feat(elasticsearch): Decouple setting access policies from domain constructor (#15876)

Currently when creating an elasticsearch domain the access policies must be set in the constructor. This makes it impossible to create access policies that reference the domain. 

### Use Cases

See: https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/

### Proposed Solution

This PR extracts the access policy setting to a helper method which can be used if the `accessPolicies` and `useUnsignedBasicAuth` props are not set. The helper will error if access policies are already set to prevent creating duplicate custom resources.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: TikiTDO

packages/@aws-cdk/aws-elasticsearch/README.md

@@ -233,7 +233,62 @@ const domain = new es.Domain(this, 'Domain', {
 const masterUserPassword = domain.masterUserPassword;
 ```
 
+## Custom access policies
 
+If the domain requires custom access control it can be configured either as a
+constructor property, or later by means of a helper method.
+
+For simple permissions the `accessPolicies` constructor may be sufficient:
+
+```ts
+const domain = new es.Domain(this, 'Domain', {
+  version: es.ElasticsearchVersion.V7_1,
+  accessPolicies: [
+    new iam.PolicyStatement({
+      actions: ['es:*ESHttpPost', 'es:ESHttpPut*'],
+      effect: iam.Effect.ALLOW,
+      principals: [new iam.AccountPrincipal('123456789012')],
+      resources: ['*'],
+    }),
+  ]
+});
+```
+
+For more complex use-cases, for example, to set the domain up to receive data from a
+[cross-account Kinesis Firehose](https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/) the `addAccessPolicies` helper method
+allows for policies that include the explicit domain ARN.
+
+```ts
+const domain = new es.Domain(this, 'Domain', {
+  version: es.ElasticsearchVersion.V7_1,
+});
+
+domain.addAccessPolicies(
+  new iam.PolicyStatement({
+    actions: ['es:ESHttpPost', 'es:ESHttpPut'],
+    effect: iam.Effect.ALLOW,
+    principals: [new iam.AccountPrincipal('123456789012')],
+    resources: [domain.domainArn, `${domain.domainArn}/*`],
+  }),
+  new iam.PolicyStatement({
+    actions: ['es:ESHttpGet'],
+    effect: iam.Effect.ALLOW,
+    principals: [new iam.AccountPrincipal('123456789012')],
+    resources: [
+      `${domain.domainArn}/_all/_settings`,
+      `${domain.domainArn}/_cluster/stats`,
+      `${domain.domainArn}/index-name*/_mapping/type-name`,
+      `${domain.domainArn}/roletest*/_mapping/roletest`,
+      `${domain.domainArn}/_nodes`,
+      `${domain.domainArn}/_nodes/stats`,
+      `${domain.domainArn}/_nodes/*/stats`,
+      `${domain.domainArn}/_stats`,
+      `${domain.domainArn}/index-name*/_stats`,
+      `${domain.domainArn}/roletest*/_stat`,
+    ],
+  }),
+);
+```
 
 ## Audit logs
 
@@ -400,7 +455,7 @@ Make the following modifications to your CDK application to migrate to the `@aws
 Follow these steps to migrate your application without data loss:
 
 - Ensure that the [removal policy](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.RemovalPolicy.html) on your domains are set to `RemovalPolicy.RETAIN`. This is the default for the domain construct, so nothing is required unless you have specifically set the removal policy to some other value.
-- Remove the domain resource from your CloudFormation stacks by manually modifying the synthesized templates used to create the CloudFormation stacks. This may also involve modifying or deleting dependent resources, such as the custom resources that CDK creates to manage the domain's access policy or any other resource you have connected to the domain. You will need to search for references to each domain's logical ID to determine which other resources refer to it and replace or delete those references. Do not remove resources that are dependencies of the domain or you will have to recreate or import them before importing the domain. After modification, deploy the stacks through the AWS Management Console or using the AWS CLI. 
