feat: Add support to cross account opensearch domain in opensearch de…

…stination
fdmsantos · Oct 18, 2022 · ac36ec1 · ac36ec1
1 parent aa42c43
commit ac36ec1
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -77,6 +77,8 @@ Supports all destinations and all Kinesis Firehose Features.
   - IAM Roles
   - Opensearch Service Role
   - Associate Role to Redshift Cluster Iam Roles
+  - Cross Account S3 Bucket Policy
+  - Cross Account OpenSearch Service policy
 
 ## How to Use
 

diff --git a/iam.tf b/iam.tf
@@ -373,7 +373,7 @@ data "aws_iam_policy_document" "elasticsearch" {
       "es:ESHttpPut"
     ]
     resources = [
-      var.elasticsearch_domain_arn, # E quando for cluster endpoint?
+      var.elasticsearch_domain_arn,
       "${var.elasticsearch_domain_arn}/*"
     ]
   }
@@ -412,6 +412,34 @@ resource "aws_iam_role_policy_attachment" "elasticsearch" {
   policy_arn = aws_iam_policy.elasticsearch[0].arn
 }
 
+data "aws_iam_policy_document" "cross_account_elasticsearch" {
+  count = local.add_elasticsearch_policy && var.elasticsearch_cross_account ? 1 : 0
+  version = "2012-10-17"
+  statement {
+    sid = "Cross Account Access to ${data.aws_caller_identity.current.account_id} Account"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [local.firehose_role_arn]
+    }
+
+    actions = [
+      "es:ESHttpGet"
+    ]
+
+    resources = [
+      "${var.elasticsearch_domain_arn}/_all/_settings",
+      "${var.elasticsearch_domain_arn}/_cluster/stats",
+      "${var.elasticsearch_domain_arn}/${var.elasticsearch_index_name}*/_mapping/${var.elasticsearch_type_name != null ? var.elasticsearch_type_name : "*"}",
+      "${var.elasticsearch_domain_arn}/_nodes",
+      "${var.elasticsearch_domain_arn}/_nodes/stats",
+      "${var.elasticsearch_domain_arn}/_nodes/*/stats",
+      "${var.elasticsearch_domain_arn}/_stats",
+      "${var.elasticsearch_domain_arn}/${var.elasticsearch_index_name}*/_stats"
+    ]
+  }
+}
 ##################
 # VPC
 ##################

diff --git a/outputs.tf b/outputs.tf
@@ -66,6 +66,11 @@ output "opensearch_iam_service_linked_role_arn" {
   value       = try(aws_iam_service_linked_role.opensearch[0].arn, "")
 }
 
+output "opensearch_cross_account_service_policy" {
+  description = "OpenSearch Service policy when the opensearch domain belongs to another account"
+  value       = try(data.aws_iam_policy_document.cross_account_elasticsearch[0].json, "")
+}
+
 output "application_role_arn" {
   description = "The ARN of the IAM role created for Kinesis Firehose Stream Source"
   value       = try(aws_iam_role.application[0].arn, "")

diff --git a/variables.tf b/variables.tf
@@ -774,6 +774,12 @@ variable "elasticsearch_vpc_subnet_ids" {
   default     = null
 }
 
+variable "elasticsearch_cross_account" {
+  description = "Indicates if Elasticsearch domain is in a different account"
+  type        = bool
+  default     = false
+}
+
 variable "vpc_security_group_firehose_ids" {
   description = "A list of security group IDs to associate with Kinesis Firehose"
   type        = list(string)