chore: Stash

terraform-aws-modules · Dec 3, 2023 · a1126cc · a1126cc
1 parent 7050620
commit a1126cc
Show file tree

Hide file tree

Showing 5 changed files with 122 additions and 78 deletions.
diff --git a/modules/serverless/README.md b/modules/serverless/README.md
@@ -39,6 +39,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_opensearchserverless_access_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_access_policy) | resource |
 | [aws_opensearchserverless_collection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_collection) | resource |
 | [aws_opensearchserverless_security_policy.encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
 | [aws_opensearchserverless_security_policy.network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
@@ -47,17 +48,21 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_policy"></a> [access\_policy](#input\_access\_policy) | access policy to apply to the collection | `any` | `{}` | no |
+| <a name="input_access_policy_description"></a> [access\_policy\_description](#input\_access\_policy\_description) | Description of the access policy | `string` | `null` | no |
+| <a name="input_access_policy_name"></a> [access\_policy\_name](#input\_access\_policy\_name) | Name of the access policy | `string` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
+| <a name="input_create_access_policy"></a> [create\_access\_policy](#input\_create\_access\_policy) | Determines whether an access policy will be created | `bool` | `true` | no |
 | <a name="input_create_encryption_policy"></a> [create\_encryption\_policy](#input\_create\_encryption\_policy) | Determines whether an encryption policy will be created | `bool` | `true` | no |
 | <a name="input_create_network_policy"></a> [create\_network\_policy](#input\_create\_network\_policy) | Determines whether an network policy will be created | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the collection | `string` | `null` | no |
-| <a name="input_encryption_security_policy"></a> [encryption\_security\_policy](#input\_encryption\_security\_policy) | Encryption security policy to apply to the collection - this is merged with the default policy provided | `any` | `{}` | no |
-| <a name="input_encryption_security_policy_description"></a> [encryption\_security\_policy\_description](#input\_encryption\_security\_policy\_description) | Description of the encryption security policy | `string` | `null` | no |
-| <a name="input_encryption_security_policy_name"></a> [encryption\_security\_policy\_name](#input\_encryption\_security\_policy\_name) | Name of the encryption security policy | `string` | `null` | no |
+| <a name="input_encryption_policy"></a> [encryption\_policy](#input\_encryption\_policy) | Encryption policy to apply to the collection | `any` | `{}` | no |
+| <a name="input_encryption_policy_description"></a> [encryption\_policy\_description](#input\_encryption\_policy\_description) | Description of the encryption policy | `string` | `null` | no |
+| <a name="input_encryption_policy_name"></a> [encryption\_policy\_name](#input\_encryption\_policy\_name) | Name of the encryption policy | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the collection | `string` | `""` | no |
-| <a name="input_network_security_policy"></a> [network\_security\_policy](#input\_network\_security\_policy) | Network security policy to apply to the collection - this is merged with the default policy provided | `any` | `{}` | no |
-| <a name="input_network_security_policy_description"></a> [network\_security\_policy\_description](#input\_network\_security\_policy\_description) | Description of the network security policy | `string` | `null` | no |
-| <a name="input_network_security_policy_name"></a> [network\_security\_policy\_name](#input\_network\_security\_policy\_name) | Name of the network security policy | `string` | `null` | no |
+| <a name="input_network_policy"></a> [network\_policy](#input\_network\_policy) | Network policy to apply to the collection | `any` | `{}` | no |
+| <a name="input_network_policy_description"></a> [network\_policy\_description](#input\_network\_policy\_description) | Description of the network policy | `string` | `null` | no |
+| <a name="input_network_policy_name"></a> [network\_policy\_name](#input\_network\_policy\_name) | Name of the network policy | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Create and delete timeout configurations for the collection | `map(string)` | `{}` | no |
 | <a name="input_type"></a> [type](#input\_type) | Type of collection. One of `SEARCH`, `TIMESERIES`, or `VECTORSEARCH`. Defaults to `TIMESERIES` | `string` | `null` | no |
@@ -66,15 +71,17 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_access_policy"></a> [access\_policy](#output\_access\_policy) | The JSON policy document of the access policy |
+| <a name="output_access_policy_version"></a> [access\_policy\_version](#output\_access\_policy\_version) | The version of the access policy |
 | <a name="output_arn"></a> [arn](#output\_arn) | Amazon Resource Name (ARN) of the collection |
 | <a name="output_dashboard_endpoint"></a> [dashboard\_endpoint](#output\_dashboard\_endpoint) | Collection-specific endpoint used to access OpenSearch Dashboards |
-| <a name="output_encryption_security_policy"></a> [encryption\_security\_policy](#output\_encryption\_security\_policy) | The JSON policy document of the security policy |
-| <a name="output_encryption_security_policy_version"></a> [encryption\_security\_policy\_version](#output\_encryption\_security\_policy\_version) | The version of the security policy |
+| <a name="output_encryption_policy"></a> [encryption\_policy](#output\_encryption\_policy) | The JSON policy document of the encryption policy |
+| <a name="output_encryption_policy_version"></a> [encryption\_policy\_version](#output\_encryption\_policy\_version) | The version of the encryption policy |
 | <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | Collection-specific endpoint used to submit index, search, and data upload requests to an OpenSearch Serverless collection |
 | <a name="output_id"></a> [id](#output\_id) | Unique identifier for the collection |
 | <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the Amazon Web Services KMS key used to encrypt the collection |
-| <a name="output_network_security_policy"></a> [network\_security\_policy](#output\_network\_security\_policy) | The JSON policy document of the security policy |
-| <a name="output_network_security_policy_version"></a> [network\_security\_policy\_version](#output\_network\_security\_policy\_version) | The version of the security policy |
+| <a name="output_network_policy"></a> [network\_policy](#output\_network\_policy) | The JSON policy document of the network policy |
+| <a name="output_network_policy_version"></a> [network\_policy\_version](#output\_network\_policy\_version) | The version of the network policy |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## License

