[New Resource]: Opensearch: Authorize VPC endpoint access

[Heldroe]

Description

When creating a VPC endpoint for an OpenSearch domain (aws_opensearch_vpc_endpoint) from a different account, the other account must first be allowed to create endpoints for the domain (see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc-interface-endpoints.html#vpc-endpoint-access)

Requested Resource(s) and/or Data Source(s)

aws_opensearch_vpc_endpoint_authorized_principal

Potential Terraform Configuration

resource "aws_opensearch_vpc_endpoint_authorized_principal" "other_account" {
  domain_name = "my-domain"
  principal   = "1234567890" # AWS account ID
}

References

• AWS documentation: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc-interface-endpoints.html#vpc-endpoint-access
• AWS CLI: https://docs.aws.amazon.com/cli/latest/reference/es/authorize-vpc-endpoint-access.html
• Go SDK: https://pkg.go.dev/github.com/aws/aws-sdk-go@v1.45.24/service/opensearchservice#AuthorizeVpcEndpointAccessInput

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[saqibiqbal7891]

This functionality has been released in v5.22.0 of the Terraform AWS Provider

Link

[marcohenriques]

This functionality has been released in v5.22.0 of the Terraform AWS Provider

Link

wasn't that support to create opensearch vpc endpoints? If I understand it correctly, after creating this endpoint, if the endpoint is to an OpenSearch I another account (same region), in that account we need to authorize it. Is there anything like that already implemented? I didn't find it on the docs

[josechudev]

Hi, is someone currently working on this? I'd like to help

[raffraffraff]

I hate to "me too" this, but without this resource I have had to resort to some really horrible null_resource crap in my Terraform:

resource "null_resource" "authorized_principals" {
  for_each = var.authorized_principals
  triggers = {
    OS_DOMAIN_ARN    = aws_opensearch_domain.this.arn
    OS_DOMAIN_NAME   = var.domain_name
    OS_AWS_PROFILE   = var.aws_profile
    OS_AWS_REGION    = var.region
    VPC_AWS_ACCOUNT  = each.key
  }

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    command     = "${path.module}/scripts/authorization.sh authorize"
    environment = {
      OS_DOMAIN_ARN    = aws_opensearch_domain.this.arn
      OS_DOMAIN_NAME   = var.domain_name
      OS_AWS_PROFILE   = var.aws_profile
      OS_AWS_REGION    = var.region
      VPC_AWS_ACCOUNT  = each.key
    }
  }

  provisioner "local-exec" {
    when        = destroy
    interpreter = ["/bin/bash", "-c"]
    command     = "${path.module}/scripts/authorization.sh revoke"
    environment = {
      OS_DOMAIN_NAME   = self.triggers.OS_DOMAIN_NAME
      OS_AWS_PROFILE   = self.triggers.OS_AWS_PROFILE
      OS_AWS_REGION    = self.triggers.OS_AWS_REGION
      VPC_AWS_ACCOUNT  = self.triggers.VPC_AWS_ACCOUNT
    }
  }

}

and the shell script it calls:

OSCMD="aws --profile $OS_AWS_PROFILE --region $OS_AWS_REGION opensearch"

die() {
  echo "$1" >&2
  exit 1
}

# THESE WILL ONLY READ STATE
list() {
  $OSCMD list-vpc-endpoint-access \
    --domain-name $OS_DOMAIN_NAME \
    --no-cli-pager
}

auth_status() {
  list \
    | jq -r '.AuthorizedPrincipalList[] | select(.Principal=="'$VPC_AWS_ACCOUNT'") | .Principal' \
    | grep -q $VPC_AWS_ACCOUNT
}

# THESE WILL MAKE MODIFICATIONS
authorize() {
  $OSCMD authorize-vpc-endpoint-access \
    --domain-name $OS_DOMAIN_NAME \
    --account $VPC_AWS_ACCOUNT \
    --no-cli-pager >/dev/null
}

revoke() {
  auth_status || die $? "AWS account not authorized, nothing to do"
  $OSCMD revoke-vpc-endpoint-access \
    --domain-name $OS_DOMAIN_NAME \
    --account $VPC_AWS_ACCOUNT \
    --no-cli-pager >/dev/null
}

until [ -z "$1" ]; do
  case $1 in

    authorize)  auth_status && exit 0
                authorize && exit 0
                die "AWS Account $VPC_AWS_ACCOUNT authorization on OpenSearch domain $OS_DOMAIN_NAME failed"
                ;;

    revoke)     auth_status || exit 0
                revoke && exit 0
                die "AWS Account $VPC_AWS_ACCOUNT revocation on OpenSearch domain $OS_DOMAIN_NAME failed"
                ;;

    status)     auth_status && exit 0
                  die "AWS Account $VPC_AWS_ACCOUNT not authorized on OpenSearch domain $OS_DOMAIN_NAME"
                ;;

    list)       list
                ;;

    *)          die "No action specified"
                ;;
  esac
  shift
done

Awful awful awful. I have basically no golang skills, but this is one of those times where I'm willing to learn it just so I can get this feature in, if nobody else is working on it.

[nsyntych]

I have started working on it here: https://github.com/punkops/terraform-provider-aws/blob/03b0b0637499f967b37a9947a1b65e7176083e61/internal/service/opensearch/vpc_endpoint_access.go

Not a master in golang myself but seems straight forward.

It works but it needs a lot of polishing, testing and documentation still...

Any suggestions and help is welcome.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v5.74.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!