Merge pull request #32571 from joshjluo/d-aws_opensearchserverless_ac…

…cess_policy-resource

docs: Add examples and AWS documentation to aws_opensearchserverless_access…

website/docs/r/opensearchserverless_access_policy.html.markdown

@@ -8,38 +8,121 @@ description: |-
 
 # Resource: aws_opensearchserverless_access_policy
 
-Terraform resource for managing an AWS OpenSearch Serverless Access Policy.
+Terraform resource for managing an AWS OpenSearch Serverless Access Policy. See AWS documentation for [data access policies](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) and [supported data access policy permissions](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html#serverless-data-supported-permissions).
 
 ## Example Usage
 
-### Basic Usage
+### Grant all collection and index permissions
 
 ```terraform
 data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
 
-resource "aws_opensearchserverless_access_policy" "test" {
+resource "aws_opensearchserverless_access_policy" "example" {
+  name        = "example"
+  type        = "data"
+  description = "read and write permissions"
+  policy = jsonencode([
+    {
+      Rules = [
+        {
+          ResourceType = "index",
+          Resource = [
+            "index/example-collection/*"
+          ],
+          Permission = [
+            "aoss:*"
+          ]
+        },
+        {
+          ResourceType = "collection",
+          Resource = [
+            "collection/example-collection"
+          ],
+          Permission = [
+            "aoss:*"
+          ]
+        }
+      ],
+      Principal = [
+        data.aws_caller_identity.current.arn
+      ]
+    }
+  ])
+}
+```
+
+### Grant read-only collection and index permissions
+
+```
+data "aws_caller_identity" "current" {}
+
+resource "aws_opensearchserverless_access_policy" "example" {
+  name        = "example"
+  type        = "data"
+  description = "read-only permissions"
+  policy = jsonencode([
+    {
+      Rules = [
+        {
+          ResourceType = "index",
+          Resource = [
+            "index/example-collection/*"
+          ],
+          Permission = [
+            "aoss:DescribeIndex",
+            "aoss:ReadDocument",
+          ]
+        },
+        {
+          ResourceType = "collection",
+          Resource = [
+            "collection/example-collection"
+          ],
+          Permission = [
+            "aoss:DescribeCollectionItems"
+          ]
+        }
+      ],
+      Principal = [
+        data.aws_caller_identity.current.arn
+      ]
+    }
+  ])
+}
+```
+
+### Grant SAML identity permissions
+
+```
+resource "aws_opensearchserverless_access_policy" "example" {
   name = "example"
   type = "data"
+  description = "saml permissions"
   policy = jsonencode([
     {
-      "Rules" : [
+      Rules = [
         {
-          "ResourceType" : "index",
-          "Resource" : [
-            "index/books/*"
+          ResourceType = "index",
+          Resource = [
+            "index/example-collection/*"
           ],
-          "Permission" : [
-            "aoss:CreateIndex",
-            "aoss:ReadDocument",
-            "aoss:UpdateIndex",
-            "aoss:DeleteIndex",
-            "aoss:WriteDocument"
+          Permission = [
+            "aoss:*"
+          ]
+        },
+        {
+          ResourceType = "collection",
+          Resource = [
+            "collection/example-collection"
+          ],
+          Permission = [
+            "aoss:*"
           ]
         }
       ],
-      "Principal" : [
-        "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/admin"
+      Principal = [
+        "saml/123456789012/myprovider/user/Annie",
+        "saml/123456789012/anotherprovider/group/Accounting"
       ]
     }
   ])