feat(iot-actions-alpha): open search action in IoT topic rule (#28748)

The CDK has no support to writes data to an Amazon OpenSearch Service via AWS IoT Rule. Adding the action that writes data to an Amazon OpenSearch Service to AWS IoT topic rule.

OpenSearch action for IoT Topic Rule documentation is here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-topicrule-opensearchaction.html.

Closes #17702.

Tested by deploying my own stack and confirmed that publishing a message to IoT topic rule will successfully write data to open search service.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: GavinZZ

packages/@aws-cdk/aws-iot-actions-alpha/README.md

@@ -355,20 +355,41 @@ to an HTTPS endpoint when it is triggered:
 
 ```ts
 const topicRule = new iot.TopicRule(this, 'TopicRule', {
-    sql: iot.IotSql.fromStringAsVer20160323(
-      "SELECT topic(2) as device_id, year, month, day FROM 'device/+/data'",
-    ),
-  });
-
-  topicRule.addAction(
-    new actions.HttpsAction('https://example.com/endpoint', {
-      confirmationUrl: 'https://example.com',
-      headers: [
-        { key: 'key0', value: 'value0' },
-        { key: 'key1', value: 'value1' },
-      ],
-      auth: { serviceName: 'serviceName', signingRegion: 'us-east-1' },
-    }),
-  );
-}
+  sql: iot.IotSql.fromStringAsVer20160323(
+    "SELECT topic(2) as device_id, year, month, day FROM 'device/+/data'",
+  ),
+});
+
+topicRule.addAction(
+  new actions.HttpsAction('https://example.com/endpoint', {
+    confirmationUrl: 'https://example.com',
+    headers: [
+      { key: 'key0', value: 'value0' },
+      { key: 'key1', value: 'value1' },
+    ],
+    auth: { serviceName: 'serviceName', signingRegion: 'us-east-1' },
+  }),
+);
+```
+
+## Write Data to Open Search Service
+
+The code snippet below creates an AWS IoT Rule that writes data
+to an Open Search Service when it is triggered:
+
+```ts
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+declare const domain: opensearch.Domain;
+
+const topicRule = new iot.TopicRule(this, 'TopicRule', {
+  sql: iot.IotSql.fromStringAsVer20160323(
+    "SELECT topic(2) as device_id, year, month, day FROM 'device/+/data'",
+  ),
+});
+
+topicRule.addAction(new actions.OpenSearchAction(domain, {
+  id: 'my-id',
+  index: 'my-index',
+  type: 'my-type',
+}));
 ```

packages/@aws-cdk/aws-iot-actions-alpha/lib/index.ts

@@ -8,6 +8,7 @@ export * from './iotevents-put-message-action';
 export * from './iot-republish-action';
 export * from './kinesis-put-record-action';
 export * from './lambda-function-action';
+export * from './open-search-action';
 export * from './s3-put-object-action';
 export * from './sqs-queue-action';
 export * from './sns-topic-action';

packages/@aws-cdk/aws-iot-actions-alpha/lib/open-search-action.ts

@@ -0,0 +1,59 @@
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as iot from '@aws-cdk/aws-iot-alpha';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import { CommonActionProps } from './common-action-props';
+import { singletonActionRole } from './private/role';
+
+/**
+ * Configuration properties of an action for Open Search.
+ */
+export interface OpenSearchActionProps extends CommonActionProps {
+  /**
+   * The unique identifier for the document you are storing.
+   */
+  readonly id: string;
+
+  /**
+   * The OpenSearch index where you want to store your data.
+   */
+  readonly index: string;
+
+  /**
+   * The type of document you are storing.
+   */
+  readonly type: string;
+}
+
+/**
+ * The action to write data to an Amazon OpenSearch Service domain.
+ */
+export class OpenSearchAction implements iot.IAction {
+  constructor(private readonly domain: opensearch.Domain, private readonly props: OpenSearchActionProps) {
+  }
+
+  /**
+   * @internal
+   */
+  public _bind(rule: iot.ITopicRule): iot.ActionConfig {
+    const role = this.props.role ?? singletonActionRole(rule);
+
+    // According to CloudFormation documentation, we only need 'es:ESHttpPut' permission
+    // https://docs.aws.amazon.com/iot/latest/developerguide/opensearch-rule-action.html#opensearch-rule-action-requirements
+    role.addToPrincipalPolicy(new iam.PolicyStatement({
+      actions: ['es:ESHttpPut'],
+      resources: [this.domain.domainArn, `${this.domain.domainArn}/*`],
+    }));
+
+    return {
+      configuration: {
+        openSearch: {
+          endpoint: `https://${this.domain.domainEndpoint}`,
+          id: this.props.id,
+          index: this.props.index,
+          type: this.props.type,
+          roleArn: role.roleArn,
+        },
+      },
+    };
+  }
+}