refactor: OpenSearch resource-based permissions for amp-amg-opensearc…
…h blueprint (aws-ia#978)
alex-rawman authored and allamand committed Dec 15, 2022
1 parent 60ec2a1 commit ac1442d
Showing 2 changed files with 37 additions and 11 deletions.
38 changes: 35 additions & 3 deletions examples/observability/amp-amg-opensearch/data.tf
@@ -1,4 +1,15 @@
data "aws_eks_cluster_auth" "this" {
name = module.eks_blueprints.eks_cluster_id
}

data "aws_availability_zones" "available" {}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "fluentbit_opensearch_access" {
# Identity Based Policy specifies a list of IAM permissions
# that principal has against OpenSearch service API
# ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-identity
statement {
sid = "OpenSearchAccess"
effect = "Allow"
Expand All @@ -8,13 +19,34 @@ data "aws_iam_policy_document" "fluentbit_opensearch_access" {
}

data "aws_iam_policy_document" "opensearch_access_policy" {
# This is the resource-based policy that allows to set access permissions on OpenSearch level
# To be working properly the client must support IAM (SDK, fluent-bit with sigv4, etc.) Browsers don't do IAM.
# ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource
statement {
sid = "WriteDomainLevelAccessToOpenSearch"
effect = "Allow"
resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"]
actions = ["es:ESHttp*"]
resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"] # this can be an index prefix like '/foo-*'
actions = [ #ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-reference
"es:ESHttpPost",
"es:ESHttpPut"
]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/amp-amg-opensearch-aws-for-fluent-bit-sa-irsa"]
}
}

statement {
sid = "AdminDomainLevelAccessToOpenSearch"
effect = "Allow"
resources = [
"${aws_elasticsearch_domain.opensearch.arn}",
"${aws_elasticsearch_domain.opensearch.arn}/*",
]
actions = ["es:*"]
principals {
type = "*"
identifiers = ["*"]
identifiers = ["*"] # must be set to wildcard when clients can't sign sigv4 or pass IAM to OpenSearch (aka browsers)
}
}
}
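Review bot: The `AdminDomainLevelAccessToOpenSearch` statement grants `es:*` on the domain ARN and `/*` to `principals { type = "*" identifiers = ["*"] }` with no `condition` block, and the main.tf section of this same commit sets `advanced_security_options { enabled = false }`, so nothing beyond network reachability is left to authenticate those anonymous callers (whether the domain is VPC-only is not visible in either section). It also makes the narrower `WriteDomainLevelAccessToOpenSearch` statement moot, since `es:*` for everyone already covers `es:ESHttpPost`/`es:ESHttpPut` for the fluent-bit role. If browser clients are the reason for the wildcard, an `aws:SourceIp` condition on that statement or leaving fine-grained access control enabled would bound it; at minimum the comment on the wildcard `identifiers` line should name the compensating control, e.g. `# REVIEW: with FGAC disabled this is anonymous admin on the domain — only acceptable if the endpoint is VPC-only or IP-restricted`. Separately, the first statement hard-codes `role/amp-amg-opensearch-aws-for-fluent-bit-sa-irsa` as a string; referencing the IRSA role output of the addon module instead would keep the policy correct if the cluster or addon name changes.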
10 changes: 2 additions & 8 deletions examples/observability/amp-amg-opensearch/main.tf
Expand Up @@ -21,12 +21,6 @@ provider "grafana" {
auth = var.grafana_api_key
}

data "aws_eks_cluster_auth" "this" {
name = module.eks_blueprints.eks_cluster_id
}

data "aws_availability_zones" "available" {}

locals {
name = basename(path.cwd)
region = "us-west-2"
Expand Down Expand Up @@ -124,7 +118,7 @@ resource "grafana_data_source" "prometheus" {
#tfsec:ignore:aws-elastic-search-enable-domain-logging
resource "aws_elasticsearch_domain" "opensearch" {
domain_name = "opensearch"
elasticsearch_version = "OpenSearch_1.1"
elasticsearch_version = "OpenSearch_1.3"

cluster_config {
instance_type = "m6g.large.elasticsearch"
Expand Down Expand Up @@ -155,7 +149,7 @@ resource "aws_elasticsearch_domain" "opensearch" {
}

advanced_security_options {
enabled = true
enabled = false
internal_user_database_enabled = true

master_user_options {
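Review bot: With `enabled = false` on `advanced_security_options`, the `internal_user_database_enabled = true` and `master_user_options` that follow it (the block continues past the end of this hunk) become inert configuration that reads as if a master user still gates the domain; either remove them together with the toggle or document why fine-grained access control is switched off, e.g. `# FGAC disabled: access is governed only by the resource policy in data.tf`. The `#tfsec:ignore:aws-elastic-search-enable-domain-logging` on the resource suggests domain logging is not enabled, so there would be no record of who used the now-anonymous access path; a comment stating that trade-off next to the ignore would help the next reader. The `OpenSearch_1.1` → `OpenSearch_1.3` bump is unrelated to the permissions refactor named in the title and would be easier to review as its own commit.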