diff --git a/modules/serverless/main.tf b/modules/serverless/main.tf
@@ -32,21 +32,10 @@ resource "aws_opensearchserverless_collection" "this" {
 resource "aws_opensearchserverless_security_policy" "encryption" {
   count = var.create && var.create_encryption_policy ? 1 : 0
 
-  description = coalesce(var.encryption_security_policy_description, "Encryption policy for ${var.name} collection")
-  name        = coalesce(var.encryption_security_policy_name, "${var.name}-encryption")
-  policy = jsonencode(merge(
-    {
-      Rules = [
-        {
-          Resource     = ["collection/${var.name}"]
-          ResourceType = "collection"
-        }
-      ]
-      AWSOwnedKey = true
-    },
-    var.encryption_security_policy
-  ))
-  type = "encryption"
+  description = coalesce(var.encryption_policy_description, "Encryption policy for ${var.name} collection")
+  name        = coalesce(var.encryption_policy_name, "${var.name}-encryption")
+  policy      = var.encryption_policy
+  type        = "encryption"
 }
 
 ################################################################################
@@ -56,19 +45,21 @@ resource "aws_opensearchserverless_security_policy" "encryption" {
 resource "aws_opensearchserverless_security_policy" "network" {
   count = var.create && var.create_network_policy ? 1 : 0
 