+- Remove the domain resource from your CloudFormation stacks by manually modifying the synthesized templates used to create the CloudFormation stacks. This may also involve modifying or deleting dependent resources, such as the custom resources that CDK creates to manage the domain's access policy or any other resource you have connected to the domain. You will need to search for references to each domain's logical ID to determine which other resources refer to it and replace or delete those references. Do not remove resources that are dependencies of the domain or you will have to recreate or import them before importing the domain. After modification, deploy the stacks through the AWS Management Console or using the AWS CLI.
 - Migrate your CDK application to use the new `@aws-cdk/aws-opensearchservice` module by applying the necessary modifications listed above. Synthesize your application and obtain the resulting stack templates.
 - Copy just the definition of the domain from the "migrated" templates to the corresponding "stripped" templates that you deployed above. [Import](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-existing-stack.html) the orphaned domains into your CloudFormation stacks using these templates.
 - Synthesize and deploy your CDK application to reconfigure/recreate the modified dependent resources. The CloudFormation stacks should now contain the same resources as existed prior to migration.

packages/@aws-cdk/aws-elasticsearch/lib/domain.ts

@@ -1264,6 +1264,9 @@ export class Domain extends DomainBase implements IDomain, ec2.IConnectable {
 
   private readonly domain: CfnDomain;
 
+  private accessPolicy?: ElasticsearchAccessPolicy
+  private encryptionAtRestOptions?: EncryptionAtRestOptions
+
   private readonly _connections: ec2.Connections | undefined;
 
   constructor(scope: Construct, id: string, props: DomainProps) {
@@ -1720,33 +1723,12 @@ export class Domain extends DomainBase implements IDomain, ec2.IConnectable {
       });
     }
 
-    const accessPolicyStatements: iam.PolicyStatement[] | undefined = unsignedBasicAuthEnabled
-      ? (props.accessPolicies ?? []).concat(unsignedAccessPolicy)
-      : props.accessPolicies;
-
-    if (accessPolicyStatements != null) {
-      const accessPolicy = new ElasticsearchAccessPolicy(this, 'ESAccessPolicy', {
-        domainName: this.domainName,
-        domainArn: this.domainArn,
-        accessPolicies: accessPolicyStatements,
-      });
-
-      if (props.encryptionAtRest?.kmsKey) {
-
-        // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
-
-        // these permissions are documented as required during domain creation.
-        // while not strictly documented for updates as well, it stands to reason that an update
-        // operation might require these in case the cluster uses a kms key.
-        // empircal evidence shows this is indeed required: https://github.com/aws/aws-cdk/issues/11412
-        accessPolicy.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
-          actions: ['kms:List*', 'kms:Describe*', 'kms:CreateGrant'],
-          resources: [props.encryptionAtRest.kmsKey.keyArn],
-          effect: iam.Effect.ALLOW,
-        }));
-      }
-
-      accessPolicy.node.addDependency(this.domain);
+    this.encryptionAtRestOptions = props.encryptionAtRest;
+    if (props.accessPolicies) {
+      this.addAccessPolicies(...props.accessPolicies);
+    }
+    if (unsignedBasicAuthEnabled) {
+      this.addAccessPolicies(unsignedAccessPolicy);
     }
   }
 
@@ -1760,6 +1742,38 @@ export class Domain extends DomainBase implements IDomain, ec2.IConnectable {
     }
     return this._connections;
   }
+
+  /**
+   * Add policy statements to the domain access policy
+   */
+  public addAccessPolicies(...accessPolicyStatements: iam.PolicyStatement[]) {
+    if (accessPolicyStatements.length > 0) {
+      if (!this.accessPolicy) {
+        // Only create the custom resource after there are statements to set.
+        this.accessPolicy = new ElasticsearchAccessPolicy(this, 'ESAccessPolicy', {
