I have this configuration for opensearch service and it is working as expected.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:1234:domain/esupport/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "1.2.3.4",
            "5.6.7.8"
          ]
        }
      }
    }
  ]
}

It will allow access from the 2 IP addresses mentioned above. If I want to add one more, I can edit the code and update it. But I would like to add the IP address using a CloudFormation template or a Lambda function URL. Is it possible?

shantanuo

1 Answer

Yes, this is how I have defined my OpenSearch in YAML CloudFormation. I cheated and moved to JSON as the YAML was YAMLing me.

  Opensearch:
    Type: AWS::OpenSearchService::Domain
    Properties:
      # Resource-based access policy, written as inline JSON (YAML flow style)
      AccessPolicies:
        {
          "Version": "2012-10-17",
          "Statement":
            [
              {
                "Effect": "Allow",
                "Principal": { "AWS": "*" },
                "Action": ["es:*"],
                "Resource": "*",
                "Condition":
                  { "IpAddress": { "aws:SourceIp": ["1.2.3.4"] } },
              },
            ],
        }
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: true
      ClusterConfig:
        InstanceCount: 1
        InstanceType: t2.small.search
      # ${sls:stage} is a Serverless Framework variable, resolved before the template is deployed
      DomainName: ${sls:stage}-mydomain
      EBSOptions:
        EBSEnabled: true
        VolumeSize: 20
        VolumeType: gp2
      EngineVersion: OpenSearch_1.0
      # Each log type needs a CloudWatch log group defined elsewhere in the template
      LogPublishingOptions:
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: !GetAtt OSAppLogGroup.Arn
          Enabled: true
        SEARCH_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: !GetAtt OSSlowLogGroup.Arn
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: !GetAtt OSIndexSlowLogGroup.Arn
          Enabled: true
      Tags:
        - Key: stage
          Value: ${sls:stage}

The IP condition is just a string in the standard policy template, so you could also define a policy JSON with variables (e.g. if you are using Terraform or Serverless). I don't think this is possible using a CF resource though.

If you are regularly changing the IP it may be better to put this behind a single entry point like API Gateway so you can administrate the IP block at that point.

Tobin
  • I do not think this will work in my case. I do not want to create any new resources. Nor do I want to modify the cluster. I just want to add one IP address and I do not know or care how many IP addresses are already there. – shantanuo Jun 10 '23 at 10:11
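What the comment asks for, a Lambda behind a function URL that merges one address into whatever `aws:SourceIp` list the domain currently has, without creating resources or touching the cluster configuration, as an added Python example that is not part of the question or the answer above. It assumes the domain name arrives in a `DOMAIN_NAME` environment variable, that the function URL delivers payload format 2.0, and that the function's execution role holds `es:DescribeDomainConfig` and `es:UpdateDomainConfig`. The boto3 calls `describe_domain_config` and `update_domain_config` are the real OpenSearch Service API; the helper names, the width limit on accepted CIDRs and the sample policy are assumptions made for the example.

```python
"""Merge one IP address into an OpenSearch domain access policy.

Added example: DOMAIN_NAME, the helper names and SAMPLE_POLICY are
assumptions, not code from the question or answer. The boto3 calls
describe_domain_config / update_domain_config are the real API.
"""
import ipaddress
import json
import os

CONDITION_KEY = "aws:SourceIp"
# Hypothetical: name of the domain whose access policy is edited.
DOMAIN_NAME = os.environ.get("DOMAIN_NAME", "esupport")


def validate_source_ip(value):
    """Return value normalised as a host IP or CIDR, or raise ValueError.

    Anything that is not a valid IP/CIDR is rejected, as are networks
    wider than /24 (IPv4) or /64 (IPv6), so a caller cannot open the
    domain to the world with "0.0.0.0/0" through this function.
    """
    net = ipaddress.ip_network(value.strip(), strict=False)
    limit = 24 if net.version == 4 else 64
    if net.prefixlen < limit:
        raise ValueError(f"{value} is wider than /{limit}; refusing")
    if net.num_addresses == 1:
        return str(net.network_address)  # keep the bare-host form the policy uses
    return str(net)


def add_source_ip(policy, ip):
    """Return (new_policy, changed) with ip added to every Allow statement
    that already carries an IpAddress/aws:SourceIp condition.

    Statements without that condition are left alone, so the function
    never widens a grant that was not IP-restricted to begin with, and
    the input policy is not mutated.
    """
    ip = validate_source_ip(ip)
    new_policy = json.loads(json.dumps(policy))  # deep copy
    found = changed = False
    for stmt in new_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {})
        if CONDITION_KEY not in cond:
            continue
        found = True
        current = cond[CONDITION_KEY]
        if isinstance(current, str):  # IAM accepts a single string here
            current = [current]
        if ip in current:
            continue  # already allowed; nothing to do
        cond[CONDITION_KEY] = current + [ip]
        changed = True
    if not found:
        raise ValueError("no Allow statement has an IpAddress/aws:SourceIp condition")
    return new_policy, changed


def handler(event, context):
    """Lambda function URL entry point (payload format 2.0).

    Body {"ip": "9.9.9.9"} names the address to add; with no body the
    caller's own address from the request context is used. The URL must
    use AuthType AWS_IAM: with AuthType NONE anyone on the internet could
    add themselves to the domain policy.
    """
    import boto3  # imported here so the policy helpers stay usable offline

    body = json.loads(event.get("body") or "{}")
    ip = body.get("ip") or event["requestContext"]["http"]["sourceIp"]
    client = boto3.client("opensearch")
    config = client.describe_domain_config(DomainName=DOMAIN_NAME)
    policy = json.loads(config["DomainConfig"]["AccessPolicies"]["Options"])
    try:
        new_policy, changed = add_source_ip(policy, ip)
    except ValueError as exc:
        return {"statusCode": 400, "body": str(exc)}
    if changed:  # only AccessPolicies is sent; the rest of the config is untouched
        client.update_domain_config(
            DomainName=DOMAIN_NAME, AccessPolicies=json.dumps(new_policy)
        )
    return {"statusCode": 200, "body": json.dumps({"ip": ip, "changed": changed})}


# Constructed sample mirroring the policy in the question, for offline runs.
SAMPLE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:1234:domain/esupport/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["1.2.3.4", "5.6.7.8"]}},
        }
    ],
}

if __name__ == "__main__":
    updated, changed = add_source_ip(SAMPLE_POLICY, "9.9.9.9")
    print(changed, updated["Statement"][0]["Condition"]["IpAddress"][CONDITION_KEY])
```

The read-merge-write happens entirely on the access policy, so the existing domain, its instances and its other settings are not modified; a second call with an address that is already listed is a no-op. Because the function can widen who reaches the domain, treat the function URL itself as a privileged endpoint: keep it on `AuthType: AWS_IAM`, scope the execution role to the one domain ARN, and keep the CIDR width check so a caller cannot slip in a wildcard range.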