-  description = coalesce(var.network_security_policy_description, "Newtwork policy for ${var.name} collection")
-  name        = coalesce(var.network_security_policy_name, "${var.name}-network")
-  policy = jsonencode(merge(
-    {
-      Rules = [
-        {
-          Resource     = ["collection/${var.name}"]
-          ResourceType = "collection"
-        }
-      ]
-      AllowFromPublic = true
-    },
-    var.network_security_policy
-  ))
-  type = "network"
+  description = coalesce(var.network_policy_description, "Newtwork policy for ${var.name} collection")
+  name        = coalesce(var.network_policy_name, "${var.name}-network")
+  policy      = var.network_policy
+  type        = "network"
+}
+
+################################################################################
+# Access Policy
+################################################################################
+
+resource "aws_opensearchserverless_access_policy" "this" {
+  count = var.create && var.create_access_policy ? 1 : 0
+
+  description = coalesce(var.access_policy_description, "Access policy for ${var.name} collection")
+  name        = coalesce(var.access_policy_name, "${var.name}-access")
+  policy      = var.access_policy
+  type        = "data"
 }
diff --git a/modules/serverless/outputs.tf b/modules/serverless/outputs.tf
@@ -28,29 +28,43 @@ output "id" {
 }
 
 ################################################################################
-# Security Policy - Encryption
+# Encryption Policy
 ################################################################################
 
-output "encryption_security_policy_version" {
-  description = "The version of the security policy"
+output "encryption_policy_version" {
+  description = "The version of the encryption policy"
   value       = try(aws_opensearchserverless_security_policy.encryption[0].policy_version, null)
 }
 
-output "encryption_security_policy" {
-  description = "The JSON policy document of the security policy"
+output "encryption_policy" {
+  description = "The JSON policy document of the encryption policy"
   value       = try(aws_opensearchserverless_security_policy.encryption[0].policy, null)
 }
 
 ################################################################################
-# Security Policy - Network
+# Network Policy
 ################################################################################
 
-output "network_security_policy_version" {
-  description = "The version of the security policy"
+output "network_policy_version" {
+  description = "The version of the network policy"
   value       = try(aws_opensearchserverless_security_policy.network[0].policy_version, null)
 }
 
-output "network_security_policy" {
-  description = "The JSON policy document of the security policy"
+output "network_policy" {
+  description = "The JSON policy document of the network policy"
   value       = try(aws_opensearchserverless_security_policy.network[0].policy, null)
 }
+
+################################################################################
+# Access Policy
+################################################################################
+
+output "access_policy_version" {
+  description = "The version of the access policy"
+  value       = try(aws_opensearchserverless_access_policy.this[0].policy_version, null)
+}
+
+output "access_policy" {
+  description = "The JSON policy document of the access policy"
+  value       = try(aws_opensearchserverless_access_policy.this[0].policy, null)
+}
diff --git a/modules/serverless/variables.tf b/modules/serverless/variables.tf
@@ -39,7 +39,7 @@ variable "timeouts" {
 }
 
 ################################################################################
-# Security Policy - Encryption
+# Encryption Policy
 ################################################################################
 
 variable "create_encryption_policy" {
@@ -48,26 +48,26 @@ variable "create_encryption_policy" {
   default     = true
 }
 
-variable "encryption_security_policy_description" {
-  description = "Description of the encryption security policy"
+variable "encryption_policy_description" {
+  description = "Description of the encryption policy"
   type        = string
   default     = null
 }
 
-variable "encryption_security_policy_name" {
-  description = "Name of the encryption security policy"
+variable "encryption_policy_name" {
+  description = "Name of the encryption policy"
   type        = string
   default     = null
 }
 
-variable "encryption_security_policy" {
-  description = "Encryption security policy to apply to the collection - this is merged with the default policy provided"
+variable "encryption_policy" {
+  description = "Encryption policy to apply to the collection"
   type        = any
   default     = {}
 }
 
 ################################################################################
-# Security Policy - Network
+# Network Policy
 ################################################################################
 
 variable "create_network_policy" {
@@ -76,20 +76,48 @@ variable "create_network_policy" {
   default     = true
 }
 
-variable "network_security_policy_description" {
-  description = "Description of the network security policy"
+variable "network_policy_description" {
+  description = "Description of the network policy"
   type        = string
   default     = null
 }
 
-variable "network_security_policy_name" {
-  description = "Name of the network security policy"
+variable "network_policy_name" {
+  description = "Name of the network policy"
   type        = string
   default     = null
 }
 
