(amp-amg-opensearch) for IaC OpenSearch permissions should be managed on IAM-level

[alex-rawman]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

The blueprint currently has fine-grained access enabled. This requires an out-of-the-tree terraform provider or bulky and fragile scripts to provision users and roles in OpenSearch engine. All that can be implemented as resource-based IAM instead of fine-grained OpenSearch rbac.

Describe the solution you would like

Most of the cases need to provide secure access to:
a) Logs ingestors. Running in EKS they can utilize IRSA to access AWS services. This blueprint does that.
b) Logs readers. Apps owners, Platform teams, and other personas. They can use VPN or internal load balancers to access OpenSearch located inside of a VPC. Resource-based policy should allow "es:ESHttpGet" access to "arn:aws🇪🇸$region:$acc_id:domain/$index/"
c) Domain admins. "es:" access to "arn:aws🇪🇸$region:$acc_id:domain/$index" (not /* postfix is absent)
There's a way to extend resource-based IAM policy to have this covered.

Describe alternatives you have considered

Another way to solve it would be adding another terraform provider to manage fine-grained OpenSearch/ElasticSearch rbac.
The downwards of that approach are:

• There's no OpenSearch provider. Only ElasticSearch one. Their compatibility is questionable and, probably, shouldn't be a part of the blueprint
• There use cases for the blueprint can be covered with IAM. So extra provider seems like an overkill

Additional context

[bryantbiggs]

closed in #978