Resource: aws_opensearchserverless_security_policy

Terraform resource for managing an AWS OpenSearch Serverless Security Policy. See AWS documentation for encryption policies and network policies.

Example Usage

Encryption Security Policy

Applies to a single collection

resource "aws_opensearchserverless_security_policy" "example" {
  name        = "example"
  type        = "encryption"
  description = "encryption security policy for example-collection"
  policy = jsonencode({
    Rules = [
      {
        Resource = [
          "collection/example-collection"
        ],
        ResourceType = "collection"
      }
    ],
    AWSOwnedKey = true
  })
}

Applies to multiple collections

resource "aws_opensearchserverless_security_policy" "example" {
  name        = "example"
  type        = "encryption"
  description = "encryption security policy for collections that begin with \"example\""
  policy = jsonencode({
    Rules = [
      {
        Resource = [
          "collection/example*"
        ],
        ResourceType = "collection"
      }
    ],
    AWSOwnedKey = true
  })
}

Using a customer managed key

resource "aws_opensearchserverless_security_policy" "example" {
  name        = "example"
  type        = "encryption"
  description = "encryption security policy using customer KMS key"
  policy = jsonencode({
    Rules = [
      {
        Resource = [
          "collection/customer-managed-key-collection"
        ],
        ResourceType = "collection"
      }
    ],
    AWSOwnedKey = false
    KmsARN      = "arn:aws:kms:us-east-1:123456789012:key/93fd6da4-a317-4c17-bfe9-382b5d988b36"
  })
}

Network Security Policy

Allow public access to the collection endpoint and the Dashboards endpoint

resource "aws_opensearchserverless_security_policy" "example" {
  name        = "example"
  type        = "network"
  description = "Public access"
  policy = jsonencode([
    {
      Description = "Public access to collection and Dashboards endpoint for example collection",
      Rules = [
        {
          ResourceType = "collection",
          Resource = [
            "collection/example-collection"
          ]
        },
        {
          ResourceType = "dashboard"
          Resource = [
            "collection/example-collection"
          ]
        }
      ],
      AllowFromPublic = true
    }
  ])
}

Allow VPC access to the collection endpoint and the Dashboards endpoint

resource "aws_opensearchserverless_security_policy" "example" {
  name        = "example"
  type        = "network"
  description = "VPC access"
  policy = jsonencode([
    {
      Description = "VPC access to collection and Dashboards endpoint for example collection",
      Rules = [
        {
          ResourceType = "collection",
          Resource = [
            "collection/example-collection"
          ]
        },
        {
          ResourceType = "dashboard"
          Resource = [
            "collection/example-collection"
          ]
        }
      ],
      AllowFromPublic = false,
      SourceVPCEs = [
        "vpce-050f79086ee71ac05"
      ]
    }
  ])
}

Mixed access for different collections

resource "aws_opensearchserverless_security_policy" "example" {
  name        = "example"
  type        = "network"
  description = "Mixed access for marketing and sales"
  policy = jsonencode([
    {
      "Description" : "Marketing access",
      "Rules" : [
        {
          "ResourceType" : "collection",
          "Resource" : [
            "collection/marketing*"
          ]
        },
        {
          "ResourceType" : "dashboard",
          "Resource" : [
            "collection/marketing*"
          ]
        }
      ],
      "AllowFromPublic" : false,
      "SourceVPCEs" : [
        "vpce-050f79086ee71ac05"
      ]
    },
    {
      "Description" : "Sales access",
      "Rules" : [
        {
          "ResourceType" : "collection",
          "Resource" : [
            "collection/finance"
          ]
        }
      ],
      "AllowFromPublic" : true
    }
  ])
}
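The network and encryption policy documents above are plain JSON once `jsonencode` has run, so they can be checked before `terraform apply`. The following added example (not part of the Terraform AWS provider or the AWS API) audits policy documents of the shapes shown on this page and resolves how a given collection's endpoints end up reachable across all network policies. The sample documents are constructed to mirror the HCL examples above (the VPC endpoint ID is a placeholder); the wildcard semantics are an assumption: `*` is treated as the only wildcard and matches any run of characters, so `collection/marketing*` covers `collection/marketing-eu`.

```python
"""Audit OpenSearch Serverless security-policy documents before they are applied.

Added example for this page, not provider or AWS code. Assumption: "*" is the
only wildcard in a Resource pattern and matches any run of characters.
"""
import re
from dataclasses import dataclass

RESOURCE_TYPES = ("collection", "dashboard")
RANK = {"none": 0, "vpc": 1, "public": 2}  # broader exposure ranks higher


def resource_matches(pattern: str, resource: str) -> bool:
    """True if a Resource pattern such as "collection/marketing*" covers `resource`."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


@dataclass(frozen=True)
class Finding:
    policy_name: str
    severity: str  # "HIGH", "MEDIUM" or "INFO"
    message: str


def audit_encryption_policy(name: str, doc: dict) -> list[Finding]:
    """Check that the key selection in an encryption policy is internally consistent."""
    findings = []
    aws_owned, kms_arn = doc.get("AWSOwnedKey"), doc.get("KmsARN")
    if aws_owned is False and not kms_arn:
        findings.append(Finding(name, "HIGH", "AWSOwnedKey is false but no KmsARN is set"))
    if aws_owned is True and kms_arn:
        findings.append(Finding(name, "MEDIUM", "AWSOwnedKey is true but a KmsARN is also set; pick one"))
    if aws_owned is True:
        findings.append(Finding(name, "INFO", "collections use the AWS-owned key, not a customer managed key"))
    return findings


def audit_network_policy(name: str, doc: list) -> list[Finding]:
    """Flag statements that expose endpoints publicly, grant nothing, or use wildcards."""
    findings = []
    for stmt in doc:
        public, vpces = stmt.get("AllowFromPublic", False), stmt.get("SourceVPCEs", [])
        label = stmt.get("Description", "<no description>")
        if not public and not vpces:
            findings.append(Finding(name, "MEDIUM", f"{label}: neither AllowFromPublic nor SourceVPCEs, grants no access"))
        for rule in stmt.get("Rules", []):
            rtype = rule.get("ResourceType", "?")
            for res in rule.get("Resource", []):
                if public:
                    findings.append(Finding(name, "HIGH", f"{label}: {rtype} endpoint of {res} is reachable from the public internet"))
                if "*" in res:
                    findings.append(Finding(name, "MEDIUM", f"{label}: wildcard {res} also covers collections created later"))
    return findings


def endpoint_exposure(collection: str, network_docs: list[list]) -> dict[str, str]:
    """Return "public", "vpc" or "none" per endpoint type for `collection`.

    Every statement in every policy is examined; the broadest matching grant wins,
    so one public statement is reported even if others are VPC-only.
    """
    exposure = {rtype: "none" for rtype in RESOURCE_TYPES}
    target = f"collection/{collection}"
    for doc in network_docs:
        for stmt in doc:
            level = "public" if stmt.get("AllowFromPublic") else "vpc" if stmt.get("SourceVPCEs") else "none"
            for rule in stmt.get("Rules", []):
                rtype = rule.get("ResourceType")
                if rtype in exposure and any(resource_matches(p, target) for p in rule.get("Resource", [])):
                    if RANK[level] > RANK[exposure[rtype]]:
                        exposure[rtype] = level
    return exposure


# Constructed sample documents mirroring the HCL examples above.
ENCRYPTION_CMK = {
    "Rules": [{"Resource": ["collection/customer-managed-key-collection"], "ResourceType": "collection"}],
    "AWSOwnedKey": False,
    "KmsARN": "arn:aws:kms:us-east-1:123456789012:key/93fd6da4-a317-4c17-bfe9-382b5d988b36",
}
NETWORK_MIXED = [
    {"Description": "Marketing access",
     "Rules": [{"ResourceType": "collection", "Resource": ["collection/marketing*"]},
               {"ResourceType": "dashboard", "Resource": ["collection/marketing*"]}],
     "AllowFromPublic": False, "SourceVPCEs": ["vpce-050f79086ee71ac05"]},  # placeholder VPCE ID
    {"Description": "Sales access",
     "Rules": [{"ResourceType": "collection", "Resource": ["collection/finance"]}],
     "AllowFromPublic": True},
]

if __name__ == "__main__":
    for f in audit_encryption_policy("example-encryption", ENCRYPTION_CMK) + audit_network_policy("example-network", NETWORK_MIXED):
        print(f"[{f.severity}] {f.policy_name}: {f.message}")
    for coll in ("marketing-eu", "finance", "hr"):
        print(coll, endpoint_exposure(coll, [NETWORK_MIXED]))
```

Run against the mixed-access document, the audit reports the public `collection/finance` endpoint as HIGH and the two `collection/marketing*` wildcards as MEDIUM, and `endpoint_exposure` shows that a collection named `finance` has a public collection endpoint but no Dashboards access at all, which is the kind of discrepancy worth catching before the policy reaches the account.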

Argument Reference

The following arguments are required:

name - Name of the policy.
policy - JSON policy document to use as the content for the new policy (the examples above build it with jsonencode).
type - Type of security policy. One of encryption or network.

The following arguments are optional:

description - Description of the policy.

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

policy_version - Version of the policy.

Import

In Terraform v1.5.0 and later, use an import block to import an OpenSearch Serverless Security Policy using the name and type arguments separated by a slash (/). For example:

import {
  to = aws_opensearchserverless_security_policy.example
  id = "example/encryption"
}

Using terraform import, import an OpenSearch Serverless Security Policy using the name and type arguments separated by a slash (/). For example:

% terraform import aws_opensearchserverless_security_policy.example example/encryption