elasticsearch auth using cognito

[iwasnobody]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

• provider.aws v1.31.0
• provider.template v1.0.0

Affected Resource(s)

• aws_elasticsearch_domain,aws_cognito_identity_pool

Terraform Configuration Files

resource "aws_elasticsearch_domain" "es" {
  provider = "aws.${var.project}"
  domain_name           = "${var.project}-${var.env}-ecs-${var.env}"
  elasticsearch_version = "6.2"
  cluster_config {
    instance_type = "i3.large.elasticsearch"
    instance_count = 4
    dedicated_master_enabled = true
    dedicated_master_type = "c4.large.elasticsearch"
    dedicated_master_count = 3
    zone_awareness_enabled = true
  }
  encrypt_at_rest {
    enabled = true
  }
  cognito_options {
    enabled = false
    user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
    identity_pool_id = "${aws_cognito_identity_pool.kibana_identity.id}"
    role_arn = "${aws_iam_role.es_cognitoaccess_role.arn}"
  }
  access_policies = <<CONFIG
  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "es:*",
            "Principal": "*",
            "Effect": "Allow",
            "Resource": "arn:aws:es:${var.aws_region}:${var.project_account}:domain/${var.project}-${var.env}-ecs-${var.env}-fake/*"
        }
    ]
  }
CONFIG

  snapshot_options {
    automated_snapshot_start_hour = 23
  }
  depends_on = ["aws_cognito_identity_pool.kibana_identity","aws_iam_role_policy_attachment.es_cognitoaccess_policy1"]
}

resource "aws_cognito_user_pool" "kibana_pool" {
  provider = "aws.${var.project}"
  name = "${var.project}_${var.env}_kibana_pool"
}
resource "aws_cognito_user_pool_domain" "kibana_domain" {
  provider = "aws.${var.project}"
  domain = "kibana-elasticsearch-${var.project_account}"
  user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
}
resource "aws_cognito_user_group" "app_logs" {
  provider = "aws.${var.project}"
  name         = "es_app_logs"
  user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
  description  = "Allow access to ecs es logs"
  precedence   = 100
  role_arn     = "${aws_iam_role.idpoolAuth_app_role.arn}"
}
resource "aws_cognito_user_group" "devops_logs" {
  provider = "aws.${var.project}"
  name         = "es_devops_logs"
  user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
  description  = "Allow access to all es logs"
  precedence   = 10
  role_arn     = "${aws_iam_role.idpoolAuth_devops_role.arn}"
}
resource "aws_cognito_identity_pool" "kibana_identity" {
  provider = "aws.${var.project}"
  identity_pool_name               = "${var.project}_${var.env}_kibana_identity"
  allow_unauthenticated_identities = true
}
resource "aws_cognito_identity_pool_roles_attachment" "kibana_identity" {
  provider = "aws.${var.project}"
  identity_pool_id = "${aws_cognito_identity_pool.kibana_identity.id}"

  roles {
    "authenticated" = "${aws_iam_role.idpoolauth_role.arn}",
    "unauthenticated" = "${aws_iam_role.idpoolunauth_role.arn}"
  }
}
resource "aws_iam_role" "idpoolauth_role" {
  provider = "aws.${var.project}"
  name = "Cognito_kibana_idpoolAuth_Role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.kibana_identity.id}"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "idpoolauth_role_policy1" {
  provider = "aws.${var.project}"
  name = "idpoolauth_role_policy1"
  role = "${aws_iam_role.idpoolauth_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}
resource "aws_iam_role" "idpoolunauth_role" {
  provider = "aws.${var.project}"
  name = "Cognito_kibana_idpoolUnauth_Role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.kibana_identity.id}"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "idpoolunauth_role_policy1" {
  provider = "aws.${var.project}"
  name = "idpoolunauth_role_policy1"
  role = "${aws_iam_role.idpoolunauth_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

automatic created user pool id and app id in cognito identity pool.

Actual Behavior

https://aws.amazon.com/cn/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/ "At the top of the page, choose Federated Identities to view your identity pools. Choose your identity pool (kibana_identities) to edit. In the upper-right corner of the page, choose Edit identity pool. Scroll down and choose the down arrow to reveal the Authentication providers settings. Under Authenticated role selection, open the drop-down list and select Choose role from token."

According to the above aws blog, enable cognito auth in elasticsearch console. There will be automatic created user pool id and app id in identity pool. But it is empty in my case.

1. terraform apply

Important Factoids

References

• 0000

[abdellaui]

you have to enable cognito_options, try this:

  cognito_options {
    enabled = true
    user_pool_id = "${aws_cognito_user_pool.kibana_pool.id}"
    identity_pool_id = "${aws_cognito_identity_pool.kibana_identity.id}"
    role_arn = "${aws_iam_role.es_cognitoaccess_role.arn}"
  }