Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: OpenSearch resource-based permissions for amp-amg-opensearch blueprint #978

Merged
38 changes: 35 additions & 3 deletions examples/observability/amp-amg-opensearch/data.tf
Original file line number Diff line number Diff line change
@@ -1,4 +1,15 @@
data "aws_eks_cluster_auth" "this" {
name = module.eks_blueprints.eks_cluster_id
}

data "aws_availability_zones" "available" {}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "fluentbit_opensearch_access" {
# Identity Based Policy specifies a list of IAM permissions
# that principal has against OpenSearch service API
# ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-identity
statement {
sid = "OpenSearchAccess"
effect = "Allow"
Expand All @@ -8,13 +19,34 @@ data "aws_iam_policy_document" "fluentbit_opensearch_access" {
}

data "aws_iam_policy_document" "opensearch_access_policy" {
# This is the resource-based policy that allows to set access permissions on OpenSearch level
# To be working properly the client must support IAM (SDK, fluent-bit with sigv4, etc.) Browsers don't do IAM.
# ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource
statement {
sid = "WriteDomainLevelAccessToOpenSearch"
effect = "Allow"
resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"]
actions = ["es:ESHttp*"]
resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"] # this can be an index prefix like '/foo-*'
actions = [ #ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-reference
"es:ESHttpPost",
"es:ESHttpPut"
]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/amp-amg-opensearch-aws-for-fluent-bit-sa-irsa"]
}
}

statement {
sid = "AdminDomainLevelAccessToOpenSearch"
effect = "Allow"
resources = [
"${aws_elasticsearch_domain.opensearch.arn}",
"${aws_elasticsearch_domain.opensearch.arn}/*",
]
actions = ["es:*"]
principals {
type = "*"
identifiers = ["*"]
identifiers = ["*"] # must be set to wildcard when clients can't sign sigv4 or pass IAM to OpenSearch (aka browsers)
}
}
}
10 changes: 2 additions & 8 deletions examples/observability/amp-amg-opensearch/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,6 @@ provider "grafana" {
auth = var.grafana_api_key
}

data "aws_eks_cluster_auth" "this" {
name = module.eks_blueprints.eks_cluster_id
}

data "aws_availability_zones" "available" {}

locals {
name = basename(path.cwd)
region = "us-west-2"
Expand Down Expand Up @@ -124,7 +118,7 @@ resource "grafana_data_source" "prometheus" {
#tfsec:ignore:aws-elastic-search-enable-domain-logging
resource "aws_elasticsearch_domain" "opensearch" {
domain_name = "opensearch"
elasticsearch_version = "OpenSearch_1.1"
elasticsearch_version = "OpenSearch_1.3"

cluster_config {
instance_type = "m6g.large.elasticsearch"
Expand Down Expand Up @@ -155,7 +149,7 @@ resource "aws_elasticsearch_domain" "opensearch" {
}

advanced_security_options {
enabled = true
enabled = false
internal_user_database_enabled = true

master_user_options {
Expand Down