From cf999e1f69a745b8aff9ed08361471ffd55cfe81 Mon Sep 17 00:00:00 2001
From: Joshua Luo
Date: Tue, 18 Jul 2023 12:30:02 -0500
Subject: [PATCH] Add examples and AWS documentation to aws_opensearchserverless_access_policy resource
---
...archserverless_access_policy.html.markdown | 115 +++++++++++++++---
1 file changed, 99 insertions(+), 16 deletions(-)
diff --git a/website/docs/r/opensearchserverless_access_policy.html.markdown b/website/docs/r/opensearchserverless_access_policy.html.markdown
index 0a0fe675c9ed..1c3259636535 100644
--- a/website/docs/r/opensearchserverless_access_policy.html.markdown
+++ b/website/docs/r/opensearchserverless_access_policy.html.markdown
@@ -8,38 +8,121 @@ description: |-
 
 # Resource: aws_opensearchserverless_access_policy
 
-Terraform resource for managing an AWS OpenSearch Serverless Access Policy.
+Terraform resource for managing an AWS OpenSearch Serverless Access Policy. See AWS documentation for [data access policies](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) and [supported data access policy permissions](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html#serverless-data-supported-permissions).
 
 ## Example Usage
 
-### Basic Usage
+### Grant all collection and index permissions
 
 ```terraform
 data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
 
-resource "aws_opensearchserverless_access_policy" "test" {
+resource "aws_opensearchserverless_access_policy" "example" {
+ name = "example"
+ type = "data"
+ description = "read and write permissions"
+ policy = jsonencode([
+ {
+ Rules = [
+ {
+ ResourceType = "index",
+ Resource = [
+ "index/example-collection/*"
+ ],
+ Permission = [
+ "aoss:*"
+ ]
+ },
+ {
+ ResourceType = "collection",
+ Resource = [
+ "collection/example-collection"
+ ],
+ Permission = [
+ "aoss:*"
+ ]
+ }
+ ],
+ Principal = [
+ data.aws_caller_identity.current.arn
+ ]
+ }
+ ])
+}
+```
+
+### Grant read-only collection and index permissions
+
+```
+data "aws_caller_identity" "current" {}
+
+resource "aws_opensearchserverless_access_policy" "example" {
+ name = "example"
+ type = "data"
+ description = "read-only permissions"
+ policy = jsonencode([
+ {
+ Rules = [
+ {
+ ResourceType = "index",
+ Resource = [
+ "index/example-collection/*"
+ ],
+ Permission = [
+ "aoss:DescribeIndex",
+ "aoss:ReadDocument",
+ ]
+ },
+ {
+ ResourceType = "collection",
+ Resource = [
+ "collection/example-collection"
+ ],
+ Permission = [
+ "aoss:DescribeCollectionItems"
+ ]
+ }
+ ],
+ Principal = [
+ data.aws_caller_identity.current.arn
+ ]
+ }
+ ])
+}
+```
+
+### Grant SAML identity permissions
+
+```
+resource "aws_opensearchserverless_access_policy" "example" {
 name = "example"
 type = "data"
+ description = "saml permissions"
 policy = jsonencode([
 {
- "Rules" : [
+ Rules = [
 {
- "ResourceType" : "index",
- "Resource" : [
- "index/books/*"
+ ResourceType = "index",
+ Resource = [
+ "index/example-collection/*"
 ],
- "Permission" : [
- "aoss:CreateIndex",
- "aoss:ReadDocument",
- "aoss:UpdateIndex",
- "aoss:DeleteIndex",
- "aoss:WriteDocument"
+ Permission = [
+ "aoss:*"
+ ]
+ },
+ {
+ ResourceType = "collection",
+ Resource = [
+ "collection/example-collection"
+ ],
+ Permission = [
+ "aoss:*"
 ]
 }
 ],
- "Principal" : [
- "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/admin"
+ Principal = [
+ "saml/123456789012/myprovider/user/Annie",
+ "saml/123456789012/anotherprovider/group/Accounting"
 ]
 }
 ])