CI/CD and QuickSight multi-account best practices

Most of our users ask us for best practices for CI/CD (a.k.a. BI Ops) in QuickSight to plan, control, validate and finally deploy changes in their QuickSight environment.

This is a broad topic, so we recommend discussing it with your AWS Solutions Architect. Here we provide some general recommendations and details of the different tools that QuickSight and the AWS ecosystem provide to accomplish this task.

Overview of Topics:

  • QuickSight APIs: Utilizing templates and the new bundle export APIs to export multiple QuickSight assets as code.
  • CloudFormation/CDK: Managing infrastructure as code.
  • (Optional) Integration with AWS Code services.

High-level Recommendations for Implementation:

  • Separate Environments: Use distinct AWS accounts for different stages (Development, Test, Pre-production, Production) to minimize risks from misconfigurations or unintended changes.
  • Promotion Process: Automate the promotion of changes from Development to Test but incorporate manual approvals for moving to Pre-production and Production.
  • Data Separation: Utilize different datasets for development and testing to safeguard sensitive information (e.g., PII) in early stages.

Before continuing, a couple of recommendations to implement these best practices:

  1. Consider using separate AWS (and hence QuickSight) accounts for the different environments (Dev/Test/Pre-production/Production). This is in line with the AWS best practices whitepaper and, amongst other benefits, reduces the blast radius of misconfigurations or accidental code/setup changes in an account.
  2. Use a process to automatically promote changes from Development to Test accounts, for example, but include manual approval steps when promoting to Pre-production and Production.
  3. Use different datasets for development and testing than the ones you will have in Pre-production and Production (to prevent access to PII and customer data in early development phases).

Now, with these recommendations in place, let's dive deep into the aforementioned items one by one:

QuickSight APIs:

QuickSight offers two API-based approaches for automating tasks like continuous deployment:

  1. Templates: Facilitate replicating dashboard and analysis designs across accounts and regions, with the option to replace datasets to adhere to the first and third best practices.

  2. Bundle Export APIs: These allow the comprehensive export of assets (analyses, dashboards, datasets, data sources, refresh schedules, themes, VPC connections etc.) in JSON or CloudFormation format, including dependencies.

Templates are best for exact asset replication without dependencies, but offer the option of replacing the datasets that feed dashboards and analyses, whereas Bundle APIs are more suited for CI/CD pipelines and extensive migrations, offering full asset and dependency exports.

Templates in QuickSight create exact duplicates of dashboards or analyses but do not include dependencies like data sources and themes. Instead, they use placeholders, allowing you to substitute datasets with those already existing in the target account. For more details, refer to the relevant blog post.

Conversely, the bundle API lets you create a package containing the dashboard or analysis and all its dependencies (like themes, data sources, datasets, etc.). This bundle can be downloaded, stored, and modified as required, making it ideal for version control systems or for making changes to the dashboards/analyses, such as altering names, fields etc.

The choice between templates and bundle APIs depends on your specific needs. Bundle APIs are generally better for CI/CD pipelines and large-scale migrations between accounts, while templates might be preferred in certain scenarios.

The following table summarizes the main features available in Templates and Bundle APIs:

| Feature | Templates | Bundle APIs |
|---|---|---|
| CloudFormation/CDK support | Y | Y |
| Downloadable/Exportable | N | Y |
| Supports updates to existing assets | N (*) | Y |
| Exporting dependencies | N | Y |
| Export multiple assets at once | N | Y |
| Allow you to define asset permissions on creation | Y | Y |

*Supported if used with CloudFormation AWS::QuickSight::Dashboard or AWS::QuickSight::Analysis resources

CloudFormation

CloudFormation provides infrastructure as code capabilities to manage AWS resources. It uses a declarative JSON or YAML syntax to model the resources and their configurations.

For QuickSight, CloudFormation supports creating and managing assets like data sources, datasets, analyses, dashboards, themes, VPC connections, etc.

A key benefit is that CloudFormation handles orchestrating the underlying API calls and resource management automatically. For example, to update a dashboard, CloudFormation will delete and recreate it, if necessary, without manual intervention.

Other notable CloudFormation features include:

  • Stack sets to deploy across accounts and regions
  • Drift detection to identify resources changed outside of CloudFormation
  • Rollback capabilities on failures
  • Supports infrastructure lifecycle management

By representing infrastructure declaratively and managing resources programmatically, CloudFormation enables infrastructure automation, testing, and continuous delivery pipelines.

The QuickSight bundle API can also integrate with CloudFormation by exporting assets in CloudFormation JSON format. For QuickSight assets, it provides a robust mechanism for managing and deploying changes across environments in a standardized, auditable way. It is ideal for managing QuickSight data sources and underlying infrastructure like VPC connections etc. The integration of the bundle API enhances CloudFormation’s capabilities for asset portability and version control. Read more about this in this blog.

AWS Code services

Finally, integrating low-level APIs with orchestration tools like AWS CodePipeline facilitates deployment automation. CodePipeline enables automating deployments using CloudFormation to promote changes across multiple stages like development, testing, pre-production, and production. This allows implementing a full CI/CD pipeline for QuickSight assets.

Key benefits of using CodePipeline:

  • Automates rollout of CloudFormation stacks across accounts and regions
  • Implements quality gates and approval checks between environments
  • Supports safeguards so production is not directly updated from development
  • Facilitates rapid iterations from dev to test without impacting production
  • Provides notifications, dashboards, and logs for pipeline visibility
  • Integrates seamlessly with other developer tools like GitHub and Jenkins

Overall, CodePipeline lets you build a structured, auditable, and efficient workflow for releasing QuickSight dashboard and analysis changes. Environment promotion rules can enforce testing and security best practices. Teams can develop faster without worrying about accidental production outages.
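One check a pipeline stage could run on a stored CloudFormation-format bundle before the manual approval step, shown as an added example that is not part of the original article or any AWS tooling. It flags literal data source passwords and ARNs that still name another environment's account; the template, account IDs and resource names are constructed, and treating any foreign account ID as a blocker is an assumed policy.

```python
# Constructed, simplified template (made-up names and IDs) shaped like a stored bundle.
SAMPLE_TEMPLATE = {"Resources": {
    "SalesDataSource": {
        "Type": "AWS::QuickSight::DataSource",
        "Properties": {
            "Credentials": {"CredentialPair": {
                "Username": "bi_reader", "Password": "example-only"}},
            "Permissions": [{
                "Principal": "arn:aws:quicksight:us-east-1:111122223333:user/default/dev-author",
                "Actions": ["quicksight:DescribeDataSource"]}]}},
    "SalesDashboard": {
        "Type": "AWS::QuickSight::Dashboard",
        "Properties": {
            "Permissions": [{
                "Principal": {"Fn::Sub": "arn:aws:quicksight:${AWS::Region}:${AWS::AccountId}:group/default/bi-viewers"},
                "Actions": ["quicksight:DescribeDashboard"]}]}}}}

def arn_account(value):
    """Return the account field of an ARN string, or None if it is not one."""
    parts = value.split(":")
    return parts[4] if len(parts) > 5 and parts[0] == "arn" else None

def iter_strings(node, path=""):
    """Yield (path, string) for every string nested in a JSON-like value."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_strings(child, f"{path}/{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from iter_strings(child, f"{path}/{index}")
    elif isinstance(node, str):
        yield path, node

def promotion_findings(template, target_account):
    """List (resource, problem) pairs that should block promotion (assumed policy)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if not res.get("Type", "").startswith("AWS::QuickSight::"):
            continue
        props = res.get("Properties", {})
        pair = props.get("Credentials", {}).get("CredentialPair", {})
        if isinstance(pair.get("Password"), str):
            findings.append((name, "literal password; use SecretArn or a parameter"))
        for path, value in iter_strings(props):
            account = arn_account(value)
            # Fn::Sub placeholders such as ${AWS::AccountId} are not digits and pass.
            if account and account.isdigit() and account != target_account:
                findings.append((name, f"{path} names account {account}"))
    return findings
```

Calling `promotion_findings(template, target_account)` with the production account ID returns an empty list only when the template carries no literal password and no hard-coded ARN from another account.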

For a more comprehensive understanding, we’ve created a high-level diagram to illustrate this architecture:

Hope you find this article interesting!

Happy dashboarding!