+          domainName: this.domainName,
+          domainArn: this.domainArn,
+          accessPolicies: accessPolicyStatements,
+        });
+
+        if (this.encryptionAtRestOptions?.kmsKey) {
+          // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
+
+          // these permissions are documented as required during domain creation.
+          // while not strictly documented for updates as well, it stands to reason that an update
+          // operation might require these in case the cluster uses a kms key.
+          // empircal evidence shows this is indeed required: https://github.com/aws/aws-cdk/issues/11412
+          this.accessPolicy.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+            actions: ['kms:List*', 'kms:Describe*', 'kms:CreateGrant'],
+            resources: [this.encryptionAtRestOptions.kmsKey.keyArn],
+            effect: iam.Effect.ALLOW,
+          }));
+        }
+      } else {
+        this.accessPolicy.addAccessPolicies(...accessPolicyStatements);
+      }
+    }
+  }
 }
 
 /**

packages/@aws-cdk/aws-elasticsearch/lib/elasticsearch-access-policy.ts

@@ -1,9 +1,7 @@
 import * as iam from '@aws-cdk/aws-iam';
+import * as cdk from '@aws-cdk/core';
 import * as cr from '@aws-cdk/custom-resources';
-
-// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
-// eslint-disable-next-line no-duplicate-imports, import/order
-import { Construct } from '@aws-cdk/core';
+import { Construct } from 'constructs';
 
 /**
  * Construction properties for ElasticsearchAccessPolicy
@@ -29,25 +27,39 @@ export interface ElasticsearchAccessPolicyProps {
  * Creates LogGroup resource policies.
  */
 export class ElasticsearchAccessPolicy extends cr.AwsCustomResource {
-  constructor(scope: Construct, id: string, props: ElasticsearchAccessPolicyProps) {
-    const policyDocument = new iam.PolicyDocument({
-      statements: props.accessPolicies,
-    });
 
+  private accessPolicyStatements: iam.PolicyStatement[] = [];
+
+  constructor(scope: Construct, id: string, props: ElasticsearchAccessPolicyProps) {
     super(scope, id, {
       resourceType: 'Custom::ElasticsearchAccessPolicy',
       onUpdate: {
         action: 'updateElasticsearchDomainConfig',
         service: 'ES',
         parameters: {
           DomainName: props.domainName,
-          AccessPolicies: JSON.stringify(policyDocument.toJSON()),
+          AccessPolicies: cdk.Lazy.string({
+            produce: () => JSON.stringify(
+              new iam.PolicyDocument({
+                statements: this.accessPolicyStatements,
+              }).toJSON(),
+            ),
+          }),
         },
         // this is needed to limit the response body, otherwise it exceeds the CFN 4k limit
         outputPaths: ['DomainConfig.ElasticsearchClusterConfig.AccessPolicies'],
         physicalResourceId: cr.PhysicalResourceId.of(`${props.domainName}AccessPolicy`),
       },
       policy: cr.AwsCustomResourcePolicy.fromSdkCalls({ resources: [props.domainArn] }),
     });
+
+    this.addAccessPolicies(...props.accessPolicies);
+  }
+
+  /**
+   * Add policy statements to the domain access policy
+   */
+  public addAccessPolicies(...accessPolicyStatements: iam.PolicyStatement[]) {
+    this.accessPolicyStatements.push(...accessPolicyStatements);
   }
 }

packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts

@@ -200,6 +200,67 @@ test('can enable version upgrade update policy', () => {
   });
 });
 
+test('can set a self-referencing custom policy', () => {
+  const domain = new Domain(stack, 'Domain', {
+    version: ElasticsearchVersion.V7_1,
+  });
+
+  domain.addAccessPolicies(
+    new iam.PolicyStatement({
+      actions: ['es:ESHttpPost', 'es:ESHttpPut'],
+      effect: iam.Effect.ALLOW,
+      principals: [new iam.AccountPrincipal('5678')],
+      resources: [domain.domainArn, `${domain.domainArn}/*`],
+    }),
+  );
+
+  const expectedPolicy = {
+    'Fn::Join': [
+      '',
+      [
+        '{"action":"updateElasticsearchDomainConfig","service":"ES","parameters":{"DomainName":"',
