Update policy and secret access for opensearch (#11)

thoughtbot · Nov 1, 2024 · 5ae8197 · 5ae8197
1 parent 33afa18
commit 5ae8197
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 20 deletions.
diff --git a/main.tf b/main.tf
@@ -77,6 +77,7 @@ locals {
     module.postgres_admin_login[*],
     module.redis_token[*],
     module.secret_key[*],
+    module.opensearch[0].secret_details,
     values(module.developer_managed_secrets),
   )
 }

diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf
@@ -96,14 +96,14 @@ resource "aws_opensearch_domain" "this" {
         }
       }
 
-      dedicated_master_count        = try(cluster_config.value.dedicated_master_count, 3)
-      dedicated_master_enabled      = try(cluster_config.value.dedicated_master_enabled, true)
-      dedicated_master_type         = try(cluster_config.value.dedicated_master_type, "c6g.large.search")
-      instance_count                = try(cluster_config.value.instance_count, 3)
-      instance_type                 = try(cluster_config.value.instance_type, "r6g.large.search")
-      warm_count                    = try(cluster_config.value.warm_count, null)
-      warm_enabled                  = try(cluster_config.value.warm_enabled, null)
-      warm_type                     = try(cluster_config.value.warm_type, null)
+      dedicated_master_count   = try(cluster_config.value.dedicated_master_count, 3)
+      dedicated_master_enabled = try(cluster_config.value.dedicated_master_enabled, true)
+      dedicated_master_type    = try(cluster_config.value.dedicated_master_type, "c6g.large.search")
+      instance_count           = try(cluster_config.value.instance_count, 3)
+      instance_type            = try(cluster_config.value.instance_type, "r6g.large.search")
+      warm_count               = try(cluster_config.value.warm_count, null)
+      warm_enabled             = try(cluster_config.value.warm_enabled, null)
+      warm_type                = try(cluster_config.value.warm_type, null)
 
       dynamic "zone_awareness_config" {
         for_each = try([cluster_config.value.zone_awareness_config], [])
@@ -163,7 +163,7 @@ resource "aws_opensearch_domain" "this" {
     }
   }
 
-  engine_version  = var.engine_version
+  engine_version = var.engine_version
 
   dynamic "log_publishing_options" {
     for_each = { for opt in var.log_publishing_options : opt.log_type => opt }
@@ -305,7 +305,7 @@ resource "aws_opensearch_domain_saml_options" "this" {
 resource "aws_opensearch_outbound_connection" "this" {
   for_each = { for k, v in var.outbound_connections : k => v if var.create }
 
-  connection_alias  = try(each.value.connection_alias, each.key)
+  connection_alias = try(each.value.connection_alias, each.key)
 
   local_domain_info {
     owner_id    = try(each.value.local_domain_info.owner_id, local.account_id)
@@ -447,3 +447,20 @@ resource "aws_vpc_security_group_egress_rule" "this" {
 
