feat: Add support for opensearch and eventbridge datasources (#57)
carldjohnston authored Oct 24, 2023
1 parent 1c5187d commit bd9f700
Showing 6 changed files with 87 additions and 2 deletions.
13 changes: 13 additions & 0 deletions README.md
Expand Up @@ -59,6 +59,17 @@ module "appsync" {
endpoint = "https://search-my-domain.eu-west-1.es.amazonaws.com"
region = "eu-west-1"
}
opensearchservice1 = {
type = "AMAZON_OPENSEARCH_SERVICE"
endpoint = "https://opensearch-my-domain.eu-west-1.es.amazonaws.com"
region = "eu-west-1"
}
eventbridge1 = {
type = "AMAZON_EVENTBRIDGE"
event_bus_arn = "aws:arn:events:us-west-1:135367859850:event-bus/eventbridge1"
}
}
resolvers = {
Expand Down Expand Up @@ -172,6 +183,7 @@ No modules.
| <a name="input_domain_name_description"></a> [domain\_name\_description](#input\_domain\_name\_description) | A description of the Domain Name. | `string` | `null` | no |
| <a name="input_dynamodb_allowed_actions"></a> [dynamodb\_allowed\_actions](#input\_dynamodb\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_DYNAMODB | `list(string)` | <pre>[<br> "dynamodb:GetItem",<br> "dynamodb:PutItem",<br> "dynamodb:DeleteItem",<br> "dynamodb:UpdateItem",<br> "dynamodb:Query",<br> "dynamodb:Scan",<br> "dynamodb:BatchGetItem",<br> "dynamodb:BatchWriteItem"<br>]</pre> | no |
| <a name="input_elasticsearch_allowed_actions"></a> [elasticsearch\_allowed\_actions](#input\_elasticsearch\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_ELASTICSEARCH | `list(string)` | <pre>[<br> "es:ESHttpDelete",<br> "es:ESHttpHead",<br> "es:ESHttpGet",<br> "es:ESHttpPost",<br> "es:ESHttpPut"<br>]</pre> | no |
| <a name="input_eventbridge_allowed_actions"></a> [eventbridge\_allowed\_actions](#input\_eventbridge\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_EVENTBRIDGE | `list(string)` | <pre>[<br> "events:PutEvents"<br>]</pre> | no |
| <a name="input_functions"></a> [functions](#input\_functions) | Map of functions to create | `any` | `{}` | no |
| <a name="input_graphql_api_tags"></a> [graphql\_api\_tags](#input\_graphql\_api\_tags) | Map of tags to add to GraphQL API | `map(string)` | `{}` | no |
| <a name="input_iam_permissions_boundary"></a> [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN for iam permissions boundary | `string` | `null` | no |
Expand All @@ -185,6 +197,7 @@ No modules.
| <a name="input_logs_role_tags"></a> [logs\_role\_tags](#input\_logs\_role\_tags) | Map of tags to add to Cloudwatch logs IAM role | `map(string)` | `{}` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of GraphQL API | `string` | `""` | no |
| <a name="input_openid_connect_config"></a> [openid\_connect\_config](#input\_openid\_connect\_config) | Nested argument containing OpenID Connect configuration. | `map(string)` | `{}` | no |
| <a name="input_opensearchservice_allowed_actions"></a> [opensearchservice\_allowed\_actions](#input\_opensearchservice\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_OPENSEARCH\_SERVICE | `list(string)` | <pre>[<br> "es:ESHttpDelete",<br> "es:ESHttpHead",<br> "es:ESHttpGet",<br> "es:ESHttpPost",<br> "es:ESHttpPut"<br>]</pre> | no |
| <a name="input_resolver_caching_ttl"></a> [resolver\_caching\_ttl](#input\_resolver\_caching\_ttl) | Default caching TTL for resolvers when caching is enabled | `number` | `60` | no |
| <a name="input_resolvers"></a> [resolvers](#input\_resolvers) | Map of resolvers to create | `any` | `{}` | no |
| <a name="input_schema"></a> [schema](#input\_schema) | The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration. | `string` | `""` | no |
15 changes: 15 additions & 0 deletions examples/complete/main.tf
Expand Up @@ -213,6 +213,21 @@ module "appsync" {
endpoint = "https://search-my-domain.eu-west-1.es.amazonaws.com"
region = "eu-west-1"
}

# Opensearch Service support has not been finished & tested
opensearchservice1 = {
type = "AMAZON_OPENSEARCH_SERVICE"

# Note: dynamic references (module.opensearchservice1.id) do not work do not work unless you create this resource in advance
endpoint = "https://search-my-domain-2.eu-west-1.es.amazonaws.com"
region = "eu-west-1"
}

eventbridge1 = {
type = "AMAZON_EVENTBRIDGE"

event_bus_arn = "aws:arn:events:us-west-1:135367859850:event-bus/eventbridge1"
}
}

resolvers = {
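Review bot: The `event_bus_arn` value in the `eventbridge1` block, `aws:arn:events:us-west-1:...`, has its first two segments swapped; an EventBridge bus ARN has the form `arn:PARTITION:events:REGION:ACCOUNT:event-bus/NAME`, so the IAM statement that iam.tf builds from this value would never match a real bus and the provider may reject the datasource. The README snippet added in this commit carries the same value and should be corrected together with it. The `opensearchservice1` block is introduced with the comment that support "has not been finished & tested"; shipping an untested block in the `complete` example is misleading, so either drop the comment once it is verified or leave the block out until then, and fix the duplicated phrase in `# Note: dynamic references (module.opensearchservice1.id) do not work unless you create this resource in advance`. The enclosing `module "appsync"` block starts and ends outside the hunk.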
28 changes: 27 additions & 1 deletion iam.tf
@@ -1,7 +1,7 @@
data "aws_partition" "this" {}

locals {
service_roles_with_policies = var.create_graphql_api ? { for k, v in var.datasources : k => v if contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH"], v.type) && tobool(lookup(v, "create_service_role", true)) } : {}
service_roles_with_policies = var.create_graphql_api ? { for k, v in var.datasources : k => v if contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH", "AMAZON_OPENSEARCH_SERVICE", "AMAZON_EVENTBRIDGE"], v.type) && tobool(lookup(v, "create_service_role", true)) } : {}

service_roles_with_policies_lambda = { for k, v in local.service_roles_with_policies : k => merge(v,
{
Expand Down Expand Up @@ -39,10 +39,36 @@ locals {
}
) if v.type == "AMAZON_ELASTICSEARCH" }

service_roles_with_policies_opensearchservice = { for k, v in local.service_roles_with_policies : k => merge(v,
{
policy_statements = {
opensearchservice = {
effect = "Allow"
actions = lookup(v, "policy_actions", null) == null ? var.opensearchservice_allowed_actions : v.policy_actions
resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)]
}
}
}
) if v.type == "AMAZON_OPENSEARCH_SERVICE" }

service_roles_with_policies_eventbridge = { for k, v in local.service_roles_with_policies : k => merge(v,
{
policy_statements = {
eventbridge = {
effect = "Allow"
actions = lookup(v, "policy_actions", null) == null ? var.eventbridge_allowed_actions : v.policy_actions
resources = [v.event_bus_arn]
}
}
}
) if v.type == "AMAZON_EVENTBRIDGE" }

service_roles_with_specific_policies = merge(
local.service_roles_with_policies_lambda,
local.service_roles_with_policies_dynamodb,
local.service_roles_with_policies_elasticsearch,
local.service_roles_with_policies_opensearchservice,
local.service_roles_with_policies_eventbridge,
)
}

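Review bot: The OpenSearch statement's resource, `resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)]`, interpolates the datasource `endpoint` into the domain-name slot and leaves the account-id field empty, but `endpoint` is a full `https://…` URL in both the example and the README, so the resulting ARN cannot match a real domain (`arn:PARTITION:es:REGION:ACCOUNT:domain/NAME/*`). In practice the role then either grants nothing usable or a maintainer widens it to a wildcard, both worse than an explicit scope; consider accepting an explicit domain ARN key on the datasource (a constructed name such as `domain_arn`) and using the derived value only as a fallback, with `data.aws_caller_identity` supplying the account field. The `AMAZON_ELASTICSEARCH` entry that ends at the top of the hunk appears to follow the same pattern (its body is outside the hunk), so the same fix likely applies there. The EventBridge statement is correctly scoped to `v.event_bus_arn`; note that a datasource of that type without `event_bus_arn` fails at plan time rather than silently, which is acceptable but worth stating in the variable documentation. The enclosing `locals` block starts outside the hunk.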
19 changes: 18 additions & 1 deletion main.tf
Expand Up @@ -144,7 +144,7 @@ resource "aws_appsync_datasource" "this" {
name = each.key
type = each.value.type
description = lookup(each.value, "description", null)
service_role_arn = lookup(each.value, "service_role_arn", tobool(lookup(each.value, "create_service_role", contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH"], each.value.type))) ? aws_iam_role.service_role[each.key].arn : null)
service_role_arn = lookup(each.value, "service_role_arn", tobool(lookup(each.value, "create_service_role", contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH", "AMAZON_OPENSEARCH_SERVICE", "AMAZON_EVENTBRIDGE"], each.value.type))) ? aws_iam_role.service_role[each.key].arn : null)

dynamic "http_config" {
for_each = each.value.type == "HTTP" ? [true] : []
Expand Down Expand Up @@ -180,6 +180,23 @@ resource "aws_appsync_datasource" "this" {
region = lookup(each.value, "region", null)
}
}

dynamic "opensearchservice_config" {
for_each = each.value.type == "AMAZON_OPENSEARCH_SERVICE" ? [true] : []

content {
endpoint = each.value.endpoint
region = lookup(each.value, "region", null)
}
}

dynamic "event_bridge_config" {
for_each = each.value.type == "AMAZON_EVENTBRIDGE" ? [true] : []

content {
event_bus_arn = each.value.event_bus_arn
}
}
}

# Resolvers
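Review bot: The list of datasource types that receive a service role by default, `contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH", "AMAZON_OPENSEARCH_SERVICE", "AMAZON_EVENTBRIDGE"], each.value.type)` in the `service_role_arn` line, is duplicated verbatim in the `service_roles_with_policies` filter in iam.tf. If the two lists drift, a type present here but not in iam.tf references `aws_iam_role.service_role[each.key]` for a key that is never created, and the reverse creates a role nothing attaches to. Hoisting the list into one local (a constructed name such as `local.datasource_types_with_service_role`) and referencing it from both files removes that risk. The `aws_appsync_datasource "this"` resource starts and ends outside the hunk.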
12 changes: 12 additions & 0 deletions variables.tf
Expand Up @@ -230,6 +230,18 @@ variable "elasticsearch_allowed_actions" {
default = ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]
}

variable "opensearchservice_allowed_actions" {
description = "List of allowed IAM actions for datasources type AMAZON_OPENSEARCH_SERVICE"
type = list(string)
default = ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]
}

variable "eventbridge_allowed_actions" {
description = "List of allowed IAM actions for datasources type AMAZON_EVENTBRIDGE"
type = list(string)
default = ["events:PutEvents"]
}

variable "iam_permissions_boundary" {
description = "ARN for iam permissions boundary"
type = string
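Review bot: The default for `opensearchservice_allowed_actions` includes `es:ESHttpDelete`, `es:ESHttpPost` and `es:ESHttpPut`, i.e. write and delete access to the domain, while a read-only resolver needs only the GET/HEAD verbs; the description does not say this is a permissive default or that it can be narrowed. Since iam.tf consults a per-datasource `policy_actions` key before falling back to this variable, the description could read `description = "List of allowed IAM actions for datasources type AMAZON_OPENSEARCH_SERVICE; the default grants read, write and delete and is overridden per datasource by policy_actions"`. The same wording would suit `eventbridge_allowed_actions` in this hunk and the existing `elasticsearch_allowed_actions` above it.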
2 changes: 2 additions & 0 deletions wrappers/main.tf
Expand Up @@ -36,6 +36,8 @@ module "wrapper" {
lambda_allowed_actions = try(each.value.lambda_allowed_actions, var.defaults.lambda_allowed_actions, ["lambda:invokeFunction"])
dynamodb_allowed_actions = try(each.value.dynamodb_allowed_actions, var.defaults.dynamodb_allowed_actions, ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"])
elasticsearch_allowed_actions = try(each.value.elasticsearch_allowed_actions, var.defaults.elasticsearch_allowed_actions, ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"])
opensearchservice_allowed_actions = try(each.value.opensearchservice_allowed_actions, var.defaults.opensearchservice_allowed_actions, ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"])
eventbridge_allowed_actions = try(each.value.eventbridge_allowed_actions, var.defaults.eventbridge_allowed_actions, ["events:PutEvents"])
iam_permissions_boundary = try(each.value.iam_permissions_boundary, var.defaults.iam_permissions_boundary, null)
direct_lambda_request_template = try(each.value.direct_lambda_request_template, var.defaults.direct_lambda_request_template, <<-EOF
{