+        {
+          Ref: 'Domain66AC69E0',
+        },
+        '","AccessPolicies":"{\\"Statement\\":[{\\"Action\\":[\\"es:ESHttpPost\\",\\"es:ESHttpPut\\"],\\"Effect\\":\\"Allow\\",\\"Principal\\":{\\"AWS\\":\\"arn:',
+        {
+          Ref: 'AWS::Partition',
+        },
+        ':iam::5678:root\\"},\\"Resource\\":[\\"',
+        {
+          'Fn::GetAtt': [
+            'Domain66AC69E0',
+            'Arn',
+          ],
+        },
+        '\\",\\"',
+        {
+          'Fn::GetAtt': [
+            'Domain66AC69E0',
+            'Arn',
+          ],
+        },
+        '/*\\"]}],\\"Version\\":\\"2012-10-17\\"}"},"outputPaths":["DomainConfig.ElasticsearchClusterConfig.AccessPolicies"],"physicalResourceId":{"id":"',
+        {
+          Ref: 'Domain66AC69E0',
+        },
+        'AccessPolicy"}}',
+      ],
+    ],
+  };
+  Template.fromStack(stack).hasResourceProperties('Custom::ElasticsearchAccessPolicy', {
+    ServiceToken: {
+      'Fn::GetAtt': [
+        'AWS679f53fac002430cb0da5b7982bd22872D164C4C',
+        'Arn',
+      ],
+    },
+    Create: expectedPolicy,
+    Update: expectedPolicy,
+  });
+});
+
+
 describe('UltraWarm instances', () => {
 
   test('can enable UltraWarm instances', () => {

packages/@aws-cdk/aws-elasticsearch/test/elasticsearch-access-policy.test.ts

@@ -55,3 +55,55 @@ test('minimal example renders correctly', () => {
     }),
   });
 });
+
+test('support access policy added inline and later', () => {
+  const elasticsearchAccessPolicy = new ElasticsearchAccessPolicy(stack, 'ElasticsearchAccessPolicy', {
+    domainName: 'TestDomain',
+    domainArn: 'test:arn',
+    accessPolicies: [
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['es:ESHttp*'],
+        principals: [new iam.AnyPrincipal()],
+        resources: ['test:arn'],
+      }),
+    ],
+  });
+  elasticsearchAccessPolicy.addAccessPolicies(
+    new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: ['*'],
+      principals: [new iam.AnyPrincipal()],
+      resources: ['test:arn'],
+    }),
+  );
+
+  Template.fromStack(stack).hasResourceProperties('Custom::ElasticsearchAccessPolicy', {
+    ServiceToken: {
+      'Fn::GetAtt': [
+        'AWS679f53fac002430cb0da5b7982bd22872D164C4C',
+        'Arn',
+      ],
+    },
+    Create: JSON.stringify({
+      action: 'updateElasticsearchDomainConfig',
+      service: 'ES',
+      parameters: {
+        DomainName: 'TestDomain',
+        AccessPolicies: '{"Statement":[{"Action":"es:ESHttp*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"},{"Action":"*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"}],"Version":"2012-10-17"}',
+      },
+      outputPaths: ['DomainConfig.ElasticsearchClusterConfig.AccessPolicies'],
+      physicalResourceId: { id: 'TestDomainAccessPolicy' },
+    }),
+    Update: JSON.stringify({
+      action: 'updateElasticsearchDomainConfig',
+      service: 'ES',
+      parameters: {
+        DomainName: 'TestDomain',
+        AccessPolicies: '{"Statement":[{"Action":"es:ESHttp*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"},{"Action":"*","Effect":"Allow","Principal":{"AWS":"*"},"Resource":"test:arn"}],"Version":"2012-10-17"}',
+      },
+      outputPaths: ['DomainConfig.ElasticsearchClusterConfig.AccessPolicies'],
+      physicalResourceId: { id: 'TestDomainAccessPolicy' },
+    }),
+  });
+});

packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.custom-kms-key.expected.json

@@ -222,10 +222,7 @@
             "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
           }
         ]
-      },
-      "DependsOn": [
-        "Domain66AC69E0"
-      ]
+      }
     },
     "DomainESAccessPolicy89986F33": {
       "Type": "Custom::ElasticsearchAccessPolicy",
@@ -287,8 +284,7 @@
         "InstallLatestAwsSdk": true
       },
       "DependsOn": [
-        "DomainESAccessPolicyCustomResourcePolicy9747FC42",
-        "Domain66AC69E0"
+        "DomainESAccessPolicyCustomResourcePolicy9747FC42"
       ],
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete"