Updates the staging stack to allow multiple accounts to access the read permissions. This will allow us to grant access to the OpenSearch CI test accounts. Contributes toward opensearch-project#5796. (opensearch-project#5830)

Signed-off-by: David Venable <dlv@amazon.com>
Signed-off-by: Jonah Calvo <caljonah@amazon.com>

Author: dlvenable

release/staging-resources-cdk/README.md

@@ -52,13 +52,13 @@ The following CDK commands all require defining context. The context variables a
 
 * `archivesBucketName` - The name of the S3 bucket you will use to deploy. This bucket must be in the same region as your stack.
 * `dataPrepperOrganization` - The name of the GitHub organization which has the `data-prepper` repository. This allows you to create staging environments for forks. The default value is `opensearch-project`.
-* `ciAccountId` - The AWS account Id of the OpenSearch CI release/build server.
+* `ciAccountIds` - The AWS account Ids of the OpenSearch CI release/build server and test environments. This is a comma-delimited value and requires at least one account.
 
 The following command will deploy the CDK stack and create a new S3 bucket. If you'd like to use an existing S3 bucket, see the section below
 for deploying individual stacks.
 
 ```
-cdk deploy --all --context archivesBucketName={s3-bucket-name} --context dataPrepperOrganization={data-prepper-organization-name} --context ciAccountId={opensearch-ci-account-id}
+cdk deploy --all --context archivesBucketName={s3-bucket-name} --context dataPrepperOrganization={data-prepper-organization-name} --context ciAccountIds={opensearch-ci-account-id}
 ```
 
 #### Deploy to Use an Existing S3 Bucket

release/staging-resources-cdk/lib/OpenSearchCIAccessStack.ts

@@ -21,13 +21,27 @@ export class OpenSearchCIAccessStack extends Stack {
     super(scope, id, props);
 
     const archivesBucketName: string = scope.node.tryGetContext('archivesBucketName');
-    const ciAccountId: string = scope.node.tryGetContext('ciAccountId');
+    const ciAccountIds: string = scope.node.tryGetContext('ciAccountIds');
+
+    const trustedAccountIds = ciAccountIds.split(',')
+      .map(id => id.trim())
+      .filter(id => id.length > 0);
+    
+    if (trustedAccountIds.length === 0) {
+      throw new Error('At least one account ID must be provided in ciAccountIds');
+    }
+    
+    const principals = [];
+    
+    for (const accountId of trustedAccountIds) {
+      principals.push(
+        new ArnPrincipal(`arn:aws:iam::${accountId}:role/OpenSearch-CI-MainNodeRole`),
+        new ArnPrincipal(`arn:aws:iam::${accountId}:role/OpenSearch-CI-AgentNodeRole`)
+      );
+    }
 
     new Role(this, 'OpenSearchCIAccessRole', {
-      assumedBy: new CompositePrincipal(
-        new ArnPrincipal(`arn:aws:iam::${ciAccountId}:role/OpenSearch-CI-MainNodeRole`),
-        new ArnPrincipal(`arn:aws:iam::${ciAccountId}:role/OpenSearch-CI-AgentNodeRole`)
-      ),
+      assumedBy: new CompositePrincipal(...principals),
       inlinePolicies: {
         S3Access: new PolicyDocument({
           statements: [new PolicyStatement({

release/staging-resources-cdk/test/OpenSearchCIAccessStack.test.ts

@@ -17,7 +17,7 @@ beforeEach(() => {
   app = new App({
     context: {
       archivesBucketName: 'test-archives-bucket',
-      ciAccountId: '123456789012'
+      ciAccountIds: '123456789012'
     }
   });
 });
@@ -70,3 +70,64 @@ test('Creates IAM role with S3 access policy', () => {
     }]
   });
 });
+
+test('Creates IAM role with assume role policy for multiple CI accounts', () => {
+  const appWithMultipleAccounts = new App({
+    context: {
+      archivesBucketName: 'test-archives-bucket',
+      ciAccountIds: '123456789012,210987654321'
+    }
+  });
+
+  const stackUnderTest = new OpenSearchCIAccessStack(appWithMultipleAccounts, 'TestStack');
+
+  const template = Template.fromStack(stackUnderTest);
+
+  template.hasResourceProperties('AWS::IAM::Role', {
+    AssumeRolePolicyDocument: {
+      Statement: [
+        {
+          Effect: 'Allow',
+          Principal: {
+            AWS: 'arn:aws:iam::123456789012:role/OpenSearch-CI-MainNodeRole'
+          },
+          Action: 'sts:AssumeRole'
+        },
+        {
+          Effect: 'Allow',
+          Principal: {
+            AWS: 'arn:aws:iam::123456789012:role/OpenSearch-CI-AgentNodeRole'
+          },
+          Action: 'sts:AssumeRole'
+        },
+        {
+          Effect: 'Allow',
+          Principal: {
+            AWS: 'arn:aws:iam::210987654321:role/OpenSearch-CI-MainNodeRole'
+          },
+          Action: 'sts:AssumeRole'
+        },
+        {
+          Effect: 'Allow',
+          Principal: {
+            AWS: 'arn:aws:iam::210987654321:role/OpenSearch-CI-AgentNodeRole'
+          },
+          Action: 'sts:AssumeRole'
+        }
+      ]
+    }
+  });
+});
+
+test('Throws error when no account IDs are provided', () => {
+  const appWithNoAccounts = new App({
+    context: {
+      archivesBucketName: 'test-archives-bucket',
+      ciAccountIds: ''
+    }
+  });
+
+  expect(() => {
+    new OpenSearchCIAccessStack(appWithNoAccounts, 'TestStack');
+  }).toThrow('At least one account ID must be provided in ciAccountIds');
+});