feat: dashboard tenant and opensearch role submodules (#36)

abhinavkumarsph · web-flow · commit 84bd20657303 · 2024-04-04T11:28:50.000+08:00
diff --git a/examples/role/main.tf b/examples/role/main.tf
@@ -0,0 +1,26 @@
+module "role" {
+  source = "../../modules/role"
+
+  name        = "reader"
+  description = "Opensearch reader role"
+
+  cluster_permissions = ["*"]
+
+  index_permissions = {
+    "test-index-*" = {
+      allowed_actions = ["read"]
+    }
+  }
+
+  tenant_permissions = {
+    "test-index-*" = ["read"]
+  }
+
+  backend_roles = [
+    "arn:aws:iam::999999999999:role/TestReaderRole",
+  ]
+
+  users = [
+    "arn:aws:iam::999999999999:user/TestUser",
+  ]
+}
diff --git a/examples/role/providers.tf b/examples/role/providers.tf
@@ -0,0 +1,2 @@
+provider "opensearch" {
+}
diff --git a/examples/role/versions.tf b/examples/role/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4"
+
+  required_providers {
+    opensearch = {
+      source  = "opensearch-project/opensearch"
+      version = "~> 2.2.0"
+    }
+  }
+}
diff --git a/modules/dashboard/tenant/README.md b/modules/dashboard/tenant/README.md
@@ -0,0 +1,33 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4  |
+| <a name="requirement_opensearch"></a> [opensearch](#requirement\_opensearch) | >= 2.0  |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_opensearch"></a> [opensearch](#provider\_opensearch) | >= 2.0  |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [opensearch_dashboard_tenant.this](https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/dashboard_tenant) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_description"></a> [description](#input\_description) | The dashboard tenant description | `string` | `""` | no |
+| <a name="input_name"></a> [name](#input\_name) | The dashboard tenant name | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/modules/dashboard/tenant/main.tf b/modules/dashboard/tenant/main.tf
@@ -0,0 +1,4 @@
+resource "opensearch_dashboard_tenant" "this" {
+  tenant_name = var.name
+  description = var.description
+}
diff --git a/modules/dashboard/tenant/outputs.tf b/modules/dashboard/tenant/outputs.tf
@@ -0,0 +1,4 @@
+output "id" {
+  description = "The ID of the dashboard tenant"
+  value       = opensearch_dashboard_tenant.this.id
+}
diff --git a/modules/dashboard/tenant/variables.tf b/modules/dashboard/tenant/variables.tf
@@ -0,0 +1,10 @@
+variable "name" {
+  description = "Dashboard tenant name"
+  type        = string
+}
+
+variable "description" {
+  description = "Dashboard tenant description"
+  type        = string
+  default     = ""
+}
diff --git a/modules/dashboard/tenant/versions.tf b/modules/dashboard/tenant/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4"
+
+  required_providers {
+    opensearch = {
+      source  = "opensearch-project/opensearch"
+      version = ">= 2.0"
+    }
+  }
+}
diff --git a/modules/role/README.md b/modules/role/README.md
@@ -0,0 +1,41 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4 |
+| <a name="requirement_opensearch"></a> [opensearch](#requirement\_opensearch) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_opensearch"></a> [opensearch](#provider\_opensearch) | >= 2.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [opensearch_role.this](https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/role) | resource |
+| [opensearch_roles_mapping.this](https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/roles_mapping) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_backend_roles"></a> [backend\_roles](#input\_backend\_roles) | (Optional) Set of backend roles to map to the Opensearch role | `set(string)` | `[]` | no |
+| <a name="input_cluster_permissions"></a> [cluster\_permissions](#input\_cluster\_permissions) | Set of cluster permissions to apply to the role | `set(string)` | n/a | yes |
+| <a name="input_description"></a> [description](#input\_description) | Opensearch role description | `string` | `""` | no |
+| <a name="input_index_permissions"></a> [index\_permissions](#input\_index\_permissions) | Map of index pattern to permissions to apply to the pattern | <pre>map(object(<br>    {<br>      allowed_actions         = set(string)<br>      masked_fields           = optional(set(string))<br>      document_level_security = optional(string)<br>      field_level_security    = optional(set(string))<br>    }<br>  ))</pre> | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | Opensearch role name | `string` | n/a | yes |
+| <a name="input_tenant_permissions"></a> [tenant\_permissions](#input\_tenant\_permissions) | Map of tenant pattern to set of permissions to apply to the pattern | `map(set(string))` | n/a | yes |
+| <a name="input_users"></a> [users](#input\_users) | (Optional) Set of users to map to the Opensearch role | `set(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_id"></a> [id](#output\_id) | The ID of the role |
diff --git a/modules/role/main.tf b/modules/role/main.tf
@@ -0,0 +1,36 @@
+resource "opensearch_role" "this" {
+  role_name   = var.name
+  description = var.description
+
+  cluster_permissions = var.cluster_permissions
+
+  dynamic "index_permissions" {
+    for_each = var.index_permissions
+
+    content {
+      index_patterns          = index_permissions.key
+      allowed_actions         = index_permissions.value.allowed_actions
+      document_level_security = index_permissions.value.document_level_security
+      field_level_security    = index_permissions.value.field_level_security
+      masked_fields           = index_permissions.value.masked_fields
+    }
+  }
+
+  dynamic "tenant_permissions" {
+    for_each = var.tenant_permissions
+    content {
+      tenant_patterns = tenant_permissions.key
+      allowed_actions = tenant_permissions.value
+    }
+  }
+}
+
+resource "opensearch_roles_mapping" "this" {
+  count = length(setunion(var.backend_roles, var.users)) > 0 ? 1 : 0
+
+  role_name   = opensearch_role.this.role_name
+  description = "Role mapping for ${var.name}"
+
+  backend_roles = var.backend_roles
+  users         = var.users
+}
diff --git a/modules/role/outputs.tf b/modules/role/outputs.tf
@@ -0,0 +1,4 @@
+output "id" {
+  description = "The ID of the role"
+  value       = opensearch_role.this.id
+}
diff --git a/modules/role/variables.tf b/modules/role/variables.tf
@@ -0,0 +1,44 @@
+variable "name" {
+  description = "Opensearch role name"
+  type        = string
+}
+
+variable "description" {
+  description = "Opensearch role description"
+  type        = string
+  default     = ""
+}
+
+variable "cluster_permissions" {
+  description = "Set of cluster permissions to apply to the role"
+  type        = set(string)
+}
+
+variable "index_permissions" {
+  description = "Map of index pattern to permissions to apply to the pattern"
+  type = map(object(
+    {
+      allowed_actions         = set(string)
+      masked_fields           = optional(set(string))
+      document_level_security = optional(string)
+      field_level_security    = optional(set(string))
+    }
+  ))
+}
+
+variable "tenant_permissions" {
+  description = "Map of tenant pattern to set of permissions to apply to the pattern"
+  type        = map(set(string))
+}
+
+variable "backend_roles" {
+  description = "(Optional) Set of backend roles to map to the Opensearch role"
+  type        = set(string)
+  default     = []
+}
+
+variable "users" {
+  description = "(Optional) Set of users to map to the Opensearch role"
+  type        = set(string)
+  default     = []
+}
diff --git a/modules/role/versions.tf b/modules/role/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4"
+
+  required_providers {
+    opensearch = {
+      source  = "opensearch-project/opensearch"
+      version = ">= 2.0"
+    }
+  }
+}
