add frozen_solid/aws-opensearchserverless-is-public.tf

semgrep · Sep 27, 2023 · 2f96865 · 2f96865
1 parent b368e13
commit 2f96865
Showing 1 changed file with 97 additions and 0 deletions.
diff --git a/frozen_solid/aws-opensearchserverless-is-public.tf b/frozen_solid/aws-opensearchserverless-is-public.tf
@@ -0,0 +1,97 @@
+resource "aws_opensearchserverless_security_policy" "example" {
+  name        = "example"
+  type        = "network"
+  description = "Mixed access for marketing and sales"
+  policy = jsonencode([
+    {
+      "Description" : "Marketing access",
+      "Rules" : [
+        {
+          "ResourceType" : "collection",
+          "Resource" : [
+            "collection/marketing*"
+          ]
+        },
+        {
+          "ResourceType" : "dashboard",
+          "Resource" : [
+            "collection/marketing*"
+          ]
+        }
+      ],
+      "AllowFromPublic" : false,
+      "SourceVPCEs" : [
+        "vpce-050f79086ee71ac05"
+      ]
+    },
+    # ruleid: aws-opensearchserverless-is-public
+    {
+      "Description" : "Sales access",
+      "Rules" : [
+        {
+          "ResourceType" : "collection",
+          "Resource" : [
+            "collection/finance"
+          ]
+        }
+      ],
+      "AllowFromPublic" : true
+    }
+  ])
+}
+
+resource "aws_opensearchserverless_security_policy" "pass" {
+  name        = "example"
+  type        = "network"
+  description = "VPC access"
+  policy = jsonencode(
+    {
+      Description = "VPC access to collection and Dashboards endpoint for example collection",
+      Rules = [
+        {
+          ResourceType = "collection",
+          Resource = [
+            "collection/example-collection"
+          ]
+        },
+        {
+          ResourceType = "dashboard"
+          Resource = [
+            "collection/example-collection"
+          ]
+        }
+      ],
+      # ok: aws-opensearchserverless-is-public
+      AllowFromPublic = false,
+      SourceVPCEs = [
+        "vpce-050f79086ee71ac05"
+      ]
+    }
+  )
+}
+
+resource "aws_opensearchserverless_security_policy" "fail_2_heredoc" {
+  name        = "fail_2_heredoc"
+  type        = "network"
+  description = "public access"
+  # ruleid: aws-opensearchserverless-is-public
+  policy = <<POLICY
+{
+   "Rules": [
+      {
+         "Resource": [
+            "collection/example-collection"
+         ],
+         "ResourceType": "collection"
+      },
+      {
+         "Resource": [
+            "collection/example-collection"
+         ],
+         "ResourceType": "dashboard"
+      }
+   ],
+   "AllowFromPublic": true
+}
+POLICY
+}