chore: Update Opensearch Serverless examples

fdmsantos · Mar 21, 2024 · a93a7ab · a93a7ab
1 parent 75cba04
commit a93a7ab
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 195 deletions.
diff --git a/examples/opensearch/direct-put-to-opensearchserverless-in-vpc/README.md b/examples/opensearch/direct-put-to-opensearchserverless-in-vpc/README.md
@@ -37,6 +37,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_firehose"></a> [firehose](#module\_firehose) | ../../../ | n/a |
+| <a name="module_opensearch_serverless"></a> [opensearch\_serverless](#module\_opensearch\_serverless) | fdmsantos/opensearch-serverless/aws | 1.0.0 |
 | <a name="module_security_groups"></a> [security\_groups](#module\_security\_groups) | ../../../ | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | n/a |
 
@@ -45,11 +46,6 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Type |
 |------|------|
 | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_opensearchserverless_access_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_access_policy) | resource |
-| [aws_opensearchserverless_collection.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_collection) | resource |
-| [aws_opensearchserverless_security_policy.networking](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
-| [aws_opensearchserverless_security_policy.security_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
-| [aws_opensearchserverless_vpc_endpoint.vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_vpc_endpoint) | resource |
 | [aws_s3_bucket.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 

diff --git a/examples/opensearch/direct-put-to-opensearchserverless-in-vpc/main.tf b/examples/opensearch/direct-put-to-opensearchserverless-in-vpc/main.tf
@@ -32,107 +32,27 @@ module "security_groups" {
   vpc_security_group_destination_vpc_id  = module.vpc.vpc_id
 }
 
-resource "aws_opensearchserverless_vpc_endpoint" "vpc_endpoint" {
-  name               = "example-vpc-endpoint"
-  vpc_id             = module.vpc.vpc_id
-  subnet_ids         = [module.vpc.private_subnets[0]]
-  security_group_ids = [module.security_groups.destination_security_group_id]
-}
-
-resource "aws_opensearchserverless_security_policy" "security_policy" {
-  name = "os-security-policy"
-  type = "encryption"
-  policy = jsonencode({
-    "Rules" = [
-      {
-        "Resource" = [
-          "collection/${local.collection_name}"
-        ],
-        "ResourceType" = "collection"
-      }
-    ],
-    "AWSOwnedKey" = true
-  })
-}
-
-resource "aws_opensearchserverless_security_policy" "networking" {
-  name        = "networking-policy"
-  type        = "network"
-  description = "Public access"
-  policy = jsonencode([
+module "opensearch_serverless" {
+  source                  = "fdmsantos/opensearch-serverless/aws"
+  version                 = "1.0.0"
+  name                    = local.collection_name
+  network_policy_type     = "PrivateCollectionPublicDashboard"
+  vpce_vpc_id             = module.vpc.vpc_id
+  vpce_subnet_ids         = [module.vpc.private_subnets[0]]
+  vpce_security_group_ids = [module.security_groups.destination_security_group_id]
+  access_policy_rules = [
     {
-      Description = "VPC access for collection endpoint",
-      Rules = [
-        {
-          ResourceType = "collection",
-          Resource = [
-            "collection/${local.collection_name}"
-          ]
-        }
-      ],
-      AllowFromPublic = false,
-      SourceVPCEs = [
-        aws_opensearchserverless_vpc_endpoint.vpc_endpoint.id
-      ]
+      type        = "collection"
+      permissions = ["All"]
+      principals  = [module.firehose.kinesis_firehose_role_arn]
     },
     {
-      Description = "Public access for dashboards",
-      Rules = [
-        {
-          ResourceType = "dashboard"
-          Resource = [
-            "collection/${local.collection_name}"
-          ]
-        }
-      ],
-      AllowFromPublic = true
+      type        = "index"
+      permissions = ["All"]
+      indexes     = ["*"]
+      principals  = [module.firehose.kinesis_firehose_role_arn]
     }
-  ])
-}
-
-resource "aws_opensearchserverless_access_policy" "policy" {
-  name        = "data-access-policy"
-  type        = "data"
-  description = "read and write permissions"
-  policy = jsonencode([{
-    Rules = [
-      {
-        ResourceType = "collection",
-        Resource = [
-          "collection/${local.collection_name}"
-        ],
-        Permission = [
-          "aoss:CreateCollectionItems",
-          "aoss:DeleteCollectionItems",
-          "aoss:UpdateCollectionItems",
-          "aoss:DescribeCollectionItems"
-        ]
-      },
-      {
-        ResourceType = "index",
-        Resource = [
-          "index/${local.collection_name}/${local.index_name}"
-        ],
-        Permission = [
-          "aoss:CreateIndex",
-          "aoss:DeleteIndex",
-          "aoss:UpdateIndex",
-          "aoss:DescribeIndex",
-          "aoss:ReadDocument",
-          "aoss:WriteDocument"
-        ]
-      }
-    ],
-    Principal = [
-      module.firehose.kinesis_firehose_role_arn
-    ],
-    Description = "Data Access Policy"
-  }])
-}
-
-resource "aws_opensearchserverless_collection" "os" {
-  name       = local.collection_name
-  depends_on = [aws_opensearchserverless_security_policy.security_policy, aws_opensearchserverless_security_policy.networking]
+  ]
 }
 
