feat(opensearchservice): SAML authorization properties for Domain con…

…struct (#26673) Allows to specify [SAML authentication](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html) for OpenSearch domains via high-level construct properties. Example: ``` const domain = new Domain(this, 'Domain', { version: EngineVersion.OPENSEARCH_1_0, enforceHttps: true, nodeToNodeEncryption: true, encryptionAtRest: { enabled: true, }, fineGrainedAccessControl: { masterUserName: 'master-user', samlAuthenticationEnabled: true, samlAuthenticationOptions: { idpEntityId: 'entity-id', idpMetadataContent: 'metadata-content-with-quotes-escaped', }, }, }); ``` Closes #26600. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Aug 12, 2023 · 6e20cbf · 6e20cbf
1 parent e0ca252
commit 6e20cbf
Show file tree

Hide file tree

Showing 13 changed files with 1,053 additions and 0 deletions.
diff --git a/...ancedsecurity-with-saml.js.snapshot/cdk-opensearch-advancedsecurity-with-saml.assets.json b/...ancedsecurity-with-saml.js.snapshot/cdk-opensearch-advancedsecurity-with-saml.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "33.0.0",
+  "files": {
+    "026445656dddc9b7080faac1092d4280a9c24fdf2b21a398f4c44f31d96fcc22": {
+      "source": {
+        "path": "cdk-opensearch-advancedsecurity-with-saml.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "026445656dddc9b7080faac1092d4280a9c24fdf2b21a398f4c44f31d96fcc22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...cedsecurity-with-saml.js.snapshot/cdk-opensearch-advancedsecurity-with-saml.template.json b/...cedsecurity-with-saml.js.snapshot/cdk-opensearch-advancedsecurity-with-saml.template.json
diff --git a/...ws-opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/cdk.out b/...ws-opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"33.0.0"}
diff --git a/...opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/integ.json b/...opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "33.0.0",
+  "testCases": {
+    "integ-opensearch-advancedsecurity-with-saml/DefaultTest": {
+      "stacks": [
+        "cdk-opensearch-advancedsecurity-with-saml"
+      ],
+      "assertionStack": "integ-opensearch-advancedsecurity-with-saml/DefaultTest/DeployAssert",
+      "assertionStackName": "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A"
+    }
+  }
+}
diff --git a/...apshot/integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.assets.json b/...apshot/integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "33.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...shot/integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.template.json b/...shot/integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...nsearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/manifest.json b/...nsearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/manifest.json
@@ -0,0 +1,117 @@
+{
+  "version": "33.0.0",
+  "artifacts": {
+    "cdk-opensearch-advancedsecurity-with-saml.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "cdk-opensearch-advancedsecurity-with-saml.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "cdk-opensearch-advancedsecurity-with-saml": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "cdk-opensearch-advancedsecurity-with-saml.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/026445656dddc9b7080faac1092d4280a9c24fdf2b21a398f4c44f31d96fcc22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "cdk-opensearch-advancedsecurity-with-saml.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "cdk-opensearch-advancedsecurity-with-saml.assets"
+      ],
+      "metadata": {
+        "/cdk-opensearch-advancedsecurity-with-saml/User/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "User00B015A1"
+          }
+        ],
+        "/cdk-opensearch-advancedsecurity-with-saml/Domain/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "Domain66AC69E0"
+          }
+        ],
+        "/cdk-opensearch-advancedsecurity-with-saml/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/cdk-opensearch-advancedsecurity-with-saml/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "cdk-opensearch-advancedsecurity-with-saml"
+    },
+    "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "integopensearchadvancedsecuritywithsamlDefaultTestDeployAssertA27B274A.assets"
+      ],
+      "metadata": {
+        "/integ-opensearch-advancedsecurity-with-saml/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/integ-opensearch-advancedsecurity-with-saml/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "integ-opensearch-advancedsecurity-with-saml/DefaultTest/DeployAssert"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    }
+  }
+}
diff --git a/...-opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/tree.json b/...-opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.js.snapshot/tree.json
diff --git a/...work-integ/test/aws-opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.ts b/...work-integ/test/aws-opensearchservice/test/integ.opensearch.advancedsecurity-with-saml.ts
@@ -0,0 +1,41 @@
+import * as path from 'path';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdk from 'aws-cdk-lib';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'cdk-opensearch-advancedsecurity-with-saml');
+
+const user = new iam.User(stack, 'User');
+
+const metadataDocument = iam.SamlMetadataDocument.fromFile(path.join(__dirname, 'saml-metadata-document.xml'));
+
+new opensearch.Domain(stack, 'Domain', {
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  version: opensearch.EngineVersion.ELASTICSEARCH_7_1,
+  fineGrainedAccessControl: {
+    masterUserArn: user.userArn,
+    samlAuthenticationEnabled: true,
+    samlAuthenticationOptions: {
+      idpEntityId: 'entity-id',
+      idpMetadataContent: metadataDocument.xml,
+      masterBackendRole: 'backend-role',
+      masterUserName: 'master-username',
+    },
+  },
+  encryptionAtRest: {
+    enabled: true,
+  },
+  nodeToNodeEncryption: true,
+  enforceHttps: true,
+  capacity: {
+    multiAzWithStandbyEnabled: false,
+  },
+});
+
+new integ.IntegTest(app, 'integ-opensearch-advancedsecurity-with-saml', {
+  testCases: [stack],
+});
+
+app.synth();