refactor: OpenSearch resource-based permissions for amp-amg-opensearch blueprint #978
What does this PR do?
This PR moves OpenSearch access management to an OpenSearch resource-based policy, instead of fine-grained index/collection/field RBAC in the search engine.
Motivation
The rationale is: the fine-grained access requires an out-of-tree Terraform provider or bulky and fragile scripts to provision users and roles in the OpenSearch engine. Most of the cases need to provide secure access to:
a) Logs ingestors. Running in EKS they can utilize IRSA to access AWS services. This blueprint does that.
b) Logs readers. App owners, platform teams, and other personas. They can use VPN or internal load balancers to access OpenSearch located inside of a VPC. Resource-based policy should allow "es:ESHttpGet" access to "arn:aws:es:$region:$acc_id:domain/$index/*"
c) Domain admins. "es:*" access to "arn:aws:es:$region:$acc_id:domain/$index" (note that the /* postfix is absent)
This has been tested with OpenSearch 1.1, 1.2, 1.3.
More
pre-commit run -a
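The access model sketched in the PR description (readers get es:ESHttpGet on the domain's sub-resources, admins get es:* on the bare domain ARN, ingestors authenticate through IRSA) can be expressed as a single domain access policy document and audited for drift. The following is an added example, not code from this PR or from the blueprint repository. It builds the policy JSON from constructed inputs (region, account id, domain name and role ARNs are all placeholders) and then checks two invariants chosen for this example: no statement allows an anonymous principal, and no principal outside the admin set receives anything beyond read-only HTTP actions. The domain name is placed in the ARN segment the PR writes as $index, and the admin statement uses the domain ARN without the /* suffix exactly as the description states; both are assumptions about how the PR's text maps onto a concrete policy.

```python
import json

# Constructed placeholders (not values from the PR or the blueprint).
REGION = "us-west-2"
ACCOUNT_ID = "123456789012"
DOMAIN_NAME = "opensearch"
READER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/log-readers"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/opensearch-admins"

# HTTP actions considered read-only for the audit below (example convention).
READ_ONLY_ACTIONS = {"es:ESHttpGet", "es:ESHttpHead"}


def domain_arn(region, account_id, domain_name):
    """ARN of the OpenSearch domain itself (no trailing /* path)."""
    return f"arn:aws:es:{region}:{account_id}:domain/{domain_name}"


def build_access_policy(region, account_id, domain_name, reader_role_arns, admin_role_arns):
    """Build a resource-based domain access policy in the shape the PR describes:
    readers -> es:ESHttpGet on <domain ARN>/*, admins -> es:* on <domain ARN>."""
    arn = domain_arn(region, account_id, domain_name)
    statements = []
    if reader_role_arns:
        statements.append({
            "Sid": "LogReaders",
            "Effect": "Allow",
            "Principal": {"AWS": list(reader_role_arns)},
            "Action": "es:ESHttpGet",
            "Resource": f"{arn}/*",
        })
    if admin_role_arns:
        statements.append({
            "Sid": "DomainAdmins",
            "Effect": "Allow",
            "Principal": {"AWS": list(admin_role_arns)},
            "Action": "es:*",
            "Resource": arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Normalise the Principal element to a flat list of AWS principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def audit_access_policy(policy, admin_role_arns):
    """Return human-readable findings for Allow statements that break the model:
    anonymous principals, or non-admin principals with non-read actions."""
    admins = set(admin_role_arns)
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        actions = _as_list(statement.get("Action", []))
        broad = [a for a in actions if a not in READ_ONLY_ACTIONS]
        for principal in _principals(statement):
            if principal == "*":
                findings.append(f"{sid}: Principal '*' allows anonymous access")
            elif broad and principal not in admins:
                findings.append(f"{sid}: {principal} is not a domain admin but gets {broad}")
    return findings


if __name__ == "__main__":
    policy = build_access_policy(REGION, ACCOUNT_ID, DOMAIN_NAME,
                                 [READER_ROLE_ARN], [ADMIN_ROLE_ARN])
    print(json.dumps(policy, indent=2))
    print("findings:", audit_access_policy(policy, [ADMIN_ROLE_ARN]))
```

Feeding the generated document into the audit yields no findings; a hand-edited policy that widens the reader statement to es:ESHttpPut, or that uses Principal "*", is reported by name of statement, which makes the check usable as a pre-commit or CI step next to the blueprint's Terraform.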