   tags = merge(local.tags, var.security_group_tags, try(each.value.tags, {}))
 }
+
+module "elasticsearch_secret" {
+  source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
+
+  admin_principals = var.admin_principals
+  description      = "Elastisearch secrets for: ${local.name}"
+  name             = "${local.name}-secret"
+  read_principals  = var.read_principals
+  resource_tags    = var.tags
+
+  initial_value = jsonencode({
+    ES_ENDPOINT           = module.opensearch[0].domain_endpoint
+    ES_DASHBOARD_ENDPOINT = module.opensearch[0].domain_dashboard_endpoint
+    ES_DOMAIN_ID          = module.opensearch[0].domain_id
+    ES_PASSWORD           = random_password.es.result
+  })
+}
diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf
@@ -52,4 +52,21 @@ output "security_group_arn" {
 output "security_group_id" {
   description = "ID of the security group"
   value       = try(aws_security_group.this[0].id, null)
+}
+
+################################################################################
+# Secret details
+################################################################################
+
+output "secret_details" {
+  description = "Map containing secret details for opensearch credentials"
+  value = [
+    {
+      name                  = secret.secret_name
+      environment_variables = ["ES_ENDPOINT", "ES_DASHBOARD_ENDPOINT", "ES_DOMAIN_ID", "ES_PASSWORD"]
+      policy_json           = module.elasticsearch_secret.policy_json
+      kms_key_arn           = module.elasticsearch_secret.kms_key_arn
+      secret_arn            = module.elasticsearch_secret.arn
+    }
+  ]
 }
diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf
@@ -1,3 +1,9 @@
+variable "application_name" {
+  type        = string
+  description = "Unique name for the opensearch instance"
+  default     = ""
+}
+
 variable "create" {
   description = "Determines whether resources will be created (affects all resources)"
   type        = bool
@@ -271,3 +277,15 @@ variable "security_group_tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "admin_principals" {
+  description = "Principals allowed to peform admin actions (default: current account)"
+  type        = list(string)
+  default     = null
+}
+
+variable "read_principals" {
+  description = "Principals allowed to read the secret (default: current account)"
+  type        = list(string)
+  default     = null
+}
diff --git a/opensearch-variables.tf b/opensearch-variables.tf
@@ -44,13 +44,13 @@ variable "es_engine_version" {
   description = "Version of Elasticsearch to deploy."
 }
 
-variable "admin_principals" {
+variable "es_admin_principals" {
   description = "Principals allowed to peform admin actions (default: current account)"
   type        = list(string)
   default     = null
 }
 
-variable "read_principals" {
+variable "es_read_principals" {
   description = "Principals allowed to read the secret (default: current account)"
   type        = list(string)
   default     = null

diff --git a/opensearch.tf b/opensearch.tf
@@ -90,6 +90,12 @@ module "opensearch" {
     { log_type = "SEARCH_SLOW_LOGS" },
   ]
 
+  application_name = var.es_application_name
+
+  admin_principals = var.es_admin_principals
+
+  read_principals = var.es_read_principals
+
   node_to_node_encryption = {
     enabled = true
   }
@@ -140,41 +146,41 @@ resource "random_password" "es" {
   special = false
 }
 
-module "secret" {
+module "elasticsearch_secret" {
   count  = var.elasticsearch_enabled ? 1 : 0
   source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
 
   admin_principals = var.admin_principals
-  description      = "Elastisearch password for: ${local.name}"
+  description      = "Elastisearch secrets for: ${local.name}"
   name             = "${local.name}-secret"
   read_principals  = var.read_principals
   resource_tags    = var.tags
 
   initial_value = jsonencode({
     ES_ENDPOINT           = module.opensearch[0].domain_endpoint
     ES_DASHBOARD_ENDPOINT = module.opensearch[0].domain_dashboard_endpoint
-    DOMAIN_ID             = module.opensearch[0].domain_id
-    PASSWORD              = random_password.es.result
+    ES_DOMAIN_ID          = module.opensearch[0].domain_id
+    ES_PASSWORD           = random_password.es.result
   })
 }
 
 resource "aws_iam_role_policy_attachment" "test-attach" {
-  count  = var.elasticsearch_enabled ? 1 : 0
+  count = var.elasticsearch_enabled ? 1 : 0
 
   role       = module.pod_role.name
   policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonElasticsearchServiceRolePolicy"
 
-  depends_on = [ module.pod_policy ]
+  depends_on = [module.pod_policy]
 }
 
 module "pod_policy" {
   count  = var.elasticsearch_enabled ? 1 : 0
   source = "github.com/thoughtbot/flightdeck//aws/service-account-policy?ref=v0.9.0"
 
   name             = "es-${var.es_application_name}-pods"
-  policy_documents = module.secret[*].policy_json
+  policy_documents = module.opensearch[*].secret_details.policy_json
 
-  role_names       = [module.pod_role.name]
+  role_names = [module.pod_role.name]
 }
 
 data "aws_region" "current" {}