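locals {
  # A VPC endpoint is only required when a network policy is managed and at
  # least one of the two endpoints (collection / dashboard) is VPC-only.
  # The redundant "? true : false" around the boolean expression was dropped.
  create_vpce = var.create_network_policy && var.network_policy_type != "AllPublic"

  # NOTE(review): "crate_sg" is a typo for "create_sg"; the name is kept because
  # other files of this module may already reference local.crate_sg.
  crate_sg = local.create_vpce && var.vpce_create_security_group
  sg_name  = coalesce(var.vpce_security_group_name, "${var.name}-sg")

  # Source VPC endpoints for the VPC-only network-policy rules. null whenever
  # no endpoint is created, which (by create_vpce above) can only happen when
  # no network policy is created or the "AllPublic" variant is selected.
  network_policy_vpces = local.create_vpce ? [aws_opensearchserverless_vpc_endpoint.this[0].id] : null

  # Candidate network-policy documents; the keys match the values that
  # var.network_policy_type is expected to take.
  # AllowFromPublic = true makes that endpoint reachable from the internet at
  # the network layer, so any rule with it should be a deliberate choice.
  network_policies = {
    AllPublic = [{
      Description = "Public access to collection and Dashboards endpoint for ${var.name} collection"
      Rules = [
        {
          ResourceType = "collection"
          Resource     = ["collection/${var.name}"]
        },
        {
          ResourceType = "dashboard"
          Resource     = ["collection/${var.name}"]
        }
      ]
      AllowFromPublic = true
    }]
    AllPrivate = [{
      Description = "VPC access to collection and Dashboards endpoint for ${var.name} collection"
      Rules = [
        {
          ResourceType = "collection"
          Resource     = ["collection/${var.name}"]
        },
        {
          ResourceType = "dashboard"
          Resource     = ["collection/${var.name}"]
        }
      ]
      AllowFromPublic = false
      SourceVPCEs     = local.network_policy_vpces
    }]
    PublicCollectionPrivateDashboard = [
      {
        Description = "Public access to collection endpoint for ${var.name} collection"
        Rules = [{
          ResourceType = "collection"
          Resource     = ["collection/${var.name}"]
        }]
        AllowFromPublic = true
      },
      {
        Description = "VPC access to dashboard endpoint for ${var.name} collection"
        Rules = [{
          ResourceType = "dashboard"
          Resource     = ["collection/${var.name}"]
        }]
        AllowFromPublic = false
        SourceVPCEs     = local.network_policy_vpces
      }
    ]
    PrivateCollectionPublicDashboard = [
      {
        Description = "Public access to dashboard endpoint for ${var.name} collection"
        Rules = [{
          ResourceType = "dashboard"
          Resource     = ["collection/${var.name}"]
        }]
        AllowFromPublic = true
      },
      {
        Description = "VPC access to collection endpoint for ${var.name} collection"
        Rules = [{
          ResourceType = "collection"
          Resource     = ["collection/${var.name}"]
        }]
        AllowFromPublic = false
        SourceVPCEs     = local.network_policy_vpces
      }
    ]
  }

  # Friendly permission names accepted in var.access_policy_rules[*].permissions,
  # mapped to the aoss actions they expand to. "All" expands to the wildcard
  # "aoss:*" and therefore grants every action on the resource; prefer the
  # specific verbs where least privilege matters.
  access_policy_collection_permissions = {
    All    = "aoss:*"
    Create = "aoss:CreateCollectionItems"
    Read   = "aoss:DescribeCollectionItems"
    Update = "aoss:UpdateCollectionItems"
    Delete = "aoss:DeleteCollectionItems"
  }
  access_policy_index_permissions = {
    All           = "aoss:*"
    Create        = "aoss:CreateIndex"
    Read          = "aoss:DescribeIndex"
    Update        = "aoss:UpdateIndex"
    Delete        = "aoss:DeleteIndex"
    ReadDocument  = "aoss:ReadDocument"
    WriteDocument = "aoss:WriteDocument"
  }

  # Data access policy document: one statement per rule. A permission name that
  # is not a key of the maps above fails the lookup at plan time, which is the
  # intended behaviour (no silent fallback to a broader grant).
  # Unused for-expression indices were dropped; iteration values are unchanged.
  access_policy = var.create_access_policy ? [for rule in var.access_policy_rules : {
    Rules = [{
      ResourceType = rule.type
      Resource     = rule.type == "collection" ? ["collection/${var.name}"] : [for index in rule.indexes : "index/${var.name}/${index}"]
      Permission   = rule.type == "collection" ? [for permission in rule.permissions : local.access_policy_collection_permissions[permission]] : [for permission in rule.permissions : local.access_policy_index_permissions[permission]]
    }]
    Principal = rule.principals
  }] : []

  # Lifecycle rules are split by retention: rules whose retention is the
  # literal "Unlimited" get NoMinIndexRetention, all others carry the value
  # through as MinIndexRetention. Both are null when the policy is disabled.
  data_lifecycle_policy_unlimited = var.create_data_lifecycle_policy ? [for rule in var.data_lifecycle_policy_rules : {
    ResourceType        = "index"
    Resource            = [for index in rule.indexes : "index/${var.name}/${index}"]
    NoMinIndexRetention = true
  } if rule.retention == "Unlimited"] : null
  data_lifecycle_policy_limited = var.create_data_lifecycle_policy ? [for rule in var.data_lifecycle_policy_rules : {
    ResourceType      = "index"
    Resource          = [for index in rule.indexes : "index/${var.name}/${index}"]
    MinIndexRetention = rule.retention
  } if rule.retention != "Unlimited"] : null

  # The two partial lists are only concatenated when the policy is enabled,
  # so concat() never receives null.
  data_lifecycle_policy = var.create_data_lifecycle_policy ? concat(local.data_lifecycle_policy_unlimited, local.data_lifecycle_policy_limited) : null
}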