Get ElasticSearch automatic role generation working #320

Merged
merged 4 commits into from
Apr 21, 2020


mfogel
Contributor

@mfogel mfogel commented Apr 4, 2020

This PR gets automatic role generation working, when using elastic search service as a data source, as discussed on #233

Rather than overload the endpoint config key, this PR adds an optional domain config key which is to be a reference to a resource of type AWS::Elasticsearch::Domain.

If domain is provided, endpoint no longer needs to be provided - it is automatically derived from the domain reference.

This also adds es:ESHttpPatch to the list of actions enabled by automatic role generation, since it's one of the 6 basic ones listed in the AWS docs on ElasticSearch IAM roles.

I wouldn't view this as a backward-incompatible change because the previous version of this (with the overloaded endpoint key), AFAIK, didn't work.

I'm now using this on a live personal deployment of mine with the following config:

      - type: AMAZON_ELASTICSEARCH
        name: ElasticSearchDataSource
        config:
          domain: ElasticSearchDomain

Short and sweet.

Let me know if there's any changes or tweaks you'd like to see, thanks & cheers

mfogel added 3 commits April 4, 2020 15:14
Adds an optional 'domain' config item (rather than overloading the
'endpoint' config item).
According to https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html
(and according to my testing) these actions need to be applied to a
subresource of the ES domain, not to the domain itself.
@bboure
Collaborator

bboure commented Apr 6, 2020

Thank you @mfogel for your contrib.
I don't really see it as a breaking change either, since the previous implementation is broken as you said.

LGTM

src/index.js Outdated
if (typeof ds.config.endpoint === 'string') {
if (ds.config.domain) {
arn = { 'Fn::Join': ['/', [{ 'Fn::GetAtt': [ds.config.domain, 'Arn'] }, '*']] };
} else if (ds.config.endpoint) {
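Review bot: On the `if (ds.config.domain)` line, the value is only truthiness-checked before it is placed in `Fn::GetAtt`, so an object or array passed as `domain` produces a malformed intrinsic in the generated role instead of a clear error; suggest `typeof ds.config.domain === 'string'` here, and keeping the string check on the `else if (ds.config.endpoint)` branch as well. Two things are also worth documenting next to this code: `domain` silently takes precedence when both keys are set, and the resulting policy resource is the domain ARN joined with `/*`, which covers every sub-resource of that domain.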
Collaborator

@mfogel Can we keep the check typeof ds.config.endpoint === 'string'?
This will keep the code below from breaking on other values.
If something other than a string comes here, let the Error be thrown on line 715.

Collaborator

@mfogel I have applied this change for you.
Will merge soon

Thank you again

@bboure bboure merged commit dcf6277 into sid88in:master Apr 21, 2020
@bboure
Collaborator

bboure commented Apr 21, 2020

Released in 1.3.0 🎉

@mfogel
Contributor Author

mfogel commented Apr 21, 2020

wonderful, thank you @bboure !
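
The role generation discussed in this pull request, sketched as an added example that is not the plugin's own code: it builds the IAM statement and endpoint from either a `domain` logical ID or a string `endpoint`, and rejects any other value type. The function names, the endpoint hostname pattern and the ARN built in the `endpoint` branch are assumptions made for illustration.

```javascript
// Added illustration: names below are hypothetical, not the plugin's internals.
const ES_HTTP_ACTIONS = [
  'es:ESHttpDelete', 'es:ESHttpGet', 'es:ESHttpHead',
  'es:ESHttpPatch', 'es:ESHttpPost', 'es:ESHttpPut',
];

// Assumed endpoint shape: https://(search|vpc)-<domain>-<id>.<region>.es.amazonaws.com
const ENDPOINT_RE =
  /^https:\/\/(?:search|vpc)-([a-z][a-z0-9-]{2,27})-[a-z0-9]+\.([a-z0-9-]+)\.es\.amazonaws\.com\/?$/;

// CloudFormation logical IDs are alphanumeric strings; objects and arrays are rejected.
const isLogicalId = (v) => typeof v === 'string' && /^[A-Za-z0-9]+$/.test(v);

// Endpoint the data source talks to: derived from the domain when one is referenced.
function esEndpoint(config) {
  if (isLogicalId(config.domain)) {
    return { 'Fn::Join': ['', ['https://', { 'Fn::GetAtt': [config.domain, 'DomainEndpoint'] }]] };
  }
  if (typeof config.endpoint === 'string') return config.endpoint;
  throw new Error('Elasticsearch data source needs a string "domain" or "endpoint"');
}

// IAM statement for the generated role, scoped to sub-resources of one domain.
function esPolicyStatement(config) {
  let resource;
  if (isLogicalId(config.domain)) {
    resource = { 'Fn::Join': ['/', [{ 'Fn::GetAtt': [config.domain, 'Arn'] }, '*']] };
  } else if (typeof config.endpoint === 'string') {
    const m = ENDPOINT_RE.exec(config.endpoint);
    if (!m) throw new Error(`Unrecognized Elasticsearch endpoint: ${config.endpoint}`);
    const [, domainName, region] = m;
    resource = { 'Fn::Join': [':', [
      'arn', { Ref: 'AWS::Partition' }, 'es', region,
      { Ref: 'AWS::AccountId' }, `domain/${domainName}/*`,
    ]] };
  } else {
    throw new Error('Elasticsearch data source needs a string "domain" or "endpoint"');
  }
  return { Effect: 'Allow', Action: ES_HTTP_ACTIONS, Resource: [resource] };
}
```

In both branches the statement's resource ends in `/*` under a single domain, so the generated role never receives `es:*` or a wildcard resource across domains.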
