An opensearch role that only needs to spin up and spin down opensearch can't create an opensearch domain in AWS

Describe the issue: I'm an intern in an IT company, and we were assigned to create, through terraform, an opensearch role that only needs to spin up and spin down opensearch. We were able to create a group and an assume role so that they can't access anything except opensearch. But the problem is that we can't create an opensearch domain.
We already tried doing it manually so we could compare which policies are needed, but we still can't create a domain using an iam_user in the opensearchdeploy group despite having full access to the opensearch service, so we are quite confused about what we need to add in our terraform code.

Configuration:

CREATE GROUP

resource "aws_iam_group" "opensearchdeploy-group" {
  name = "OpensearchDeploy"
}

CREATE ROLE

resource "aws_iam_role" "opensearchdeploy-role" {
  name = "${local.tfsettings.prefix}OpensearchDeploy"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect    = "Allow",
        Action    = "sts:AssumeRole",
        # Trust policy: any principal in this account may assume the role
        Principal = { "AWS" : "${local.tfsettings.accountnumber}" }
        # Condition = {
        #   "Bool" : {
        #     "aws:MultiFactorAuthPresent" : true
        #   }
        # }
      }
    ]
  })
}

Attach the AWS-AdministratorAccess-Policy to Opensearchdeploy-Role

# Note: this attaches the assume-role policy below to the role, not AdministratorAccess
resource "aws_iam_role_policy_attachment" "opensearchdeploy-group-policy-attachment" {
  role       = aws_iam_role.opensearchdeploy-role.name
  policy_arn = aws_iam_policy.assume-OpensearchDeploy-policy.arn
}

Policy to Assume OpensearchdeployRole

resource "aws_iam_policy" "assume-OpensearchDeploy-policy" {
  name        = "${local.tfsettings.prefix}AssumeOpensearchDeploy"
  description = "Allow assuming the OpensearchDeploy role"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect   = "Allow",
        Action   = "sts:AssumeRole",
        Resource = "arn:aws:iam::${local.tfsettings.accountnumber}:role/${local.tfsettings.prefix}OpensearchDeploy"
      }
    ]
  })
}

Assign the AssumeOpensearchDeploy to OpensearchDeploy Group

resource "aws_iam_group_policy_attachment" "opensearchdeploy-group-policy-attachment" {
  group      = aws_iam_group.opensearchdeploy-group.name
  policy_arn = aws_iam_policy.assume-OpensearchDeploy-policy.arn
}

# Note: in the configuration shown above this policy is declared but never attached
# to the role or the group; only assume-OpensearchDeploy-policy is attached.
resource "aws_iam_policy" "opensearchdeploy-policy" {
  name        = "${local.tfsettings.prefix}OpensearchDeploy"
  description = "Access granted for Opensearch Deployer"
  policy = jsonencode({
    Version : "2012-10-17",
    Statement : [
      {
        Sid : "AssumeRoleOnly",
        Effect : "Allow",
        Action : "sts:AssumeRole",
        Resource : "arn:aws:iam::${local.tfsettings.accountnumber}:role/OpensearchDeploy"
      },
      {
        Sid : "OpensearchSpinUp",
        Effect : "Allow",
        # The es:List* actions here are account-level and only take Resource "*";
        # scoped to a domain ARN they will be denied.
        Action : [
          "es:CreateElasticsearchDomain",
          "es:StartElasticsearchServiceSoftwareUpdate",
          "es:CancelElasticsearchServiceSoftwareUpdate",
          "es:DescribeElasticsearchDomain",
          "es:CreateDomain",
          "es:DescribeDomain",
          "es:DescribeDomainConfig",
          "es:UpdateDomainConfig",
          "es:ListDomainNames",
          "es:ListElasticsearchInstanceTypeDetails",
          "es:ListElasticsearchVersions",
          "es:ListTags"
        ],
        # Trailing "*" restored here (assumed; the forum formatting dropped it)
        Resource : "arn:aws:es:us-east-1:${local.tfsettings.accountnumber}:domain/*"
      },
      {
        Sid : "OpensearchSpinDown",
        Effect : "Allow",
        Action : [
          "es:DeleteElasticsearchDomain",
          "es:DeleteDomain",
          "es:StopElasticsearchServiceSoftwareUpdate"
        ],
        # Trailing "*" and closing quote restored here (assumed; lost to forum formatting)
        Resource : "arn:aws:es:us-east-1:${local.tfsettings.accountnumber}:domain/*"
      }
    ]
  })
}

Relevant Logs or Screenshots:
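As an added example that is not part of the original post or of any AWS tooling, a small offline check in Python over the deployer policy: it flags account-level es: actions (the List* calls, which take no resource type in the IAM Service Authorization Reference and so are only granted on "*") that are scoped to a domain ARN, and lists aws_iam_policy resources that no attachment references. The policy document, policy names and account id are constructed from the post with a placeholder account number.

```python
"""Offline least-privilege sanity checks for the OpenSearch deployer policy (added example)."""

# es: actions with no resource type in the IAM Service Authorization Reference;
# a statement grants them only when its Resource includes "*".
ACCOUNT_LEVEL_ACTIONS = {
    "es:ListDomainNames",
    "es:ListElasticsearchVersions",
    "es:ListVersions",
    "es:ListElasticsearchInstanceTypeDetails",
    "es:ListInstanceTypeDetails",
}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def find_misscoped_actions(policy):
    """Return (Sid, action) pairs for account-level actions not granted on "*"."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ACCOUNT_LEVEL_ACTIONS:
                findings.append((stmt.get("Sid", ""), action))
    return findings


def find_unattached_policies(declared_names, attached_names):
    """Policies declared in the Terraform config that no *_policy_attachment references."""
    return sorted(set(declared_names) - set(attached_names))


# Constructed sample: the post's OpensearchSpinUp statement with a placeholder account id.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpensearchSpinUp",
        "Effect": "Allow",
        "Action": ["es:CreateDomain", "es:DescribeDomain", "es:ListDomainNames",
                   "es:ListElasticsearchInstanceTypeDetails", "es:ListElasticsearchVersions"],
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/*",
    }],
}

# Constructed from the post: two aws_iam_policy resources, two attachments that both
# reference the assume-role policy, so the es: permissions policy is attached nowhere.
DECLARED_POLICIES = ["assume-OpensearchDeploy-policy", "opensearchdeploy-policy"]
ATTACHED_POLICIES = ["assume-OpensearchDeploy-policy", "assume-OpensearchDeploy-policy"]
```

Run the two functions over the generated policy JSON and the list of attachment resources before `terraform apply`; an empty result from both is the expected state for a working deployer role.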