diff --git a/examples/role/main.tf b/examples/role/main.tf
new file mode 100644
index 0000000..57f20fa
--- /dev/null
+++ b/examples/role/main.tf
@@ -0,0 +1,26 @@
+module "role" {
+ source = "../../modules/role"
+
+ name = "reader"
+ description = "Opensearch reader role"
+
+ cluster_permissions = ["*"]
+
+ index_permissions = {
+ "test-index-*" = {
+ allowed_actions = ["read"]
+ }
+ }
+
+ tenant_permissions = {
+ "test-index-*" = ["read"]
+ }
+
+ backend_roles = [
+ "arn:aws:iam::999999999999:role/TestReaderRole",
+ ]
+
+ users = [
+ "arn:aws:iam::999999999999:user/TestUser",
+ ]
+}
diff --git a/examples/role/providers.tf b/examples/role/providers.tf
new file mode 100644
index 0000000..6917ade
--- /dev/null
+++ b/examples/role/providers.tf
@@ -0,0 +1,2 @@
+provider "opensearch" {
+}
diff --git a/examples/role/versions.tf b/examples/role/versions.tf
new file mode 100644
index 0000000..c252798
--- /dev/null
+++ b/examples/role/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.4"
+
+ required_providers {
+ opensearch = {
+ source = "opensearch-project/opensearch"
+ version = "~> 2.2.0"
+ }
+ }
+}
diff --git a/modules/dashboard/tenant/README.md b/modules/dashboard/tenant/README.md
new file mode 100644
index 0000000..e530856
--- /dev/null
+++ b/modules/dashboard/tenant/README.md
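Review bot: `cluster_permissions = ["*"]` in the `reader` example grants every cluster-level permission, which contradicts the read-only intent expressed by the role name and description, and since the module itself puts no constraint on the variable this example is the only guidance a user copying it will get. A read-only example should pass a narrow cluster permission set instead, e.g. `cluster_permissions = ["cluster_composite_ops_ro"]`, and leave the wildcard to an explicitly named admin example. The index and tenant permissions on the following lines are already scoped to `read`, so only this one line is out of step.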
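Review bot: The empty `provider "opensearch" {}` block in examples/role/providers.tf gives a reader no indication of where the cluster endpoint and credentials are expected to come from; presumably they are supplied out of band through the provider's environment variables or a local override, but nothing in the example says so. A one-line comment inside the block, e.g. `# endpoint and credentials are supplied out of band (provider environment variables); nothing is committed here`, would make the example runnable without a trip to the provider documentation.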
@@ -0,0 +1,33 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.4 |
+| [opensearch](#requirement\_opensearch) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [opensearch](#provider\_opensearch) | >= 2.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [opensearch_dashboard_tenant.this](https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/dashboard_tenant) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | The dashboard tenant description | `string` | `""` | no |
+| [name](#input\_name) | The dashboard tenant name | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/modules/dashboard/tenant/main.tf b/modules/dashboard/tenant/main.tf
new file mode 100644
index 0000000..1145f60
--- /dev/null
+++ b/modules/dashboard/tenant/main.tf
@@ -0,0 +1,4 @@
+resource "opensearch_dashboard_tenant" "this" {
+ tenant_name = var.name
+ description = var.description
+}
diff --git a/modules/dashboard/tenant/outputs.tf b/modules/dashboard/tenant/outputs.tf
new file mode 100644
index 0000000..9e824e1
--- /dev/null
+++ b/modules/dashboard/tenant/outputs.tf
@@ -0,0 +1,4 @@
+output "id" {
+ description = "The ID of the dashboard tenant"
+ value = opensearch_dashboard_tenant.this.id
+}
diff --git a/modules/dashboard/tenant/variables.tf b/modules/dashboard/tenant/variables.tf
new file mode 100644
index 0000000..306a35d
--- /dev/null
+++ b/modules/dashboard/tenant/variables.tf
@@ -0,0 +1,10 @@
+variable "name" {
+ description = "Dashboard tenant name"
+ type = string
+}
+
+variable "description" {
+ description = "Dashboard tenant description"
+ type = string
+ default = ""
+}
diff --git a/modules/dashboard/tenant/versions.tf b/modules/dashboard/tenant/versions.tf
new file mode 100644
index 0000000..c1a9caf
--- /dev/null
+++ b/modules/dashboard/tenant/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.4"
+
+ required_providers {
+ opensearch = {
+ source = "opensearch-project/opensearch"
+ version = ">= 2.0"
+ }
+ }
+}
diff --git a/modules/role/README.md b/modules/role/README.md
new file mode 100644
index 0000000..aa55b61
--- /dev/null
+++ b/modules/role/README.md
@@ -0,0 +1,41 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.4 |
+| [opensearch](#requirement\_opensearch) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [opensearch](#provider\_opensearch) | >= 2.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [opensearch_role.this](https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/role) | resource |
+| [opensearch_roles_mapping.this](https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/roles_mapping) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [backend\_roles](#input\_backend\_roles) | (Optional) Set of backend roles to map to the Opensearch role | `set(string)` | `[]` | no |
+| [cluster\_permissions](#input\_cluster\_permissions) | Set of cluster permissions to apply to the role | `set(string)` | n/a | yes |
+| [description](#input\_description) | Opensearch role description | `string` | `""` | no |
+| [index\_permissions](#input\_index\_permissions) | Map of index pattern to permissions to apply to the pattern |
map(object(
{
allowed_actions = set(string)
masked_fields = optional(set(string))
document_level_security = optional(string)
field_level_security = optional(set(string))
}
))
| n/a | yes |
+| [name](#input\_name) | Opensearch role name | `string` | n/a | yes |
+| [tenant\_permissions](#input\_tenant\_permissions) | Map of tenant pattern to set of permissions to apply to the pattern | `map(set(string))` | n/a | yes |
+| [users](#input\_users) | (Optional) Set of users to map to the Opensearch role | `set(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [id](#output\_id) | The ID of the role |
diff --git a/modules/role/main.tf b/modules/role/main.tf
new file mode 100644
index 0000000..a821e69
--- /dev/null
+++ b/modules/role/main.tf
@@ -0,0 +1,36 @@
+resource "opensearch_role" "this" {
+ role_name = var.name
+ description = var.description
+
+ cluster_permissions = var.cluster_permissions
+
+ dynamic "index_permissions" {
+ for_each = var.index_permissions
+
+ content {
+ index_patterns = index_permissions.key
+ allowed_actions = index_permissions.value.allowed_actions
+ document_level_security = index_permissions.value.document_level_security
+ field_level_security = index_permissions.value.field_level_security
+ masked_fields = index_permissions.value.masked_fields
+ }
+ }
+
+ dynamic "tenant_permissions" {
+ for_each = var.tenant_permissions
+ content {
+ tenant_patterns = tenant_permissions.key
+ allowed_actions = tenant_permissions.value
+ }
+ }
+}
+
+resource "opensearch_roles_mapping" "this" {
+ count = length(setunion(var.backend_roles, var.users)) > 0 ? 1 : 0
+
+ role_name = opensearch_role.this.role_name
+ description = "Role mapping for ${var.name}"
+
+ backend_roles = var.backend_roles
+ users = var.users
+}
diff --git a/modules/role/outputs.tf b/modules/role/outputs.tf
new file mode 100644
index 0000000..afb7364
--- /dev/null
+++ b/modules/role/outputs.tf
@@ -0,0 +1,4 @@
+output "id" {
+ description = "The ID of the role"
+ value = opensearch_role.this.id
+}
diff --git a/modules/role/variables.tf b/modules/role/variables.tf
new file mode 100644
index 0000000..84051ef
--- /dev/null
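Review bot: `index_patterns = index_permissions.key` and `tenant_patterns = tenant_permissions.key` in modules/role/main.tf assign a single string where the provider's `opensearch_role` documentation describes `index_patterns` and `tenant_patterns` as sets of strings; Terraform does not convert a string to a set on its own, so unless the provider schema accepts a bare string the plan is likely to reject both blocks. Wrapping the key, `index_patterns = [index_permissions.key]` and `tenant_patterns = [tenant_permissions.key]`, keeps the one-pattern-per-map-key design the README describes. The `count` expression on `opensearch_roles_mapping.this` would also read better with a comment such as `# only create a mapping when at least one backend role or user is supplied`, since the reason for the conditional is not visible from the expression itself.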
+++ b/modules/role/variables.tf
@@ -0,0 +1,44 @@
+variable "name" {
+ description = "Opensearch role name"
+ type = string
+}
+
+variable "description" {
+ description = "Opensearch role description"
+ type = string
+ default = ""
+}
+
+variable "cluster_permissions" {
+ description = "Set of cluster permissions to apply to the role"
+ type = set(string)
+}
+
+variable "index_permissions" {
+ description = "Map of index pattern to permissions to apply to the pattern"
+ type = map(object(
+ {
+ allowed_actions = set(string)
+ masked_fields = optional(set(string))
+ document_level_security = optional(string)
+ field_level_security = optional(set(string))
+ }
+ ))
+}
+
+variable "tenant_permissions" {
+ description = "Map of tenant pattern to set of permissions to apply to the pattern"
+ type = map(set(string))
+}
+
+variable "backend_roles" {
+ description = "(Optional) Set of backend roles to map to the Opensearch role"
+ type = set(string)
+ default = []
+}
+
+variable "users" {
+ description = "(Optional) Set of users to map to the Opensearch role"
+ type = set(string)
+ default = []
+}
diff --git a/modules/role/versions.tf b/modules/role/versions.tf
new file mode 100644
index 0000000..c1a9caf
--- /dev/null
+++ b/modules/role/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.4"
+
+ required_providers {
+ opensearch = {
+ source = "opensearch-project/opensearch"
+ version = ">= 2.0"
+ }
+ }
+}
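Review bot: `index_permissions` and `tenant_permissions` in modules/role/variables.tf have no default, so a caller that only needs cluster-level permissions must pass an empty map explicitly, while `backend_roles` and `users` in the same file are given `default = []`. Both maps are consumed only through `for_each` in main.tf, so adding `default = {}` to each is safe and makes the module's optional inputs consistent; the README's Required column would then need regenerating. If the module is meant to steer callers away from wildcard roles, a `validation` block on `cluster_permissions` that rejects `"*"` is the place to do it, but that is a policy choice for the authors rather than a defect in the hunk.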