Amongst The Silos
Steps I expected to take when creating an Amazon QuickSight instance and connecting it to a PostgreSQL database in Amazon RDS:
- Write Terraform to create the QuickSight instance
- Write Terraform to create the RDS dataset
- Open the QuickSight console and create a dashboard using that dataset
Steps I actually had to take:
- Write Terraform to create the QuickSight instance only to discover that creation via API is not supported in my region of choice, so had to throw it away
- Create the QuickSight instance manually in the console, during which I had to explicitly select that I wanted to give permissions to talk to RDS
- Manually edit the resultant IAM policies to include permissions to use the customer-managed keys that encrypt all our resources
- Apply a security group to the RDS instance that allows TCP access on port 5432 to the QuickSight public IP addresses in my chosen region
- Add a user to PostgreSQL specifically for QuickSight to use, one with a password hashed using an older algorithm, since the QuickSight driver uses a version that lacks support for modern (read: most secure) algorithms
- Grant permissions for this user to be able to read the schemas and tables that hold the data I want to visualize
- Create the RDS dataset in QuickSight, manually entering the connection details
- Create a dashboard using the above dataset
Figuring out a number of the above steps required decoding unhelpful errors, searching through pages of documentation, and other non-trivial efforts. For shame, Amazon, for shame. Y’all should talk to each other more.
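The two PostgreSQL steps above (the dedicated user with an older password hash, and the read grants) can be scoped so the weaker credential has as little reach as possible. This is an added sketch, not code from the original post. It assumes the "older algorithm" is md5 and the modern one is scram-sha-256, and the role, database and schema names (`quicksight_ro`, `appdb`, `reporting`) and the password placeholder are all hypothetical:

```sql
-- Assumed names (hypothetical): role quicksight_ro, database appdb, schema reporting.
-- Run as the RDS master user while connected to appdb.

BEGIN;
-- Downgrade the hash for this transaction only. SET LOCAL reverts at COMMIT,
-- so every other role created or altered later still gets the server default.
SET LOCAL password_encryption = 'md5';

CREATE ROLE quicksight_ro
  LOGIN
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
  CONNECTION LIMIT 5
  PASSWORD 'REPLACE_WITH_GENERATED_SECRET';  -- placeholder, not a real secret
COMMIT;

-- Confirm the setting is back to the server default after the transaction.
SHOW password_encryption;

-- Read-only access to one schema, nothing else.
GRANT CONNECT ON DATABASE appdb TO quicksight_ro;
GRANT USAGE ON SCHEMA reporting TO quicksight_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO quicksight_ro;

-- Covers tables created later in this schema by the role running this
-- statement; add FOR ROLE <owner> if another role creates the tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting
  GRANT SELECT ON TABLES TO quicksight_ro;

-- Defence in depth for a credential protected by a weaker hash:
-- sessions start read-only and long-running queries are cut off.
ALTER ROLE quicksight_ro SET default_transaction_read_only = on;
ALTER ROLE quicksight_ro SET statement_timeout = '60s';

-- Check the role's attributes (pg_roles never exposes the password hash).
SELECT rolname, rolcanlogin, rolsuper, rolcreatedb, rolcreaterole, rolconnlimit
FROM pg_roles
WHERE rolname = 'quicksight_ro';
```

If statement logging is enabled, the `CREATE ROLE` line, password included, is written to the PostgreSQL log, so rotate the password afterwards or disable logging for that session.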