Creates an IAM role granting the OpenSearch CI access to the S3 artifacts (opensearch-project#5815)

Creates an IAM role that the OpenSearch CI build server can assume to gain access to the S3 bucket for archives. Contributes toward opensearch-project#5796 by allowing the server to perform a full S3 download of the Maven artifacts.

Signed-off-by: David Venable <dlv@amazon.com>
Signed-off-by: Jonah Calvo <caljonah@amazon.com>

Author: dlvenable

release/staging-resources-cdk/README.md

@@ -52,12 +52,13 @@ The following CDK commands all require defining context. The context variables a
 
 * `archivesBucketName` - The name of the S3 bucket you will use to deploy. This bucket must be in the same region as your stack.
 * `dataPrepperOrganization` - The name of the GitHub organization which has the `data-prepper` repository. This allows you to create staging environments for forks. The default value is `opensearch-project`.
+* `ciAccountId` - The AWS account Id of the OpenSearch CI release/build server.
 
 The following command will deploy the CDK stack and create a new S3 bucket. If you'd like to use an existing S3 bucket, see the section below
 for deploying individual stacks.
 
 ```
-cdk deploy --all --context archivesBucketName={s3-bucket-name} --context dataPrepperOrganization={data-prepper-organization-name}
+cdk deploy --all --context archivesBucketName={s3-bucket-name} --context dataPrepperOrganization={data-prepper-organization-name} --context ciAccountId={opensearch-ci-account-id}
 ```
 
 #### Deploy to Use an Existing S3 Bucket

release/staging-resources-cdk/bin/staging-resources-cdk.ts

@@ -11,6 +11,7 @@ import {GitHubAccessStack} from '../lib/GitHubAccessStack';
 import {ArchivesBucketStack} from '../lib/ArchivesBucketStack';
 import {StagingResourcesStack} from '../lib/StagingResourcesStack';
 import {GitHubActionsReleaseAccessStack} from '../lib/GitHubActionsReleaseAccessStack';
+import { OpenSearchCIAccessStack } from '../lib/OpenSearchCIAccessStack';
 
 
 const app = new App();
@@ -27,6 +28,10 @@ const stagingResourcesStack = new StagingResourcesStack(app, 'StagingResourcesSt
   stackName: 'StagingResources'
 });
 
+new OpenSearchCIAccessStack(app, 'OpenSearchCIAccessStack', {
+  stackName: 'DataPrepperStagingResources-OpenSearchCIAccess'
+});
+
 new GitHubActionsReleaseAccessStack(app, 'GitHubActionsReleaseAccessStack', {
   stackName: 'GitHubActionsReleaseAccess',
   gitHubOidcProvider: gitHubAccessStack.gitHubOidcProvider,

release/staging-resources-cdk/lib/OpenSearchCIAccessStack.ts

@@ -0,0 +1,45 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Role, ArnPrincipal, PolicyStatement, Effect, PolicyDocument, CompositePrincipal } from 'aws-cdk-lib/aws-iam';
+import { Construct } from 'constructs';
+
+/**
+ * This stack creates resources necessary for the OpenSearch CI server
+ * to access the staging archives bucket by assuming a role in the staging
+ * account.
+ */
+export class OpenSearchCIAccessStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const archivesBucketName: string = scope.node.tryGetContext('archivesBucketName');
+    const ciAccountId: string = scope.node.tryGetContext('ciAccountId');
+
+    new Role(this, 'OpenSearchCIAccessRole', {
+      assumedBy: new CompositePrincipal(
+        new ArnPrincipal(`arn:aws:iam::${ciAccountId}:role/OpenSearch-CI-MainNodeRole`),
+        new ArnPrincipal(`arn:aws:iam::${ciAccountId}:role/OpenSearch-CI-AgentNodeRole`)
+      ),
+      inlinePolicies: {
+        S3Access: new PolicyDocument({
+          statements: [new PolicyStatement({
+            effect: Effect.ALLOW,
+            actions: ['s3:GetObject', 's3:ListBucket', 's3:GetObjectAcl'],
+            resources: [
+              `arn:aws:s3:::${archivesBucketName}`,
+              `arn:aws:s3:::${archivesBucketName}/*`
+            ]
+          })]
+        })
+      }
+    });
+  }
+}