From c3eaf4f04d81811bc92904fa2b115942dbc2c44e Mon Sep 17 00:00:00 2001
From: Alex Roman <109555724+alex-rawman@users.noreply.github.com>
Date: Fri, 30 Sep 2022 17:26:35 -0400
Subject: [PATCH] refactor: OpenSearch resource-based permissions for amp-amg-opensearch blueprint (#978)

---
 .../observability/amp-amg-opensearch/data.tf | 38 +++++++++++++++++--
 .../observability/amp-amg-opensearch/main.tf | 10 +----
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/examples/observability/amp-amg-opensearch/data.tf b/examples/observability/amp-amg-opensearch/data.tf
index fa2d80aeb0..490870eac2 100644
--- a/examples/observability/amp-amg-opensearch/data.tf
+++ b/examples/observability/amp-amg-opensearch/data.tf
@@ -1,4 +1,15 @@
+data "aws_eks_cluster_auth" "this" {
+  name = module.eks_blueprints.eks_cluster_id
+}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "fluentbit_opensearch_access" {
+  # Identity Based Policy specifies a list of IAM permissions
+  # that principal has against OpenSearch service API
+  # ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-identity
   statement {
     sid    = "OpenSearchAccess"
     effect = "Allow"
@@ -8,13 +19,34 @@ data "aws_iam_policy_document" "fluentbit_opensearch_access" {
 }
 
 data "aws_iam_policy_document" "opensearch_access_policy" {
+  # This is the resource-based policy that allows to set access permissions on OpenSearch level
+  # To be working properly the client must support IAM (SDK, fluent-bit with sigv4, etc.) Browsers don't do IAM.
+  # ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource
   statement {
+    sid    = "WriteDomainLevelAccessToOpenSearch"
     effect = "Allow"
-    resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"]
-    actions   = ["es:ESHttp*"]
+    resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"] # this can be an index prefix like '/foo-*'
+    actions = [ #ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-reference
+      "es:ESHttpPost",
+      "es:ESHttpPut"
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/amp-amg-opensearch-aws-for-fluent-bit-sa-irsa"]
+    }
+  }
+
+  statement {
+    sid    = "AdminDomainLevelAccessToOpenSearch"
+    effect = "Allow"
+    resources = [
+      "${aws_elasticsearch_domain.opensearch.arn}",
+      "${aws_elasticsearch_domain.opensearch.arn}/*",
+    ]
+    actions = ["es:*"]
     principals {
       type        = "*"
-      identifiers = ["*"]
+      identifiers = ["*"] # must be set to wildcard when clients can't sign sigv4 or pass IAM to OpenSearch (aka browsers)
     }
   }
 }
diff --git a/examples/observability/amp-amg-opensearch/main.tf b/examples/observability/amp-amg-opensearch/main.tf
index 7aa0b71e16..961131aef2 100644
--- a/examples/observability/amp-amg-opensearch/main.tf
+++ b/examples/observability/amp-amg-opensearch/main.tf
@@ -21,12 +21,6 @@ provider "grafana" {
   auth = var.grafana_api_key
 }
 
-data "aws_eks_cluster_auth" "this" {
-  name = module.eks_blueprints.eks_cluster_id
-}
-
-data "aws_availability_zones" "available" {}
-
 locals {
   name   = basename(path.cwd)
   region = "us-west-2"
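Review bot: The second statement of `opensearch_access_policy` grants `es:*` on the domain and every index to `principals { type = "*" identifiers = ["*"] }`, so any unauthenticated client that can reach the endpoint gets full administrative access, and the narrowing of the fluent-bit statement to `es:ESHttpPost`/`es:ESHttpPut` has no practical effect. If anonymous browser access is genuinely needed, bound that statement with a `condition` on `aws:SourceIp` (the documented pattern for open-access domain policies) and consider limiting it to read actions while reserving `es:*` for IAM principals. The fluent-bit role ARN on the `identifiers` line is hand-assembled from a fixed role name and will silently stop matching if the IRSA role is renamed; referencing the ARN output of whatever creates that role would be more robust, if such an output exists. Whether the domain is VPC-only, which would reduce the exposure, is not visible in this hunk.
```hcl
  statement {
    sid    = "AdminDomainLevelAccessToOpenSearch"
    # … unchanged: effect, resources, actions, principals …
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = ["<ALLOWED_CIDR_PLACEHOLDER>"] # placeholder: the networks that need browser access
    }
  }
```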
@@ -124,7 +118,7 @@ resource "grafana_data_source" "prometheus" {
 #tfsec:ignore:aws-elastic-search-enable-domain-logging
 resource "aws_elasticsearch_domain" "opensearch" {
   domain_name           = "opensearch"
-  elasticsearch_version = "OpenSearch_1.1"
+  elasticsearch_version = "OpenSearch_1.3"
 
   cluster_config {
     instance_type = "m6g.large.elasticsearch"
@@ -155,7 +149,7 @@ resource "aws_elasticsearch_domain" "opensearch" {
   }
 
   advanced_security_options {
-    enabled                        = true
+    enabled                        = false
     internal_user_database_enabled = true
 
     master_user_options {
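Review bot: Setting `enabled = false` in `advanced_security_options` turns off fine-grained access control, so authorization of every request now rests solely on the domain access policy, while `internal_user_database_enabled = true` and the `master_user_options` block stay configured and presumably become inert. If that is the intent, record it next to the flag, e.g. `# fine-grained access control disabled: authorization is delegated to the resource-based domain policy in data.tf`, so the next reader does not assume the master user still gates access. Otherwise keep it enabled so the wildcard-principal statement in the domain policy is not the only control on the endpoint. The `master_user_options` block continues past the end of the hunk.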