feat(issue-667): added an optional custom policy for vector collection (#811)

dineshSajwan · dinsajwa · krokoko · web-flow · commit 213032dcc1ee · 2024-11-20T14:21:38.000-06:00
* feat(issue-667): added an optional custom policy for vector collection

---------

Co-authored-by: dinsajwa &lt;dinsajwa@amazon.com&gt;
Co-authored-by: Alain Krok &lt;alkrok@amazon.com&gt;
diff --git a/apidocs/namespaces/opensearchserverless/interfaces/VectorCollectionProps.md b/apidocs/namespaces/opensearchserverless/interfaces/VectorCollectionProps.md
@@ -16,6 +16,14 @@ The name of the collection.
 
 ***
 
+### customAossPolicy?
+
+> `readonly` `optional` **customAossPolicy**: `ManagedPolicy`
+
+A user defined IAM policy that allows API access to the collection.
+
+***
+
 ### standbyReplicas?
 
 > `readonly` `optional` **standbyReplicas**: [`VectorCollectionStandbyReplicas`](../enumerations/VectorCollectionStandbyReplicas.md)
diff --git a/src/cdk-lib/opensearchserverless/vector-collection.ts b/src/cdk-lib/opensearchserverless/vector-collection.ts
@@ -33,6 +33,11 @@ export interface VectorCollectionProps {
    * @default ENABLED
    */
   readonly standbyReplicas?: VectorCollectionStandbyReplicas;
+
+  /**
+   * A user defined IAM policy that allows API access to the collection.
+   */
+  readonly customAossPolicy?: iam.ManagedPolicy;
 }
 
 /**
@@ -135,20 +140,24 @@ export class VectorCollection extends Construct {
     this.collectionArn = collection.attrArn;
     this.collectionId = collection.attrId;
 
-    this.aossPolicy = new iam.ManagedPolicy(
-      this,
-      'AOSSApiAccessAll', {
-        statements: [
-          new iam.PolicyStatement({
-            effect: iam.Effect.ALLOW,
-            actions: [
-              'aoss:APIAccessAll',
-            ],
-            resources: [collection.attrArn],
-          }),
-        ],
-      },
-    );
+    if (props?.customAossPolicy) {
+      this.aossPolicy = props.customAossPolicy;
+    } else {
+      this.aossPolicy = new iam.ManagedPolicy(
+        this,
+        'AOSSApiAccessAll', {
+          statements: [
+            new iam.PolicyStatement({
+              effect: iam.Effect.ALLOW,
+              actions: [
+                'aoss:APIAccessAll',
+              ],
+              resources: [collection.attrArn],
+            }),
+          ],
+        },
+      );
+    }
 
     collection.addDependency(encryptionPolicy);
     collection.addDependency(networkPolicy);
