Adding terraform script.

o19s · Dec 18, 2024 · 87a25b3 · 87a25b3
1 parent b538ad1
commit 87a25b3
Show file tree

Hide file tree

Showing 2 changed files with 179 additions and 7 deletions.
diff --git a/osi/template.yaml b/osi/template.yaml
@@ -4,6 +4,7 @@ Description: AWS CloudFormation Template for OpenSearch Service
 
 Parameters:
 
+
   OpenSearchUserName:
     Description: OpenSearch username
     Type: String
@@ -25,7 +26,7 @@ Resources:
   S3Bucket:
     Type: AWS::S3::Bucket
     Properties:
-      BucketName: mtnfog-ubi
+      BucketName: !Sub "${AWS::StackName}-ubi-queries-events"
 
   IngestionLogGroup: 
     Type: AWS::Logs::LogGroup
@@ -58,13 +59,13 @@ Resources:
         VolumeType: gp2
         VolumeSize: 10
       AccessPolicies:
-        Version: '2012-10-17'
+        Version: "2012-10-17"
         Statement:
           - Effect: Allow
             Principal:
-              AWS: '*'
-            Action: 'es:*'
-            Resource: '*'
+              AWS: "*"
+            Action: "es:*"
+            Resource: "*"
 
   OsisRole:
     Type: AWS::IAM::Role
@@ -94,10 +95,10 @@ Resources:
                           - Arn
                       - "*"
               - Effect: Allow
-                Action: 'es:ESHttp*'
+                Action: "es:ESHttp*"
                 Resource:
                   Fn::Join:
-                    - ':/'
+                    - ":/"
                     - - Fn::GetAtt:
                           - OpenSearchDomain
                           - Arn

diff --git a/osi/terraform/main.tf b/osi/terraform/main.tf
@@ -0,0 +1,171 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.36"
+    }
+  }
+
+  required_version = ">= 1.2.0"
+}
+
+provider "aws" {
+  region  = "us-east-1"
+  profile = "mtnfog"
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
+output "ingest_endpoint_url" {
+  value = tolist(aws_osis_pipeline.ubi_events_pipeline.ingest_endpoint_urls)[0]
+}
+
+resource "aws_iam_role" "ubi" {
+  name = "ubiosisrole"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "osis-pipelines.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+data "aws_iam_policy_document" "access_policy" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_iam_role.ubi.arn}"]
+    }
+
+    actions = ["es:*"]
+  }
+}
+
+resource "aws_opensearch_domain" "opensearch_ubi" {
+
+  domain_name    = "osi-ubi-domain"
+  engine_version = "OpenSearch_2.17"
+
+  cluster_config {
+    instance_type = "t3.small.search"
+  }
+
+  encrypt_at_rest {
+    enabled = true
+  }
+
+  domain_endpoint_options {
+    enforce_https       = true
+    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+  }
+
+  node_to_node_encryption {
+    enabled = true
+  }
+
+  ebs_options {
+    ebs_enabled = true
+    volume_size = 10
+  }
+
+  access_policies = data.aws_iam_policy_document.access_policy.json
+}
+
+resource "aws_iam_policy" "ubi" {
+  name        = "osis_role_policy"
+  description = "Policy for OSIS pipeline role"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action   = ["es:DescribeDomain"]
+        Effect   = "Allow"
+        Resource = "arn:aws:es:${data.aws_region.current.name}:${local.account_id}:domain/*"
+      },
+      {
+        Action   = ["es:ESHttp*"]
+        Effect   = "Allow"
+        Resource = "arn:aws:es:${data.aws_region.current.name}:${local.account_id}:domain/osi-ubi-domain/*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ubi" {
+  role       = aws_iam_role.ubi.name
+  policy_arn = aws_iam_policy.ubi.arn
+}
+
+resource "aws_cloudwatch_log_group" "ubi" {
+  name              = "/aws/vendedlogs/OpenSearchIngestion/ubi-pipeline"
+  retention_in_days = 365
+  tags = {
+    Name = "UBI OSIS Pipeline"
+  }
+}
+
+resource "aws_s3_bucket" "ubi_queries_events_bucket" {
+  bucket = "my-tf-test-bucket"
+
+  tags = {
+    Name = "ubi-queries-events-sink"
+  }
+}
+
+resource "aws_osis_pipeline" "ubi_events_pipeline" {
+  pipeline_name               = "ubi-pipeline"
+  pipeline_configuration_body = <<-EOT
+            version: "2"
+            ubi-pipeline:
+              source:
+                http:
+                  path: "/ubi_events"
+              processor:
+                - date:
+                    from_time_received: true
+                    destination: "@timestamp"
+              sink:
+                - opensearch:
+                    hosts: ["https://${aws_opensearch_domain.opensearch_ubi.endpoint}"]
+                    index: "ubi_events"
+                    aws:
+                      sts_role_arn: "${aws_iam_role.ubi.arn}"   
+                      region: "${data.aws_region.current.name}"
+                - s3:
+                    aws:
+                      sts_role_arn: "${aws_iam_role.ubi.arn}"
+                      region: "${data.aws_region.current.name}"
+                    bucket: aws_s3_bucket.ubi_queries_events_bucket.name
+                    object_key:
+                      path_prefix: ubi_events/
+                    threshold:
+                      event_collect_timeout: "10s"
+                    codec:
+                      ndjson:
+        EOT
+  max_units                   = 1
+  min_units                   = 1
+  log_publishing_options {
+    is_logging_enabled = true
+    cloudwatch_log_destination {
+      log_group = aws_cloudwatch_log_group.ubi.name
+    }
+  }
+  tags = {
+    Name = "AWS Blog OSIS Pipeline ubi"
+  }
+}