Update opensearch pod policy module name (#15)

thoughtbot · Dec 12, 2024 · bd8cf4d · bd8cf4d
1 parent cbb003b
commit bd8cf4d
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 29 deletions.
diff --git a/main.tf b/main.tf
@@ -77,7 +77,7 @@ locals {
     module.postgres_admin_login[*],
     module.redis_token[*],
     module.secret_key[*],
-    module.opensearch[0].secret_details,
+    module.opensearch[0][*],
     values(module.developer_managed_secrets),
   )
 }

diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf
@@ -447,15 +447,16 @@ module "elasticsearch_secret" {
   source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
 
   admin_principals = var.admin_principals
-  description      = "Elastisearch secrets for: ${local.name}"
-  name             = "${local.name}-secret"
+  description      = "Elastisearch secrets for: ${var.application_name}"
+  name             = "${var.application_name}-secret"
   read_principals  = var.read_principals
   resource_tags    = var.tags
 
   initial_value = jsonencode({
-    ES_ENDPOINT           = try(aws_opensearch_domain.this[0].endpoint, null)
-    ES_DASHBOARD_ENDPOINT = try(aws_opensearch_domain.this[0].dashboard_endpoint, null)
-    ES_DOMAIN_ID          = try(aws_opensearch_domain.this[0].domain_id, null)
-    ES_PASSWORD           = var.advanced_security_options.master_user_options.master_user_password
+    AWS_SEARCH_ENDPOINT           = try(aws_opensearch_domain.this[0].endpoint, null)
+    AWS_SEARCH_DASHBOARD_ENDPOINT = try(aws_opensearch_domain.this[0].dashboard_endpoint, null)
+    AWS_SEARCH_DOMAIN_ID          = try(aws_opensearch_domain.this[0].domain_id, null)
+    AWS_SEARCH_PASSWORD           = var.advanced_security_options.master_user_options.master_user_password
+    AWS_SEARCH_USER_NAME          = var.advanced_security_options.master_user_options.master_user_name
   })
 }
diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf
@@ -58,15 +58,27 @@ output "security_group_id" {
 # Secret details
 ################################################################################
 
-output "secret_details" {
-  description = "Map containing secret details for opensearch credentials"
-  value = [
-    {
-      name                  = module.secret.secret_name
-      environment_variables = ["ES_ENDPOINT", "ES_DASHBOARD_ENDPOINT", "ES_DOMAIN_ID", "ES_PASSWORD"]
-      policy_json           = module.elasticsearch_secret.policy_json
-      kms_key_arn           = module.elasticsearch_secret.kms_key_arn
-      secret_arn            = module.elasticsearch_secret.arn
-    }
-  ]
-}
+output "environment_variables" {
+  description = "Environment variables set by this rotation function"
+  value       = ["AWS_SEARCH_ENDPOINT", "AWS_SEARCH_DASHBOARD_ENDPOINT", "AWS_SEARCH_DOMAIN_ID", "AWS_SEARCH_PASSWORD", "AWS_SEARCH_USER_NAME"]
+}
+
+output "secret_name" {
+  description = "Name of the secrets manager secret containing credentials"
+  value       = module.elasticsearch_secret.name
+}
+
+output "policy_json" {
+  description = "Required IAM policies"
+  value       = module.elasticsearch_secret.policy_json
+}
+
+output "kms_key_arn" {
+  description = "ID of the KMS key used to encrypt the secret"
+  value       = module.elasticsearch_secret.kms_key_arn
+}
+
+output "secret_arn" {
+  description = "ARN of the secrets manager secret containing credentials"
+  value       = module.elasticsearch_secret.arn
+}
diff --git a/opensearch.tf b/opensearch.tf
@@ -90,7 +90,7 @@ module "opensearch" {
     { log_type = "SEARCH_SLOW_LOGS" },
   ]
 
-  application_name = var.es_application_name
+  application_name = local.name
 
   admin_principals = var.es_admin_principals
 
@@ -146,21 +146,26 @@ resource "random_password" "es" {
   special = false
 }
 
-resource "aws_iam_role_policy_attachment" "test-attach" {
-  count = var.elasticsearch_enabled ? 1 : 0
-
-  role       = module.pod_role.name
-  policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonElasticsearchServiceRolePolicy"
-
-  depends_on = [module.pod_policy]
+data "aws_iam_policy_document" "ecs_osis_access" {
+  statement {
+    sid       = "AllowOpensearchAccess"
+    resources = ["*"]
+    actions = [
+      "ec2:*",
+      "osis:*",
+    ]
+  }
 }
 
 module "es_pod_policy" {
   count  = var.elasticsearch_enabled ? 1 : 0
   source = "github.com/thoughtbot/flightdeck//aws/service-account-policy?ref=v0.9.0"
 
-  name             = "es-${var.es_application_name}-pods"
-  policy_documents = module.opensearch[*].secret_details.policy_json
+  name = "es-${var.es_application_name}-pods"
+  policy_documents = concat(
+    module.opensearch[0][*].policy_json,
+    [data.aws_iam_policy_document.ecs_osis_access.json]
+  )
 
   role_names = [module.pod_role.name]
 }