Unable to create quicksight Users

[caquinomrge]

Hello,

We are trying to deploy aws cudos dashboard using this module, but currently we are getting this error when applying.

 The following resource(s) failed to create: [CidAthenaDataSource]. Rollback requested by user.
│ Resource handler returned message: "Invalid request provided: One or more principals in resource permissions list are not valid QuickSight users (Service: QuickSight, Status Code: 400, Request ID: null)" (RequestToken: 9ab244c7-12b0-1155-6196-1eaa0ca183ca, HandlerErrorCode: InvalidRequest)
│
│   with module.cudos.module.this.module.dashboards.aws_cloudformation_stack.cid,
│   on .terraform/modules/cudos.this.dashboards/terraform-modules/cid-dashboards/main.tf line 13, in resource "aws_cloudformation_stack" "cid":
│   13: resource "aws_cloudformation_stack" "cid" {

Note: Our identity provider is google and we are passing an xml

@gambol99 hope you can help, thank you!

[wozzer72]

Hey @caquinomrge . The error is more related to Quicksight not your IdP:

not valid QuickSight users 

https://github.com/appvia/terraform-aws-cudos/blob/main/main.tf#L327 is the originator of this error.

For the AWS account into which you are deploying the dashboard, do you have an instance of QuickSight in the target region with the user created as identified by var.quicksights_username?

[caquinomrge]

Hey @wozzer72 . Thank you for this information we managed to deploy the dashboards by manually creating the user.

Currently we are getting this error, we still unable to create the user. We create this user manually by inviting him to our quicksight then we managed it by defining it in locals.tf

Error: registering QuickSight User ([email protected]): operation error QuickSight: RegisterUser, https response error StatusCode: 400, RequestID: d2744a6d-dca4-480c-a6bf-4a0027513468, InvalidParameterValueException: Invalid resource identifiers provided. Please check the documentation.
│
│   with module.cudos.module.this.aws_quicksight_user.users["[email protected]"],
│   on .terraform/modules/cudos.this/quicksights.tf line 14, in resource "aws_quicksight_user" "users":
│   14: resource "aws_quicksight_user" "users" {

Here below, we clearly define the user in our locals.tf.

quicksight_users = {
    "[email protected]" = {
      identity_type = "QUICKSIGHT"
      role          = "READER"
    } 
  }

[wozzer72]

Good to know you got through to the end of deployment. That's no mean feat. Well done indeed.

We're still working through the Quicksight subscription/user resource ourselves.

In all instances we too have had to create the Quicksight instance manually and the users/groups accordingly. It's work in progress.

[caquinomrge]

@wozzer72 . When we try to add a new user using the module it generated a plan but.

  # module.cudos.module.this.aws_quicksight_user.users["[email protected]"] will be created
  + resource "aws_quicksight_user" "users" {
      + arn            = (known after apply)
      + aws_account_id = (known after apply)
      + email          = "[email protected]"
      + id             = (known after apply)
      + identity_type  = "QUICKSIGHT"
      + namespace      = "default"
      + user_role      = "READER"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

We get still get this error.

Error: registering QuickSight User ([email protected]): operation error QuickSight: RegisterUser, https response error StatusCode: 400, RequestID: d2744a6d-dca4-480c-a6bf-4a0027513468, InvalidParameterValueException: Invalid resource identifiers provided. Please check the documentation.
│
│   with module.cudos.module.this.aws_quicksight_user.users["[email protected]"],
│   on .terraform/modules/cudos.this/quicksights.tf line 14, in resource "aws_quicksight_user" "users":
│   14: resource "aws_quicksight_user" "users" {

We just want to know if we missed anything in input?

[wozzer72]

Hey Christian

I cannot see anything obvious in your plan that would fail. The 400 is a "bad input data" API response which suggests it data validation issue. I do wonder if AWS is performing some basic validation on the email address - in your example "email.com" and "emaildomain.com" could indeed be examples only for the purpose of creating this issue. AWS QuickSight will of course be trying to send an invitation by email; maybe the 400 is because it failed to send the email invite or maybe because the user already exists (have you checked your QuickSight admin for existing users)?

But terraform is little more than a wrapper on the AWS SDK. Have you tried creating the user manually using the AWS SDK/CLI: https://docs.aws.amazon.com/quicksight/latest/developerguide/register-user.html?

[georgepstaylor]

@wozzer72 . When we try to add a new user using the module it generated a plan but.

  # module.cudos.module.this.aws_quicksight_user.users["[email protected]"] will be created
  + resource "aws_quicksight_user" "users" {
      + arn            = (known after apply)
      + aws_account_id = (known after apply)
      + email          = "[email protected]"
      + id             = (known after apply)
      + identity_type  = "QUICKSIGHT"
      + namespace      = "default"
      + user_role      = "READER"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

We get still get this error.

Error: registering QuickSight User ([email protected]): operation error QuickSight: RegisterUser, https response error StatusCode: 400, RequestID: d2744a6d-dca4-480c-a6bf-4a0027513468, InvalidParameterValueException: Invalid resource identifiers provided. Please check the documentation.
│
│   with module.cudos.module.this.aws_quicksight_user.users["[email protected]"],
│   on .terraform/modules/cudos.this/quicksights.tf line 14, in resource "aws_quicksight_user" "users":
│   14: resource "aws_quicksight_user" "users" {

We just want to know if we missed anything in input?

Hi @caquinomrge. I believe that this was caused due to the aws_quicksight_user requiring the username attribute when using identity_type = "QUICKSIGHT". I have added this in the latest release v3.0.0 and so you should be able to create non-IAM users using this module now.

[georgepstaylor]

Hello,

We are trying to deploy aws cudos dashboard using this module, but currently we are getting this error when applying.

 The following resource(s) failed to create: [CidAthenaDataSource]. Rollback requested by user.
│ Resource handler returned message: "Invalid request provided: One or more principals in resource permissions list are not valid QuickSight users (Service: QuickSight, Status Code: 400, Request ID: null)" (RequestToken: 9ab244c7-12b0-1155-6196-1eaa0ca183ca, HandlerErrorCode: InvalidRequest)
│
│   with module.cudos.module.this.module.dashboards.aws_cloudformation_stack.cid,
│   on .terraform/modules/cudos.this.dashboards/terraform-modules/cid-dashboards/main.tf line 13, in resource "aws_cloudformation_stack" "cid":
│   13: resource "aws_cloudformation_stack" "cid" {

Note: Our identity provider is google and we are passing an xml

@gambol99 hope you can help, thank you!

Similarly, I hope that v3.0.0 fixes the original error raised in this issue.

For clarity, the user previously defined as var.quicksights_username is the quicksights user which is designated as the owner of the dashboards. This user must exist otherwise the stackset will throw the error above.

With v3.0.0 var.quicksights_username is renamed to var.quicksight_dashboard_owner for clarity on this.

You can enable this module to manage your admin user by passing in:

  quicksight_admin_email     = "[email protected]"
  quicksight_admin_username  = "admin"
  quicksight_dashboard_owner = "admin"

(see the updated examples: https://github.com/appvia/terraform-aws-cudos/blob/main/examples/basic/main.tf)

If you already have an admin user, just pass the username to var.quicksight_dashboard_owner and set enable_quicksight_admin to false.

Let me know if this works for you now!