Add IAM role for access to ES (#16)

cloudposse · May 14, 2019 · 529d5c7 · 529d5c7
1 parent ea7ea71
commit 529d5c7
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 2 deletions.
diff --git a/main.tf b/main.tf
@@ -9,6 +9,17 @@ module "label" {
   tags       = "${var.tags}"
 }
 
+module "user_label" {
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.5.3"
+  enabled    = "${var.enabled}"
+  namespace  = "${var.namespace}"
+  name       = "${var.name}"
+  stage      = "${var.stage}"
+  delimiter  = "${var.delimiter}"
+  attributes = "${concat(var.attributes, list("user"))}"
+  tags       = "${var.tags}"
+}
+
 resource "aws_security_group" "default" {
   count       = "${var.enabled == "true" ? 1 : 0}"
   vpc_id      = "${var.vpc_id}"
@@ -57,6 +68,37 @@ resource "aws_iam_service_linked_role" "default" {
   description      = "AWSServiceRoleForAmazonElasticsearchService Service-Linked Role"
 }
 
+# Role that pods can assume for access to elasticsearch and kibana
+resource "aws_iam_role" "elasticsearch_user" {
+  count              = "${var.enabled == "true" ? 1 : 0}"
+  name               = "${module.user_label.id}"
+  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
+  description        = "IAM Role to assume to access the Elasticsearch ${module.label.id} cluster"
+  tags               = "${module.user_label.tags}"
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  count = "${var.enabled == "true" ? 1 : 0}"
+
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${compact(concat(var.iam_authorizing_role_arns, var.iam_role_arns))}"]
+    }
+
+    effect = "Allow"
+  }
+}
+
 resource "aws_elasticsearch_domain" "default" {
   count                 = "${var.enabled == "true" ? 1 : 0}"
   domain_name           = "${module.label.id}"
@@ -134,7 +176,7 @@ data "aws_iam_policy_document" "default" {
 
     principals {
       type        = "AWS"
-      identifiers = ["${distinct(compact(var.iam_role_arns))}"]
+      identifiers = ["${distinct(compact(concat(var.iam_role_arns, aws_iam_role.elasticsearch_user.*.arn)))}"]
     }
   }
 }

diff --git a/output.tf b/output.tf
@@ -32,3 +32,13 @@ output "kibana_hostname" {
   value       = "${module.kibana_hostname.hostname}"
   description = "Kibana hostname"
 }
+
+output "elasticsearch_user_iam_role_name" {
+  value       = "${join(",", aws_iam_role.elasticsearch_user.*.name)}"
+  description = "The name of the IAM role to allow access to Elasticsearch cluster"
+}
+
+output "elasticsearch_user_iam_role_arn" {
+  value       = "${join(",",aws_iam_role.elasticsearch_user.*.arn)}"
+  description = "The ARN of the IAM role to allow access to Elasticsearch cluster"
+}
diff --git a/variables.tf b/variables.tf
@@ -67,7 +67,7 @@ variable "dns_zone_id" {
 
 variable "elasticsearch_version" {
   type        = "string"
-  default     = "6.2"
+  default     = "6.5"
   description = "Version of Elasticsearch to deploy"
 }
 
@@ -88,6 +88,12 @@ variable "iam_role_arns" {
   description = "List of IAM role ARNs to permit access to the Elasticsearch domain"
 }
 
+variable "iam_authorizing_role_arns" {
+  type        = "list"
+  default     = []
+  description = "List of IAM role ARNs to permit to assume the Elasticsearch user role"
+}
+
 variable "iam_actions" {
   type        = "list"
   default     = []