refactor: OpenSearch resource-based permissions for amp-amg-opensearch blueprint

examples/observability/amp-amg-opensearch/data.tf

@@ -1,4 +1,15 @@
+data "aws_eks_cluster_auth" "this" {
+  name = module.eks_blueprints.eks_cluster_id
+}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "fluentbit_opensearch_access" {
+  # Identity Based Policy specifies a list of IAM permissions
+  # that principal has against OpenSearch service API
+  # ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-identity
   statement {
     sid       = "OpenSearchAccess"
     effect    = "Allow"
@@ -8,13 +19,34 @@ data "aws_iam_policy_document" "fluentbit_opensearch_access" {
 }
 
 data "aws_iam_policy_document" "opensearch_access_policy" {
+  # This is the resource-based policy that allows to set access permissions on OpenSearch level
+  # To be working properly the client must support IAM (SDK, fluent-bit with sigv4, etc.) Browsers don't do IAM.
+  # ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource
   statement {
+    sid       = "WriteDomainLevelAccessToOpenSearch"
     effect    = "Allow"
-    resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"]
-    actions   = ["es:ESHttp*"]
+    resources = ["${aws_elasticsearch_domain.opensearch.arn}/*"] # this can be an index prefix like '/foo-*'
+    actions = [                                                  #ref: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-reference
+      "es:ESHttpPost",
+      "es:ESHttpPut"
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/amp-amg-opensearch-aws-for-fluent-bit-sa-irsa"]
+    }
+  }
+
+  statement {
+    sid    = "AdminDomainLevelAccessToOpenSearch"
+    effect = "Allow"
+    resources = [
+      "${aws_elasticsearch_domain.opensearch.arn}",
+      "${aws_elasticsearch_domain.opensearch.arn}/*",
+    ]
+    actions = ["es:*"]
     principals {
       type        = "*"
-      identifiers = ["*"]
+      identifiers = ["*"] # must be set to wildcard when clients can't sign sigv4 or pass IAM to OpenSearch (aka browsers)
     }
   }
 }

examples/observability/amp-amg-opensearch/main.tf

@@ -21,12 +21,6 @@ provider "grafana" {
   auth = var.grafana_api_key
 }
 
-data "aws_eks_cluster_auth" "this" {
-  name = module.eks_blueprints.eks_cluster_id
-}
-
-data "aws_availability_zones" "available" {}
-
 locals {
   name   = basename(path.cwd)
   region = "us-west-2"
@@ -124,7 +118,7 @@ resource "grafana_data_source" "prometheus" {
 #tfsec:ignore:aws-elastic-search-enable-domain-logging
 resource "aws_elasticsearch_domain" "opensearch" {
   domain_name           = "opensearch"
-  elasticsearch_version = "OpenSearch_1.1"
+  elasticsearch_version = "OpenSearch_1.3"
 
   cluster_config {
     instance_type          = "m6g.large.elasticsearch"
@@ -155,7 +149,7 @@ resource "aws_elasticsearch_domain" "opensearch" {
   }
 
   advanced_security_options {
-    enabled                        = true
+    enabled                        = false
     internal_user_database_enabled = true
 
     master_user_options {