@@ -84,6 +84,55 @@ data "aws_iam_policy_document" "elasticsearch-log-publishing-policy" {
8484 }
8585}
8686
87+ data "aws_iam_policy_document" "cognito_es_policy" {
88+ version = " 2012-10-17"
89+ statement {
90+ effect = " Allow"
91+ actions =
92+ " cognito-idp:DescribeUserPool"
93+ " cognito-idp:CreateUserPoolClient"
94+ " cognito-idp:DeleteUserPoolClient"
95+ " cognito-idp:DescribeUserPoolClient"
96+ " cognito-idp:AdminInitiateAuth"
97+ " cognito-idp:AdminUserGlobalSignOut"
98+ " cognito-idp:ListUserPoolClients"
99+ " cognito-identity:DescribeIdentityPool"
100+ " cognito-identity:UpdateIdentityPool"
101+ " cognito-identity:SetIdentityPoolRoles"
102+ " cognito-identity:GetIdentityPoolRoles"
103+ ]
104+ resources =
105+ " *"
106+ ]
107+ }
108+ }
109+
110+ data "aws_iam_policy_document" "es_assume_policy" {
111+ version = " 2012-10-17"
112+ statement {
113+ effect = " Allow"
114+ principals {
115+ type = " Service"
116+ identifiers = " es.amazonaws.com"
117+ }
118+ actions = " sts:AssumeRole"
119+ }
120+ }
121+
122+ module "cognito-role" {
123+ source = " git::https://github.com/clouddrove/terraform-aws-iam-role.git?ref=tags/0.14.0"
124+
125+ name = format (" %s-cognito-role" . labels . id )
126+ environment = . environment
127+ label_order = " name"
128+ enabled = . cognito_enabled
129+
130+ assume_role_policy = . aws_iam_policy_document . es_assume_policy . json
131+
132+ policy_enabled = true
133+ policy = . aws_iam_policy_document . cognito_es_policy . json
134+ }
135+
87136# Module : Elasticsearch
88137# Description : Terraform module to create Elasticsearch resource on AWS.
89138resource "aws_elasticsearch_domain" "default" {
@@ -178,6 +227,13 @@ resource "aws_elasticsearch_domain" "default-public" {
178227 kms_key_id = . kms_key_id
179228 }
180229
230+ cognito_options {
231+ enabled = . cognito_enabled
232+ user_pool_id = . user_pool_id
233+ identity_pool_id = . identity_pool_id
234+ role_arn = . cognito-role . arn
235+ }
236+
181237 cluster_config {
182238 instance_count = . instance_count
183239 instance_type = . instance_type
@@ -248,6 +304,13 @@ resource "aws_elasticsearch_domain" "single" {
248304 kms_key_id = . kms_key_id
249305 }
250306
307+ cognito_options {
308+ enabled = . cognito_enabled
309+ user_pool_id = . user_pool_id
310+ identity_pool_id = . identity_pool_id
311+ role_arn = . cognito-role . arn
312+ }
313+
251314 cluster_config {
252315 instance_count = . instance_count
253316 instance_type = . instance_type
@@ -316,6 +379,13 @@ resource "aws_elasticsearch_domain" "single-public" {
316379 kms_key_id = . kms_key_id
317380 }
318381
382+ cognito_options {
383+ enabled = . cognito_enabled
384+ user_pool_id = . user_pool_id
385+ identity_pool_id = . identity_pool_id
386+ role_arn = . cognito-role . arn
387+ }
388+
319389 cluster_config {
320390 instance_count = . instance_count
321391 instance_type = . instance_type
@@ -367,6 +437,7 @@ data "aws_iam_policy_document" "default" {
367437
368438 statement {
369439 actions = distinct (compact (var. iam_actions ))
440+ effect = " Allow"
370441
371442 resources =
372443 var . zone_awareness_enabled ? (var. public_enabled ? join (" " . default-public . * . arn ) : join (" " . default . * . arn )) : (var. public_enabled ? join (" " . single-public . * . arn ) : join (" " . single . * . arn )),
@@ -377,6 +448,14 @@ data "aws_iam_policy_document" "default" {
377448 type = " AWS"
378449 identifiers = " *"
379450 }
451+ condition {
452+ test = " IpAddress"
453+ variable = " aws:SourceIp"
454+
455+ values =
456+ " *"
457+ ]
458+ }
380459 }
381460}
382461
0 commit comments