-variable "network_security_policy" {
-  description = "Network security policy to apply to the collection - this is merged with the default policy provided"
+variable "network_policy" {
+  description = "Network policy to apply to the collection"
+  type        = any
+  default     = {}
+}
+
+################################################################################
+# Access Policy
+################################################################################
+
+variable "create_access_policy" {
+  description = "Determines whether an access policy will be created"
+  type        = bool
+  default     = true
+}
+
+variable "access_policy_description" {
+  description = "Description of the access policy"
+  type        = string
+  default     = null
+}
+
+variable "access_policy_name" {
+  description = "Name of the access policy"
+  type        = string
+  default     = null
+}
+
+variable "access_policy" {
+  description = "access policy to apply to the collection"
   type        = any
   default     = {}
 }
diff --git a/wrappers/serverless/main.tf b/wrappers/serverless/main.tf
@@ -3,18 +3,22 @@ module "wrapper" {
 
   for_each = var.items
 
-  create                                 = try(each.value.create, var.defaults.create, true)
-  create_encryption_policy               = try(each.value.create_encryption_policy, var.defaults.create_encryption_policy, true)
-  create_network_policy                  = try(each.value.create_network_policy, var.defaults.create_network_policy, true)
-  description                            = try(each.value.description, var.defaults.description, null)
-  encryption_security_policy             = try(each.value.encryption_security_policy, var.defaults.encryption_security_policy, {})
-  encryption_security_policy_description = try(each.value.encryption_security_policy_description, var.defaults.encryption_security_policy_description, null)
-  encryption_security_policy_name        = try(each.value.encryption_security_policy_name, var.defaults.encryption_security_policy_name, null)
-  name                                   = try(each.value.name, var.defaults.name, "")
-  network_security_policy                = try(each.value.network_security_policy, var.defaults.network_security_policy, {})
-  network_security_policy_description    = try(each.value.network_security_policy_description, var.defaults.network_security_policy_description, null)
-  network_security_policy_name           = try(each.value.network_security_policy_name, var.defaults.network_security_policy_name, null)
-  tags                                   = try(each.value.tags, var.defaults.tags, {})
-  timeouts                               = try(each.value.timeouts, var.defaults.timeouts, {})
-  type                                   = try(each.value.type, var.defaults.type, null)
+  access_policy                 = try(each.value.access_policy, var.defaults.access_policy, {})
+  access_policy_description     = try(each.value.access_policy_description, var.defaults.access_policy_description, null)
+  access_policy_name            = try(each.value.access_policy_name, var.defaults.access_policy_name, null)
+  create                        = try(each.value.create, var.defaults.create, true)
+  create_access_policy          = try(each.value.create_access_policy, var.defaults.create_access_policy, true)
+  create_encryption_policy      = try(each.value.create_encryption_policy, var.defaults.create_encryption_policy, true)
+  create_network_policy         = try(each.value.create_network_policy, var.defaults.create_network_policy, true)
+  description                   = try(each.value.description, var.defaults.description, null)
+  encryption_policy             = try(each.value.encryption_policy, var.defaults.encryption_policy, {})
+  encryption_policy_description = try(each.value.encryption_policy_description, var.defaults.encryption_policy_description, null)
+  encryption_policy_name        = try(each.value.encryption_policy_name, var.defaults.encryption_policy_name, null)
+  name                          = try(each.value.name, var.defaults.name, "")
+  network_policy                = try(each.value.network_policy, var.defaults.network_policy, {})
+  network_policy_description    = try(each.value.network_policy_description, var.defaults.network_policy_description, null)
+  network_policy_name           = try(each.value.network_policy_name, var.defaults.network_policy_name, null)
+  tags                          = try(each.value.tags, var.defaults.tags, {})
+  timeouts                      = try(each.value.timeouts, var.defaults.timeouts, {})
+  type                          = try(each.value.type, var.defaults.type, null)
 }