 resource "aws_kms_key" "this" {
@@ -145,8 +65,8 @@ module "firehose" {
   name                                      = "${var.name_prefix}-delivery-stream"
   destination                               = "opensearchserverless"
   buffering_interval                        = 60
-  opensearchserverless_collection_endpoint  = aws_opensearchserverless_collection.os.collection_endpoint
-  opensearchserverless_collection_arn       = aws_opensearchserverless_collection.os.arn
+  opensearchserverless_collection_endpoint  = module.opensearch_serverless.collection_endpoint
+  opensearchserverless_collection_arn       = module.opensearch_serverless.collection_arn
   opensearch_vpc_create_service_linked_role = true
   opensearch_index_name                     = local.index_name
   enable_vpc                                = true

diff --git a/examples/opensearch/direct-put-to-opensearchserverless-in-vpc/outputs.tf b/examples/opensearch/direct-put-to-opensearchserverless-in-vpc/outputs.tf
@@ -1,4 +1,4 @@
 output "os_domain" {
   description = "Opensearch Serverless Collection Endpoint"
-  value       = aws_opensearchserverless_collection.os.collection_endpoint
+  value       = module.opensearch_serverless.collection_endpoint
 }
diff --git a/examples/opensearch/direct-put-to-opensearchserverless/README.md b/examples/opensearch/direct-put-to-opensearchserverless/README.md
@@ -37,16 +37,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_firehose"></a> [firehose](#module\_firehose) | ../../../ | n/a |
+| <a name="module_opensearch_serverless"></a> [opensearch\_serverless](#module\_opensearch\_serverless) | fdmsantos/opensearch-serverless/aws | 1.0.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_opensearchserverless_access_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_access_policy) | resource |
-| [aws_opensearchserverless_collection.os](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_collection) | resource |
-| [aws_opensearchserverless_security_policy.networking](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
-| [aws_opensearchserverless_security_policy.security_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearchserverless_security_policy) | resource |
 | [aws_s3_bucket.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 

diff --git a/examples/opensearch/direct-put-to-opensearchserverless/main.tf b/examples/opensearch/direct-put-to-opensearchserverless/main.tf
@@ -12,91 +12,23 @@ resource "aws_s3_bucket" "s3" {
   force_destroy = true
 }
 
