From cbf6fe0b31e6b35747ef66a69428fd351a7d5437 Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Fri, 22 Dec 2023 14:02:42 +0800 Subject: [PATCH 1/3] feat: custom_role_policy_arns on pipeline iam submodule Additional field to attach custom IAM policies to the ingestion pipeline IAM role --- modules/ingestion/iam/README.md | 3 ++- modules/ingestion/iam/iam.tf | 2 +- modules/ingestion/iam/locals.tf | 2 ++ modules/ingestion/iam/variables.tf | 6 ++++++ 4 files changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/ingestion/iam/README.md b/modules/ingestion/iam/README.md index 436351b..e1cfe96 100644 --- a/modules/ingestion/iam/README.md +++ b/modules/ingestion/iam/README.md @@ -22,12 +22,13 @@ | Name | Type | |------|------| -| [aws_iam_policy_document.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.opensearch_ingestion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [custom\_role\_policy\_arns](#input\_custom\_role\_policy\_arns) | List of ARNs of IAM policies to attach to the pipeline IAM role | `list(string)` | `[]` | no | | [opensearch\_domain\_arns](#input\_opensearch\_domain\_arns) | (Optional) The ARN's of the OpenSearch domains to ingest data into | `list(string)` | `[]` | no | | [pipeline\_role\_name](#input\_pipeline\_role\_name) | The name of the pipline IAM role | `string` | n/a | yes | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | diff --git a/modules/ingestion/iam/iam.tf b/modules/ingestion/iam/iam.tf index 3fa94fb..0f47674 100644 --- a/modules/ingestion/iam/iam.tf +++ b/modules/ingestion/iam/iam.tf 
@@ -10,7 +10,7 @@ module "pipeline_role" { "osis-pipelines.amazonaws.com", ] role_requires_mfa = false - custom_role_policy_arns = local.create_opensearch_ingestion_policy ? [module.pipeline_opensearch_policy.arn] : [] + custom_role_policy_arns = local.custom_role_policy_arns tags = var.tags } diff --git a/modules/ingestion/iam/locals.tf b/modules/ingestion/iam/locals.tf index 95233a2..62bdfef 100644 --- a/modules/ingestion/iam/locals.tf +++ b/modules/ingestion/iam/locals.tf @@ -1,3 +1,5 @@ locals { create_opensearch_ingestion_policy = length(var.opensearch_domain_arns) > 0 ? true : false + + custom_role_policy_arns = local.create_opensearch_ingestion_policy ? merge(var.custom_role_policy_arns, [module.pipeline_opensearch_policy.arn]) : var.custom_role_policy_arns } diff --git a/modules/ingestion/iam/variables.tf b/modules/ingestion/iam/variables.tf index 2c321dd..57da975 100644 --- a/modules/ingestion/iam/variables.tf +++ b/modules/ingestion/iam/variables.tf @@ -9,6 +9,12 @@ variable "opensearch_domain_arns" { default = [] } +variable "custom_role_policy_arns" { + description = "List of ARNs of IAM policies to attach to the pipeline IAM role" + type = list(string) + default = [] +} + variable "tags" { description = "A map of tags to add to all resources" type = map(string) From 7c9a8a03182901586da22f41de7d108c29873bd1 Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Tue, 19 Mar 2024 11:26:24 +0800 Subject: [PATCH 2/3] fix: custom policy arn for ingestion iam --- examples/ingestion/main.tf | 3 +++ modules/ingestion/iam/data.tf | 40 +++++++++++++++++++++----------- modules/ingestion/iam/iam.tf | 11 ++++++--- modules/ingestion/iam/locals.tf | 2 -- modules/ingestion/iam/outputs.tf | 2 +- 5 files changed, 38 insertions(+), 20 deletions(-) diff --git a/examples/ingestion/main.tf b/examples/ingestion/main.tf index 236daf2..20444f0 100644 --- a/examples/ingestion/main.tf +++ b/examples/ingestion/main.tf 
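Review bot: The added `custom_role_policy_arns` local in locals.tf calls `merge()` on two lists, but `merge()` accepts only maps/objects, so this module fails `terraform validate` as committed; the list-append the author wants is `custom_role_policy_arns = local.create_opensearch_ingestion_policy ? concat(var.custom_role_policy_arns, [module.pipeline_opensearch_policy.arn]) : var.custom_role_policy_arns`. Patch 2 of this series already moves to `concat`, so the fix exists, but patch 1 on its own does not plan, which breaks bisecting; squashing the two would keep every commit in the history validating.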
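Review bot: The new `custom_role_policy_arns` variable in variables.tf is accepted with no shape check, and every element is attached to a role that `osis-pipelines.amazonaws.com` can assume, so a typo or a non-policy ARN only surfaces at apply time inside the role module. A `validation` block that rejects anything not shaped like an IAM policy ARN turns that into a plan-time error, and the description could also state that these are attached in addition to the module-generated OpenSearch ingestion policy, since the README row does not say so. The same regex pattern (constructed, partition and account placeholders) is shown below; adjust if the module must accept other partitions.
```hcl
variable "custom_role_policy_arns" {
  description = "List of ARNs of IAM policies to attach to the pipeline IAM role, in addition to the generated OpenSearch ingestion policy"
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for arn in var.custom_role_policy_arns : can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", arn))])
    error_message = "Each element must be an IAM policy ARN of the form arn:<partition>:iam::<aws|account-id>:policy/<name>."
  }
}
```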
@@ -19,6 +19,9 @@ module "ingestion_iam" { opensearch_domain_arns = [ "arn:aws:es:${local.region}:${local.account_id}:domain/${local.domain_name}", ] + custom_role_policy_arns = [ + "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", + ] } module "ingestion_pipeline" { diff --git a/modules/ingestion/iam/data.tf b/modules/ingestion/iam/data.tf index b5d1a96..be62b1f 100644 --- a/modules/ingestion/iam/data.tf +++ b/modules/ingestion/iam/data.tf @@ -1,20 +1,32 @@ data "aws_iam_policy_document" "opensearch_ingestion" { + count = local.create_opensearch_ingestion_policy ? 1 : 0 - statement { - effect = "Allow" - actions = ["es:DescribeDomain"] - resources = var.opensearch_domain_arns + dynamic "statement" { + for_each = local.create_opensearch_ingestion_policy ? [1] : [] + content { + effect = "Allow" + actions = ["es:DescribeDomain"] + resources = var.opensearch_domain_arns + } } - statement { - effect = "Allow" - actions = [ - "es:ESHttpGet", - "es:ESHttpHead", - "es:ESHttpPatch", - "es:ESHttpPost", - "es:ESHttpPut", - ] - resources = [for domain in var.opensearch_domain_arns : "${domain}/*"] + dynamic "statement" { + for_each = local.create_opensearch_ingestion_policy ? [1] : [] + content { + effect = "Allow" + actions = [ + "es:ESHttpGet", + "es:ESHttpHead", + "es:ESHttpPatch", + "es:ESHttpPost", + "es:ESHttpPut", + ] + resources = [for domain in var.opensearch_domain_arns : "${domain}/*"] + } } } + +moved { + from = data.aws_iam_policy_document.opensearch_ingestion + to = data.aws_iam_policy_document.opensearch_ingestion[0] +} diff --git a/modules/ingestion/iam/iam.tf b/modules/ingestion/iam/iam.tf index 0f47674..7ea800f 100644 --- a/modules/ingestion/iam/iam.tf +++ b/modules/ingestion/iam/iam.tf 
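Review bot: The example in examples/ingestion/main.tf attaches `AmazonS3ReadOnlyAccess`, an AWS-managed policy that grants read access to every S3 bucket in the account, so anyone copying the example gives the pipeline role far more than its ingestion source needs. Since this file is what users start from, a comment above the list such as `# Example only: AmazonS3ReadOnlyAccess reads every bucket in the account; scope a customer-managed policy to the pipeline's source bucket(s) in real deployments` would keep the least-privilege intent of the module visible. The enclosing `module "ingestion_iam"` block starts before this hunk.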
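Review bot: In data.tf the two `dynamic "statement"` wrappers with `for_each = local.create_opensearch_ingestion_policy ? [1] : []` are redundant once the data source itself carries `count = local.create_opensearch_ingestion_policy ? 1 : 0`: inside a counted instance the condition is always true, so the blocks always render and the plain `statement { … }` blocks from the removed lines can stay as they were, leaving the `count` line as the only change. That also keeps the document readable as a fixed policy rather than a template. The trailing `moved` block targets a data source; data sources are re-read on every plan, so it is not obvious the move is needed here — worth confirming against a plan on an existing state before keeping it.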
@@ -10,7 +10,7 @@ module "pipeline_role" { "osis-pipelines.amazonaws.com", ] role_requires_mfa = false - custom_role_policy_arns = local.custom_role_policy_arns + custom_role_policy_arns = local.create_opensearch_ingestion_policy ? concat(var.custom_role_policy_arns, [module.pipeline_opensearch_policy[0].arn]) : var.custom_role_policy_arns tags = var.tags } @@ -19,12 +19,17 @@ module "pipeline_opensearch_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" version = "~> 5.5.0" - create_policy = local.create_opensearch_ingestion_policy + count = local.create_opensearch_ingestion_policy ? 1 : 0 name = "${var.pipeline_role_name}-ingestion-policy" path = "/" description = "IAM Policy for Opensearch ingestion" - policy = data.aws_iam_policy_document.opensearch_ingestion.json + policy = data.aws_iam_policy_document.opensearch_ingestion[0].json tags = var.tags } + +moved { + from = module.pipeline_opensearch_policy + to = module.pipeline_opensearch_policy[0] +} diff --git a/modules/ingestion/iam/locals.tf b/modules/ingestion/iam/locals.tf index 62bdfef..95233a2 100644 --- a/modules/ingestion/iam/locals.tf +++ b/modules/ingestion/iam/locals.tf @@ -1,5 +1,3 @@ locals { create_opensearch_ingestion_policy = length(var.opensearch_domain_arns) > 0 ? true : false - - custom_role_policy_arns = local.create_opensearch_ingestion_policy ? merge(var.custom_role_policy_arns, [module.pipeline_opensearch_policy.arn]) : var.custom_role_policy_arns } diff --git a/modules/ingestion/iam/outputs.tf b/modules/ingestion/iam/outputs.tf index fd32ddd..1cb22d2 100644 --- a/modules/ingestion/iam/outputs.tf +++ b/modules/ingestion/iam/outputs.tf 
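Review bot: The `custom_role_policy_arns` expression in the first iam.tf hunk repeats the `local.create_opensearch_ingestion_policy` ternary that `count` on `module.pipeline_opensearch_policy` already encodes, and patch 3 then touches the same line again only to reorder the operands. A splat over the counted module expresses both the conditional and the ordering in one line without the ternary: `custom_role_policy_arns = concat(module.pipeline_opensearch_policy[*].arn, var.custom_role_policy_arns)` — it yields `[]` when the policy is not created and keeps the generated policy at index 0, which appears to be what patch 3 wants for the role module's indexed attachments. The same applies to the patch 3 hunk in iam.tf.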
@@ -10,5 +10,5 @@ output "pipeline_role_arn" { output "opensearch_ingestion_policy_arn" { description = "ARN of the Opensearch ingestion policy" - value = local.create_opensearch_ingestion_policy ? module.pipeline_opensearch_policy.arn : null + value = local.create_opensearch_ingestion_policy ? module.pipeline_opensearch_policy[0].arn : null } From 0a518d6730031888dfc4ad61ba7aee169901c26d Mon Sep 17 00:00:00 2001 From: abhinavkumarsph Date: Tue, 19 Mar 2024 11:35:32 +0800 Subject: [PATCH 3/3] chore: custom policy arn order --- modules/ingestion/iam/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ingestion/iam/iam.tf b/modules/ingestion/iam/iam.tf index 7ea800f..06dd9d2 100644 --- a/modules/ingestion/iam/iam.tf +++ b/modules/ingestion/iam/iam.tf @@ -10,7 +10,7 @@ module "pipeline_role" { "osis-pipelines.amazonaws.com", ] role_requires_mfa = false - custom_role_policy_arns = local.create_opensearch_ingestion_policy ? concat(var.custom_role_policy_arns, [module.pipeline_opensearch_policy[0].arn]) : var.custom_role_policy_arns + custom_role_policy_arns = local.create_opensearch_ingestion_policy ? concat([module.pipeline_opensearch_policy[0].arn], var.custom_role_policy_arns) : var.custom_role_policy_arns tags = var.tags }