stack Mar 31, 2023
@dlpzx dlpzx requested a review from dosiennik April 5, 2023 06:10
@dlpzx dlpzx merged commit 5726403 into v1m5m0 Apr 5, 2023
dlpzx added a commit that referenced this pull request Apr 11, 2023
@dlpzx
Include iam pivot role as part of the environment cdk stack (#355)
9cf24bc 
### Feature or Bugfix
- Feature

### Detail
#### ⚠️ ⚠️ ⚠️ IMPORTANT ⚠️ ⚠️ ⚠️
IF YOU ARE MIGRATING FROM MANUAL TO CDK-CREATED ROLE, WHILE THE PIPELINE IS UPDATING THE BACKEND CODE, UPDATING ENVIRONMENT/DATASET STACKS AND UPDATING THE FRONTEND CODE YOU WILL EXPERIENCE DOWN TIMES. PLAN THE MIGRATION (AROUND 1-2H) IN A TIME WINDOW THAT DOES NOT IMPACT YOUR USERS.

#### Configuration of manual or cdk-created pivotRole
With this PR customers will be able to use data.all and link environments using a manually created pivotRole or a cdk-pivotRole deployed as part of the environment stack. What to use is configurable in the `cdk.json` for each infra account. For example, customers can have manually created pivotRoles in "dev" and cdk-created ones in "prod". The configuration affects all environments of the deployment. In this example, environmentslinked to "prod" will always deploy a cdk-PivotRole, it is not possible to have a mix of manual and cdk roles in the same infra deployment.

- Added configuration parameter in `cdk.json` to enable or disable pivotRole creation as part of environment in each development environment:
 `"enable_pivot_role_auto_create": "boolean_ENABLE_PIVOT_ROLE_AUTO_CREATE_IN_ENVIRONMENT|DEFAULT=false",`

- Creation of SSM Parameter that stores this flag in each of the development environments. (Screenshot outdated, not the parameter is called `enablePivotRoleAutoCreate` to match the cdk.json parameter name
![image](https://user-images.githubusercontent.com/71252798/225842050-36c24de8-4a13-4378-91f8-4a7eb10a4281.png)

- Modification of the "dataall-pivotrole-name" Secret in central account. For pivotRole created manually it stays in "dataallPivotRole" for cdk-created ones "dataallPivotRole-cdk" to avoid issues with conflicting IAM roles.

- Added CDK nested stack for PivotRole IAM role and add it to the Environment stack. It is deployed depending on the value of the created SSM parameter. Permissions that reference the pivotRole are adapted to use the pivotRole-cdk when it is enabled.

- Conditional pre-requisites box in CreateEnvironment UI view depending on the value of the SSM Parameter. The value of the SSM parameter is written to the `.env` file of the React application and is used in the `frontend/src/views/Environments/EnvironmentCreateForm.js`.
(With `enable_pivot_role_auto_create: false`)
<img width="1407" alt="image" src="https://user-images.githubusercontent.com/71252798/225843691-1fa8a99f-1936-4061-bac9-80030e6f4232.png">

(With `enable_pivot_role_auto_create: true`)
![image](https://user-images.githubusercontent.com/71252798/226277248-97c8550e-053d-4d1d-8313-bfd7650a71f5.png)

#### Refactor AWS account checks
In the resolvers and in the environment stack deployment originally we performed some checks in the account with boto3 calls assuming that the pivotRole was created. In this PR some of this checks are now effectuated with the `cdk look up role` and other tests have been moved to other places in the code. In addition, more tests are added to consider all scenarios (e.g. check that pivotRole exists in manual-pivot role deployments).

- Modified check of CDKToolkit CFN stack to avoid using pivotRole
<img width="335" alt="image" src="https://user-images.githubusercontent.com/71252798/225841263-5991165d-d1ed-4aeb-9ec8-017357485434.png">

- Added check of pivotRole creation (for manual created pivotRole) with CDK look-up role.
<img width="1260" alt="image" src="https://user-images.githubusercontent.com/71252798/223967385-450d9018-43e5-45b6-9736-225c627af989.png">

- Added check_environment methods to the update_environment API call.

- Previous check of existing SageMaker Studio domain when MLStudio is enabled is now executed with cdk look up role
- Previous check of Quicksight subscription when Dashboards is enabled now happens after environment creation, when a Dataset is created or when a Dashboard-Quicksight session is started.
- Previous creation of data.all Quicksight default group when Dashboards is enabled now happens after environment creation, when a Dataset is created or when a Dashboard-Quicksight session is started.

#### Migrating from manual to cdk-created pivotRole
This PR takes into consideration the scenario in which customers already have a deployment of data.all with environments linked using a manually created pivotRole and want to leverage cdk-created pivotRoles.