-resource "aws_opensearchserverless_security_policy" "security_policy" {
-  name = "os-security-policy"
-  type = "encryption"
-  policy = jsonencode({
-    "Rules" = [
-      {
-        "Resource" = [
-          "collection/${local.collection_name}"
-        ],
-        "ResourceType" = "collection"
-      }
-    ],
-    "AWSOwnedKey" = true
-  })
-}
-
-resource "aws_opensearchserverless_security_policy" "networking" {
-  name        = "networking-policy"
-  type        = "network"
-  description = "Public access"
-  policy = jsonencode([
+module "opensearch_serverless" {
+  source  = "fdmsantos/opensearch-serverless/aws"
+  version = "1.0.0"
+  name    = local.collection_name
+  access_policy_rules = [
     {
-      Description = "Public access to collection and Dashboards endpoint for example collection",
-      Rules = [
-        {
-          ResourceType = "collection",
-          Resource = [
-            "collection/${local.collection_name}"
-          ]
-        },
-        {
-          ResourceType = "dashboard"
-          Resource = [
-            "collection/${local.collection_name}"
-          ]
-        }
-      ],
-      AllowFromPublic = true
+      type        = "collection"
+      permissions = ["All"]
+      principals  = [module.firehose.kinesis_firehose_role_arn]
+    },
+    {
+      type        = "index"
+      permissions = ["All"]
+      indexes     = ["*"]
+      principals  = [module.firehose.kinesis_firehose_role_arn]
     }
-  ])
-}
-
-resource "aws_opensearchserverless_access_policy" "policy" {
-  name        = "data-access-policy"
-  type        = "data"
-  description = "read and write permissions"
-  policy = jsonencode([{
-    Rules = [
-      {
-        ResourceType = "collection",
-        Resource = [
-          "collection/${local.collection_name}"
-        ],
-        Permission = [
-          "aoss:CreateCollectionItems",
-          "aoss:DeleteCollectionItems",
-          "aoss:UpdateCollectionItems",
-          "aoss:DescribeCollectionItems"
-        ]
-      },
-      {
-        ResourceType = "index",
-        Resource = [
-          "index/${local.collection_name}/${local.index_name}"
-        ],
-        Permission = [
-          "aoss:CreateIndex",
-          "aoss:DeleteIndex",
-          "aoss:UpdateIndex",
-          "aoss:DescribeIndex",
-          "aoss:ReadDocument",
-          "aoss:WriteDocument"
-        ]
-      }
-    ],
-    Principal = [
-      module.firehose.kinesis_firehose_role_arn
-    ],
-    Description = "Data Access Policy"
-  }])
-}
-
-resource "aws_opensearchserverless_collection" "os" {
-  name       = local.collection_name
-  depends_on = [aws_opensearchserverless_security_policy.security_policy, aws_opensearchserverless_security_policy.networking]
+  ]
 }
 
 resource "aws_kms_key" "this" {
@@ -109,8 +41,8 @@ module "firehose" {
   name                                      = "${var.name_prefix}-delivery-stream"
   destination                               = "opensearchserverless"
   buffering_interval                        = 60
-  opensearchserverless_collection_endpoint  = aws_opensearchserverless_collection.os.collection_endpoint
-  opensearchserverless_collection_arn       = aws_opensearchserverless_collection.os.arn
+  opensearchserverless_collection_endpoint  = module.opensearch_serverless.collection_endpoint
+  opensearchserverless_collection_arn       = module.opensearch_serverless.collection_arn
   opensearch_vpc_create_service_linked_role = true
   opensearch_index_name                     = local.index_name
   s3_backup_mode                            = "All"

diff --git a/examples/opensearch/direct-put-to-opensearchserverless/outputs.tf b/examples/opensearch/direct-put-to-opensearchserverless/outputs.tf
@@ -1,4 +1,4 @@
 output "os_domain" {
   description = "Opensearch Serverless Collection Endpoint"
-  value       = aws_opensearchserverless_collection.os.collection_endpoint
+  value       = module.opensearch_serverless.collection_endpoint
 }