From 306a519f42400c2f5ae4bd48ef6f3a57b98b5d7a Mon Sep 17 00:00:00 2001
From: Alex Roman
Date: Tue, 20 Sep 2022 22:12:34 -0400
Subject: [PATCH 1/3] ref (amp-amg-opensearch) permissions
---
 .../observability/amp-amg-opensearch/data.tf | 38 +++++++++++++++++--
 .../observability/amp-amg-opensearch/main.tf | 35 ++---------------
 .../amp-amg-opensearch/providers.tf | 22 +++++++++++
 3 files changed, 60 insertions(+), 35 deletions(-)
 create mode 100644 examples/observability/amp-amg-opensearch/providers.tf
diff --git a/examples/observability/amp-amg-opensearch/data.tf b/examples/observability/amp-amg-opensearch/data.tf
index fa2d80aeb0..144f700394 100644
--- a/examples/observability/amp-amg-opensearch/data.tf
+++ b/examples/observability/amp-amg-opensearch/data.tf
@@ -1,4 +1,15 @@
+data "aws_eks_cluster_auth" "this" {
+ name = module.eks_blueprints.eks_cluster_id
+}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "fluentbit_opensearch_access" {
+ # Identity Based Policy specifies a list of IAM permissions
+ # that principal has against OpenSearch service API
+ # ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-identity
 statement {
 sid = "OpenSearchAccess"
 effect = "Allow"
@@ -8,13 +19,34 @@ data "aws_iam_policy_document" "fluentbit_opensearch_access" {
 }
 data "aws_iam_policy_document" "opensearch_access_policy" {
+ # This is the resource-based policy that allows to set access permissions on OpenSearch level
+ # To be working properly the client must support IAM (SDK, fluent-bit with sigv4, etc.) Browsers don't do IAM.
+ # ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource
 statement {
+ sid = "WriteDomainLevelAccessToOpenSearch"
 effect = "Allow"
- resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"]
- actions = ["es:ESHttp*"]
+ resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"] # this can be an index prefix like '/foo-*'
+ actions = [ #ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-reference
+ "es:ESHttpPost",
+ "es:ESHttpPut"
+ ]
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/amp-amg-opensearch-aws-for-fluent-bit-sa-irsa"]
+ }
+ }
+
+ statement {
+ sid = "AdminDomainLevelAccessToOpenSearch"
+ effect = "Allow"
+ resources = [
+ "${aws_elasticsearch_domain.opensearch.arn}",
+ "${aws_elasticsearch_domain.opensearch.arn}/*",
+ ]
+ actions = ["es:*"]
 principals {
 type = "*"
- identifiers = ["*"]
+ identifiers = ["*"] # must be set to wildcard when clients can't sign sigv4 or pass IAM to OpenSearch (aka browsers)
 }
 }
 }
diff --git a/examples/observability/amp-amg-opensearch/main.tf b/examples/observability/amp-amg-opensearch/main.tf
index 140d0b6bd6..f853d32a78 100644
--- a/examples/observability/amp-amg-opensearch/main.tf
+++ b/examples/observability/amp-amg-opensearch/main.tf
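Review bot: The added `AdminDomainLevelAccessToOpenSearch` statement grants `actions = ["es:*"]` on the domain ARN and everything under it to `principals { type = "*" identifiers = ["*"] }`, i.e. to any caller that can reach the endpoint without authenticating, which gives anonymous read, write and delete on every index and also makes the narrower `WriteDomainLevelAccessToOpenSearch` statement for the fluent-bit IRSA role redundant (everything it allows is already allowed to everyone). The inline comment justifies the wildcard principal by browser access to Dashboards, but that use case needs at most the `es:ESHttp*` actions this hunk removes, not `es:*`, and it should be bounded by a `condition { test = "IpAddress" variable = "aws:SourceIp" values = [<allowed-CIDRs placeholder>] }` block so the open statement only applies from the networks the Dashboards users come from; this matters all the more because the same commit sets `advanced_security_options.enabled = false` in main.tf, so no fine-grained access control backstops this policy, and whether the domain is internet-reachable or VPC-only is not visible here. The IRSA principal is a hand-built string `...:role/amp-amg-opensearch-aws-for-fluent-bit-sa-irsa`, which silently breaks if the add-on's role name changes; referencing the role ARN from the module output, if one is exposed, would be more robust.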
@@ -1,32 +1,3 @@
-provider "aws" {
- region = local.region
-}
-
-provider "kubernetes" {
- host = module.eks_blueprints.eks_cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
- token = data.aws_eks_cluster_auth.this.token
-}
-
-provider "helm" {
- kubernetes {
- host = module.eks_blueprints.eks_cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
- token = data.aws_eks_cluster_auth.this.token
- }
-}
-
-provider "grafana" {
- url = var.grafana_endpoint
- auth = var.grafana_api_key
-}
-
-data "aws_eks_cluster_auth" "this" {
- name = module.eks_blueprints.eks_cluster_id
-}
-
-data "aws_availability_zones" "available" {}
-
 locals {
 name = basename(path.cwd)
 region = "us-west-2"
@@ -123,7 +94,7 @@ resource "grafana_data_source" "prometheus" {
 #tfsec:ignore:aws-elastic-search-enable-domain-logging
 resource "aws_elasticsearch_domain" "opensearch" {
 domain_name = "opensearch"
- elasticsearch_version = "OpenSearch_1.1"
+ elasticsearch_version = "OpenSearch_1.3"
 cluster_config {
 instance_type = "m6g.large.elasticsearch"
@@ -154,7 +125,7 @@ resource "aws_elasticsearch_domain" "opensearch" {
 }
 advanced_security_options {
- enabled = true
+ enabled = false
 internal_user_database_enabled = true
 master_user_options {
@@ -270,4 +241,4 @@ module "vpc" {
 }
 tags = local.tags
-}
+}
\ No newline at end of file
diff --git a/examples/observability/amp-amg-opensearch/providers.tf b/examples/observability/amp-amg-opensearch/providers.tf
new file mode 100644
index 0000000000..04a6164844
--- /dev/null
+++ b/examples/observability/amp-amg-opensearch/providers.tf
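Review bot: Flipping `enabled = true` to `enabled = false` in `advanced_security_options` (third hunk of this file) turns off fine-grained access control, so the `internal_user_database_enabled = true` and `master_user_options` lines that stay below it become inert while still reading as if a master user protected the domain, and combined with the wildcard `es:*` resource policy added to data.tf in this commit nothing requires a caller to authenticate. If this is deliberate for the example, say so on the line, e.g. `enabled = false # FGAC off on purpose: access is governed only by the resource policy in data.tf`, and drop the now-unused `master_user_options` block rather than leaving it looking configured. As far as I recall the service behaviour, fine-grained access control cannot be switched off on a domain where it was previously enabled, so applying this to an existing deployment may be rejected or force replacement; worth confirming before merge. The `aws_elasticsearch_domain` resource body starts and ends outside the hunk.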
@@ -0,0 +1,22 @@
+provider "aws" {
+ region = local.region
+}
+
+provider "kubernetes" {
+ host = module.eks_blueprints.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+}
+
+provider "helm" {
+ kubernetes {
+ host = module.eks_blueprints.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+ }
+}
+
+provider "grafana" {
+ url = var.grafana_endpoint
+ auth = var.grafana_api_key
+}
From 5597933646e3c4652e195e38eb7b6745dcc328b3 Mon Sep 17 00:00:00 2001
From: Alex Roman
Date: Wed, 21 Sep 2022 06:36:54 -0400
Subject: [PATCH 2/3] fix (amp-amg-opensearch) pre-commit linters
---
 examples/observability/amp-amg-opensearch/data.tf | 8 ++++----
 examples/observability/amp-amg-opensearch/main.tf | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/observability/amp-amg-opensearch/data.tf b/examples/observability/amp-amg-opensearch/data.tf
index 144f700394..490870eac2 100644
--- a/examples/observability/amp-amg-opensearch/data.tf
+++ b/examples/observability/amp-amg-opensearch/data.tf
@@ -26,7 +26,7 @@ data "aws_iam_policy_document" "opensearch_access_policy" {
 sid = "WriteDomainLevelAccessToOpenSearch"
 effect = "Allow"
 resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"] # this can be an index prefix like '/foo-*'
- actions = [ #ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-reference
+ actions = [ #ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-reference
 "es:ESHttpPost",
 "es:ESHttpPut"
 ]
@@ -37,13 +37,13 @@ data "aws_iam_policy_document" "opensearch_access_policy" {
 }
 statement {
- sid = "AdminDomainLevelAccessToOpenSearch"
- effect = "Allow"
+ sid = "AdminDomainLevelAccessToOpenSearch"
+ effect = "Allow"
 resources = [
 "${aws_elasticsearch_domain.opensearch.arn}",
 "${aws_elasticsearch_domain.opensearch.arn}/*",
 ]
- actions = ["es:*"]
+ actions = ["es:*"]
 principals {
 type = "*"
 identifiers = ["*"] # must be set to wildcard when clients can't sign sigv4 or pass IAM to OpenSearch (aka browsers)
diff --git a/examples/observability/amp-amg-opensearch/main.tf b/examples/observability/amp-amg-opensearch/main.tf
index f853d32a78..ac3aea6fe4 100644
--- a/examples/observability/amp-amg-opensearch/main.tf
+++ b/examples/observability/amp-amg-opensearch/main.tf
@@ -241,4 +241,4 @@ module "vpc" {
 }
 tags = local.tags
-}
\ No newline at end of file
+}
From b158bb7e063a9ded4786d11e4a1a415ab758a1da Mon Sep 17 00:00:00 2001
From: Alex Roman
Date: Mon, 26 Sep 2022 14:44:51 -0400
Subject: [PATCH 3/3] fix: Providers moved back to main.tf
---
 .../observability/amp-amg-opensearch/main.tf | 23 +++++++++++++++++++
 .../amp-amg-opensearch/providers.tf | 22 ------------------
 2 files changed, 23 insertions(+), 22 deletions(-)
 delete mode 100644 examples/observability/amp-amg-opensearch/providers.tf
diff --git a/examples/observability/amp-amg-opensearch/main.tf b/examples/observability/amp-amg-opensearch/main.tf
index 67c3025ffc..961131aef2 100644
--- a/examples/observability/amp-amg-opensearch/main.tf
+++ b/examples/observability/amp-amg-opensearch/main.tf
@@ -1,3 +1,26 @@
+provider "aws" {
+ region = local.region
+}
+
+provider "kubernetes" {
+ host = module.eks_blueprints.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+}
+
+provider "helm" {
+ kubernetes {
+ host = module.eks_blueprints.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.this.token
+ }
+}
+
+provider "grafana" {
+ url = var.grafana_endpoint
+ auth = var.grafana_api_key
+}
+
 locals {
 name = basename(path.cwd)
 region = "us-west-2"
diff --git a/examples/observability/amp-amg-opensearch/providers.tf b/examples/observability/amp-amg-opensearch/providers.tf
deleted file mode 100644
index 04a6164844..0000000000
--- a/examples/observability/amp-amg-opensearch/providers.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-provider "aws" {
- region = local.region
-}
-
-provider "kubernetes" {
- host = module.eks_blueprints.eks_cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
- token = data.aws_eks_cluster_auth.this.token
-}
-
-provider "helm" {
- kubernetes {
- host = module.eks_blueprints.eks_cluster_endpoint
- cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
- token = data.aws_eks_cluster_auth.this.token
- }
-}
-
-provider "grafana" {
- url = var.grafana_endpoint
- auth = var.grafana_api_key
-}