To do that, customers just need to add the `enable_pivot_role_auto_create` parameter in their `cdk.json` configuration and set it to `true`. Once the CICD pipeline has completed: new linked environments will contain the nested cdk-pivotRole stack (no actions needed) and existing environments can be updated by:
a) manually, by clicking on "update stack" in the environment>stack tab
b) automatically, wait for the `stack-updater` ECS task that runs daily overnight
c) automatically, set the added `update_dataall_stacks_in_cicd_pipeline` parameter to `true` in the `cdk.json` config file. The `stack-updater` ECS task will be triggered from the CICD pipeline

- Added configuration parameter in `cdk.json` to add a CodeBuild stage in CICD pipeline to trigger update of environments and datasets stacks:
`"enable_update_dataall_stacks_in_cicd_pipeline": "boolean_ENABLE_UPDATE_DATAALL_STACKS_IN_CICD_PIPELINE|DEFAULT=false"`
This parameter can be set back to `false` whenever customers do not foresee many changes in the dataset and environment stacks and back to true when we want to force the update of stacks. This can be useful to ensure changes in the stacks are applied immediately instead of waiting for the stack-updater to run overnight.

<img width="1328" alt="image" src="https://user-images.githubusercontent.com/71252798/226288484-3109a685-4bda-41f8-ab49-84aaa69796bf.png">

- Modified `stacks-updater` ECS task to run environment updates first, wait until completion and then update dataset stacks. The reason of keeping this order is that the datasets of an environment use Lambda functions created in the environment stack as Custom resources (glue-db-handler). The original Lambda function needs to be updated to use the new pivotRole before being used in the Dataset stack. Plus, Quicksight group creation which happens in the dataset stack uses the pivotRole because the cdk-look-up role has no Quicksight permissions.

- Replaced the CFN `AWS::LakeFormation::Resource` by a Custom Resource and added the necessary 'lakeformation:De/registerResource` permissions to Pivot Role. Using the Cfn resource directly caused internal Failure errors. To have more control over the update we now execute it as a custom resource (in the same way as we do with the glue-db-handler).

![image](https://user-images.githubusercontent.com/71252798/226554050-e9d2faa0-96fc-4677-946d-47c6d4c04005.png)

#### ⚠️ ⚠️ ⚠️ Migration risks ⚠️ ⚠️ ⚠️

Removing the AWS::LakeFormation::Resource resource and replacing it with a Custom Resource within the same/single update of the dataset stack causes a race condition since:
1) deleting AWS::LakeFormation::Resource triggers deletion of the data location resource from Lake Formation.
2) adding a custom resource or actually replacing AWS::LakeFormation::Resource with a custom resource creates or updates the data location resource.

Then the output of this update of the dataset stack depends on the order in which 1 & 2 occurs, in the worst case 2 happens before 1, which results in deletion of the Lake Formation data location resource. This is explained because both AWS::LakeFormation::Resource and Custom Resource point to the same DataLakeLocation which can be registered just once.

This error will be solved in a second update of stacks, in which the 'on_update' event of the datalakelocation handler checks if the location was registered in Lake Formation and creates the corresponding data location resource if it is missing. A second update can be triggered manually, by going to the UI, selecting the dataset and clicking on update stack in the stack tab. If it is not triggered manually, an scheduled task runs this update daily.

#### Documentation
- Userguide changes in environment section
- GitHub pages changes (in a different PR)

#### Additional enhancements
- For the dataset custom resources, now the provider creation has been moved to the environment stack avoiding [Lambda policy size limitations](https://repost.aws/knowledge-center/lambda-resource-based-policy-size-error), the SSM parameters for the Lambda arn and name are left for reference if needed.
- Modified Default Lake Formation settings custom resource in environment stack: added validation of IAM roles when adding LakeFormation data lake admins, if the IAM roles do not exist, data.all removes them from data lake admins to avoid errors. It now removes pivotRole (manual or cdk) from LakeFormation data lake admins on environment stack deletion.
- Make team IAM roles policies unique by adding environmentUri to their policy names
- bugfix: [Fix local imports of shareItemSM for Docker and quicksight properties](527f561)
- Isolated SageMaker Studio domain stack in a different nested stack in the Environment stack for readability

### Relates
- #251

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
@dlpzx dlpzx mentioned this pull request Apr 11, 2023
Merged
dlpzx added a commit that referenced this pull request Apr 25, 2023
@dlpzx @kukushking
@dosiennik @noah-paige @degoldner
V1.5.0 Features (#409)
219553f 
### Feature or Bugfix
- V1.5.0 Features. Check each PR for a complete description of the
feature.

### Detail
- #292 
- #355 
- #337 
- #427 
- #431 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Co-authored-by: kukushking <kukushkin.anton@gmail.com>
Co-authored-by: Dariusz Osiennik <osiend@amazon.com>
Co-authored-by: Noah Paige <69586985+noah-paige@users.noreply.github.com>
Co-authored-by: Dennis Goldner <107395339+degoldner@users.noreply.github.com>
@dlpzx dlpzx deleted the 274-include-iam-pivot-role-as-part-of-the-environment-cdk-stack branch May 17, 2023 06:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nikpodsh nikpodsh nikpodsh left review comments

@kukushking kukushking kukushking approved these changes

@AmrSaber AmrSaber Awaiting requested review from AmrSaber

@dosiennik dosiennik Awaiting requested review from dosiennik

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dlpzx @nikpodsh @kukushking @dosiennik @noah-paige