hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.88k stars 9.22k forks source link

elasticsearch auth using cognito #5606

Open iwasnobody opened 6 years ago

iwasnobody commented 6 years ago

Community Note

Terraform Version

Terraform v0.11.7

Affected Resource(s)

Terraform Configuration Files

resource "aws_elasticsearch_domain" "es" {
  provider = "aws.${var.project}"
  domain_name           = "${var.project}-${var.env}-ecs-${var.env}"
  elasticsearch_version = "6.2"
  cluster_config {
    instance_type = "i3.large.elasticsearch"
    instance_count = 4
    dedicated_master_enabled = true
    dedicated_master_type = "c4.large.elasticsearch"
    dedicated_master_count = 3
    zone_awareness_enabled = true
  }
  encrypt_at_rest {
    enabled = true
  }
  cognito_options {
    enabled = false
    user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
    identity_pool_id = "${aws_cognito_identity_pool.kibana_identity.id}"
    role_arn = "${aws_iam_role.es_cognitoaccess_role.arn}"
  }
  access_policies = <<CONFIG
  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "es:*",
            "Principal": "*",
            "Effect": "Allow",
            "Resource": "arn:aws:es:${var.aws_region}:${var.project_account}:domain/${var.project}-${var.env}-ecs-${var.env}-fake/*"
        }
    ]
  }
CONFIG

  snapshot_options {
    automated_snapshot_start_hour = 23
  }
  depends_on = ["aws_cognito_identity_pool.kibana_identity","aws_iam_role_policy_attachment.es_cognitoaccess_policy1"]
}

resource "aws_cognito_user_pool" "kibana_pool" {
  provider = "aws.${var.project}"
  name = "${var.project}_${var.env}_kibana_pool"
}
resource "aws_cognito_user_pool_domain" "kibana_domain" {
  provider = "aws.${var.project}"
  domain = "kibana-elasticsearch-${var.project_account}"
  user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
}
resource "aws_cognito_user_group" "app_logs" {
  provider = "aws.${var.project}"
  name         = "es_app_logs"
  user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
  description  = "Allow access to ecs es logs"
  precedence   = 100
  role_arn     = "${aws_iam_role.idpoolAuth_app_role.arn}"
}
resource "aws_cognito_user_group" "devops_logs" {
  provider = "aws.${var.project}"
  name         = "es_devops_logs"
  user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
  description  = "Allow access to all es logs"
  precedence   = 10
  role_arn     = "${aws_iam_role.idpoolAuth_devops_role.arn}"
}
resource "aws_cognito_identity_pool" "kibana_identity" {
  provider = "aws.${var.project}"
  identity_pool_name               = "${var.project}_${var.env}_kibana_identity"
  allow_unauthenticated_identities = true
}
resource "aws_cognito_identity_pool_roles_attachment" "kibana_identity" {
  provider = "aws.${var.project}"
  identity_pool_id = "${aws_cognito_identity_pool.kibana_identity.id}"

  roles {
    "authenticated" = "${aws_iam_role.idpoolauth_role.arn}",
    "unauthenticated" = "${aws_iam_role.idpoolunauth_role.arn}"
  }
}
resource "aws_iam_role" "idpoolauth_role" {
  provider = "aws.${var.project}"
  name = "Cognito_kibana_idpoolAuth_Role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.kibana_identity.id}"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "idpoolauth_role_policy1" {
  provider = "aws.${var.project}"
  name = "idpoolauth_role_policy1"
  role = "${aws_iam_role.idpoolauth_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}
resource "aws_iam_role" "idpoolunauth_role" {
  provider = "aws.${var.project}"
  name = "Cognito_kibana_idpoolUnauth_Role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.kibana_identity.id}"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "idpoolunauth_role_policy1" {
  provider = "aws.${var.project}"
  name = "idpoolunauth_role_policy1"
  role = "${aws_iam_role.idpoolunauth_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

automatic created user pool id and app id in cognito identity pool.

Actual Behavior

https://aws.amazon.com/cn/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/ "At the top of the page, choose Federated Identities to view your identity pools. Choose your identity pool (kibana_identities) to edit. In the upper-right corner of the page, choose Edit identity pool. Scroll down and choose the down arrow to reveal the Authentication providers settings. Under Authenticated role selection, open the drop-down list and select Choose role from token."

According to the above aws blog, enable cognito auth in elasticsearch console. There will be automatic created user pool id and app id in identity pool. But it is empty in my case.

  1. terraform apply

Important Factoids

References

abdellaui commented 4 years ago

you have to enable cognito_options, try this:

  cognito_options {
    enabled = true
    user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
    identity_pool_id = "${aws_cognito_identity_pool.kibana_identity.id}"
    role_arn = "${aws_iam_role.es_cognitoaccess_role.arn}"
  }